[Samba] ACL problem after sysvolreset (possible bug ?)
Rowland Penny
rpenny at samba.org
Wed Feb 26 21:44:44 UTC 2025
On Wed, 26 Feb 2025 22:18:44 +0100
denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
> > On Wed, 26 Feb 2025 18:57:13 +0100
> > denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> >
> >> Hello,
> >>
> >> Summary :
> >>
> >> New gpo are created from windows with explicit rwx user and group
> >> acls for "Domain admins", which are inherited for every objects
> >> created, while sysvolreset is changing this to user:group
> >> ownership, which is not inheritable, and removes the acls for
> >> "Domain Admins".
> >>
> > There are three permissions in play here, the normal Unix 'ugo',
> > the EA you are reading with setfacl and a further one that is set
> > with the Windows permissions. Can you try to read the latter with:
> >
> > samba-tool ntacl get <file> --as-sddl
> >
> > Where '<file>' is the directory or file
> >
> > For example, on my DC, this:
> >
> > sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> >
> > Produces this:
> >
> > O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
> >
> > Rowland
>
> Hello,
>
> Here are the ntacls in sddl form :
>
>
> ### New GPO from Windows RSAT tool, created by a user member of
> Domain Admins group :
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>
Let me examine these and get back to you.
Rowland
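The two SDDL strings quoted in this thread differ in ways that are easy to miss when read by eye (the DACL control flag `P` versus `AI`, the `ID` flag on every ACE of the GPO directory, and the extra full-control entries for DA, EA and CO). The following decoder is an added example, written for this page in Python; it is not code from the Samba project or from either poster. It parses the `O:/G:/D:` form that `samba-tool ntacl get --as-sddl` prints and reports, per ACE, the trustee, the rights mask and whether the entry was inherited. The alias table is the subset of the MS-DTYP well-known SID and access-mask strings that appear above; the two sample strings are copied from the messages in this thread, with `SYSVOL_ROOT` and `GPO_LOGON` being names chosen here.

```python
import re

# Added example, not Samba project code: decode the DACL part of the SDDL
# strings printed by `samba-tool ntacl get --as-sddl` so that two ACLs can be
# compared by trustee, access mask and inheritance flags.

# Two-letter SID strings (MS-DTYP 2.4.2.4); only the subset seen in the thread.
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators",
    "SO": "BUILTIN\\Server Operators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "ED": "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "CO": "CREATOR OWNER",
    "LA": "Administrator",
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "DU": "Domain Users",
}

# Two-letter access-mask aliases for file objects (MS-DTYP 2.4.3).
RIGHTS_ALIASES = {
    "FA": 0x001F01FF,  # FILE_ALL_ACCESS
    "FR": 0x00120089,  # FILE_GENERIC_READ
    "FW": 0x00120116,  # FILE_GENERIC_WRITE
    "FX": 0x001200A0,  # FILE_GENERIC_EXECUTE
    "GA": 0x10000000,  # GENERIC_ALL
    "GX": 0x20000000,  # GENERIC_EXECUTE
    "GW": 0x40000000,  # GENERIC_WRITE
    "GR": 0x80000000,  # GENERIC_READ
}
FILE_ALL_ACCESS = RIGHTS_ALIASES["FA"]

# O:<owner>G:<group>D:<dacl flags>(ace)(ace)... with an optional S: (SACL) tail.
SDDL_RE = re.compile(
    r"^O:(?P<owner>S-[0-9-]+|[A-Z]{2})"
    r"G:(?P<group>S-[0-9-]+|[A-Z]{2})"
    r"D:(?P<dacl_flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)"
    r"(?:S:.*)?$"
)


def parse_rights(field):
    """Rights field: either a hex mask or concatenated two-letter aliases."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS_ALIASES[field[i:i + 2]]
    return mask


def parse_sddl(sddl):
    """Return owner, group, DACL control flags and the list of decoded ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL string: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        flag_list = re.findall(r"[A-Z]{2}", flags)     # OI CI IO NP ID ...
        aces.append({
            "type": ace_type,                            # "A" allow, "D" deny
            "flags": flag_list,
            "rights": parse_rights(rights),
            "sid": sid,
            "trustee": SID_ALIASES.get(sid, sid),
            "inherited": "ID" in flag_list,              # set by the parent, not on the object
        })
    return {
        "owner": SID_ALIASES.get(m.group("owner"), m.group("owner")),
        "group": SID_ALIASES.get(m.group("group"), m.group("group")),
        "dacl_flags": re.findall(r"P|AR|AI", m.group("dacl_flags")),  # P = protected, AI = auto-inherited
        "aces": aces,
    }


def full_control_trustees(acl):
    """Trustees granted FILE_ALL_ACCESS by an allow ACE."""
    return {a["trustee"] for a in acl["aces"]
            if a["type"] == "A" and a["rights"] & FILE_ALL_ACCESS == FILE_ALL_ACCESS}


def explicit_aces(acl):
    """ACEs set directly on the object (no ID flag); only these survive a change of parent."""
    return [a for a in acl["aces"] if not a["inherited"]]


def describe(acl):
    lines = ["owner=%s group=%s dacl_flags=%s" % (
        acl["owner"], acl["group"], ",".join(acl["dacl_flags"]) or "-")]
    for a in acl["aces"]:
        lines.append("  %s %-42s 0x%08x %s" % (
            a["type"], a["trustee"], a["rights"], " ".join(a["flags"])))
    return "\n".join(lines)


def compare(sddl_a, sddl_b):
    """Summarise how ACL b differs from ACL a for the questions raised in the thread."""
    a, b = parse_sddl(sddl_a), parse_sddl(sddl_b)
    return {
        "full_control_only_in_b": full_control_trustees(b) - full_control_trustees(a),
        "b_all_inherited": all(x["inherited"] for x in b["aces"]),
        "a_protected": "P" in a["dacl_flags"],
    }


# The two SDDL strings posted in the thread: Rowland's sysvol root and denis's GPO logon directory.
SYSVOL_ROOT = "O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
GPO_LOGON = ("O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)"
             "(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)")

if __name__ == "__main__":
    print(describe(parse_sddl(SYSVOL_ROOT)))
    print(describe(parse_sddl(GPO_LOGON)))
    print(compare(SYSVOL_ROOT, GPO_LOGON))
```

Running it shows that every ACE on the GPO logon directory carries `ID`, i.e. nothing is set on the directory itself, while the sysvol root ACL is `P` (protected) with four explicit entries; it also decodes `0x1200a9` as `FR` plus `FX` (generic read and execute), which is the mask Authenticated Users and Enterprise Domain Controllers hold in both strings.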