Mirco MEGAS
2014-Nov-01 15:28 UTC
[Samba] DC2 denies access when saving through the Group Policy Management Console
Hello list,

I am not sure if this is a bug or known already but I will describe it. I have two domain controllers running on 4.1.12/sernet which are linked together. I am using unison for bidirectional sync for the sysvol directory as described on samba's wiki, although in my opinion the problem I will describe in the following has nothing to do with the sync process. The sync occurs every 5 min.

On a win7 client I open the Group Policy Management Console (run/execute the command "gpmc.msc"). When I right-click on the left pane onto my domain name "mydom.example.com" I can choose "Change Domain Controller...". Inside the window which is opened, on the bottom I see my two domain controllers which I can choose I'd like to connect to. Whatever I can configure while connected on DC1, the changes are propagated to DC2 after max. 5 minutes and I can check that the settings are successfully transferred to DC2.

But ==> Whenever I try to make modifications while connected to DC2 I get errors like "No permission" or "Error 0x80070005 during the save ... Access denied" and stuff like that. I cannot modify settings on DC2, why? Shouldn't it normally work?

Mirco.

I think I am approaching the issue. When I am logged in with a domain admin account on the windows machine and try to access the share \\dc1\sysvol or \\dc2\sysvol I get access denied. So I did "getfacl /var/lib/samba/sysvol" on both, DC1 and DC2 and the result is...

# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

As you see, the gid=3000000 is not resolved on my domain controllers, thus it's explained why my domain admin account cannot access the share.

The strange thing is: why am I able to make modifications on GPOs on DC1?? And the most important question: how do I reset/setup the correct acl parameters for sysvol? I want to add that I don't use winbind on DC1 or DC2. Do I really have to enable winbind also on DC1+DC2? Please give me some advice.

Thank you.
Mirco
Rowland Penny
2014-Nov-01 16:19 UTC
[Samba] DC2 denies access when saving through the Group Policy Management Console
On 01/11/14 15:28, Mirco MEGAS wrote:
> Hello list,
>
> I am not sure if this is a bug or known already but I will describe it. I have two domain controllers running on 4.1.12/sernet which are linked together. I am using unison for bidirectional sync for the sysvol directory as described on samba's wiki, although in my opinion the problem I will describe in the following has nothing to do with the sync process. The sync occurs every 5 min.
>
> On a win7 client I open the Group Policy Management Console (run/execute the command "gpmc.msc"). When I right-click on the left pane onto my domain name "mydom.example.com" I can choose "Change Domain Controller...". Inside the window which is opened, on the bottom I see my two domain controllers which I can choose I'd like to connect to. Whatever I can configure while connected on DC1, the changes are propagated to DC2 after max. 5 minutes and I can check that the settings are successfully transferred to DC2.
>
> But ==> Whenever I try to make modifications while connected to DC2 I get errors like "No permission" or "Error 0x80070005 during the save ... Access denied" and stuff like that. I cannot modify settings on DC2, why? Shouldn't it normally work?
>
> Mirco.
>
> I think I am approaching the issue. When I am logged in with a domain admin account on the windows machine and try to access the share \\dc1\sysvol or \\dc2\sysvol I get access denied. So I did "getfacl /var/lib/samba/sysvol" on both, DC1 and DC2 and the result is...
>
> # file: sysvol
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> As you see, the gid=3000000 is not resolved on my domain controllers, thus it's explained why my domain admin account cannot access the share. The strange thing is: why am I able to make modifications on GPOs on DC1?? And the most important question: how do I reset/setup the correct acl parameters for sysvol? I want to add that I don't use winbind on DC1 or DC2. Do I really have to enable winbind also on DC1+DC2? Please give me some advice.
>
> Thank you.
> Mirco

The gid is being resolved on the DC, just not in the way that you expect. If you open idmap.ldb in ldbedit, you will find that '3000000' comes from the well known SID 'S-1-5-32-544', this is the 'Administrators' group in AD. The others are:

3000001 S-1-5-32-549 Server Operators
3000002 S-1-5-18 Local System
3000003 S-1-5-11 Authenticated Users

If you need to reset the sysvol ACLs, then there is a command for it:

samba-tool ntacl sysvolreset

You can check the ACLs on sysvol with:

samba-tool ntacl sysvolcheck

You do not need to run either, your ACLs are correct.

You are using winbind on the server, it is either built into the samba daemon, or if you are running 4.2, it is now called 'winbindd' and is started by the samba daemon.

I think that your problem is that when you join another DC to the domain, idmap.ldb is not replicated, so when you sync sysvol from the first DC to the second the 'xidnumbers' i.e. '3000000' do not match what is in idmap.ldb on the second DC, so the permissions are not correct, the cure is to copy idmap.ldb from the first DC to any other DCs.

Rowland
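As an added illustration of the point Rowland makes (this is not code from the thread or from Samba), the script below compares the xidNumber-to-SID tables of two DCs and resolves the numeric gids of the getfacl listing through each DC's table. The idmap records are constructed sample data in the shape of ldbsearch output (attribute names objectSid and xidNumber are assumed), with DC2 deliberately out of step so the mismatch is visible.

```python
import re

# Well-known SIDs from Rowland's table.
WELL_KNOWN = {"S-1-5-32-544": "Administrators", "S-1-5-32-549": "Server Operators",
              "S-1-5-18": "Local System", "S-1-5-11": "Authenticated Users"}

# Constructed samples in the shape of `ldbsearch -H idmap.ldb` records
# (assumed attribute names objectSid / xidNumber).
def ldif(pairs):
    """Build ldbsearch-style records from (xid, sid) pairs (sample data)."""
    return "\n\n".join(f"dn: CN={sid}\nobjectSid: {sid}\nxidNumber: {xid}"
                       for xid, sid in pairs)

DC1_IDMAP = ldif([(3000000, "S-1-5-32-544"), (3000001, "S-1-5-32-549"),
                  (3000002, "S-1-5-18"), (3000003, "S-1-5-11")])
# DC2 is deliberately out of step: two xids swapped, one mapping missing.
DC2_IDMAP = ldif([(3000000, "S-1-5-32-544"), (3000001, "S-1-5-18"),
                  (3000002, "S-1-5-32-549")])
SYSVOL_FACL = ("group::rwx\ngroup:3000000:rwx\ngroup:3000001:r-x\n"
               "group:3000002:rwx\ngroup:3000003:r-x\ndefault:group:3000000:rwx\n")

def parse_idmap(ldif_text):
    """Return {xidNumber: objectSid} from ldbsearch-style records."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        attrs = dict(l.split(": ", 1) for l in record.splitlines() if ": " in l)
        if "xidNumber" in attrs and "objectSid" in attrs:
            mapping[int(attrs["xidNumber"])] = attrs["objectSid"]
    return mapping

def diff_idmap(dc1, dc2):
    """xids that map to different SIDs, or exist on only one DC."""
    return [(x, dc1.get(x), dc2.get(x)) for x in sorted(set(dc1) | set(dc2))
            if dc1.get(x) != dc2.get(x)]

def resolve_facl(facl, mapping):
    """Resolve every numeric gid in a getfacl listing through one DC's idmap."""
    out = {}
    for m in re.finditer(r"^(?:default:)?group:(\d+):", facl, re.M):
        xid = int(m.group(1))
        sid = mapping.get(xid)
        out[xid] = (sid, WELL_KNOWN.get(sid, "unknown" if sid else "unmapped"))
    return out

if __name__ == "__main__":
    d1, d2 = parse_idmap(DC1_IDMAP), parse_idmap(DC2_IDMAP)
    for xid, s1, s2 in diff_idmap(d1, d2):
        print(f"xid {xid}: DC1 {s1} vs DC2 {s2}")
    for xid, (sid, name) in resolve_facl(SYSVOL_FACL, d2).items():
        print(f"gid {xid} on DC2 -> {sid} ({name})")
```

On real DCs the input would be the output of ldbsearch against each DC's idmap.ldb; any xid the script reports is a directory whose on-disk gid means a different principal on each side.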
Mirco MEGAS
2014-Nov-01 19:21 UTC
[Samba] DC2 denies access when saving through the Group Policy Management Console
> Rowland wrote:
> You can check the ACLs on sysvol with:
> samba-tool ntacl sysvolcheck

Hi Rowland, when I execute that command on either DC1 or DC2 I get the following uncaught exception error :-(

$ samba-tool ntacl sysvolcheck
ERROR(): uncaught exception - ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/mydom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Documents & Settings/fdeploy.ini O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1726, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1677, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1634, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))

Why that? Do I have to worry about that error? Is this a known bug or something like that? I am running Samba 4.1.12/sernet on Debian Wheezy.

> You are using winbind on the server, it is either built into the samba
> daemon, or if you are running 4.2, it is now called 'winbindd' and is
> started by the samba daemon.

As I am on 4.1.12 I am still using the old built-in version of winbind. My /etc/default/sernet-samba is set to "ad" mode and "ps aux |grep -i winbind" returns no output, so I don't see any winbind process. I hope that's ok and normal behaviour.

> I think that your problem is that when you join another DC to the
> domain, idmap.ldb is not replicated, so when you sync sysvol from the
> first DC to the second the 'xidnumbers' i.e. '3000000' do not match what
> is in idmap.ldb on the second DC, so the permissions are not correct,
> the cure is to copy idmap.ldb from the first DC to any other DCs.

I cannot imagine why, because according to the wiki (I did read it somewhere in the tutorial when I configured DC2) I did manually copy the mentioned idmap.ldb from dc1 to dc2. But right now I checked the two files, they were different (I ran "diff idmap.ldb.from.dc1 idmap.ldb.from.dc2" after I copied them onto a temporary directory). So I again copied the file dc1:/var/lib/samba/private/idmap.ldb to dc2:/var/lib/samba/private/idmap.ldb to ensure they are both the same. After that action I rechecked, but the problem still exists.

I can describe the issue in more detail: I can create a new GPO on DC1 and name it "new-test-gpo-created-on-dc1". Inside this GPO I choose the setting "something" and ENABLE it. After 5 minutes this GPO is replicated to DC2. I see the change there. When I connect to DC2 through GPMC and create a new GPO called "new-test-gpo-created-on-dc2" and set the configuration "foobar" to DISABLE and wait 5 minutes, then this GPO "new-test-gpo-created-on-dc2" cannot be edited on DC1 or DC2. I get the error "System cannot find the specified path" (Note: I translated on my own into English, so this might not be the original error message).

I guess that the problem is related to the unison bidirectional sync I configured according to https://wiki.samba.org/index.php/SysVol_Bidirectional_Replication

The logfile created by sysvol-sync looks like that:

[...]
2014/11/01 20:10:02 [27755] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Documents & Settings/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/Logoff/
2014/11/01 20:10:02 [27755] cd+++++++++ sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Scripts/Logon/
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:10:02 [27755] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
2014/11/01 20:10:02 [27755] sent 7802 bytes received 50 bytes 5234.67 bytes/sec
2014/11/01 20:10:02 [27755] total size is 0 speedup is 0.00
UNISON 2.40.65 started propagating changes at 20:10:02.45 on 01 Nov 2014
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
[BGN] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI from /var/lib/samba to //dc2//var/lib/samba
[END] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI
[BGN] Copying sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol from /var/lib/samba to //dc2//var/lib/samba
/usr/bin/rsync -XAavz --rsh='ssh -p 22' --inplace --compress '/var/lib/samba/sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol' 'root@dc2:'\''/var/lib/samba/sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/.unison.Registry.pol.a3c7ed9ae723707cd04ca2e02a97e300.unison.tmp'\'''
[END] Copying sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/Registry.pol
UNISON 2.40.65 finished propagating changes at 20:10:02.60 on 01 Nov 2014
Synchronization complete at 20:10:02 (2 items transferred, 3 skipped, 0 failed)
skipped: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
skipped: sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
skipped: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
2014/11/01 20:15:02 [27956] building file list
2014/11/01 20:15:02 [27956] done
2014/11/01 20:15:02 [27956] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/
2014/11/01 20:15:02 [27956] .d..t...... sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/User/
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User/Documents & Settings
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/User
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}/Adm
2014/11/01 20:15:02 [27956] cannot delete non-empty directory: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
2014/11/01 20:15:02 [27956] sent 5902 bytes received 18 bytes 3946.67 bytes/sec
2014/11/01 20:15:02 [27956] total size is 0 speedup is 0.00
UNISON 2.40.65 started propagating changes at 20:15:02.29 on 01 Nov 2014
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
[CONFLICT] Skipping sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}
[BGN] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI from /var/lib/samba to //dc2//var/lib/samba
[END] Updating file sysvol/mydom.example.com/Policies/{C670A447-2A80-4FDC-8940-BA241597F9E5}/GPT.INI
UNISON 2.40.65 finished propagating changes at 20:15:02.30 on 01 Nov 2014
Synchronization complete at 20:15:02 (1 item transferred, 3 skipped, 0 failed)
skipped: sysvol/mydom.example.com/Policies/{4C5FB83F-069E-4446-9A5D-C1E5E6706262}
skipped: sysvol/mydom.example.com/Policies/{58DC2B52-5E0C-4B07-9BC5-F0FFB708F94F}/Machine/Registry.pol
skipped: sysvol/mydom.example.com/Policies/{E8294D7B-A78B-4260-9D9F-167211E09018}

Mirco.
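The two SDDL strings in the sysvolcheck error above are hard to compare by eye. The checker below is an added example (not code from the thread or from Samba) that parses both descriptors and lists exactly what differs: owner, group, the P (protected) DACL control flag, and the per-trustee ACE flags and rights. It assumes the SDDL shape shown in the error (O:, G:, D: sections, no SACL).

```python
import re

# The two SDDL strings quoted in the sysvolcheck error above: the ACL found on
# the filesystem first, the value expected from the GPO object second.
FS_SDDL = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
           "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
GPO_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Assumed layout: owner, group and DACL only (no S: section), as in the error.
HEAD_RE = re.compile(r"O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)")

def parse_sddl(sddl):
    """Split SDDL into owner, group, DACL control flags and ACEs.
    Each ACE becomes (type, flags, rights, trustee); the two object-GUID
    fields are dropped because sysvol file ACLs do not use them."""
    m = HEAD_RE.fullmatch(sddl)
    if not m:
        raise ValueError(f"unsupported SDDL: {sddl!r}")
    dacl = m.group("dacl")
    control = dacl.split("(", 1)[0]  # e.g. "P" = protected from inheritance
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        ace_type, flags, rights, _obj, _inh, trustee = body.split(";")
        aces.append((ace_type, flags, rights, trustee))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "control": control, "aces": aces}

def by_trustee(aces):
    """Group ACEs per trustee so duplicates (DA appears twice) compare cleanly."""
    idx = {}
    for ace_type, flags, rights, who in aces:
        idx.setdefault(who, set()).add((ace_type, flags, rights))
    return idx

def diff_sddl(actual, expected):
    """Return a list of human-readable differences between two descriptors."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    findings = []
    for key in ("owner", "group", "control"):
        if a[key] != e[key]:
            findings.append(f"{key}: {a[key] or '-'} != expected {e[key] or '-'}")
    ai, ei = by_trustee(a["aces"]), by_trustee(e["aces"])
    for who in sorted(set(ai) | set(ei)):
        if ai.get(who, set()) != ei.get(who, set()):
            findings.append(f"{who}: {sorted(ai.get(who, []))} != expected {sorted(ei.get(who, []))}")
    return findings

if __name__ == "__main__":
    for line in diff_sddl(FS_SDDL, GPO_SDDL):
        print(line)
```

For the strings from the thread the output shows the owner (BA vs DA), the group (DU vs DA), the missing P flag, the absent Creator Owner entry and that every on-disk ACE lacks the OICI inheritance flags.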
Achim Gottinger
2014-Nov-01 22:06 UTC
[Samba] DC2 denies access when saving through the Group Policy Management Console
On 01.11.2014 16:28, Mirco MEGAS wrote:
> Hello list,
>
> I am not sure if this is a bug or known already but I will describe it. I have two domain controllers running on 4.1.12/sernet which are linked together. I am using unison for bidirectional sync for the sysvol directory as described on samba's wiki, although in my opinion the problem I will describe in the following has nothing to do with the sync process. The sync occurs every 5 min.
>
> On a win7 client I open the Group Policy Management Console (run/execute the command "gpmc.msc"). When I right-click on the left pane onto my domain name "mydom.example.com" I can choose "Change Domain Controller...". Inside the window which is opened, on the bottom I see my two domain controllers which I can choose I'd like to connect to. Whatever I can configure while connected on DC1, the changes are propagated to DC2 after max. 5 minutes and I can check that the settings are successfully transferred to DC2.
>
> But ==> Whenever I try to make modifications while connected to DC2 I get errors like "No permission" or "Error 0x80070005 during the save ... Access denied" and stuff like that. I cannot modify settings on DC2, why? Shouldn't it normally work?
>
> Mirco.
>
> I think I am approaching the issue. When I am logged in with a domain admin account on the windows machine and try to access the share \\dc1\sysvol or \\dc2\sysvol I get access denied. So I did "getfacl /var/lib/samba/sysvol" on both, DC1 and DC2 and the result is...
>
> # file: sysvol
> # owner: root
> # group: 3000000
> user::rwx
> user:root:rwx
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> As you see, the gid=3000000 is not resolved on my domain controllers, thus it's explained why my domain admin account cannot access the share. The strange thing is: why am I able to make modifications on GPOs on DC1?? And the most important question: how do I reset/setup the correct acl parameters for sysvol? I want to add that I don't use winbind on DC1 or DC2. Do I really have to enable winbind also on DC1+DC2? Please give me some advice.
>
> Thank you.
> Mirco

Do things work if you test as "Administrator" (root)?

achim~