Rowland Penny
2025-Apr-14 13:14 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
On Mon, 14 Apr 2025 14:37:29 +0200
Klaas TJEBBES via samba <samba at lists.samba.org> wrote:

> Hi.
>
> To give more context.
>
> I have only one DC.

It is recommended to run more than one DC, just in case one fails.

> Apart from being member of Domain Admins, Administrator is not
> mapped with UID=0 (unix root), it is not mapped with any unix UID at
> all.

On a Samba AD DC it should be, on my DCs, 'id Administrator' returns:

uid=0(root) gid=100(users) groups=0(root),100(users),3000005(SAMDOM\group policy creator owners),3000001(SAMDOM\denied rodc password replication group),3000003(SAMDOM\schema admins),3000004(SAMDOM\enterprise admins),3000000(SAMDOM\domain admins),3000006(BUILTIN\users),3000002(BUILTIN\administrators)

I do not have 'idmap_ldb:use rfc2307 = yes' in smb.conf.

> # smb.conf :
>
> [global]
> realm = DOM.LAN
> workgroup = DOM
> netbios name = ADDC
> disable netbios = yes

On a DC that isn't enough.

> smb ports = 445
> map acl inherit = Yes
> store dos attributes = Yes
> winbind separator = /
> server role = active directory domain controller
> server services = -dns

To turn off the Netbios part of the samba daemon, you need:

server services = -dns -nbt

> tls enabled = yes
> tls keyfile = /var/lib/samba/private/tls/key.pem
> tls certfile = /var/lib/samba/private/tls/cert.pem
> tls cafile
> usershare max shares = 0
> restrict anonymous = 2
> interfaces = 192.168.0.30
>
> # Domain Admins has a GID

Sorry, but no it hasn't

> root at addc:~# id domain\ admins
> uid=3000004(DOM/domain admins) gid=3000004(DOM/domain admins)
> groupes=3000004(DOM/domain admins)

Those numbers in the '3000000' range are xidNumber attributes from
idmap.ldb (only found on Samba AD DCs).

> So after running 'samba-tool ntacl sysvolreset' I can no longer
> modify GPO from RSAT.

You should be able to.

> After a bit of digging, I came up with a solution
> that partially works :
>
> file=/home/sysvol/DOM.lan/Policies/
> chown -R DOM/domain\ admins ${file}
> chown -R DOM/domain\ admins ${file}
> setfacl -Rbk ${file}
> setfacl -Rm user::rwx ${file}
> setfacl -Rm user:NT\ Authority/system:rwx ${file}
> setfacl -Rm user:NT\ Authority/authenticated\ users:r-x ${file}
> setfacl -Rm user:DOM/enterprise\ admins:rwx ${file}
> setfacl -Rm user:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
> setfacl -Rm group::rwx ${file}
> setfacl -Rm group:NT\ Authority/system:rwx ${file}
> setfacl -Rm group:NT\ Authority/authenticated\ users:r-x ${file}
> setfacl -Rm group:DOM/domain\ admins:rwx ${file}
> setfacl -Rm group:DOM/enterprise\ admins:rwx ${file}
> setfacl -Rm group:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
> setfacl -Rm mask::rwx ${file}
> setfacl -Rm other::--- ${file}
> setfacl -Rdm user::rwx ${file}
> setfacl -Rdm user:NT\ Authority/system:rwx ${file}
> setfacl -Rdm user:NT\ Authority/authenticated\ users:r-x ${file}
> setfacl -Rdm user:DOM/domain\ admins:rwx ${file}
> setfacl -Rdm user:DOM/enterprise\ admins:rwx ${file}
> setfacl -Rdm user:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
> setfacl -Rdm group::--- ${file}
> setfacl -Rdm group:NT\ Authority/system:rwx ${file}
> setfacl -Rdm group:NT\ Authority/authenticated\ users:r-x ${file}
> setfacl -Rdm group:DOM/domain\ admins:rwx ${file}
> setfacl -Rdm group:DOM/enterprise\ admins:rwx ${file}
> setfacl -Rdm group:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
> setfacl -Rdm mask::rwx ${file}
> setfacl -Rdm other::--- ${file}

That is basically what sysvolreset does, but working on a different EA
and Samba sets the rest.

> I say "partially" because after running those commands, Windows RSAT
> tells me :
> "The permissions for this GPO in the SYSVOL folder are inconsistent
> with those in Active Directory. It is recommended that those
> permissions be consistent. To Change the SYSVOL permissions to those
> in Active Directory, Click OK.".

And it then does what sysvolreset does.

> After clicking OK and making a diff between before/after, I see no
> differences on ACLs (getfacl -R),

Well you wouldn't, you are looking at the wrong place and with the
wrong tool, try:

sudo samba-tool ntacl get /var/lib/samba/sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} --as-sddl

It should return something like this:

O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)

Long and short of it, I cannot recommend running only one DC and
setting permissions on sysvol in the way you are.

Rowland
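Rowland's point is that the NT ACL Samba enforces for SMB clients is read with `samba-tool ntacl get <path> --as-sddl`, not with getfacl. The following is an added example, not Samba code and not part of the thread: a small SDDL parser that takes the descriptor Rowland posted (SAMPLE_SDDL), prints each ACE in plain words, and flags the properties a GPO folder must keep (protected DACL, Domain Admins and SYSTEM with full control, Authenticated Users and Enterprise Domain Controllers read-only). The alias tables are the standard Windows SDDL two-letter codes; the GUID in the OA ACE is the Apply Group Policy extended right. The function names are mine.

```python
"""Parse the SDDL that 'samba-tool ntacl get <path> --as-sddl' prints for a
SYSVOL policy folder and check the properties a GPO folder needs.
Added example, not Samba code. SAMPLE_SDDL is the string from the thread."""
import re

SAMPLE_SDDL = ("O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
               "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
               "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
               "(A;OICI;0x1200a9;;;ED)")

# Well-known two-letter SID aliases that show up in SYSVOL descriptors.
SID_ALIASES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "CO": "Creator Owner",
    "SY": "Local System", "AU": "Authenticated Users", "WD": "Everyone",
    "AN": "Anonymous", "ED": "Enterprise Domain Controllers",
    "BA": "Builtin Administrators", "SO": "Server Operators",
}
# Access-right aliases: file-specific, generic and standard rights.
RIGHTS_ALIASES = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
}
FULL_CONTROL = 0x1F01FF
READ_EXECUTE = 0x1200A9            # the mask the AU and ED entries carry
# Any of these bits lets the holder change content, the ACL or the owner.
WRITE_BITS = (0x2 | 0x4 | 0x10 | 0x100 | 0x10000 | 0x40000 | 0x80000
              | 0x10000000 | 0x40000000)
APPLY_GROUP_POLICY = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"   # AD extended right


def parse_rights(text):
    """Rights field: empty, a hex mask, or concatenated two-letter aliases."""
    if not text:
        return 0
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError(f"malformed rights string {text!r}")
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHTS_ALIASES[text[i:i + 2]]   # KeyError on an unknown alias
    return mask


def parse_sddl(sddl):
    """Split the O:/G:/D:/S: sections and each DACL ACE into its ';' fields."""
    sections = {m.group(1): m.group(2)
                for m in re.finditer(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl)}
    dacl = sections.get("D", "")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        f = body.split(";")
        if len(f) < 6:
            raise ValueError(f"malformed ACE {body!r}")
        aces.append({"type": f[0],
                     "flags": [f[1][i:i + 2] for i in range(0, len(f[1]), 2)],
                     "mask": parse_rights(f[2]), "object": f[3], "sid": f[5]})
    return {"owner": sections.get("O"), "group": sections.get("G"),
            "dacl_flags": dacl.split("(", 1)[0], "aces": aces}


def describe(sddl):
    """One readable line per ACE, e.g. 'Allow Domain Admins: full control [OI,CI]'."""
    lines = []
    for ace in parse_sddl(sddl)["aces"]:
        who = SID_ALIASES.get(ace["sid"], ace["sid"])
        if ace["type"] == "OA" and ace["object"] == APPLY_GROUP_POLICY:
            what = "Apply Group Policy"
        elif (ace["mask"] & FULL_CONTROL) == FULL_CONTROL:
            what = "full control"
        elif ace["mask"] == READ_EXECUTE:
            what = "read and execute"
        else:
            what = f"0x{ace['mask']:x}"
        verb = {"A": "Allow", "OA": "Allow", "D": "Deny", "OD": "Deny"}.get(ace["type"], ace["type"])
        lines.append(f"{verb} {who}: {what} [{','.join(ace['flags'])}]")
    return lines


def check_gpo_dacl(sddl):
    """Return findings; an empty list means the descriptor looks like a healthy GPO folder."""
    sd = parse_sddl(sddl)
    issues = []
    if "P" not in sd["dacl_flags"]:
        issues.append("DACL is not protected: inherited ACEs from the parent could change it")
    allowed = {}                      # SID alias -> union of allowed masks
    for ace in sd["aces"]:
        if ace["type"] in ("A", "OA"):
            allowed[ace["sid"]] = allowed.get(ace["sid"], 0) | ace["mask"]
    for sid in ("DA", "SY"):
        if (allowed.get(sid, 0) & FULL_CONTROL) != FULL_CONTROL:
            issues.append(f"{SID_ALIASES[sid]} lacks full control")
    if (allowed.get("AU", 0) & READ_EXECUTE) != READ_EXECUTE:
        issues.append("Authenticated Users cannot read the policy, clients would fail to apply it")
    for sid in ("AU", "ED", "WD", "AN"):
        if allowed.get(sid, 0) & WRITE_BITS:
            issues.append(f"{SID_ALIASES[sid]} is granted write access")
    for ace in sd["aces"]:
        if ace["type"] in ("D", "OD") and ace["sid"] in ("DA", "SY"):
            issues.append(f"Deny ACE on {SID_ALIASES[ace['sid']]}")
    return issues


if __name__ == "__main__":
    for line in describe(SAMPLE_SDDL):
        print(line)
    print("findings:", check_gpo_dacl(SAMPLE_SDDL) or "none")
```

Run against Rowland's descriptor it reports no findings; feed it the output of `samba-tool ntacl get ... --as-sddl` for each folder under Policies and any folder where Authenticated Users or Enterprise Domain Controllers picked up write bits, or where the P flag is gone, is listed.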
Klaas TJEBBES
2025-Apr-14 14:05 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
This example I gave is from a test server. A simple setup with 1 DC, 1
fileserver and 2 Windows clients.
Setting access rights with setfacl was just to try to understand what
the problem was. I should have presented the problem differently, like this:
I create a GPO in RSAT. At that point, rights on the GPO are OK, I can
modify it without problems.
I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively.
I run 'samba-tool ntacl sysvolreset'. At that point, the problem occurs, the GPO
can no longer be modified.
I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively again.
The diffs between ACLs and ATTRs before/after are:
############ ACLs ##################
# BEFORE samba-tool ntacl sysvolreset
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
# owner: BUILTIN/administrators
# group: users
user::rwx
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
user:DOM/domain\040admins:rwx
user:DOM/enterprise\040admins:rwx
user:NT\040Authority/enterprise\040domain\040controllers:r-x
group::---
group:users:---
group:BUILTIN/administrators:rwx
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
group:DOM/domain\040admins:rwx
group:DOM/enterprise\040admins:rwx
group:NT\040Authority/enterprise\040domain\040controllers:r-x
mask::rwx
other::---
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
# owner: BUILTIN/administrators
# group: users
user::rwx
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
user:DOM/domain\040admins:rwx
user:DOM/enterprise\040admins:rwx
user:NT\040Authority/enterprise\040domain\040controllers:r-x
group::---
group:users:---
group:BUILTIN/administrators:rwx
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
group:DOM/domain\040admins:rwx
group:DOM/enterprise\040admins:rwx
group:NT\040Authority/enterprise\040domain\040controllers:r-x
mask::rwx
other::---
default:user::rwx
default:user:BUILTIN/administrators:rwx
default:user:NT\040Authority/system:rwx
default:user:NT\040Authority/authenticated\040users:r-x
default:user:DOM/domain\040admins:rwx
default:user:DOM/enterprise\040admins:rwx
default:user:NT\040Authority/enterprise\040domain\040controllers:r-x
default:group::---
default:group:users:---
default:group:NT\040Authority/system:rwx
default:group:NT\040Authority/authenticated\040users:r-x
default:group:DOM/domain\040admins:rwx
default:group:DOM/enterprise\040admins:rwx
default:group:NT\040Authority/enterprise\040domain\040controllers:r-x
default:mask::rwx
default:other::---
# AFTER samba-tool ntacl sysvolreset
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
# owner: DOM/domain\040admins
# group: DOM/domain\040admins
user::rwx
user:root:rwx
user:BUILTIN/administrators:rwx
user:BUILTIN/server\040operators:r-x
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
group::rwx
group:BUILTIN/administrators:rwx
group:BUILTIN/server\040operators:r-x
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
mask::rwx
other::---
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
# owner: DOM/domain\040admins
# group: DOM/domain\040admins
user::rwx
user:root:rwx
user:BUILTIN/administrators:rwx
user:BUILTIN/server\040operators:r-x
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
group::rwx
group:BUILTIN/administrators:rwx
group:BUILTIN/server\040operators:r-x
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN/administrators:rwx
default:user:BUILTIN/server\040operators:r-x
default:user:NT\040Authority/system:rwx
default:user:NT\040Authority/authenticated\040users:r-x
default:group::---
default:group:BUILTIN/administrators:rwx
default:group:BUILTIN/server\040operators:r-x
default:group:NT\040Authority/system:rwx
default:group:NT\040Authority/authenticated\040users:r-x
default:mask::rwx
default:other::---
######### ATTRs ########
# BEFORE samba-tool ntacl sysvolreset
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
user.DOSATTRIB=0sAAAFAAUAAAARAAAAIAAAABGDjqdErdsB
user.SAMBA_PAI=0sAgSADwAAAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAA=
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
user.DOSATTRIB=0sAAAFAAUAAAARAAAAEAAAAHJtj6dErdsB
user.SAMBA_PAI=0sAgSADwAPAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAAABZAAAAAAAwMYtAAAC/////wABZAAAAAMAxMYtAAMBxMYtAAMAx8YtAAMBx8YtAAsAwMYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAAMA3MYtAAMB3MYtAA=
# AFTER samba-tool ntacl sysvolreset
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
user.SAMBA_PAI=0sAhSQDAAAAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
user.SAMBA_PAI=0sAhSQDAAMAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAAAwMYtAAABwMYtAAAAwcYtAAABwcYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAAAAAAAAAC/////wABwMYtAAAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=
What do you think about this?
On 14/04/2025 at 15:14, Rowland Penny via samba wrote:
> On Mon, 14 Apr 2025 14:37:29 +0200
> Klaas TJEBBES via samba <samba at lists.samba.org> wrote:
>
>> Hi.
>>
>> To give more context.
>>
>> I have only one DC.
>
> It is recommended to run more than one DC, just in case one fails.
>
>>
>> Apart from being member of Domain Admins, Administrator is not
>> mapped with UID=0 (unix root), it is not mapped with any unix UID at
>> all.
>
> On a Samba AD DC it should be, on my DCs, 'id Administrator'
> returns:
>
> uid=0(root) gid=100(users) groups=0(root),100(users),3000005(SAMDOM\group policy creator owners),3000001(SAMDOM\denied rodc password replication group),3000003(SAMDOM\schema admins),3000004(SAMDOM\enterprise admins),3000000(SAMDOM\domain admins),3000006(BUILTIN\users),3000002(BUILTIN\administrators)
>
> I do not have 'idmap_ldb:use rfc2307 = yes' in smb.conf.
>
>>
>> # smb.conf :
>>
>> [global]
>> realm = DOM.LAN
>> workgroup = DOM
>> netbios name = ADDC
>> disable netbios = yes
>
> On a DC that isn't enough.
>
>> smb ports = 445
>> map acl inherit = Yes
>> store dos attributes = Yes
>> winbind separator = /
>> server role = active directory domain controller
>> server services = -dns
>
> To turn off the Netbios part of the samba daemon, you need:
>
> server services = -dns -nbt
>
>> tls enabled = yes
>> tls keyfile = /var/lib/samba/private/tls/key.pem
>> tls certfile = /var/lib/samba/private/tls/cert.pem
>> tls cafile
>> usershare max shares = 0
>> restrict anonymous = 2
>> interfaces = 192.168.0.30
>>
>> # Domain Admins has a GID
>
> Sorry, but no it hasn't
>
>> root at addc:~# id domain\ admins
>> uid=3000004(DOM/domain admins) gid=3000004(DOM/domain admins)
>> groupes=3000004(DOM/domain admins)
>
> Those numbers in the '3000000' range are xidNumber attributes from
> idmap.ldb (only found on Samba AD DCs).
>
>>
>> So after running 'samba-tool ntacl sysvolreset' I can no longer
>> modify GPO from RSAT.
>
> You should be able to.
>
>> After a bit of digging, I came up with a solution
>> that partially works :
>>
>>
>> file=/home/sysvol/DOM.lan/Policies/
>> chown -R DOM/domain\ admins ${file}
>> chown -R DOM/domain\ admins ${file}
>> setfacl -Rbk ${file}
>> setfacl -Rm user::rwx ${file}
>> setfacl -Rm user:NT\ Authority/system:rwx ${file}
>> setfacl -Rm user:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rm user:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rm user:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rm group::rwx ${file}
>> setfacl -Rm group:NT\ Authority/system:rwx ${file}
>> setfacl -Rm group:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rm group:DOM/domain\ admins:rwx ${file}
>> setfacl -Rm group:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rm group:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rm mask::rwx ${file}
>> setfacl -Rm other::--- ${file}
>> setfacl -Rdm user::rwx ${file}
>> setfacl -Rdm user:NT\ Authority/system:rwx ${file}
>> setfacl -Rdm user:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rdm user:DOM/domain\ admins:rwx ${file}
>> setfacl -Rdm user:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rdm user:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rdm group::--- ${file}
>> setfacl -Rdm group:NT\ Authority/system:rwx ${file}
>> setfacl -Rdm group:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rdm group:DOM/domain\ admins:rwx ${file}
>> setfacl -Rdm group:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rdm group:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rdm mask::rwx ${file}
>> setfacl -Rdm other::--- ${file}
>
> That is basically what sysvolreset does, but working on a different EA
> and Samba sets the rest.
>
>>
>>
>> I say "partially" because after running those commands, Windows RSAT
>> tells me :
>> "The permissions for this GPO in the SYSVOL folder are inconsistent
>> with those in Active Directory. It is recommended that those
>> permissions be consistent. To Change the SYSVOL permissions to those
>> in Active Directory, Click OK.".
>
> And it then does what sysvolreset does.
>
>>
>> After clicking OK and making a diff between before/after, I see no
>> differences on ACLs (getfacl -R),
>
> Well you wouldn't, you are looking at the wrong place and with the
> wrong tool, try:
>
> sudo samba-tool ntacl get /var/lib/samba/sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} --as-sddl
>
> It should return something like this:
>
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>
> Long and short of it, I cannot recommend running only one DC and
> setting permissions on sysvol in the way you are.
>
> Rowland
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Klaas TJEBBES
- Pôle Logiciel Libre (EOLE)
- DSI
- Dijon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
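Klaas compared the getfacl -R dumps by eye. The following is an added example, not from the thread and not Samba code: a small differ for two getfacl dumps that reports, per file, owner and group changes, entries added and removed, and which principals gained or lost write permission once the ACL mask is applied. The sample dumps are the GPT.INI entries posted above, before and after sysvolreset; the `\040` sequences are getfacl's octal escape for the space character. Keep in mind Rowland's point: this is the POSIX view only, and the NT ACL Samba enforces for SMB clients is read with `samba-tool ntacl get --as-sddl`. The function names are mine.

```python
"""Diff two 'getfacl -R' dumps file by file and list who holds write access.
Added example, not from the thread or Samba. BEFORE/AFTER are the GPT.INI
entries posted in the thread, before and after 'samba-tool ntacl sysvolreset'."""
import re

BEFORE = r"""
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
# owner: BUILTIN/administrators
# group: users
user::rwx
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
user:DOM/domain\040admins:rwx
user:DOM/enterprise\040admins:rwx
user:NT\040Authority/enterprise\040domain\040controllers:r-x
group::---
group:users:---
group:BUILTIN/administrators:rwx
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
group:DOM/domain\040admins:rwx
group:DOM/enterprise\040admins:rwx
group:NT\040Authority/enterprise\040domain\040controllers:r-x
mask::rwx
other::---
"""
AFTER = r"""
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
# owner: DOM/domain\040admins
# group: DOM/domain\040admins
user::rwx
user:root:rwx
user:BUILTIN/administrators:rwx
user:BUILTIN/server\040operators:r-x
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
group::rwx
group:BUILTIN/administrators:rwx
group:BUILTIN/server\040operators:r-x
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
mask::rwx
other::---
"""


def unescape(s):
    """getfacl writes non-printable bytes (here the space) as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_getfacl(text):
    """Return {path: {'owner': ..., 'group': ..., 'entries': set of ACL lines}}."""
    files, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file:"):
            cur = {"owner": None, "group": None, "entries": set()}
            files[unescape(line[len("# file:"):].strip())] = cur
        elif line.startswith("# owner:"):
            cur["owner"] = unescape(line[len("# owner:"):].strip())
        elif line.startswith("# group:"):
            cur["group"] = unescape(line[len("# group:"):].strip())
        elif line.startswith("#"):        # e.g. '# flags:' for setuid/setgid bits
            continue
        else:
            cur["entries"].add(unescape(line))
    return files


def _masked(perms, mask):
    """Apply the ACL mask: a permission survives only if set in both strings."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask))


def writers(acl):
    """Principals whose access entries include 'w' after the mask. The owner
    entry (user::) is never masked; group:: resolves to the owning group;
    default: entries only affect new children and are ignored here."""
    mask = "rwx"
    for e in acl["entries"]:
        if e.startswith("mask::"):
            mask = e.split(":")[2]
    out = set()
    for e in acl["entries"]:
        if e.startswith("default:"):
            continue
        kind, name, perms = e.split(":", 2)
        if kind == "user" and name == "":
            who, eff = acl["owner"], perms
        elif kind == "group" and name == "":
            who, eff = acl["group"], _masked(perms, mask)
        elif kind in ("user", "group"):
            who, eff = name, _masked(perms, mask)
        else:                               # mask:: and other:: entries
            continue
        if "w" in eff:
            out.add(who)
    return out


def diff_acls(before_text, after_text):
    """Per-path report: owner/group change, entries added/removed, write changes."""
    b, a = parse_getfacl(before_text), parse_getfacl(after_text)
    report = {}
    for path in sorted(set(b) | set(a)):
        if path not in b or path not in a:
            report[path] = {"status": "added" if path not in b else "removed"}
            continue
        x, y = b[path], a[path]
        report[path] = {
            "owner": None if x["owner"] == y["owner"] else (x["owner"], y["owner"]),
            "group": None if x["group"] == y["group"] else (x["group"], y["group"]),
            "removed": sorted(x["entries"] - y["entries"]),
            "added": sorted(y["entries"] - x["entries"]),
            "lost_write": sorted(writers(x) - writers(y)),
            "gained_write": sorted(writers(y) - writers(x)),
        }
    return report


if __name__ == "__main__":
    for path, r in diff_acls(BEFORE, AFTER).items():
        print(path)
        for key, val in r.items():
            if val:
                print(f"  {key}: {val}")
```

On the posted data the report shows the owner moving from BUILTIN/administrators to DOM/domain admins, the named Domain Admins entries disappearing (they become the owner and owning group instead), Enterprise Admins losing write and root gaining it. Write access for Domain Admins is therefore still there in the POSIX ACL, which is why getfacl alone cannot explain the RSAT "access denied".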