Hi team,
I am trying to get NTACLs set properly on a directory and the subtree
below it. I do this with samba 4.22 (Debian 12) on client and server.
The server is a domain controller, the share sysvol, the directory is
subdir under "Policies", i.e. the root-dir of a GPO.
Some fragments of the smb.conf:
[global]
        vfs objects = dfs_samba4, acl_xattr, full_audit
        map acl inherit = yes
[sysvol]
        path = /var/lib/samba/sysvol
        read only = no
        inherit owner = yes
        inherit permissions = yes
Scenario 1 works alright:
1. I create a GPO-root-dir over smb (using smbclient) on the sysvol share
2. I use smbcacls to set the ACLs on the GPO-root-dir.
3. I create subdirs and files using the smbclient.
4. The result is that everything in the subtree (files and dirs) uses
inherited ACLs from the GPO-root-dir where I applied explicit ACLs.
Explicitly applied ACLs on the GPO-root-dir (output of smbcacls):
REVISION:1
CONTROL:SR|DP
OWNER:SAMDOM\Domain Admins
GROUP:SAMDOM\Domain Admins
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:SAMDOM\Domain Admins:ALLOWED/OI|CI/FULL
ACL:SAMDOM\Domain Computers:ALLOWED/OI|CI/READ
ACL:SAMDOM\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:SAMDOM\Group Policy Creator Owners:ALLOWED/OI|CI/FULL
ACL:SAMDOM\acl-permission-one:ALLOWED/OI|CI/READ
ACL:SAMDOM\acl-permission-two:ALLOWED/OI|CI/FULL
ACLs as visible on a subdir:
REVISION:1
CONTROL:SR|PD|DR|DP
OWNER:SAMDOM\Domain Admins
GROUP:SAMDOM\Domain Admins
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:SAMDOM\Domain Admins:ALLOWED/OI|CI/FULL
ACL:SAMDOM\Domain Admins:ALLOWED/OI|CI/FULL
ACL:SAMDOM\Domain Computers:ALLOWED/OI|CI/READ
ACL:SAMDOM\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:SAMDOM\Group Policy Creator Owners:ALLOWED/OI|CI/FULL
ACL:SAMDOM\acl-permission-one:ALLOWED/OI|CI/READ
ACL:SAMDOM\acl-permission-one:5/OI|CI/
ACL:SAMDOM\acl-permission-two:ALLOWED/OI|CI/FULL
A sub-file has exactly the same permissions but slightly different
control attributes: CONTROL:SR|PD|DP
This looks alright and it works alright when accessed from Windows.
Scenario 2 is not working correctly:
1. On the DC I create a GPO with samba-tool gpo create mygpo. This
creates the GPO-root-dir, the subdirs "machine" and "user" and the file
"gpt.ini" (and it does the registration of the GPO in LDAP).
2. I use smbcacls to set the ACLs on the GPO-root-dir.
3. The result is that the GPO-root-dir has the expected ACLs but everything
below is unchanged and now contains unwanted and invalid ACLs,
leading to insufficient permissions when accessed over smb (even as
a domain admin user).
The main difference is the order of creation. It is not specific to the
use of samba-tool gpo create, the same scenario applies when the
GPO-root-dir, subdirs and files are created by smbclient.
The explicitly applied ACLs on the GPO-root-dir (output of smbcacls) are the
same as above, therefore the output is not repeated here.
ACLs as visible on a subdir ("user"):
REVISION:1
CONTROL:SR|DP
OWNER:SAMDOM\Domain Admins
GROUP:SAMDOM\Domain Admins
ACL:NT AUTHORITY\Authenticated Users:5/OI|CI/
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:SAMDOM\Domain Admins:ALLOWED/0x0/FULL
ACL:SAMDOM\Domain Admins:ALLOWED/OI|CI/FULL
ACL:SAMDOM\Enterprise Admins:ALLOWED/OI|CI/FULL
ACL:SAMDOM\acl-permission-two:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|I/FULL
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/OI|CI|I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ACL:SAMDOM\Domain Admins:ALLOWED/OI|CI|I/FULL
ACL:SAMDOM\Domain Computers:ALLOWED/OI|CI|I/READ
ACL:SAMDOM\Enterprise Admins:ALLOWED/OI|CI|I/FULL
ACL:SAMDOM\Group Policy Creator Owners:ALLOWED/OI|CI|I/FULL
ACL:SAMDOM\acl-permission-one:ALLOWED/OI|CI|I/READ
ACL:SAMDOM\acl-permission-two:ALLOWED/OI|CI|I/FULL
The main difference here is the ACEs with /OI|CI|I/ in the flags field,
which in most cases are a duplicate of an identical ACE with flags /OI|CI/.
Further, the control field differs: CONTROL:SR|DP instead of the expected
CONTROL:SR|PD|DR|DP
ACLs as visible on a file ("gpt.ini"):
REVISION:1
CONTROL:SR|DP
OWNER:SAMDOM\Domain Admins
GROUP:SAMDOM\Domain Admins
ACL:NT AUTHORITY\Authenticated Users:5/0x0/
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/0x0/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x0/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/0x0/FULL
ACL:SAMDOM\Domain Admins:ALLOWED/0x0/FULL
ACL:SAMDOM\Enterprise Admins:ALLOWED/0x0/FULL
ACL:SAMDOM\acl-permission-two:ALLOWED/0x0/FULL
ACL:CREATOR OWNER:ALLOWED/I/FULL
ACL:NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS:ALLOWED/I/READ
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/I/READ
ACL:NT AUTHORITY\SYSTEM:ALLOWED/I/FULL
ACL:SAMDOM\Domain Admins:ALLOWED/I/FULL
ACL:SAMDOM\Domain Computers:ALLOWED/I/READ
ACL:SAMDOM\Enterprise Admins:ALLOWED/I/FULL
ACL:SAMDOM\Group Policy Creator Owners:ALLOWED/I/FULL
ACL:SAMDOM\acl-permission-one:ALLOWED/I/READ
ACL:SAMDOM\acl-permission-two:ALLOWED/I/FULL
The main difference here is the ACEs with /0x0/ in the flags field, which
seems to indicate explicit permissions on the object. And the control
field differs: CONTROL:SR|DP instead of the expected CONTROL:SR|PD|DP
The question is: how can I reset the ACLs on files and dirs in the subtree
(using smbcacls) so that the ACLs on objects in scenario 2 become identical
to those in scenario 1?
- Kees.
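An added example, not part of the post and not Samba's own code: a small Python checker that parses smbcacls listings like the ones above and reports the three oddities described for scenario 2 (an explicit ACE and an inherited /I/ ACE for the same trustee and rights, ACE types that smbcacls prints as a bare number such as 5, and a CONTROL field that deviates from the expected value). The embedded sample is a constructed, trimmed copy of the gpt.ini listing above; the expected CONTROL strings come from the post.

```python
import re

# One ACE line as printed by smbcacls: ACL:<trustee>:<type>/<flags>/<mask>
ACE_RE = re.compile(r"^ACL:(.+?):([^/]+)/([^/]*)/(.*)$")

# Constructed sample: trimmed from the scenario-2 gpt.ini listing in the post.
SAMPLE_FILE_ACL = r"""REVISION:1
CONTROL:SR|DP
OWNER:SAMDOM\Domain Admins
GROUP:SAMDOM\Domain Admins
ACL:NT AUTHORITY\Authenticated Users:5/0x0/
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x0/READ
ACL:SAMDOM\Domain Admins:ALLOWED/0x0/FULL
ACL:NT AUTHORITY\Authenticated Users:ALLOWED/I/READ
ACL:SAMDOM\Domain Admins:ALLOWED/I/FULL
"""

def parse_smbcacls(text):
    """Return (control_flags, aces); each ACE is (trustee, type, flags, mask).
    smbcacls prints '0x0' for an empty flags field; that becomes no flags."""
    control, aces = set(), []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CONTROL:"):
            control = set(line[len("CONTROL:"):].split("|"))
            continue
        m = ACE_RE.match(line)
        if m:
            trustee, atype, flags, mask = m.groups()
            fl = frozenset(f for f in flags.split("|") if f and f != "0x0")
            aces.append((trustee, atype, fl, mask))
    return control, aces

def audit(text, expected_control):
    """Return a list of findings for one object's smbcacls listing."""
    control, aces = parse_smbcacls(text)
    findings = []
    if control != set(expected_control.split("|")):
        findings.append(f"CONTROL is {'|'.join(sorted(control))}, expected {expected_control}")
    seen = {}  # (trustee, type, mask, flags without I) -> flags of first occurrence
    for trustee, atype, fl, mask in aces:
        if not atype.isalpha():  # smbcacls shows ACE types it has no name for as a number
            findings.append(f"unnamed ACE type {atype} for {trustee}")
        key = (trustee, atype, mask, fl - {"I"})
        if key in seen and ("I" in fl) != ("I" in seen[key]):
            findings.append(f"{trustee}: explicit and inherited ACE for the same rights ({mask})")
        seen.setdefault(key, fl)
    return findings

# Files are expected to carry CONTROL:SR|PD|DP per the post (dirs: SR|PD|DR|DP).
FINDINGS = audit(SAMPLE_FILE_ACL, "SR|PD|DP")
```

Feed it the output of `smbcacls //dc/sysvol <path>` for each object in the GPO subtree; an empty result means the object looks like the scenario-1 case.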