On Sun, Oct 25, 2020 at 3:31 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> OK, if you look at the end of the permissions, there is a '+' sign, this
> shows that extended acls are set, to see these:
>
> getfacl /usr/local/samba/var/locks/sysvol

The difference in acls is that the non-working domain includes:

user:3000001:r-x
user:3000002:rwx
user:3000003:r-x

and

default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x

Otherwise they are identical.

> You can also see the extended ACLs with:
> samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl

Working domain:
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)

Non-working domain:
O:LAG:DAD:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;;;;WD)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)

I tried adding the sgid bit and restarting samba but there was no change in the results.
On 25/10/2020 19:44, Sonic wrote:
> On Sun, Oct 25, 2020 at 3:31 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> OK, if you look at the end of the permissions, there is a '+' sign, this
>> shows that extended acls are set, to see these:
>>
>> getfacl /usr/local/samba/var/locks/sysvol
> The difference in acls is that the non-working domain includes:
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> and
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
>
> Otherwise they are identical.
>
>> You can also see the extended ACLs with:
>> samba-tool ntacl get /usr/local/samba/var/locks/sysvol --as-sddl
> Working domain:
> O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
>
> Non-working domain:
> O:LAG:DAD:(A;OICI;0x001f01ff;;;LA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;SA)(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;S-1-5-21-546846319-217595157-9522986-572)(A;OICI;;;;WD)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;LA)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)
>
> I tried adding the sgid bit and restarting samba but there was no
> change in the results.

What do you mean by 'working domain' and 'non-working domain'? Do you have two domains?

I am also trying to understand why you have 'DENIED_RODC_PASSWORD_REPLICATION_GROUP' in your ACL?

I do not normally advise this, but try running 'samba-tool ntacl sysvolreset'

Rowland
On Sun, Oct 25, 2020 at 4:02 PM Rowland penny via samba <samba at lists.samba.org> wrote:
> What do you mean by 'working domain' and 'non-working domain'?
> Do you have two domains?

Different sites, different companies, not related. The working one was also a classic upgrade but earlier on, pre 4.6.x. Just using it to compare.

> I am also trying to understand why you have
> 'DENIED_RODC_PASSWORD_REPLICATION_GROUP' in your ACL?
>
> I do not normally advise this, but try running 'samba-tool ntacl
> sysvolreset'

This is what the sysvolcheck returns:

# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/my.example.com/Policies/{E2BC0255-64C8-42CF-A27A-59A7D3DCD2DC} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", line 1894, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", line 1844, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", line 1786, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl)

Should sysvolreset fix this?

Thanks,
Chris
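As an added illustration, not part of the thread and not Samba's code, the script below parses the two SDDL descriptors that sysvolcheck printed above and diffs them field by field; it shows that the seven ACEs are identical and the mismatch is only the AI (auto-inherited) DACL control flag present on the filesystem copy.

```python
# Added example (not from the thread or from Samba): parse SDDL security
# descriptors and report how two of them differ, using the sysvolcheck pair above.
import re
from collections import Counter

# Copied from the sysvolcheck error message quoted in the thread.
FS_ACL = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED_ACL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
                "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# DACL control tokens SDDL allows before the first ACE: P = protected (no
# inheritance from the parent), AR = auto-inherit requested, AI = auto-inherited.
CONTROL_RE = re.compile(r"AR|AI|P")
SDDL_RE = re.compile(r"O:(.+?)G:(.+?)D:([^(]*)((?:\([^)]*\))*)")


def parse_sddl(sddl):
    """Return owner, group, DACL control flags and ACEs (6-tuples) of an SDDL string."""
    m = SDDL_RE.fullmatch(sddl)
    if not m:
        raise ValueError("unrecognised SDDL: %r" % sddl)
    owner, group, control, ace_text = m.groups()
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", ace_text)]
    bad = [a for a in aces if len(a) != 6]  # type;flags;rights;objguid;inhguid;sid
    if bad:
        raise ValueError("malformed ACE(s): %r" % bad)
    return {"owner": owner, "group": group,
            "control": CONTROL_RE.findall(control), "aces": aces}


def diff_sddl(actual, expected):
    """Report what differs; ACEs are compared as multisets so duplicates show up."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    ca, ce = Counter(a["aces"]), Counter(e["aces"])
    return {
        "owner": None if a["owner"] == e["owner"] else (a["owner"], e["owner"]),
        "group": None if a["group"] == e["group"] else (a["group"], e["group"]),
        "control_only_actual": sorted(set(a["control"]) - set(e["control"])),
        "control_only_expected": sorted(set(e["control"]) - set(a["control"])),
        "aces_only_actual": sorted((ca - ce).elements()),
        "aces_only_expected": sorted((ce - ca).elements()),
    }


if __name__ == "__main__":
    for key, value in diff_sddl(FS_ACL, EXPECTED_ACL).items():
        print("%-22s %r" % (key, value))
```

The same functions can be pointed at the 'working' and 'non-working' descriptors earlier in the thread, where the multiset comparison also surfaces the duplicated ACEs in the non-working domain.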