Klaas TJEBBES
2025-Apr-15  08:03 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
Hi Rowland (and others)
Here is what you were asking for.
As a sidenote, 'samba-tool ntacl get' is a bit buggy on some paths.
I've left the tracebacks so you can understand what I'm talking about.
But nevertheless, there are some differences between before and after 
'samba-tool ntacl sysvolreset'. This command does not set back the 
access rights like Windows does.
# BEFORE samba-tool ntacl sysvolreset, just after creating a GPO in RSAT
root at addc:~# samba-tool ntacl get /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/ --as-sddl
ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No such file or directory: '/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}/'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 206, in run
    acl = getntacl(lp,
          ^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125, in getntacl
    return smbd.get_nt_acl(file,
           ^^^^^^^^^^^^^^^^^^^^^

root at addc:~# cd /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/
root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# ls -l
total 24
-rwxrwx---+ 1 BUILTIN/administrators users   68 avril 15 09:52 GPT.INI
drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:53 Machine
drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:52 User

root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get . --as-sddl
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)

root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get GPT.INI --as-sddl
O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)

root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get Machine/ --as-sddl
ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No such file or directory: 'Machine/'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 206, in run
    acl = getntacl(lp,
          ^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125, in getntacl
    return smbd.get_nt_acl(file,
           ^^^^^^^^^^^^^^^^^^^^^

# AFTER samba-tool ntacl sysvolreset

root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get . --as-sddl
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)

root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get GPT.INI --as-sddl
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)

root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}# samba-tool ntacl get Machine/ --as-sddl
ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No such file or directory: 'Machine/'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 279, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 206, in run
    acl = getntacl(lp,
          ^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125, in getntacl
    return smbd.get_nt_acl(file,
           ^^^^^^^^^^^^^^^^^^^^^
On 14/04/2025 at 16:38, Rowland Penny via samba wrote:
> On Mon, 14 Apr 2025 16:05:53 +0200
> Klaas TJEBBES via samba <samba at lists.samba.org> wrote:
> 
>> This example I gave is from a test server. A simple setup with 1 DC,
>> 1 fileserver and 2 Windows clients.
>>
>> Setting access rights with setfacl was just to try to understand what
>> the problem was. I should have presented the problem otherwise, like
>> this:
>>
>> I create a GPO in RSAT. At that point, rights on GPO are OK, I can
>> modify it no problems.
>> I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively.
>> I run 'samba-tool ntacl sysvolreset'. At that point, problem occurs,
>> GPO can no longer be modified.
>> I get ACLs (getfacl -R) and ATTRs (getfattr -Rd) recursively again.
>>
>> The diffs between ACLs and ATTRs before/after are :
>>
>> ############ ACLs ##################
>>
>> # BEFORE samba-tool ntacl sysvolreset
>>
>> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>> # owner: BUILTIN/administrators
>> # group: users
>> user::rwx
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> user:DOM/domain\040admins:rwx
>> user:DOM/enterprise\040admins:rwx
>> user:NT\040Authority/enterprise\040domain\040controllers:r-x
>> group::---
>> group:users:---
>> group:BUILTIN/administrators:rwx
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> group:DOM/domain\040admins:rwx
>> group:DOM/enterprise\040admins:rwx
>> group:NT\040Authority/enterprise\040domain\040controllers:r-x
>> mask::rwx
>> other::---
>>
>> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>> # owner: BUILTIN/administrators
>> # group: users
>> user::rwx
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> user:DOM/domain\040admins:rwx
>> user:DOM/enterprise\040admins:rwx
>> user:NT\040Authority/enterprise\040domain\040controllers:r-x
>> group::---
>> group:users:---
>> group:BUILTIN/administrators:rwx
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> group:DOM/domain\040admins:rwx
>> group:DOM/enterprise\040admins:rwx
>> group:NT\040Authority/enterprise\040domain\040controllers:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:BUILTIN/administrators:rwx
>> default:user:NT\040Authority/system:rwx
>> default:user:NT\040Authority/authenticated\040users:r-x
>> default:user:DOM/domain\040admins:rwx
>> default:user:DOM/enterprise\040admins:rwx
>> default:user:NT\040Authority/enterprise\040domain\040controllers:r-x
>> default:group::---
>> default:group:users:---
>> default:group:NT\040Authority/system:rwx
>> default:group:NT\040Authority/authenticated\040users:r-x
>> default:group:DOM/domain\040admins:rwx
>> default:group:DOM/enterprise\040admins:rwx
>> default:group:NT\040Authority/enterprise\040domain\040controllers:r-x
>> default:mask::rwx
>> default:other::---
>>
>>
>> # AFTER samba-tool ntacl sysvolreset
>>
>> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>> # owner: DOM/domain\040admins
>> # group: DOM/domain\040admins
>> user::rwx
>> user:root:rwx
>> user:BUILTIN/administrators:rwx
>> user:BUILTIN/server\040operators:r-x
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> group::rwx
>> group:BUILTIN/administrators:rwx
>> group:BUILTIN/server\040operators:r-x
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> mask::rwx
>> other::---
>>
>> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>> # owner: DOM/domain\040admins
>> # group: DOM/domain\040admins
>> user::rwx
>> user:root:rwx
>> user:BUILTIN/administrators:rwx
>> user:BUILTIN/server\040operators:r-x
>> user:NT\040Authority/system:rwx
>> user:NT\040Authority/authenticated\040users:r-x
>> group::rwx
>> group:BUILTIN/administrators:rwx
>> group:BUILTIN/server\040operators:r-x
>> group:NT\040Authority/system:rwx
>> group:NT\040Authority/authenticated\040users:r-x
>> mask::rwx
>> other::---
>> default:user::rwx
>> default:user:root:rwx
>> default:user:BUILTIN/administrators:rwx
>> default:user:BUILTIN/server\040operators:r-x
>> default:user:NT\040Authority/system:rwx
>> default:user:NT\040Authority/authenticated\040users:r-x
>> default:group::---
>> default:group:BUILTIN/administrators:rwx
>> default:group:BUILTIN/server\040operators:r-x
>> default:group:NT\040Authority/system:rwx
>> default:group:NT\040Authority/authenticated\040users:r-x
>> default:mask::rwx
>> default:other::---
>>
>> ######### ATTRs ########
>>
>> # BEFORE samba-tool ntacl sysvolreset
>>
>> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>> user.DOSATTRIB=0sAAAFAAUAAAARAAAAIAAAABGDjqdErdsB
>> user.SAMBA_PAI=0sAgSADwAAAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAA=
>>
>> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>> user.DOSATTRIB=0sAAAFAAUAAAARAAAAEAAAAHJtj6dErdsB
>> user.SAMBA_PAI=0sAgSADwAPAAABZAAAAAAC/////wABZAAAAAAAxMYtAAABxMYtAAAAx8YtAAABx8YtAAAAwMYtAAABwMYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAA3MYtAAAB3MYtAAABZAAAAAAAwMYtAAAC/////wABZAAAAAMAxMYtAAMBxMYtAAMAx8YtAAMBx8YtAAsAwMYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAAMA3MYtAAMB3MYtAA=
>>
>> # AFTER samba-tool ntacl sysvolreset
>>
>> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/GPT.INI
>> user.SAMBA_PAI=0sAhSQDAAAAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=
>>
>> # file: home/sysvol/dom.ac-test.fr/Policies/{3A9B7602-1445-4B31-A625-176F2982C3AD}/Machine/
>> user.SAMBA_PAI=0sAhSQDAAMAAABwMYtAAAAAAAAAAAC/////wAAAAAAAAAAwMYtAAABwMYtAAAAwcYtAAABwcYtAAAAwsYtAAABwsYtAAAAw8YtAAABw8YtAAAAAAAAAAAC/////wABwMYtAAAAAAAAAAMAwMYtAAMBwMYtAAMAwcYtAAMBwcYtAAMAwsYtAAMBwsYtAAMAw8YtAAMBw8YtAA=
>>
>>
>> What do you think about this ?
> 
> Sorry, but I am not going to wade through that.
> Sysvol contains files and directories to be used by Windows GPOs and as
> such your output is meaningless to me. I do not really understand the
> output from 'SAMBA_PAI', whereas the output from 'samba-tool ntacl get
> <FILE> --as-sddl' is easily understood.
> 
> From what I posted earlier:
> 
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
> 
> That shows the permissions in a form that Windows expects, the start
> 'O:DAG:DA' shows that the owner is 'DA' and the group is 'DA', (DA
> being Domain Admins) and everything inside each '(....)' is called an
> ACE and you can easily work out what each ACE allows and to whom.
> 
> I repeat, I cannot recommend setting the permissions on sysvol in the
> way you are doing it, use sysvolreset and samba-tool to read them.
> 
> Rowland
> 
> 
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Klaas TJEBBES
- Pôle Logiciel Libre (EOLE)
- DSI
- Dijon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rowland Penny
2025-Apr-15  08:44 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
On Tue, 15 Apr 2025 10:03:59 +0200
Klaas TJEBBES via samba <samba at lists.samba.org> wrote:

> Hi Rowland (and others)
>
> Here is what you were asking for.
> As a sidenote, 'samba-tool ntacl get' is a bit buggy on some paths.
> I've left the tracebacks so you can understand what I'm talking about.
>
> But nevertheless, there are some differences between before and after
> 'samba-tool ntacl sysvolreset'. This command does not set back the
> access rights like Windows does.
>
>
> # BEFORE samba-tool ntacl sysvolreset, just after creating a GPO in
> RSAT
>
> root at addc:~# samba-tool ntacl get
> /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/
> --as-sddl

Why is 'sysvol' in '/home' ?? It should be in /var/lib/samba unless you
have self compiled Samba into somewhere else (usually /usr/local/samba).

> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No
> such file or directory:
> '/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}/'
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> line 279, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
> 206, in run
>     acl = getntacl(lp,
>           ^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
> in getntacl
>     return smbd.get_nt_acl(file,
>            ^^^^^^^^^^^^^^^^^^^^^
>

I get the same sort of error if I have '/' on the end of the path, but
it works if I remove it.

> root at addc:~# cd
> /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/
>
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
> ls -l
> total 24
> -rwxrwx---+ 1 BUILTIN/administrators users   68 avril 15 09:52 GPT.INI
> drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:53 Machine
> drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:52 User
>
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
> samba-tool ntacl get . --as-sddl
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
>
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
> samba-tool ntacl get GPT.INI --as-sddl
> O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)
>
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
> samba-tool ntacl get Machine/ --as-sddl
> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No
> such file or directory: 'Machine/'
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> line 279, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
> 206, in run
>     acl = getntacl(lp,
>           ^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
> in getntacl
>     return smbd.get_nt_acl(file,
>            ^^^^^^^^^^^^^^^^^^^^^
>
>
> # AFTER samba-tool ntacl sysvolreset
>
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
> samba-tool ntacl get . --as-sddl
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>
> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
> samba-tool ntacl get GPT.INI --as-sddl
> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>

They are what I expected and identical to a GPO on one of my DCs.

> root at addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
> samba-tool ntacl get Machine/ --as-sddl
> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No
> such file or directory: 'Machine/'
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> line 279, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
> 206, in run
>     acl = getntacl(lp,
>           ^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
> in getntacl
>     return smbd.get_nt_acl(file,
>            ^^^^^^^^^^^^^^^^^^^^^

Try that again but this time without the '/' on the end of 'Machine/'.

Rowland
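Rowland's point in both messages is that the `--as-sddl` output is the form worth reading: 'O:DAG:DA' names owner and group, and each '(...)' is an ACE. The following is an added example written for this thread, not code from Samba or from either poster: a small SDDL decoder that parses the before/after strings quoted above and reports what `sysvolreset` changed (the GPT.INI owner moving from BUILTIN\Administrators to Domain Admins, the DACL becoming protected, and the extra object ACE for Authenticated Users). The alias and mask tables are my own and cover only the standard SDDL tokens that appear in the thread; the assumption that GPT.INI ends up with the directory's descriptor is taken from the quoted output.

```python
"""Decode and diff SDDL strings of the kind 'samba-tool ntacl get <path> --as-sddl' prints.

Added example for this thread; not Samba's code. The SDDL constants at the
bottom are the strings quoted in the thread.
"""
import re
from dataclasses import dataclass

# Two-letter SID aliases that occur in the thread's SDDL strings (standard SDDL set, subset).
SID_ALIASES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "DU": "Domain Users",
    "BA": "BUILTIN\\Administrators", "SO": "BUILTIN\\Server Operators",
    "SY": "NT AUTHORITY\\SYSTEM", "AU": "NT AUTHORITY\\Authenticated Users",
    "ED": "NT AUTHORITY\\Enterprise Domain Controllers", "CO": "CREATOR OWNER",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "OBJECT_ALLOW", "OD": "OBJECT_DENY"}
# Rights aliases with their file access masks; raw hex masks are accepted as well.
RIGHTS_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
                  "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000}
# Composite masks named the way the Windows security tab shows them.
MASK_NAMES = {0x1F01FF: "Full control", 0x1301BF: "Modify", 0x1200A9: "Read & execute",
              0x120089: "Read", 0x0: "no access bits"}


@dataclass(frozen=True)
class Ace:
    ace_type: str      # A, D, OA, OD
    flags: tuple       # inheritance flags as SDDL pairs, e.g. ("OI", "CI", "IO")
    mask: int          # access mask
    object_guid: str   # only set on object ACEs
    trustee: str       # SID alias or full S-1-... string

    def describe(self):
        who = SID_ALIASES.get(self.trustee, self.trustee)
        what = MASK_NAMES.get(self.mask, hex(self.mask))
        guid = f" on object {self.object_guid}" if self.object_guid else ""
        return f"{ACE_TYPES.get(self.ace_type, self.ace_type)} {what} to {who} [{''.join(self.flags)}]{guid}"


@dataclass(frozen=True)
class Descriptor:
    owner: str
    group: str
    dacl_flags: tuple  # subset of P (protected), AI, AR
    aces: tuple


def _pairs(s):
    """Split a run of two-letter SDDL tokens ('OICIIO' -> OI, CI, IO)."""
    return tuple(s[i:i + 2] for i in range(0, len(s), 2))


def parse_rights(s):
    if not s:
        return 0
    if s.lower().startswith("0x"):
        return int(s, 16)
    mask = 0
    for tok in _pairs(s):
        mask |= RIGHTS_ALIASES[tok]  # an unknown alias raises KeyError on purpose
    return mask


def parse_sddl(sddl):
    m = re.fullmatch(r"O:([\w-]+?)G:([\w-]+?)D:([A-Z]*)((?:\([^()]*\))*)(?:S:.*)?", sddl)
    if not m:
        raise ValueError(f"not an O:/G:/D: SDDL string: {sddl!r}")
    owner, group, dflags, acl = m.groups()
    aces = []
    for body in re.findall(r"\(([^()]*)\)", acl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, obj_guid, _inherit_guid, sid = fields
        aces.append(Ace(ace_type, _pairs(flags), parse_rights(rights), obj_guid, sid))
    return Descriptor(owner, group, tuple(re.findall(r"AI|AR|P", dflags)), tuple(aces))


def _name(trustee):
    return SID_ALIASES.get(trustee, trustee)


def diff_descriptors(before, after):
    """Human-readable list of what changed between two descriptors."""
    changes = []
    if before.owner != after.owner:
        changes.append(f"owner: {_name(before.owner)} -> {_name(after.owner)}")
    if before.group != after.group:
        changes.append(f"group: {_name(before.group)} -> {_name(after.group)}")
    if before.dacl_flags != after.dacl_flags:
        changes.append(f"dacl flags: {before.dacl_flags} -> {after.dacl_flags}")
    changes += ["- " + a.describe() for a in before.aces if a not in after.aces]
    changes += ["+ " + a.describe() for a in after.aces if a not in before.aces]
    return changes


# SDDL strings quoted in the thread: GPO directory and GPT.INI, before/after sysvolreset.
DIR_BEFORE = "O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)"
DIR_AFTER = "O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)"
INI_BEFORE = "O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)"
INI_AFTER = DIR_AFTER  # the quoted output shows GPT.INI carrying the directory's descriptor afterwards

if __name__ == "__main__":
    for label, b, a in (("GPO directory", DIR_BEFORE, DIR_AFTER), ("GPT.INI", INI_BEFORE, INI_AFTER)):
        print(f"== {label} ==")
        for line in diff_descriptors(parse_sddl(b), parse_sddl(a)) or ["(no change)"]:
            print(line)
```

Run it as a script to see the two diffs; for a real system, feed it the output of `samba-tool ntacl get <path> --as-sddl` taken before and after a reset (without a trailing '/' on directory paths, as Rowland notes). Comparing parsed ACEs rather than raw strings means a reordered but equivalent DACL reports no change, while a genuinely added or dropped ACE shows up as a single '+' or '-' line.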