[Samba] ACL problem after sysvolreset (possible bug ?)
denis bonnenfant@sambaedu.org
denis.bonnenfant at sambaedu.org
Thu Feb 27 09:12:26 UTC 2025
On 27/02/2025 at 09:58, Rowland Penny via samba wrote:
> On Thu, 27 Feb 2025 09:49:47 +0100
> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
>> On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
>>> On Wed, 26 Feb 2025 22:18:44 +0100
>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
>>>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Summary :
>>>>>>
>>>>>> New gpo are created from windows with explicit rwx user and
>>>>>> group acls for "Domain admins", which are inherited for every
>>>>>> objects created, while sysvolreset is changing this to user:group
>>>>>> ownership, which is not inheritable, and removes the acls for
>>>>>> "Domain Admins".
>>>>>>
>>>>>> There are three permissions in play here, the normal Unix 'ugo',
>>>>>> the EA you are reading with setfacl and a further one that is set
>>>>>> with the Windows permissions. Can you try to read the latter
>>>>>> with:
>>>>>>
>>>>>> samba-tool ntacl get <file> --as-sddl
>>>>>>
>>>>>> Where '<file>' is the directory or file
>>>>>>
>>>>>> For example, on my DC, this:
>>>>>>
>>>>>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>>>>>
>>>>>> Produces this:
>>>>>>
>>>>>> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>>>>>
>>>>>> Rowland
>>>> Hello,
>>>>
>>>> Here are the ntacls in sddl form :
>>>>
>>>>
>>>> ### New GPO from Windows RSAT tool, created by a user member of the
>>>> Domain Admins group :
>>>>
>>>> # samba-tool ntacl get --as-sddl
>>>> /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
>>>> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>>>>
>>> Let me examine these and get back to you.
>> In addition, on newly created GPO :
>>
>> jeu. févr. 27 09:39:47 root at se4ad.:~
>> # samba-tool ntacl get --as-sddl
>> /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}
>> O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
>>
>> # samba-tool ntacl get --as-sddl
>> /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/Machine/Scripts
>> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>>
>> ACEs are different on the GPO root and its children.
>>
>>
>> dsacl on a fresh GPO before sysvolreset :
>>
>> jeu. févr. 27 09:39:49 root at se4ad.:~
>> # samba-tool dsacl get
>> --objectdn='CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org'
>>
>> descriptor for
>> CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
>> O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> Before I dive into this, can you supply the smb.conf from the DC and
> the Unix permissions from /var/lib/samba/sysvol and
> /var/lib/samba/sysvol/diderot.org
smb.conf :
[global]
netbios name = se4ad
workgroup = DIDEROT
realm = DIDEROT.ORG
dns forwarder = 172.16.1.253
server role = active directory domain controller
[netlogon]
path = /var/lib/samba/sysvol/diderot.org/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Unix ACLs :
ID mappings :
jeu. févr. 27 10:03:34 root at se4ad.:~
# wbinfo --uid-info=3000006
DIDEROT\enterprise admins:*:3000006:3000006::/home/DIDEROT/enterprise
admins:/bin/false
jeu. févr. 27 10:08:27 root at se4ad.:~
# wbinfo --uid-info=3000009
NT Authority\enterprise domain controllers:*:3000009:3000009::/home/NT
Authority/enterprise domain controllers:/bin/false
jeu. févr. 27 10:08:57 root at se4ad.:~
# wbinfo --uid-info=3000000
BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false
jeu. févr. 27 10:09:35 root at se4ad.:~
# wbinfo --uid-info=3000002
NT Authority\system:*:3000002:3000002::/home/NT Authority/system:/bin/false
jeu. févr. 27 10:10:40 root at se4ad.:~
# wbinfo --uid-info=3000003
NT Authority\authenticated users:*:3000003:3000003::/home/NT
Authority/authenticated users:/bin/false
jeu. févr. 27 10:10:48 root at se4ad.:~
# wbinfo --uid-info=3000001
BUILTIN\server operators:*:3000001:3000001::/home/BUILTIN/server
operators:/bin/false
jeu. févr. 27 10:10:56 root at se4ad.:~
# wbinfo --uid-info=30000025
jeu. févr. 27 10:11:16 root at se4ad.:~
# wbinfo --uid-info=3000025
DIDEROT\domain admins:*:3000025:3000025::/home/DIDEROT/domain
admins:/bin/false
getfacl : suppression du premier « / » des noms de chemins absolus
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
# getfacl /var/lib/samba/sysvol/diderot.org/
getfacl : suppression du premier « / » des noms de chemins absolus
# file: var/lib/samba/sysvol/diderot.org/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
example of gpo root before sysvolreset :
jeu. févr. 27 10:02:19 root at se4ad.:~
# getfacl
/var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/
getfacl : suppression du premier « / » des noms de chemins absolus
# file:
var/lib/samba/sysvol/diderot.org/Policies/{3E5EB18B-221D-4173-958D-D913D3C6BFBB}/
# owner: 3000025
# group: 3000025
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000009:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000009:r-x
group:3000025:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000009:r-x
default:user:3000025:rwx
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000009:r-x
default:group:3000025:rwx
default:mask::rwx
default:other::---
GPO root with sysvolreset :
jeu. févr. 27 10:02:48 root at se4ad.:~
# getfacl
/var/lib/samba/sysvol/diderot.org/Policies/\{F1B4F439-1C9D-4FB0-AD0C-A32CBD0A4512\}/
getfacl : suppression du premier « / » des noms de chemins absolus
# file:
var/lib/samba/sysvol/diderot.org/Policies/{F1B4F439-1C9D-4FB0-AD0C-A32CBD0A4512}/
# owner: 3000025
# group: 3000025
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
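To make the SDDL strings quoted in this thread easier to compare, here is a small added Python helper (not part of the thread and not Samba's own code) that parses a security descriptor string and reports which trustees an ACL loses or gains, and which ACEs are explicit rather than inherited. The alias table is assumed from the standard SDDL well-known abbreviations; the sample descriptors are the ones quoted above (the Windows-created GPO root and child directory, and Rowland's sysvol root after sysvolreset).

```python
import re

# Standard SDDL well-known SID abbreviations (assumed from MS-DTYP) for the
# trustees that appear in this thread.
ALIASES = {
    "BA": "BUILTIN\\Administrators", "SO": "BUILTIN\\Server Operators",
    "SY": "NT AUTHORITY\\SYSTEM", "AU": "Authenticated Users",
    "DA": "Domain Admins", "EA": "Enterprise Admins", "DU": "Domain Users",
    "CO": "CREATOR OWNER", "ED": "Enterprise Domain Controllers",
    "LA": "Administrator",
}

# O:<owner>G:<group>D:<flags>(ace)(ace)...[S:<sacl>]
SD_RE = re.compile(r"^O:([\w-]+?)G:([\w-]+?)D:([A-Z]*)((?:\([^)]*\))*)(?:S:(.*))?$")
# (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\((\w*);(\w*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def parse_sddl(sddl):
    """Return owner, group, the DACL 'protected' flag and the DACL ACEs."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("not a security descriptor string: %r" % sddl)
    owner, group, flags, dacl, _sacl = m.groups()
    aces = [{"type": t, "flags": f, "rights": r, "sid": s, "inherited": "ID" in f}
            for t, f, r, _og, _iog, s in ACE_RE.findall(dacl)]
    return {"owner": ALIASES.get(owner, owner), "group": ALIASES.get(group, group),
            "protected": "P" in flags, "aces": aces}

def trustees(sddl, explicit_only=False):
    """Trustee names holding a DACL ACE; optionally only ACEs without the ID flag."""
    return {ALIASES.get(a["sid"], a["sid"]) for a in parse_sddl(sddl)["aces"]
            if not (explicit_only and a["inherited"])}

def compare(before, after):
    """(lost, gained) trustee lists when the ACL `before` is replaced by `after`."""
    b, a = trustees(before), trustees(after)
    return sorted(b - a), sorted(a - b)

# Descriptors quoted in the thread (constructed here from the mail text).
GPO_ROOT_FROM_WINDOWS = ("O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
                         "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)")
GPO_CHILD_FROM_WINDOWS = ("O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)"
                          "(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)")
SYSVOL_AFTER_RESET = "O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"

if __name__ == "__main__":
    lost, gained = compare(GPO_ROOT_FROM_WINDOWS, SYSVOL_AFTER_RESET)
    print("trustees dropped by the sysvolreset-style ACL:", lost)
    print("trustees added by it:", gained)
    print("explicit (non-inherited) ACEs on the child dir:", trustees(GPO_CHILD_FROM_WINDOWS, True))
```

Feed the output of `samba-tool ntacl get <path> --as-sddl` taken before and after a reset into `compare()` to see exactly which groups (here Domain Admins, Enterprise Admins, CREATOR OWNER and Enterprise Domain Controllers) are dropped.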