[Samba] ACL problem after sysvolreset (possible bug ?)

Wed Feb 26 21:18:44 UTC 2025

Le 26/02/2025 à 20:38, Rowland Penny via samba a écrit :
> On Wed, 26 Feb 2025 18:57:13 +0100
> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Summary :
>>
>> New gpo are created from windows with  explicit rwx user and group
>> acls for "Domain admins", which are inherited for every objects
>> created, while sysvolreset is changing this to user:group ownership,
>> which is not inheritable, and removes the acls for "Domain Admins".
>>
>> There are three permissions in play here, the normal Unix 'ugo', the EA
>> you are reading with setfacl and a further one that is set with the
>> Windows permissions. Can you try to read the latter with:
>>
>> samba-tool ntacl get <file> --as-sddl
>>
>> Where '<file>' is the directory or file
>>
>> For example, on my DC, this:
>>
>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>
>> Produces this:
>>
>> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>
>> Rowland

Hello,

Here are the  ntacls in sddl form :

### New GPO from Windows RSTAT tool, created by an user member of Doman 
Admins group :

# samba-tool ntacl get  --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

New Folder created in explorer.exe :

# samba-tool ntacl get  --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

New file :

# samba-tool ntacl get  --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/logon.txt
O:BAG:DUD:AI(A;ID;FA;;;DA)(A;ID;FA;;;EA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;AU)(A;ID;0x1200a9;;;ED)

### After sysvolreset

# samba-tool ntacl get  --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)

SSDL are exactly the same for  all files and folders after sysvolreset

New folder :

# samba-tool ntacl get  --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2
O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;OICI;0x1200a9;;;ED)

New file :

# samba-tool ntacl get  --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2.txt 

O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(OA;;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;;0x1200a9;;;ED)

test2 and test2.txt acls's  are not readable in windows explorer, it 
just displays an error message.

setting back  ACLS to the original values (before sysvolreset) is 
working as expected :

# samba-tool ntacl set 
"O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)" 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon

# samba-tool ntacl get  --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

# samba-tool ntacl get  --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test3
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

So the issue is definitely related to sysvolreset.