To fix this, try the following:
Remove the content in the sysvol folder (move it away).
Run samba-tool with sysvol reset.
Copy the content back.
Now, with setfacl, copy the ACL recursively back to the 'domain folder' in vol.
Now, on a Windows machine, open the Group Policy editor.
Click on the GP objects. If needed, it says it needs some rights fixed.
When this is done, don't sysvol reset anymore.
This is a small bug in 4.4.5.
Greetz,
Louis
> On 26 Nov 2016 at 14:04, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sat, 26 Nov 2016 12:28:19 +0100
> Kévin GUERINEAU <kevin.guerineau at infolix.fr> wrote:
>
>> Yes, I have. But nothing changed...
>>
>> Kevin
>>
>>> On 26/11/2016 at 12:08, Rowland Penny via samba wrote:
>>> On Sat, 26 Nov 2016 11:44:50 +0100
>>> Kévin GUERINEAU via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello list,
>>>>
>>>> I have problems with my PDC Samba Servers and all file servers.
>>>> All DC servers have a compiled Samba 4.4.5. File servers have Samba
>>>> Debian packages.
>>>>
>>>> In all shared folders, the ACL has the group "Everyone" and I can't
>>>> remove it.
>>>> The biggest problem concerns SYSVOL: I can't modify GPOs, I have an
>>>> error in MMC.
>>>> I have tried to resolve the problem with the "samba-tool ntacl
>>>> sysvolreset" command but it didn't resolve anything.
>>>>
>>>>
>>>> #samba-tool ntacl sysvolcheck
>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
>>>> exception - ProvisioningError: DB ACL on GPO file
>>>> //usr/local/samba/var/locks/sysvol/campuslr.cma17/Policies//{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Preferences/Groups/Groups.xml
>>>> O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)
>>>> does not match expected value
>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>> from GPO object
>>>> File "//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
>>>> line 175, in _run
>>>> return self.run(*args, **kwargs)
>>>> File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>>>> line 270, in run
>>>> lp)
>>>> File "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
>>>> line 1732, in checksysvolacl
>>>> direct_db_access)
>>>> File "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
>>>> line 1683, in check_gpos_acl
>>>> domainsid, direct_db_access)
>>>> File "//usr/local/samba/lib/python2.7/site-packages/samba/provision//__init__.py",
>>>> line 1640, in check_dir_acl
>>>> raise ProvisioningError('%s ACL on GPO file %s %s does not
>>>> match expected value %s from GPO object' %
>>>> (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl,
>>>> acl))
>>>>
>>>> # samba-tool dbcheck
>>>> Checking 2591 objects
>>>> Checked 2591 objects (0 errors)
>>>>
>>>> # samba-tool gpo aclcheck
>>>> ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such
>>>> element' File
>>>> "//usr/local/samba/lib/python2.7/site-packages/samba/netcmd//__init__.py",
>>>> line 175, in _run
>>>> return self.run(*args, **kwargs)
>>>> File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
>>>> line 1150, in run
>>>> ds_sd_ndr = m['nTSecurityDescriptor'][0]
>>>>
>>>>
>>>> I tried to reinstall DC2, but then the problem extended itself to
>>>> DC2. I have the same problem on the fileservers.
>>>> I don't know where the problem is. Moreover, I have a second Samba
>>>> domain without this problem.
>>>>
>>>> Best regards,
>>>> Kevin
>>> Have you tried 'samba-tool ntacl sysvolreset'?
>>>
>>> Rowland
>>>
>>> PS Don't refer to your AD DC as a PDC, that is something else
>>> entirely ;-)
>>>
>>
>
> From the looks of it, you have modified one of the default Policies,
> this is not recommended. Try putting things back to the way they were
> and then create a new Policy.
>
> Rowland
>
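
Added example, not part of the thread and not Samba's own code: a small Python parser that diffs the two SDDL strings printed in the `sysvolcheck` error above, to show exactly which owner, group, DACL flag and ACE entries differ. It handles only the `O:`/`G:`/`D:` form with hex access masks seen in that error; the function names are made up for this example.

```python
import re

# SDDL strings copied from the sysvolcheck error quoted in the thread.
ON_DISK = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)"
           "(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)"
           "(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")

SDDL_RE = re.compile(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an owner/group/DACL-only SDDL string into its parts."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, dacl_flags, ace_blob = m.groups()
    aces = {}
    for body in re.findall(r"\(([^)]*)\)", ace_blob):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, ace_flags, rights, _obj, _inh, trustee = fields
        # Hex masks only; duplicate ACEs for one trustee collapse in the set.
        aces.setdefault(trustee, set()).add((ace_type, ace_flags, int(rights, 16)))
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}

def diff_sddl(actual, expected):
    """Return a list of human-readable differences between two SDDL strings."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = []
    for key in ("owner", "group", "dacl_flags"):
        if a[key] != e[key]:
            out.append("%s: %r != expected %r" % (key, a[key], e[key]))
    for trustee in sorted(set(a["aces"]) | set(e["aces"])):
        have, want = a["aces"].get(trustee), e["aces"].get(trustee)
        if have is None:
            out.append("missing ACE for %s" % trustee)
        elif want is None:
            out.append("unexpected ACE for %s" % trustee)
        elif have != want:
            out.append("ACE for %s differs" % trustee)
    return out

if __name__ == "__main__":
    print("\n".join(diff_sddl(ON_DISK, EXPECTED)))
```

For these two strings the diff reports a different owner and group, the missing `P` (protected) DACL flag, an ACE for `BA` that is not expected, no ACE for `CO`, and inheritance flags (`OICI`) absent on every shared trustee.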