thr3ads.net - samba - [Samba] ACL problem after sysvolreset (possible bug ?) [Feb 2025]

If this information is useful, please help other people find it:
Share via:

denis bonnenfant@sambaedu.org

2025-Feb-26 21:18 UTC

[Samba] ACL problem after sysvolreset (possible bug ?)

Le 26/02/2025 ? 20:38, Rowland Penny via samba a ?crit?:> On Wed, 26 Feb 2025 18:57:13 +0100
> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Summary :
>>
>> New gpo are created from windows with? explicit rwx user and group
>> acls for "Domain admins", which are inherited for every
objects
>> created, while sysvolreset is changing this to user:group ownership,
>> which is not inheritable, and removes the acls for "Domain
Admins".
>>
>> There are three permissions in play here, the normal Unix
'ugo', the EA
>> you are reading with setfacl and a further one that is set with the
>> Windows permissions. Can you try to read the latter with:
>>
>> samba-tool ntacl get <file> --as-sddl
>>
>> Where '<file>' is the directory or file
>>
>> For example, on my DC, this:
>>
>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>
>> Produces this:
>>
>>
O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>
>> Rowland
Hello,

Here are the? ntacls in sddl form :

### New GPO from Windows RSTAT tool, created by an user member of Doman 
Admins group :

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

New Folder created in explorer.exe :

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

New file :

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/logon.txt
O:BAG:DUD:AI(A;ID;FA;;;DA)(A;ID;FA;;;EA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;AU)(A;ID;0x1200a9;;;ED)

### After sysvolreset

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)

SSDL are exactly the same for? all files and folders after sysvolreset

New folder :

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2
O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;OICI;0x1200a9;;;ED)

New file :

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2.txt

O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(OA;;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;;0x1200a9;;;ED)

test2 and test2.txt acls's? are not readable in windows explorer, it 
just displays an error message.

setting back? ACLS to the original values (before sysvolreset) is 
working as expected :

# samba-tool ntacl set 
"O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)"
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test3
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

So the issue is definitely related to sysvolreset.

denis bonnenfant@sambaedu.org

2025-Feb-26 21:38 UTC

head link

[Samba] ACL problem after sysvolreset (possible bug ?)

Le 26/02/2025 ? 22:18, denis bonnenfant--- via samba a
?crit?:>
> Le 26/02/2025 ? 20:38, Rowland Penny via samba a ?crit?:
>> On Wed, 26 Feb 2025 18:57:13 +0100
>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>
>>> Hello,
>>>
>>> Summary :
>>>
>>> New gpo are created from windows with? explicit rwx user and group
>>> acls for "Domain admins", which are inherited for every
objects
>>> created, while sysvolreset is changing this to user:group
ownership,
>>> which is not inheritable, and removes the acls for "Domain
Admins".
>>>
>>> There are three permissions in play here, the normal Unix
'ugo', the EA
>>> you are reading with setfacl and a further one that is set with the
>>> Windows permissions. Can you try to read the latter with:
>>>
>>> samba-tool ntacl get <file> --as-sddl
>>>
>>> Where '<file>' is the directory or file
>>>
>>> For example, on my DC, this:
>>>
>>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>>
>>> Produces this:
>>>
>>>
O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>>
>>>
>>> Rowland
>
> Hello,
>
> Here are the? ntacls in sddl form :
>
>
> ### New GPO from Windows RSTAT tool, created by an user member of 
> Doman Admins group :
>
> # samba-tool ntacl get? --as-sddl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
>
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>
>
> New Folder created in explorer.exe :
>
> # samba-tool ntacl get? --as-sddl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test
>
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>
>
> New file :
>
> # samba-tool ntacl get? --as-sddl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/logon.txt
>
O:BAG:DUD:AI(A;ID;FA;;;DA)(A;ID;FA;;;EA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;AU)(A;ID;0x1200a9;;;ED)
>
>
> ### After sysvolreset
>
> # samba-tool ntacl get? --as-sddl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
>
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>
>
> SSDL are exactly the same for? all files and folders after sysvolreset
>
>
> New folder :
>
> # samba-tool ntacl get? --as-sddl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2
>
O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;OICI;0x1200a9;;;ED)
>
>
> New file :
>
> # samba-tool ntacl get? --as-sddl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2.txt
>
>
O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(OA;;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;;0x1200a9;;;ED)
>
>
> test2 and test2.txt acls's? are not readable in windows explorer, it 
> just displays an error message.
>
>
> setting back? ACLS to the original values (before sysvolreset) is 
> working as expected :
>
> # samba-tool ntacl set 
>
"O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)"
>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
>
>
> # samba-tool ntacl get? --as-sddl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
>
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>
>
> # samba-tool ntacl get? --as-sddl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test3
>
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>
>
>
> So the issue is definitely related to sysvolreset.
>
>
>
>
>In addition :


# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
ProvisioningError: DB ACL on GPO directory 
/var/lib/samba/sysvol/diderot.org/Policies/{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0}/User/Scripts/Logon/test3
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
does not match expected value 
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
from GPO object

Rowland Penny

2025-Feb-26 21:44 UTC

head link

[Samba] ACL problem after sysvolreset (possible bug ?)

On Wed, 26 Feb 2025 22:18:44 +0100
denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> 
> Le 26/02/2025 ? 20:38, Rowland Penny via samba a ?crit?:
> > On Wed, 26 Feb 2025 18:57:13 +0100
> > denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> >
> >> Hello,
> >>
> >> Summary :
> >>
> >> New gpo are created from windows with? explicit rwx user and group
> >> acls for "Domain admins", which are inherited for every
objects
> >> created, while sysvolreset is changing this to user:group
> >> ownership, which is not inheritable, and removes the acls for
> >> "Domain Admins".
> >>
> >> There are three permissions in play here, the normal Unix
'ugo',
> >> the EA you are reading with setfacl and a further one that is set
> >> with the Windows permissions. Can you try to read the latter with:
> >>
> >> samba-tool ntacl get <file> --as-sddl
> >>
> >> Where '<file>' is the directory or file
> >>
> >> For example, on my DC, this:
> >>
> >> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> >>
> >> Produces this:
> >>
> >>
O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
> >>
> >> Rowland
> 
> Hello,
> 
> Here are the? ntacls in sddl form :
> 
> 
> ### New GPO from Windows RSTAT tool, created by an user member of
> Doman Admins group :
> 
> # samba-tool ntacl get? --as-sddl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
>
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
> 
Let me examine these and get back to you.

Rowland

samba - Feb 2025 - ACL problem after sysvolreset (possible bug ?)

[Samba] ACL problem after sysvolreset (possible bug ?)

[Samba] ACL problem after sysvolreset (possible bug ?)

[Samba] ACL problem after sysvolreset (possible bug ?)