Klaas TJEBBES
2025-Apr-14 14:05 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
This example I gave is from a test server. A simple setup with 1 DC, 1 fileserver and 2 Windows clients.

Setting access rights with setfacl was just to try to understand what the problem was. I should have presented the problem otherwise, like this:

I create a GPO in RSAT. At that point, rights on GPO are OK, I can modify it, no problems.
I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively.
I run 'samba-tool ntacl sysvolreset'. At that point, the problem occurs, the GPO can no longer be modified.
I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively again.

The diffs between ACLs and ATTRs before/after are:

############ ACLs ##################

# BEFORE samba-tool ntacl sysvolreset

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
# owner: BUILTIN/administrators
# group: users
user::rwx
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
user:DOM/domain\040admins:rwx
user:DOM/enterprise\040admins:rwx
user:NT\040Authority/enterprise\040domain\040controllers:r-x
group::---
group:users:---
group:BUILTIN/administrators:rwx
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
group:DOM/domain\040admins:rwx
group:DOM/enterprise\040admins:rwx
group:NT\040Authority/enterprise\040domain\040controllers:r-x
mask::rwx
other::---

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
# owner: BUILTIN/administrators
# group: users
user::rwx
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
user:DOM/domain\040admins:rwx
user:DOM/enterprise\040admins:rwx
user:NT\040Authority/enterprise\040domain\040controllers:r-x
group::---
group:users:---
group:BUILTIN/administrators:rwx
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
group:DOM/domain\040admins:rwx
group:DOM/enterprise\040admins:rwx
group:NT\040Authority/enterprise\040domain\040controllers:r-x
mask::rwx
other::---
default:user::rwx
default:user:BUILTIN/administrators:rwx
default:user:NT\040Authority/system:rwx
default:user:NT\040Authority/authenticated\040users:r-x
default:user:DOM/domain\040admins:rwx
default:user:DOM/enterprise\040admins:rwx
default:user:NT\040Authority/enterprise\040domain\040controllers:r-x
default:group::---
default:group:users:---
default:group:NT\040Authority/system:rwx
default:group:NT\040Authority/authenticated\040users:r-x
default:group:DOM/domain\040admins:rwx
default:group:DOM/enterprise\040admins:rwx
default:group:NT\040Authority/enterprise\040domain\040controllers:r-x
default:mask::rwx
default:other::---

# AFTER samba-tool ntacl sysvolreset

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
# owner: DOM/domain\040admins
# group: DOM/domain\040admins
user::rwx
user:root:rwx
user:BUILTIN/administrators:rwx
user:BUILTIN/server\040operators:r-x
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
group::rwx
group:BUILTIN/administrators:rwx
group:BUILTIN/server\040operators:r-x
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
mask::rwx
other::---

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
# owner: DOM/domain\040admins
# group: DOM/domain\040admins
user::rwx
user:root:rwx
user:BUILTIN/administrators:rwx
user:BUILTIN/server\040operators:r-x
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
group::rwx
group:BUILTIN/administrators:rwx
group:BUILTIN/server\040operators:r-x
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN/administrators:rwx
default:user:BUILTIN/server\040operators:r-x
default:user:NT\040Authority/system:rwx
default:user:NT\040Authority/authenticated\040users:r-x
default:group::---
default:group:BUILTIN/administrators:rwx
default:group:BUILTIN/server\040operators:r-x
default:group:NT\040Authority/system:rwx
default:group:NT\040Authority/authenticated\040users:r-x
default:mask::rwx
default:other::---

######### ATTRs ########

# BEFORE samba-tool ntacl sysvolreset

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
user.DOSATTRIB=0sAAAFAAUAAAARAAAAIAAAABGDjqdErdsB
user.SAMBA_PAI=0sAgSADwAAAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAA=

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
user.DOSATTRIB=0sAAAFAAUAAAARAAAAEAAAAHJtj6dErdsB
user.SAMBA_PAI=0sAgSADwAPAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAAABZAAAAAAAwMYtAAAC/////wABZAAAAAMAxMYtAAMBxMYtAAMAx8YtAAMBx8YtAAsAwMYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAAMA3MYtAAMB3MYtAA=

# AFTER samba-tool ntacl sysvolreset

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
user.SAMBA_PAI=0sAhSQDAAAAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=

# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
user.SAMBA_PAI=0sAhSQDAAMAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAAAwMYtAAABwMYtAAAAwcYtAAABwcYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAAAAAAAAAC/////wABwMYtAAAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=

What do you think about this?

On 14/04/2025 at 15:14, Rowland Penny via samba wrote:
> On Mon, 14 Apr 2025 14:37:29 +0200
> Klaas TJEBBES via samba <samba at lists.samba.org> wrote:
>
>> Hi.
>>
>> To give more context.
>>
>> I have only one DC.
>
> It is recommended to run more than one DC, just in case one fails.
>
>> Apart from being a member of Domain Admins, Administrator is not
>> mapped with UID=0 (unix root), it is not mapped with any unix UID at
>> all.
>
> On a Samba AD DC it should be, on my DCs, 'id Administrator' returns:
>
> uid=0(root) gid=100(users) groups=0(root),100(users),3000005(SAMDOM\group policy creator owners),3000001(SAMDOM\denied rodc password replication group),3000003(SAMDOM\schema admins),3000004(SAMDOM\enterprise admins),3000000(SAMDOM\domain admins),3000006(BUILTIN\users),3000002(BUILTIN\administrators)
>
> I do not have 'idmap_ldb:use rfc2307 = yes' in smb.conf.
>
>> # smb.conf :
>>
>> [global]
>> realm = DOM.LAN
>> workgroup = DOM
>> netbios name = ADDC
>> disable netbios = yes
>
> On a DC that isn't enough.
>
>> smb ports = 445
>> map acl inherit = Yes
>> store dos attributes = Yes
>> winbind separator = /
>> server role = active directory domain controller
>> server services = -dns
>
> To turn off the Netbios part of the samba daemon, you need:
>
> server services = -dns -nbt
>
>> tls enabled = yes
>> tls keyfile = /var/lib/samba/private/tls/key.pem
>> tls certfile = /var/lib/samba/private/tls/cert.pem
>> tls cafile
>> usershare max shares = 0
>> restrict anonymous = 2
>> interfaces = 192.168.0.30
>>
>> # Domain Admins has a GID
>
> Sorry, but no it hasn't
>
>> root at addc:~# id domain\ admins
>> uid=3000004(DOM/domain admins) gid=3000004(DOM/domain admins)
>> groupes=3000004(DOM/domain admins)
>
> Those numbers in the '3000000' range are xidNumber attributes from
> idmap.ldb (only found on Samba AD DCs).
>
>> So after running 'samba-tool ntacl sysvolreset' I can no longer
>> modify the GPO from RSAT.
>
> You should be able to.
>
>> After a bit of digging, I came up with a solution
>> that partially works:
>>
>> file=/home/sysvol/DOM.lan/Policies/
>> chown -R DOM/domain\ admins ${file}
>> chown -R DOM/domain\ admins ${file}
>> setfacl -Rbk ${file}
>> setfacl -Rm user::rwx ${file}
>> setfacl -Rm user:NT\ Authority/system:rwx ${file}
>> setfacl -Rm user:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rm user:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rm user:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rm group::rwx ${file}
>> setfacl -Rm group:NT\ Authority/system:rwx ${file}
>> setfacl -Rm group:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rm group:DOM/domain\ admins:rwx ${file}
>> setfacl -Rm group:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rm group:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rm mask::rwx ${file}
>> setfacl -Rm other::--- ${file}
>> setfacl -Rdm user::rwx ${file}
>> setfacl -Rdm user:NT\ Authority/system:rwx ${file}
>> setfacl -Rdm user:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rdm user:DOM/domain\ admins:rwx ${file}
>> setfacl -Rdm user:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rdm user:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rdm group::--- ${file}
>> setfacl -Rdm group:NT\ Authority/system:rwx ${file}
>> setfacl -Rdm group:NT\ Authority/authenticated\ users:r-x ${file}
>> setfacl -Rdm group:DOM/domain\ admins:rwx ${file}
>> setfacl -Rdm group:DOM/enterprise\ admins:rwx ${file}
>> setfacl -Rdm group:NT\ Authority/enterprise\ domain\ controllers:r-x ${file}
>> setfacl -Rdm mask::rwx ${file}
>> setfacl -Rdm other::--- ${file}
>
> That is basically what sysvolreset does, but working on a different EA
> and Samba sets the rest.
>
>> I say "partially" because after running those commands, Windows RSAT
>> tells me:
>> "The permissions for this GPO in the SYSVOL folder are inconsistent
>> with those in Active Directory. It is recommended that those
>> permissions be consistent. To change the SYSVOL permissions to those
>> in Active Directory, click OK."
>
> And it then does what sysvolreset does.
>
>> After clicking OK and making a diff between before/after, I see no
>> differences on ACLs (getfacl -R),
>
> Well you wouldn't, you are looking at the wrong place and with the
> wrong tool, try:
>
> sudo samba-tool ntacl get /var/lib/samba/sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} --as-sddl
>
> It should return something like this:
>
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>
> Long and short of it, I cannot recommend running only one DC and
> setting permissions on sysvol in the way you are.
>
> Rowland

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Klaas TJEBBES
- Pôle Logiciel Libre (EOLE)
- DSI - Dijon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
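The before/after getfacl listings above are long enough that the actual change is hard to see by eye. The following script is an added example (not code from either poster or from Samba): it parses two getfacl -R dumps and reports, per path, the owner/group change and the POSIX ACL entries that disappeared and appeared. The embedded sample is the GPT.INI listing from the post, before and after 'samba-tool ntacl sysvolreset'; the only format assumption is the standard getfacl output, in which spaces in names are escaped as \040.

```python
"""Diff two 'getfacl -R' dumps entry by entry.

Added example for this thread (not Samba code): the sample below is the
GPT.INI listing from the post, before and after 'samba-tool ntacl
sysvolreset', embedded so the script runs offline. It reads the standard
getfacl format, in which spaces in names are escaped as '\\040'.
"""

# Raw strings so the literal '\040' escapes getfacl prints survive.
BEFORE = r"""
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
# owner: BUILTIN/administrators
# group: users
user::rwx
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
user:DOM/domain\040admins:rwx
user:DOM/enterprise\040admins:rwx
user:NT\040Authority/enterprise\040domain\040controllers:r-x
group::---
group:users:---
group:BUILTIN/administrators:rwx
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
group:DOM/domain\040admins:rwx
group:DOM/enterprise\040admins:rwx
group:NT\040Authority/enterprise\040domain\040controllers:r-x
mask::rwx
other::---
"""

AFTER = r"""
# file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
# owner: DOM/domain\040admins
# group: DOM/domain\040admins
user::rwx
user:root:rwx
user:BUILTIN/administrators:rwx
user:BUILTIN/server\040operators:r-x
user:NT\040Authority/system:rwx
user:NT\040Authority/authenticated\040users:r-x
group::rwx
group:BUILTIN/administrators:rwx
group:BUILTIN/server\040operators:r-x
group:NT\040Authority/system:rwx
group:NT\040Authority/authenticated\040users:r-x
mask::rwx
other::---
"""


def _unescape(name):
    """getfacl writes spaces in user/group names as the octal escape \\040."""
    return name.replace("\\040", " ")


def parse_getfacl(text):
    """Return {path: {"owner": str, "group": str, "entries": set(str)}}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# file:"):
            current = line.split(":", 1)[1].strip()
            acls[current] = {"owner": None, "group": None, "entries": set()}
        elif current is None:
            continue  # text before the first '# file:' header
        elif line.startswith("# owner:"):
            acls[current]["owner"] = _unescape(line.split(":", 1)[1].strip())
        elif line.startswith("# group:"):
            acls[current]["group"] = _unescape(line.split(":", 1)[1].strip())
        elif line.startswith("#"):
            continue  # other comments, e.g. '# flags:'
        else:
            acls[current]["entries"].add(_unescape(line))
    return acls


def diff_acls(before_text, after_text):
    """Per path: (old, new) for owner/group when changed, else None, plus
    the ACL entries that disappeared ('removed') and appeared ('added')."""
    before, after = parse_getfacl(before_text), parse_getfacl(after_text)
    empty = {"owner": None, "group": None, "entries": set()}
    report = {}
    for path in sorted(set(before) | set(after)):
        b, a = before.get(path, empty), after.get(path, empty)
        report[path] = {
            "owner": None if b["owner"] == a["owner"] else (b["owner"], a["owner"]),
            "group": None if b["group"] == a["group"] else (b["group"], a["group"]),
            "removed": sorted(b["entries"] - a["entries"]),
            "added": sorted(a["entries"] - b["entries"]),
        }
    return report


if __name__ == "__main__":
    for path, d in diff_acls(BEFORE, AFTER).items():
        print(path, "owner:", d["owner"], "group:", d["group"])
        print("  removed:", *d["removed"], sep="\n    ")
        print("  added:", *d["added"], sep="\n    ")
```

On the sample it shows that sysvolreset moved ownership from BUILTIN/administrators to Domain Admins, dropped the explicit Domain Admins, Enterprise Admins and Enterprise Domain Controllers entries, and added root, BUILTIN/administrators and Server Operators. Domain Admins keep rwx through the new owning group (group::rwx), which is why Rowland's advice to read the NT ACL with samba-tool rather than the POSIX view is the right next step.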
Rowland Penny
2025-Apr-14 14:38 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
On Mon, 14 Apr 2025 16:05:53 +0200
Klaas TJEBBES via samba <samba at lists.samba.org> wrote:

> This example I gave is from a test server. A simple setup with 1 DC,
> 1 fileserver and 2 Windows clients.
>
> Setting access rights with setfacl was just to try to understand what
> the problem was. I should have presented the problem otherwise, like
> this:
>
> I create a GPO in RSAT. At that point, rights on GPO are OK, I can
> modify it, no problems.
> I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively.
> I run 'samba-tool ntacl sysvolreset'. At that point, the problem occurs,
> the GPO can no longer be modified.
> I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively again.
>
> The diffs between ACLs and ATTRs before/after are:
>
> ############ ACLs ##################
>
> # BEFORE samba-tool ntacl sysvolreset
>
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
> # owner: BUILTIN/administrators
> # group: users
> user::rwx
> user:NT\040Authority/system:rwx
> user:NT\040Authority/authenticated\040users:r-x
> user:DOM/domain\040admins:rwx
> user:DOM/enterprise\040admins:rwx
> user:NT\040Authority/enterprise\040domain\040controllers:r-x
> group::---
> group:users:---
> group:BUILTIN/administrators:rwx
> group:NT\040Authority/system:rwx
> group:NT\040Authority/authenticated\040users:r-x
> group:DOM/domain\040admins:rwx
> group:DOM/enterprise\040admins:rwx
> group:NT\040Authority/enterprise\040domain\040controllers:r-x
> mask::rwx
> other::---
>
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
> # owner: BUILTIN/administrators
> # group: users
> user::rwx
> user:NT\040Authority/system:rwx
> user:NT\040Authority/authenticated\040users:r-x
> user:DOM/domain\040admins:rwx
> user:DOM/enterprise\040admins:rwx
> user:NT\040Authority/enterprise\040domain\040controllers:r-x
> group::---
> group:users:---
> group:BUILTIN/administrators:rwx
> group:NT\040Authority/system:rwx
> group:NT\040Authority/authenticated\040users:r-x
> group:DOM/domain\040admins:rwx
> group:DOM/enterprise\040admins:rwx
> group:NT\040Authority/enterprise\040domain\040controllers:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:BUILTIN/administrators:rwx
> default:user:NT\040Authority/system:rwx
> default:user:NT\040Authority/authenticated\040users:r-x
> default:user:DOM/domain\040admins:rwx
> default:user:DOM/enterprise\040admins:rwx
> default:user:NT\040Authority/enterprise\040domain\040controllers:r-x
> default:group::---
> default:group:users:---
> default:group:NT\040Authority/system:rwx
> default:group:NT\040Authority/authenticated\040users:r-x
> default:group:DOM/domain\040admins:rwx
> default:group:DOM/enterprise\040admins:rwx
> default:group:NT\040Authority/enterprise\040domain\040controllers:r-x
> default:mask::rwx
> default:other::---
>
> # AFTER samba-tool ntacl sysvolreset
>
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
> # owner: DOM/domain\040admins
> # group: DOM/domain\040admins
> user::rwx
> user:root:rwx
> user:BUILTIN/administrators:rwx
> user:BUILTIN/server\040operators:r-x
> user:NT\040Authority/system:rwx
> user:NT\040Authority/authenticated\040users:r-x
> group::rwx
> group:BUILTIN/administrators:rwx
> group:BUILTIN/server\040operators:r-x
> group:NT\040Authority/system:rwx
> group:NT\040Authority/authenticated\040users:r-x
> mask::rwx
> other::---
>
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
> # owner: DOM/domain\040admins
> # group: DOM/domain\040admins
> user::rwx
> user:root:rwx
> user:BUILTIN/administrators:rwx
> user:BUILTIN/server\040operators:r-x
> user:NT\040Authority/system:rwx
> user:NT\040Authority/authenticated\040users:r-x
> group::rwx
> group:BUILTIN/administrators:rwx
> group:BUILTIN/server\040operators:r-x
> group:NT\040Authority/system:rwx
> group:NT\040Authority/authenticated\040users:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:BUILTIN/administrators:rwx
> default:user:BUILTIN/server\040operators:r-x
> default:user:NT\040Authority/system:rwx
> default:user:NT\040Authority/authenticated\040users:r-x
> default:group::---
> default:group:BUILTIN/administrators:rwx
> default:group:BUILTIN/server\040operators:r-x
> default:group:NT\040Authority/system:rwx
> default:group:NT\040Authority/authenticated\040users:r-x
> default:mask::rwx
> default:other::---
>
> ######### ATTRs ########
>
> # BEFORE samba-tool ntacl sysvolreset
>
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
> user.DOSATTRIB=0sAAAFAAUAAAARAAAAIAAAABGDjqdErdsB
> user.SAMBA_PAI=0sAgSADwAAAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAA=
>
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
> user.DOSATTRIB=0sAAAFAAUAAAARAAAAEAAAAHJtj6dErdsB
> user.SAMBA_PAI=0sAgSADwAPAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAAABZAAAAAAAwMYtAAAC/////wABZAAAAAMAxMYtAAMBxMYtAAMAx8YtAAMBx8YtAAsAwMYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAAMA3MYtAAMB3MYtAA=
>
> # AFTER samba-tool ntacl sysvolreset
>
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
> user.SAMBA_PAI=0sAhSQDAAAAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=
>
> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
> user.SAMBA_PAI=0sAhSQDAAMAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAAAwMYtAAABwMYtAAAAwcYtAAABwcYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAAAAAAAAAC/////wABwMYtAAAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=
>
> What do you think about this?

Sorry, but I am not going to wade through that. Sysvol contains files and directories to be used by Windows GPOs and as such your output is meaningless to me. I do not really understand the output from 'SAMBA_PAI', whereas the output from 'samba-tool ntacl get <FILE> --as-sddl' is easily understood.

From what I posted earlier:

O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)

That shows the permissions in a form that Windows expects: the start 'O:DAG:DA' shows that the owner is 'DA' and the group is 'DA' (DA being Domain Admins), and everything inside each '(....)' is called an ACE, and you can easily work out what each ACE allows and to whom.

I repeat, I cannot recommend setting the permissions on sysvol in the way you are doing it; use sysvolreset and samba-tool to read them.

Rowland
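Rowland's point is that the SDDL string is the authoritative view of what Samba will enforce over SMB, so being able to read it matters more than the POSIX ACL. The decoder below is an added example (not Samba code and not from either poster): it splits an SDDL string into owner, group, DACL control flags and ACEs, expands the two-letter SID aliases, the inheritance flags and the access mask into names, and is run against the GPO descriptor Rowland posted. The alias, flag and access-mask tables are the standard SDDL / winnt.h definitions; the one GUID in the table is the AD "Apply Group Policy" control-access right, which Windows writes into the file-system descriptor even though it means nothing there.

```python
"""Decode an SDDL security descriptor string such as the one printed by
'samba-tool ntacl get <path> --as-sddl' for a GPO directory.

Added example for this thread, not Samba code. The tables are the standard
SDDL abbreviations and winnt.h access-mask bits; SAMPLE_SDDL is the
descriptor posted in the thread.
"""
import re

SAMPLE_SDDL = ("O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
               "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
               "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
               "(A;OICI;0x1200a9;;;ED)")

# Well-known SID abbreviations (the subset that shows up in sysvol).
SID_ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins",
               "CO": "Creator Owner", "SY": "Local System",
               "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
               "BA": "BUILTIN\\Administrators", "SO": "BUILTIN\\Server Operators",
               "WD": "Everyone"}
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "OA": "ACCESS_ALLOWED_OBJECT", "OD": "ACCESS_DENIED_OBJECT",
             "AU": "SYSTEM_AUDIT", "OU": "SYSTEM_AUDIT_OBJECT"}
ACE_FLAGS = {"OI", "CI", "NP", "IO", "ID", "SA", "FA"}   # OI/CI/IO = inheritance
DACL_FLAGS = {"P", "AR", "AI"}                             # P = protected
FILE_RIGHTS = [(0x1, "FILE_READ_DATA"), (0x2, "FILE_WRITE_DATA"),
               (0x4, "FILE_APPEND_DATA"), (0x8, "FILE_READ_EA"),
               (0x10, "FILE_WRITE_EA"), (0x20, "FILE_EXECUTE"),
               (0x40, "FILE_DELETE_CHILD"), (0x80, "FILE_READ_ATTRIBUTES"),
               (0x100, "FILE_WRITE_ATTRIBUTES"), (0x10000, "DELETE"),
               (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
               (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE")]
RIGHT_ALIASES = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116,
                 "FX": 0x001200A0, "GA": 0x10000000, "GR": 0x80000000,
                 "GW": 0x40000000, "GX": 0x20000000}
# AD control-access right GUID that Windows copies into GPO file descriptors.
OBJECT_GUIDS = {"edacfd8f-ffb3-11d1-b41d-00a0c968f939": "Apply Group Policy"}


def decode_mask(mask):
    """Names of every file access-mask bit set in 'mask'."""
    return [name for bit, name in FILE_RIGHTS if mask & bit]


def parse_rights(field):
    """Rights field is a hex literal ('0x1200a9') or run-together aliases ('FA')."""
    if not field:
        return 0
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for tok in (field[i:i + 2] for i in range(0, len(field), 2)):
        if tok not in RIGHT_ALIASES:
            raise ValueError("unknown rights alias %r" % tok)
        mask |= RIGHT_ALIASES[tok]
    return mask


def _split_pairs(field, known):
    """Flag fields are two-letter tokens with no separator, e.g. 'OICIIO'."""
    toks = [field[i:i + 2] for i in range(0, len(field), 2)]
    bad = [t for t in toks if t not in known]
    if bad:
        raise ValueError("unknown flag(s) %r" % bad)
    return toks


def parse_dacl_flags(prefix):
    """DACL control flags mix one-letter ('P') and two-letter ('AR', 'AI') tokens."""
    flags = []
    while prefix:
        tok = prefix[:2] if prefix[:2] in DACL_FLAGS else prefix[:1]
        if tok not in DACL_FLAGS:
            raise ValueError("unknown DACL flag in %r" % prefix)
        flags.append(tok)
        prefix = prefix[len(tok):]
    return flags


def parse_ace(body):
    """'type;flags;rights;object_guid;inherit_object_guid;trustee'."""
    fields = body.split(";")
    if len(fields) < 6:
        raise ValueError("malformed ACE %r" % body)
    atype, flags, rights, obj, inh_obj, trustee = fields[:6]
    mask = parse_rights(rights)
    return {"type": ACE_TYPES.get(atype, atype),
            "flags": _split_pairs(flags, ACE_FLAGS),
            "rights_mask": mask, "rights": decode_mask(mask),
            "object_type": OBJECT_GUIDS.get(obj, obj),
            "inherited_object_type": inh_obj,
            "trustee": trustee, "trustee_name": SID_ALIASES.get(trustee, trustee)}


def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into components; SIDs and ACEs contain no ':'."""
    parts = dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))
    dacl = parts.get("D", "")
    owner, group = parts.get("O"), parts.get("G")
    return {"owner": owner, "owner_name": SID_ALIASES.get(owner, owner),
            "group": group, "group_name": SID_ALIASES.get(group, group),
            "dacl_flags": parse_dacl_flags(dacl.split("(", 1)[0]),
            "aces": [parse_ace(b) for b in re.findall(r"\(([^)]*)\)", dacl)]}


def summarize(sddl):
    """One readable line per ACE."""
    lines = []
    for ace in parse_sddl(sddl)["aces"]:
        hint = {RIGHT_ALIASES["FA"]: " (full control)", 0x1200A9: " (read & execute)"}
        obj = " on %s" % ace["object_type"] if ace["object_type"] else ""
        lines.append("%s [%s] 0x%08x%s%s -> %s" % (
            ace["type"], "+".join(ace["flags"]) or "-", ace["rights_mask"],
            hint.get(ace["rights_mask"], ""), obj, ace["trustee_name"]))
    return lines


if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("owner:", sd["owner_name"], "group:", sd["group_name"], "dacl:", sd["dacl_flags"])
    print("\n".join(summarize(SAMPLE_SDDL)))
```

Reading the output against Rowland's description: the 'P' flag means the GPO directory does not inherit from the Policies parent, every ACE carries OI+CI so it applies to files and subdirectories, the Creator Owner entry is IO (inherit-only, so it grants nothing on the directory itself), and the two 0x1200a9 entries are exactly FILE_READ_DATA, FILE_READ_EA, FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL and SYNCHRONIZE, the "Read & execute" set that lets Authenticated Users and domain controllers apply the policy without modifying it.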