[Samba] ACL problem after sysvolreset (possible bug ?)

denis bonnenfant@sambaedu.org denis.bonnenfant at sambaedu.org
Thu Feb 27 19:28:39 UTC 2025


Le 27/02/2025 à 19:49, Rowland Penny via samba a écrit :
> On Thu, 27 Feb 2025 19:00:29 +0100
> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
>
>> Just for information:
>>
>> changing file "/usr/lib/python3/dist-packages/samba/ntacls.py",
>> lines 308-309 to
>>
>>
>>          if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and str(ace.trustee) != security.SID_BUILTIN_PREW2K:
>>
>> removes the problematic ACE (the one with the UUID), and after that GPOs are
>> working perfectly after sysvolreset. It's just a hack, with
>> probable corner effects, but it is out of my skills to test it....
>>
>>
> The GPOs are stored in sysvol and in AD (they are in
> 'CN=Policies,CN=System,DC=samdom,DC=example,DC=com') and the
> 'nTSecurityDescriptor' attribute from each policy is used by sysvolreset
> to set the permissions on each policy in sysvol, it seems that this is
> where the problem comes from.
>
> If you compare the output of the following command with the SDDL of the
> GPO in sysvol, they should be very similar:
>
> sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb
> '(distinguishedName=CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com)'
> nTSecurityDescriptor
>
> Where '{6AC1786C-016F-11D2-945F-00C04FB984F9}' is the GPO.
>
> Rowland
>
>
Yes, and the problem comes from the ACE
(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU) in the ldb GPO object,
which must not be applied to sysvol files, as it corrupts all newly
created files and folders (and, most importantly, is not present in newly
created GPOs).

So it is probably a good idea to filter it before comparison with the sysvol
ntacls.
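As an added example that is not part of this thread or of Samba's ntacls.py, the following Python shows the filtering step in SDDL form: it parses the DACL of a security descriptor string and drops object-type ACEs (those with an extended-right or object GUID, such as the OA entry above) before the descriptor is compared with or applied to sysvol. The sample descriptor is constructed, and the assumption that object ACEs never belong on a file is the point under discussion, not Samba's own rule.

```python
import re

# ACE types that carry object GUIDs (AD object classes / extended rights).
# Assumption: such ACEs are never meaningful on a sysvol file or folder.
OBJECT_ACE_TYPES = {"OA", "OD", "OU", "OL"}
ACE_RE = re.compile(r"\(([^()]*)\)")


def parse_aces(ace_text):
    """Turn '(A;OICI;FA;;;DA)(OA;CI;CR;<guid>;;AU)' into 6-field tuples."""
    aces = []
    for m in ACE_RE.finditer(ace_text):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %s" % m.group(0))
        aces.append(tuple(fields))
    return aces


def is_object_ace(ace):
    """True for OA/OD/OU/OL ACEs or any ACE whose GUID fields are filled."""
    ace_type, _flags, _rights, obj_guid, inherit_guid, _trustee = ace
    return ace_type in OBJECT_ACE_TYPES or obj_guid != "" or inherit_guid != ""


def strip_object_aces(sddl):
    """Return (filtered_sddl, dropped_aces) for an SDDL string with a DACL."""
    m = re.search(r"D:[A-Z]*", sddl)      # DACL tag plus its flags, e.g. D:PAI
    if m is None:
        raise ValueError("SDDL has no DACL")
    head, rest = sddl[:m.end()], sddl[m.end():]
    sacl_at = rest.find("S:")             # an optional SACL follows the DACL ACEs
    dacl_text = rest if sacl_at < 0 else rest[:sacl_at]
    tail = "" if sacl_at < 0 else rest[sacl_at:]
    aces = parse_aces(dacl_text)
    kept = [a for a in aces if not is_object_ace(a)]
    dropped = [a for a in aces if is_object_ace(a)]
    return head + "".join("(%s)" % ";".join(a) for a in kept) + tail, dropped


# Constructed sample in the shape of a GPO nTSecurityDescriptor (not a real dump).
# The OA entry grants the Apply-Group-Policy extended right (CR plus that GUID),
# i.e. the ACE discussed in the thread; everything else is a plain file-style ACE.
SAMPLE = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU)"
          "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
          "(A;OICI;0x001f01ff;;;SY)")

if __name__ == "__main__":
    filtered, dropped = strip_object_aces(SAMPLE)
    print(filtered, "\ndropped:", [";".join(a) for a in dropped])
```

Samba's sysvolreset works on security descriptor objects rather than SDDL text, so the same check there would look at each ACE's type and object GUID fields instead of string fields.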
