[Samba] ACL problem after sysvolreset (possible bug ?)
denis bonnenfant@sambaedu.org
denis.bonnenfant at sambaedu.org
Thu Feb 27 08:49:47 UTC 2025
On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
> On Wed, 26 Feb 2025 22:18:44 +0100
> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
>> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello,
>>>>
>>>> Summary:
>>>>
>>>> New GPOs are created from Windows with explicit rwx user and group
>>>> ACLs for "Domain Admins", which are inherited by every object
>>>> created, while sysvolreset changes this to user:group
>>>> ownership, which is not inheritable, and removes the ACLs for
>>>> "Domain Admins".
>>>>
>>> There are three permissions in play here, the normal Unix 'ugo',
>>> the EA you are reading with setfacl and a further one that is set
>>> with the Windows permissions. Can you try to read the latter with:
>>>
>>> samba-tool ntacl get <file> --as-sddl
>>>
>>> Where '<file>' is the directory or file
>>>
>>> For example, on my DC, this:
>>>
>>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>>
>>> Produces this:
>>>
>>> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>>
>>> Rowland
>> Hello,
>>
>> Here are the ntacls in SDDL form:
>>
>>
>> ### New GPO from the Windows RSAT tool, created by a user member of
>> the Domain Admins group:
>>
>> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
>> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>>
> Let me examine these and get back to you.
In addition, on a newly created GPO:
jeu. févr. 27 09:39:47 root at se4ad.:~
# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}
O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/Machine/Scripts
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
The ACEs are different on the GPO root and on its children.
dsacl on a fresh GPO before sysvolreset:
jeu. févr. 27 09:39:49 root at se4ad.:~
# samba-tool dsacl get --objectdn='CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org'
descriptor for CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
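Added example, not part of this thread or of Samba: a small Python parser for the SDDL strings quoted above that marks each ACE as inheritable (OI/CI) or inherited (ID), and lists child ACEs flagged as inherited that no inheritable ACE on the parent accounts for. The GPO root and Machine/Scripts descriptors are copied from the messages above; the trustee alias table and the function names are my own.

```python
import re
from dataclasses import dataclass

# Well-known trustee aliases that occur in the descriptors quoted above
TRUSTEE = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Builtin Administrators",
           "DU": "Domain Users", "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

@dataclass(frozen=True)
class Ace:
    ace_type: str       # A = access allowed, D = denied, OA = object-specific allow
    flags: frozenset    # two-letter ACE flags such as OI, CI, IO, ID
    rights: str         # FA or a hex mask such as 0x1200a9
    trustee: str        # alias (DA, BA, ...) or literal SID

    def inheritable(self):   # will be copied onto newly created children
        return bool(self.flags & {"OI", "CI"})

    def inherited(self):     # was copied from the parent rather than set explicitly
        return "ID" in self.flags

def parse_sddl(sddl):
    """Split 'O:..G:..D:<flags>(ace)...' into owner, group, DACL protection and ACE list."""
    fields = {p[0]: p[2:] for p in re.split(r"(?=[OGDS]:)", sddl) if p}
    m = re.fullmatch(r"([A-Z]*)((?:\([^)]*\))*)", fields.get("D", ""))
    if m is None:
        raise ValueError("malformed DACL in %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        ace_type, flag_text, rights, _obj, _inh_obj, trustee = body.split(";")
        aces.append(Ace(ace_type, frozenset(re.findall(r"..", flag_text)), rights, trustee))
    return {"owner": fields.get("O"), "group": fields.get("G"),
            "protected": "P" in m.group(1), "aces": aces}

def unexplained_inherited(parent_sddl, child_sddl):
    """Child ACEs flagged ID that no inheritable ACE on the parent accounts for."""
    parent = {(a.ace_type, a.rights, a.trustee)
              for a in parse_sddl(parent_sddl)["aces"] if a.inheritable()}
    return [a for a in parse_sddl(child_sddl)["aces"]
            if a.inherited() and (a.ace_type, a.rights, a.trustee) not in parent]

# The GPO root and its Machine/Scripts child, copied from the thread above
GPO_ROOT = ("O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)"
            "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)")
GPO_CHILD = ("O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)"
             "(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)")

if __name__ == "__main__":
    for a in unexplained_inherited(GPO_ROOT, GPO_CHILD):
        print("inherited ACE with no inheritable parent ACE:", TRUSTEE.get(a.trustee, a.trustee), a.rights, sorted(a.flags))
```

Run against the two strings it reports the `(A;ID;FA;;;BA)` entry on the child, which is marked inherited but has no counterpart on the root and carries no OI/CI flag, so it will not propagate further down.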