[Samba] ACL problem after sysvolreset (possible bug ?)
Rowland Penny
rpenny at samba.org
Thu Feb 27 08:58:17 UTC 2025
On Thu, 27 Feb 2025 09:49:47 +0100
denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
> > On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
> > On Wed, 26 Feb 2025 22:18:44 +0100
> > denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> >
> >> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
> >>> On Wed, 26 Feb 2025 18:57:13 +0100
> >>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hello,
> >>>>
> >>>> Summary:
> >>>>
> >>>> New GPOs are created from Windows with explicit rwx user and
> >>>> group ACLs for "Domain Admins", which are inherited by every
> >>>> object created, while sysvolreset changes this to user:group
> >>>> ownership, which is not inheritable, and removes the ACLs for
> >>>> "Domain Admins".
> >>>>
> >>>> There are three permissions in play here, the normal Unix 'ugo',
> >>>> the EA you are reading with setfacl and a further one that is set
> >>>> with the Windows permissions. Can you try to read the latter
> >>>> with:
> >>>>
> >>>> samba-tool ntacl get <file> --as-sddl
> >>>>
> >>>> Where '<file>' is the directory or file
> >>>>
> >>>> For example, on my DC, this:
> >>>>
> >>>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> >>>>
> >>>> Produces this:
> >>>>
> >>>> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
> >>>>
> >>>> Rowland
> >> Hello,
> >>
> >> Here are the ntacls in SDDL form:
> >>
> >>
> >> ### New GPO from the Windows RSAT tool, created by a user who is a member of
> >> the Domain Admins group:
> >>
> >> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
> >> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
> >>
> > Let me examine these and get back to you.
>
> In addition, on a newly created GPO:
>
> jeu. févr. 27 09:39:47 root at se4ad.:~
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}
> O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/Machine/Scripts
> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>
> ACEs are different on the GPO root and its children.
>
>
> dsacl on a fresh GPO before sysvolreset:
>
> jeu. févr. 27 09:39:49 root at se4ad.:~
> # samba-tool dsacl get --objectdn='CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org'
>
> descriptor for CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
> O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
Before I dive into this, can you supply the smb.conf from the DC and
the Unix permissions from /var/lib/samba/sysvol and
/var/lib/samba/sysvol/diderot.org?
Rowland