denis bonnenfant@sambaedu.org
2025-Feb-26 21:18 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
Le 26/02/2025 ? 20:38, Rowland Penny via samba a ?crit?:> On Wed, 26 Feb 2025 18:57:13 +0100 > denis bonnenfant--- via samba <samba at lists.samba.org> wrote: > >> Hello, >> >> Summary : >> >> New gpo are created from windows with? explicit rwx user and group >> acls for "Domain admins", which are inherited for every objects >> created, while sysvolreset is changing this to user:group ownership, >> which is not inheritable, and removes the acls for "Domain Admins". >> >> There are three permissions in play here, the normal Unix 'ugo', the EA >> you are reading with setfacl and a further one that is set with the >> Windows permissions. Can you try to read the latter with: >> >> samba-tool ntacl get <file> --as-sddl >> >> Where '<file>' is the directory or file >> >> For example, on my DC, this: >> >> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl >> >> Produces this: >> >> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU) >> >> RowlandHello, Here are the? ntacls in sddl form : ### New GPO from Windows RSTAT tool, created by an user member of Doman Admins group : # samba-tool ntacl get? --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED) New Folder created in explorer.exe : # samba-tool ntacl get? --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED) New file : # samba-tool ntacl get? --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/logon.txt O:BAG:DUD:AI(A;ID;FA;;;DA)(A;ID;FA;;;EA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;AU)(A;ID;0x1200a9;;;ED) ### After sysvolreset # samba-tool ntacl get? --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED) SSDL are exactly the same for? all files and folders after sysvolreset New folder : # samba-tool ntacl get? --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2 O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;OICI;0x1200a9;;;ED) New file : # samba-tool ntacl get? --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2.txt O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(OA;;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;;0x1200a9;;;ED) test2 and test2.txt acls's? are not readable in windows explorer, it just displays an error message. setting back? ACLS to the original values (before sysvolreset) is working as expected : # samba-tool ntacl set "O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)" /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon # samba-tool ntacl get? --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED) # samba-tool ntacl get? --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test3 O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED) So the issue is definitely related to sysvolreset.
denis bonnenfant@sambaedu.org
2025-Feb-26 21:38 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
Le 26/02/2025 ? 22:18, denis bonnenfant--- via samba a ?crit?:> > Le 26/02/2025 ? 20:38, Rowland Penny via samba a ?crit?: >> On Wed, 26 Feb 2025 18:57:13 +0100 >> denis bonnenfant--- via samba <samba at lists.samba.org> wrote: >> >>> Hello, >>> >>> Summary : >>> >>> New gpo are created from windows with? explicit rwx user and group >>> acls for "Domain admins", which are inherited for every objects >>> created, while sysvolreset is changing this to user:group ownership, >>> which is not inheritable, and removes the acls for "Domain Admins". >>> >>> There are three permissions in play here, the normal Unix 'ugo', the EA >>> you are reading with setfacl and a further one that is set with the >>> Windows permissions. Can you try to read the latter with: >>> >>> samba-tool ntacl get <file> --as-sddl >>> >>> Where '<file>' is the directory or file >>> >>> For example, on my DC, this: >>> >>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl >>> >>> Produces this: >>> >>> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU) >>> >>> >>> Rowland > > Hello, > > Here are the? ntacls in sddl form : > > > ### New GPO from Windows RSTAT tool, created by an user member of > Doman Admins group : > > # samba-tool ntacl get? --as-sddl > /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon > O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED) > > > New Folder created in explorer.exe : > > # samba-tool ntacl get? --as-sddl > /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test > O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED) > > > New file : > > # samba-tool ntacl get? --as-sddl > /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/logon.txt > O:BAG:DUD:AI(A;ID;FA;;;DA)(A;ID;FA;;;EA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;AU)(A;ID;0x1200a9;;;ED) > > > ### After sysvolreset > > # samba-tool ntacl get? --as-sddl > /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon > O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED) > > > SSDL are exactly the same for? all files and folders after sysvolreset > > > New folder : > > # samba-tool ntacl get? --as-sddl > /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2 > O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;OICI;0x1200a9;;;ED) > > > New file : > > # samba-tool ntacl get? --as-sddl > /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2.txt > > O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(OA;;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;;0x1200a9;;;ED) > > > test2 and test2.txt acls's? are not readable in windows explorer, it > just displays an error message. > > > setting back? ACLS to the original values (before sysvolreset) is > working as expected : > > # samba-tool ntacl set > "O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)" > /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon > > > # samba-tool ntacl get? --as-sddl > /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon > O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED) > > > # samba-tool ntacl get? --as-sddl > /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test3 > O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED) > > > > So the issue is definitely related to sysvolreset. > > > > >In addition : # samba-tool ntacl sysvolcheck ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/diderot.org/Policies/{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0}/User/Scripts/Logon/test3 O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED) from GPO object
Rowland Penny
2025-Feb-26 21:44 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On Wed, 26 Feb 2025 22:18:44 +0100 denis bonnenfant--- via samba <samba at lists.samba.org> wrote:> > Le 26/02/2025 ? 20:38, Rowland Penny via samba a ?crit?: > > On Wed, 26 Feb 2025 18:57:13 +0100 > > denis bonnenfant--- via samba <samba at lists.samba.org> wrote: > > > >> Hello, > >> > >> Summary : > >> > >> New gpo are created from windows with? explicit rwx user and group > >> acls for "Domain admins", which are inherited for every objects > >> created, while sysvolreset is changing this to user:group > >> ownership, which is not inheritable, and removes the acls for > >> "Domain Admins". > >> > >> There are three permissions in play here, the normal Unix 'ugo', > >> the EA you are reading with setfacl and a further one that is set > >> with the Windows permissions. Can you try to read the latter with: > >> > >> samba-tool ntacl get <file> --as-sddl > >> > >> Where '<file>' is the directory or file > >> > >> For example, on my DC, this: > >> > >> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl > >> > >> Produces this: > >> > >> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU) > >> > >> Rowland > > Hello, > > Here are the? ntacls in sddl form : > > > ### New GPO from Windows RSTAT tool, created by an user member of > Doman Admins group : > > # samba-tool ntacl get? --as-sddl > /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon > O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED) >Let me examine these and get back to you. Rowland