[Samba] ACL problem after sysvolreset (possible bug ?)

denis bonnenfant@sambaedu.org denis.bonnenfant at sambaedu.org
Wed Feb 26 21:38:16 UTC 2025


On 26/02/2025 at 22:18, denis bonnenfant--- via samba wrote:
>
> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
>> On Wed, 26 Feb 2025 18:57:13 +0100
>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>
>>> Hello,
>>>
>>> Summary:
>>>
>>> New GPOs are created from Windows with explicit rwx user and group
>>> ACLs for "Domain Admins", which are inherited by every object
>>> created, while sysvolreset changes this to user:group ownership,
>>> which is not inheritable, and removes the ACLs for "Domain Admins".
>>>
>>> There are three permissions in play here, the normal Unix 'ugo', the EA
>>> you are reading with setfacl and a further one that is set with the
>>> Windows permissions. Can you try to read the latter with:
>>>
>>> samba-tool ntacl get <file> --as-sddl
>>>
>>> Where '<file>' is the directory or file
>>>
>>> For example, on my DC, this:
>>>
>>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>>
>>> Produces this:
>>>
>>> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU) 
>>>
>>>
>>> Rowland
>
> Hello,
>
> Here are the ntacls in SDDL form:
>
>
> ### New GPO from the Windows RSAT tool, created by a user who is a member of
> the Domain Admins group:
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>
>
> New folder created in explorer.exe:
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test
> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>
>
> New file:
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/logon.txt
> O:BAG:DUD:AI(A;ID;FA;;;DA)(A;ID;FA;;;EA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;AU)(A;ID;0x1200a9;;;ED)
>
>
> ### After sysvolreset
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>
>
> The SDDLs are exactly the same for all files and folders after sysvolreset.
>
>
> New folder:
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2
> O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;OICI;0x1200a9;;;ED)
>
>
> New file:
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2.txt
> O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(OA;;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;;0x1200a9;;;ED)
>
>
> The ACLs of test2 and test2.txt are not readable in Windows Explorer; it
> just displays an error message.
>
>
> Setting the ACLs back to the original values (before sysvolreset)
> works as expected:
>
> # samba-tool ntacl set "O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)" /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
>
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test3
> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>
>
>
> So the issue is definitely related to sysvolreset.
>
In addition:


# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/var/lib/samba/sysvol/diderot.org/Policies/{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0}/User/Scripts/Logon/test3 
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED) 
does not match expected value 
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED) 
from GPO object
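As an added example (not part of this thread and not Samba's own code), the following Python parses the SDDL strings that `samba-tool ntacl get --as-sddl` prints and diffs two of them: the GPO folder as Windows created it and the same folder after sysvolreset, both copied verbatim from the quoted output above. It makes the differences that matter for inheritance explicit: the `AI` versus `P` DACL control flag, the `ID` (inherited) marker on each ACE, the `Builtin\Administrators` ACE that disappears, the duplicated `Domain Admins` ACE and the object ACE that appears. The trustee name table and the labelling of `edacfd8f-ffb3-11d1-b41d-00a0c968f939` as the Apply-Group-Policy extended right are the only things assumed beyond the thread.

```python
"""Parse and compare SDDL security descriptors as printed by
`samba-tool ntacl get --as-sddl`.

Added example for the thread; not Samba's code.  The two SDDL strings in
WINDOWS_CREATED and AFTER_SYSVOLRESET are copied from the thread.
"""
import re
from dataclasses import dataclass

# Assumed: readable names for the well-known trustee abbreviations seen above.
TRUSTEE_NAMES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins",
    "BA": "Builtin\\Administrators", "CO": "Creator Owner", "SY": "SYSTEM",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
    "DU": "Domain Users",
}
# Assumed: the extended-right GUID in sysvolreset's object ACE (Apply Group Policy).
APPLY_GROUP_POLICY = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"

# SDDL strings copied from the thread (GPO folder before and after sysvolreset).
WINDOWS_CREATED = ("O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)"
                   "(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)"
                   "(A;OICIID;0x1200a9;;;ED)")
AFTER_SYSVOLRESET = ("O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
                     "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
                     "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
                     "(A;OICI;0x1200a9;;;ED)")

SD_RE = re.compile(r"O:(?P<owner>[A-Z]{2}|S-[\d-]+)G:(?P<group>[A-Z]{2}|S-[\d-]+)"
                   r"D:(?P<dacl_flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)(?:S:.*)?")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = access allowed, D = denied, OA = object allowed, ...
    flags: str         # two-letter tokens: OI CI IO NP ID ...
    rights: str        # FA = full access, or a hex mask such as 0x1200a9
    object_guid: str
    inherit_guid: str
    trustee: str

    def flag_tokens(self):
        return [self.flags[i:i + 2] for i in range(0, len(self.flags), 2)]

    @property
    def inherited(self):
        """ID: the ACE was inherited from the parent rather than set explicitly."""
        return "ID" in self.flag_tokens()

    def key(self):
        """Identity of the ACE with the ID marker dropped, so an explicit ACE
        and the inherited copy of the same ACE compare equal."""
        flags = "".join(t for t in self.flag_tokens() if t != "ID")
        return (self.ace_type, flags, self.rights, self.object_guid, self.trustee)


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str
    aces: list

    @property
    def protected(self):
        """P: the DACL is protected and does not inherit ACEs from its parent."""
        return "P" in self.dacl_flags


def parse_sddl(text):
    m = SD_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("not a security-descriptor SDDL string: %r" % text)
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append(Ace(*parts))
    return SecurityDescriptor(m.group("owner"), m.group("group"),
                              m.group("dacl_flags"), aces)


def duplicate_aces(sd):
    """ACEs that repeat an earlier ACE of the same descriptor (ID flag ignored)."""
    seen, dups = set(), []
    for ace in sd.aces:
        if ace.key() in seen:
            dups.append(ace)
        seen.add(ace.key())
    return dups


def diff_aces(before, after):
    """Return (keys only in before, keys only in after), ID flag ignored."""
    b = {a.key() for a in before.aces}
    a = {x.key() for x in after.aces}
    return sorted(b - a), sorted(a - b)


def report(before, after):
    """Human-readable summary of what changed between two descriptors."""
    removed, added = diff_aces(before, after)
    name = lambda t: TRUSTEE_NAMES.get(t, t)
    lines = ["owner %s -> %s, group %s -> %s" % (name(before.owner), name(after.owner),
                                                 name(before.group), name(after.group)),
             "DACL flags %r -> %r (protected from parent: %s -> %s)" %
             (before.dacl_flags, after.dacl_flags, before.protected, after.protected),
             "inherited ACEs: %d -> %d" % (sum(a.inherited for a in before.aces),
                                           sum(a.inherited for a in after.aces))]
    lines += ["removed: %s %s %s for %s" % (k[0], k[1], k[2], name(k[4])) for k in removed]
    lines += ["added:   %s %s %s for %s (object %s)" % (k[0], k[1], k[2], name(k[4]), k[3])
              for k in added]
    lines += ["duplicate ACE for %s" % name(a.trustee) for a in duplicate_aces(after)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_sddl(WINDOWS_CREATED), parse_sddl(AFTER_SYSVOLRESET))))
```

Run as a script it prints the summary for the two descriptors from the thread; `parse_sddl` can be pointed at any `--as-sddl` output, for instance to compare what `sysvolcheck` reports as the "DB ACL" against its "expected value" without eyeballing two long strings.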




