[Samba] ACL problem after sysvolreset (possible bug ?)

Gregory Carter gjcarter2 at gmail.com
Wed Feb 26 20:17:36 UTC 2025


Just out of curiosity, is there a reason why you didn't lab these upgrades
first and delay the upgrades until you had solutions to these problems
you mention, moving from 4.17->4.19?

I guess I find it curious a lot of people on this list do not or will not
create proper test environments before they upgrade. Maybe the environments
are not mission critical.

But all my samba installs are mission critical and beyond.  :-)

On my test environment, I have a Laptop with 64 Gigs of memory and copies
of my dovecot-mail/samba-ad/samba-fs virtual machines and can at least do
basic upgrades between Fedora versions to see what problems a basic upgrade
will do.  Same with basic config changes if I discover a better way of
managing things and want to put it into production.

If I do not have a solution to the problem I encounter to the above
upgrades, I just don't do the upgrade or the patches.



On Wed, Feb 26, 2025 at 11:15 AM denis bonnenfant--- via samba <
samba at lists.samba.org> wrote:

> Hello,
>
> Summary:
>
> New GPOs are created from Windows with explicit rwx user and group ACLs
> for "Domain Admins", which are inherited by every object created,
> while sysvolreset changes this to user:group ownership, which is not
> inheritable, and removes the ACLs for "Domain Admins".
>
> Detail:
>
> I'm facing a weird issue with sysvol ACLs on all my DCs running Samba
> 4.21: the problem appeared after the upgrade from 4.17 to 4.19, and is also
> present on new servers provisioned directly with 4.21.
>
> The context:
>
> First, I'm not running Samba with rfc2307, and "Domain Admins" doesn't
> have a gidNumber.
>
> My smb.conf on the DC is the default one from domain provision.
>
>
> # wbinfo --uid-info=3000025
> DIDEROT\domain admins:*:3000025:3000025::/home/DIDEROT/domain admins:/bin/false
>
> # wbinfo --uid-to-sid=3000025
> S-1-5-21-909356044-1599522197-445740120-512
>
> This group is a member of
>
> # wbinfo --uid-info=3000000
> BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false
>
> # wbinfo --uid-to-sid=3000000
> S-1-5-32-544
>
> The problem:
>
> When creating a new GPO from the Windows GPO management tool with a user
> who is a member of "Domain Admins", everything works as expected: the GPO can be
> modified, elements added in...
>
> After running sysvolreset on the DC, the GPO is broken, as no new folders can be
> created inside it.
>
> ACL before sysvolreset:
>
>
> # getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/
> getfacl : suppression du premier « / » des noms de chemins absolus
> # file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/
> # owner: 3000000
> # group: users
> user::rwx
> user:3000002:rwx
> user:3000003:r-x
> user:3000006:rwx
> user:3000009:r-x
> user:3000025:rwx
> group::---
> group:users:---
> group:3000000:rwx
> group:3000002:rwx
> group:3000003:r-x
> group:3000006:rwx
> group:3000009:r-x
> group:3000025:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:3000006:rwx
> default:user:3000009:r-x
> default:user:3000025:rwx
> default:group::---
> default:group:users:---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:3000006:rwx
> default:group:3000009:r-x
> default:group:3000025:rwx
> default:mask::rwx
> default:other::---
>
>
> Folders or files created inside the GPO inherit these ACLs, and everything
> works.
>
>
> ACLs after sysvolreset:
>
> # getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon
> getfacl : suppression du premier « / » des noms de chemins absolus
> # file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon
> # owner: 3000025
> # group: 3000025
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> When creating a new folder inside it:
>
> # getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/test
> getfacl : suppression du premier « / » des noms de chemins absolus
> # file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/test
> # owner: 3000000
> # group: users
> user::rwx
> user:root:rwx            #effective:r-x
> user:3000000:rwx        #effective:r-x
> user:3000001:r-x
> user:3000002:rwx        #effective:r-x
> user:3000003:r-x
> group::---
> group:3000000:rwx        #effective:r-x
> group:3000001:r-x
> group:3000002:rwx        #effective:r-x
> group:3000003:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
>
> So creating new folders is broken after sysvolreset. Running
> sysvolreset again allows creation of one level again.
>
> Same problem using the Administrator account from Windows. So the only way
> to modify an existing GPO is to create a new one and make all changes
> before sysvolreset.
>
>
> But when using smbclient, it is OK with Administrator:
>
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2\test2
>
> but not with admin (member of "Domain Admins"):
>
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2
> NT_STATUS_ACCESS_DENIED making remote directory \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\test2
>
>
>
>
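To see mechanically why the mkdir is denied once the mask on a new sub-folder drops to r-x, here is an added example (not code from the thread or from Samba) that parses getfacl output and applies the POSIX.1e access algorithm. The uids 3000000 (BUILTIN\Administrators) and 3000025 (Domain Admins) are the ones quoted in the post; the two ACL texts are trimmed, constructed samples based on its listings, and the assumption that the "admin" user carries both gids follows from the wbinfo membership shown.

```python
# Constructed samples trimmed from the post's getfacl listings: the GPO
# folder before sysvolreset, and a sub-folder created after it (mask r-x).
ACL_BEFORE = """\
# owner: 3000000
# group: users
user::rwx
user:3000025:rwx
group::---
mask::rwx
other::---
"""
ACL_AFTER = """\
# owner: 3000000
# group: users
user::rwx
group::---
group:3000000:rwx        #effective:r-x
mask::r-x
other::---
"""

def parse_getfacl(text):
    """Return (owner, owning group, [(tag, qualifier, perms)]); default: entries skipped."""
    owner = group = ""
    entries = []
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            owner = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            group = raw.split(":", 1)[1].strip()
        elif raw and not raw.startswith(("#", "default:")):
            entries.append(tuple(raw.split("#")[0].strip().split(":")))  # drop #effective note
    return owner, group, entries

def can_mkdir(acl_text, uid, gids):
    """POSIX.1e check for the 'wx' a mkdir needs: owner (unmasked), named user, matching groups, other."""
    owner, group, entries = parse_getfacl(acl_text)
    mask = next((p for t, q, p in entries if t == "mask"), "rwx")
    masked = lambda p: "".join(c if c in mask else "-" for c in p)  # mask filters named/group entries
    grants = lambda p: "w" in p and "x" in p
    if uid == owner:
        return grants(next(p for t, q, p in entries if t == "user" and q == ""))
    for t, q, p in entries:
        if t == "user" and q == uid:
            return grants(masked(p))
    group_perms = [masked(p) for t, q, p in entries
                   if t == "group" and (q in gids or (q == "" and group in gids))]
    if group_perms:  # any matching group entry may grant; if none does, other:: is not consulted
        return any(grants(p) for p in group_perms)
    return grants(next(p for t, q, p in entries if t == "other"))
```

Running the same check against the before and after listings shows the Domain Admins uid going from rwx via its own named entry to a masked r-x via BUILTIN\Administrators, which is exactly the NT_STATUS_ACCESS_DENIED seen in smbclient.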

