On 2017-08-24 13:00, Rowland Penny via samba wrote:
> On Thu, 24 Aug 2017 12:41:36 +0200
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>
>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>>> On Thu, 24 Aug 2017 12:03:42 +0200
>>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>>>
>>>> Where does the error come from, and why doesn't sysvolreset fix it?
>>>
>>> Mainly because (from my testing) sysvolcheck/sysvolreset is broken.
>>> I do not write 'C' code and the problem seems to be in set_nt_acl
>>> from source3/smbd/posix_acls.c
>>> It doesn't set the correct ACL.
>>>
>>> I have opened a bug for this:
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=12924
>>
>> Ah, crap.
>
> I actually used worse words when I found out why I couldn't get my work
> on the python code to work. ;-)
>
>>> Even when this gets fixed, the python code will need work, because
>>> it doesn't do what windows does, also anybody who has set a
>>> gidNumber on Domain Admins, will need to remove it, the group needs
>>> to own things in sysvol and with a gidNumber it cannot.
>>
>> Does this apply only to sysvolreset or also when fixing ACLs from
>> Windows?
>
> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> idmap.ldb, this makes it able to own files and dirs in sysvol. The
> moment you give 'Domain Admins' a gidNumber, you break this mapping and
> the group becomes just a group and cannot own anything on a Unix
> machine, so my recommendation is to not give the group a gidNumber,
> create another group 'Unix Admins', give this group a gidNumber and
> make this group a member of 'Domain Admins'

Does removing the gidNumber retroactively allow it to work?

(That is, once I figured out how to reset the ACLs from within Windows.)

>>> The recommendation at the moment is to not use either sysvolreset or
>>> sysvolcheck. Do everything from windows.
>>
>> I presume with this?
>>
>>> https://support.microsoft.com/en-us/help/2838154/-permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-t
>>
>> Or some other way?
>
> Not sure, I actually don't use GPOs ;-)
> Louis is your man, he is the expert here.
>
> Rowland

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
On Thu, 24 Aug 2017 14:15:53 +0200
Sven Schwedas via samba <samba at lists.samba.org> wrote:

> On 2017-08-24 13:00, Rowland Penny via samba wrote:
> [...]
> > On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> > idmap.ldb, this makes it able to own files and dirs in sysvol. The
> > moment you give 'Domain Admins' a gidNumber, you break this mapping
> > and the group becomes just a group and cannot own anything on a Unix
> > machine, so my recommendation is to not give the group a gidNumber,
> > create another group 'Unix Admins', give this group a gidNumber and
> > make this group a member of 'Domain Admins'
>
> Does removing the gidNumber retroactively allow it to work?
>
> (That is, once I figured out how to reset the ACLs from within
> Windows.)

It should, idmap.ldb works on a first come basis, so the next time Domain
Admins connects it should get issued with a new xidNumber.

Rowland
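The exchange above turns on how the DC maps 'Domain Admins': an ID_TYPE_BOTH record in idmap.ldb lets the group own files in sysvol, a gidNumber on the group breaks that, and after the gidNumber is removed idmap.ldb issues a fresh xidNumber on the next connect. The shell check below is an added example, not from this thread and not part of Samba's tooling. It parses LDIF text of the shape `ldbsearch` prints for a group record from sam.ldb and for the sidMap records in idmap.ldb and flags a group that carries a gidNumber. All records, the domain SID, the xidNumber values and the function names are constructed for the example; on a real DC the input would come from `ldbsearch -H /var/lib/samba/private/sam.ldb '(sAMAccountName=Domain Admins)' objectSid gidNumber` and `ldbsearch -H /var/lib/samba/private/idmap.ldb '(objectClass=sidMap)'`.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: check whether an AD
# group that idmap.ldb maps as ID_TYPE_BOTH has also been given a
# gidNumber (Rowland's warning above). Input is LDIF text of the kind
# ldbsearch prints; every record below is constructed sample data.

# Constructed sam.ldb record for 'Domain Admins' (RID 512), no gidNumber.
SAMPLE_DOMAIN_ADMINS_CLEAN='dn: CN=Domain Admins,CN=Users,DC=intern,DC=domain,DC=tld
sAMAccountName: Domain Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512'

# The same group after somebody set a gidNumber on it.
SAMPLE_DOMAIN_ADMINS_GID="$SAMPLE_DOMAIN_ADMINS_CLEAN
gidNumber: 10512"

# Constructed 'Unix Admins' group that has never connected, so idmap.ldb
# holds no record for it yet (one is issued on first use).
SAMPLE_UNIX_ADMINS='dn: CN=Unix Admins,CN=Users,DC=intern,DC=domain,DC=tld
sAMAccountName: Unix Admins
objectSid: S-1-5-21-1111111111-2222222222-3333333333-1105
gidNumber: 10000'

# Constructed idmap.ldb sidMap records, one paragraph each as ldbsearch
# prints them. The RID 5120 record comes first on purpose: a prefix match
# on "-512" would pick the wrong record.
SAMPLE_IDMAP='dn: CN=S-1-5-21-1111111111-2222222222-3333333333-5120
cn: S-1-5-21-1111111111-2222222222-3333333333-5120
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-5120
type: ID_TYPE_BOTH
xidNumber: 3000007

dn: CN=S-1-5-21-1111111111-2222222222-3333333333-512
cn: S-1-5-21-1111111111-2222222222-3333333333-512
objectClass: sidMap
objectSid: S-1-5-21-1111111111-2222222222-3333333333-512
type: ID_TYPE_BOTH
xidNumber: 3000000'

# ldif_attr <attribute> <ldif-text>: first value of one attribute, or empty.
ldif_attr() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p" | head -n 1
}

# idmap_record <sid> <idmap-ldif>: the sidMap paragraph whose objectSid
# is exactly <sid> (the record is matched as a whole line, not a prefix).
idmap_record() {
    printf '%s\n' "$2" | awk -v sid="$1" 'BEGIN { RS = "" }
        index($0 "\n", "objectSid: " sid "\n") { print; exit }'
}

# group_idmap_status <group-ldif> <idmap-ldif>
# Prints one line beginning with OK, WARN-gidNumber or UNMAPPED and
# returns 0, 1 or 2 respectively.
group_idmap_status() {
    name=$(ldif_attr sAMAccountName "$1")
    sid=$(ldif_attr objectSid "$1")
    gidnum=$(ldif_attr gidNumber "$1")
    rec=$(idmap_record "$sid" "$2")
    if [ -z "$rec" ]; then
        printf 'UNMAPPED %s: no idmap.ldb record yet for %s (issued on first connect)\n' "$name" "$sid"
        return 2
    fi
    idtype=$(ldif_attr type "$rec")
    xid=$(ldif_attr xidNumber "$rec")
    if [ -n "$gidnum" ]; then
        # Per Rowland: the gidNumber wins, the group is now only a Unix group and
        # can no longer own files in sysvol, whatever idmap.ldb still says.
        printf 'WARN-gidNumber %s: gidNumber=%s overrides %s xidNumber=%s, group cannot own sysvol files\n' \
            "$name" "$gidnum" "$idtype" "$xid"
        return 1
    fi
    printf 'OK %s: %s xidNumber=%s\n' "$name" "$idtype" "$xid"
}

# Run the three constructed cases.
group_idmap_status "$SAMPLE_DOMAIN_ADMINS_CLEAN" "$SAMPLE_IDMAP"
group_idmap_status "$SAMPLE_DOMAIN_ADMINS_GID" "$SAMPLE_IDMAP" ||
    echo " -> remove the gidNumber; idmap.ldb issues a fresh xidNumber on the next connect"
group_idmap_status "$SAMPLE_UNIX_ADMINS" "$SAMPLE_IDMAP" || true
```

The check deliberately matches the whole `objectSid:` line rather than a substring, since RIDs such as 512 and 5120 share a prefix; the ordering of the sample records exercises that.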
Hai,

To recover from that problem, read:

The "Why" I setup like this.
http://lists-archives.com/samba/106301-can-t-create-update-group-policy-in-samba-4-6-5.html

And how to fix.
http://lists-archives.com/samba/106333-can-t-create-update-group-policy-in-samba-4-6-5.html

Note on this last link, the part:

A good tip to restore the defaults with samba-tool without errors.

move your domain folder out of the /var/lib/samba/sysvol folder.
mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else.
mkdir /var/lib/samba/sysvol/intern.domain.tld   <<<<<<<<<< you must have an empty folder for the next command.
And run samba-tool ntacl sysvolreset

----

Good luck, if you need more help, you know where to find us. ;-)
( ps, when it's all done, DON'T run samba-tool ntacl sysvolreset again, never ever )
Until this bug is fixed.

( more GPO tips, google: https://www.google.nl/search?q=samba+L.P.H.+van+belle+GPO&source=lnt&tbs=qdr:y&sa=X&ved=0ahUKEwiknfbu-O_VAhXFh7QKHTa6DGoQpwUIHg&biw=1680&bih=853 )

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Thursday 24 August 2017 14:42
> To: samba at lists.samba.org
> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>
> [...]
>
> It should, idmap.ldb works on a first come basis, so the next
> time Domain Admins connects it should get issued with a new xidNumber.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
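Louis's recipe is three commands: move the domain folder out of the sysvol share, recreate it empty, run `samba-tool ntacl sysvolreset`. Run by hand, a failing reset leaves the share empty with the policies sitting "somewhere else". The function below is an added example, not Louis's commands and not part of Samba, that wraps the same three steps so the original tree is moved to a timestamped name in a backup directory of your choosing and put back if the reset fails. `sysvol_reset_recovery` and its arguments are assumptions; the optional fourth argument names the command to run in place of `samba-tool`, which is what lets the function be exercised against a scratch directory. What to do with the saved tree after a successful reset is outside what the post covers.

```shell
#!/bin/sh
# Added example, not Louis's own commands: his recovery recipe (move the
# domain folder aside, recreate it empty, run "samba-tool ntacl
# sysvolreset") with the original tree kept and restored on failure.

# sysvol_reset_recovery <sysvol-root> <realm> <backup-dir> [samba-tool-command]
#   Returns 0 and prints the backup path on success, 1 if the reset (or a
#   move) failed and the original tree was put back, 2 on bad arguments.
#   <backup-dir> should be outside the sysvol share, ideally on the same
#   filesystem so the move keeps the existing xattrs/ACLs intact.
sysvol_reset_recovery() {
    root=$1
    realm=$2
    backupdir=$3
    tool=${4:-samba-tool}
    domdir="$root/$realm"
    backup="$backupdir/$realm.pre-reset.$(date +%Y%m%d%H%M%S)"

    if [ ! -d "$domdir" ]; then
        echo "no such domain folder: $domdir" >&2
        return 2
    fi
    if [ ! -d "$backupdir" ] || [ -e "$backup" ]; then
        echo "backup location unusable: $backup" >&2
        return 2
    fi

    # 1. move the populated domain folder out of the sysvol share
    mv "$domdir" "$backup" || return 1

    # 2. sysvolreset wants the (now empty) domain folder to exist
    if ! mkdir "$domdir"; then
        mv "$backup" "$domdir"
        return 1
    fi

    # 3. run the reset; on failure put the original tree back so the
    #    share is never left empty (the failure Sven hits further down)
    if ! "$tool" ntacl sysvolreset; then
        rmdir "$domdir" && mv "$backup" "$domdir"
        echo "sysvolreset failed, original tree restored to $domdir" >&2
        return 1
    fi

    # print where the original tree went so the caller can work from it
    printf '%s\n' "$backup"
}

# On a real DC (paths from the post, backup directory is an assumption):
#   sysvol_reset_recovery /var/lib/samba/sysvol intern.domain.tld /root/sysvol-backup
```

The stand-in tool argument is only for dry runs: passing `true` simulates a reset that succeeds and `false` one that fails, which is how the restore path can be checked before touching a DC.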
On 2017-08-24 15:13, L.P.H. van Belle via samba wrote:
> Hai,
>
> To recover from that problem, read :
> The "Why" i setup like this.
> http://lists-archives.com/samba/106301-can-t-create-update-group-policy-in-samba-4-6-5.html
>
> And howto fix.
> http://lists-archives.com/samba/106333-can-t-create-update-group-policy-in-samba-4-6-5.html
> Note on this last link, the part.:

Okay, I set up `acl_xattr:ignore system acls = yes` and restarted the DC.

> A good tip to restore the defaults with samba-tool without errors.
>
> move you domain folder out of the /var/lib/samba/sysvol folder.
> mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else.
> mkdir /var/lib/samba/sysvol/intern.domain.tld <<<<<<<<<< you must have an empty folder for the next command.
> And run samba-tool ntacl sysvolreset

…and did that. Alas:

> root at graz-dc-1b:/var/lib/samba# ls -l /var/lib/samba/sysvol/ad.tao.at/
> total 0
> root at graz-dc-1b:/var/lib/samba# samba-tool ntacl sysvolreset
> open: error=2 (No such file or directory)
> ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
>     lp, use_ntvfs=use_ntvfs)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
>     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
>     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
>   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
>     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

Would've been too easy, wouldn't it?

> ----
>
> Good luck, if you need more help, you know where to find us. ;-)
> ( ps, when its all done, DONT run samba-tool ntacl sysvolreset again, never ever )
> Until this bug is fixed.
>
> ( more GPO tips, google: https://www.google.nl/search?q=samba+L.P.H.+van+belle+GPO&source=lnt&tbs=qdr:y&sa=X&ved=0ahUKEwiknfbu-O_VAhXFh7QKHTa6DGoQpwUIHg&biw=1680&bih=853 )
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>> Rowland Penny via samba
>> Sent: Thursday 24 August 2017 14:42
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>>
>> [...]

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
Ok, rechecked this, you're correct. This did work fine.
I'm now at samba 4.6.7, you?
This worked until (last I checked) 4.6.5 :-(( now sysvolreset is totally broken. :-((
New thing for my ToDo list..

Try this script, the rights are my defaults "after a sysvol reset".
Place the script somewhere within /var/lib/samba, preferred that location.
Run it with: bash script.sh sysvol/
! Check the group numbers and make sure you match yours.
Then at least your rights are correct again.

After this, go to your GPO manager, click every GPO, you get a message, click ok.

Greetz,

Louis

## SCRIPT
#!/bin/bash
#
# backup rights, recursive
#getfacl -R /var/www > permissions.acl
# restore rights
#setfacl --restore=permissions.acl
# mkdir -m 700 Manager
# setfacl -m d:g:manager:rwx,g:manager:rwx Manager
# copy the acl
#getfacl basefile | setfacl -b -M - targetfile
# other examples:
# http://www.calculate-linux.org/main/en/setting_filesystem_acl

# Template in getfacl output format. \134 is getfacl's octal escape for a
# backslash and \040 for a space (BUILTIN\administrators, BUILTIN\server operators).
# The numeric entries (3000002, 3000003) are the xidNumbers from this DC's
# idmap.ldb: replace them with yours before running.
RIGHTSFILE="default-rights-sysvol.acl"

# Quoted delimiter so the backslash escapes reach the file untouched.
cat << 'EOF' > "${RIGHTSFILE}"
# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
EOF

# A target directory is required; the original only printed the message
# and carried on, the exit is the fix.
if [ -z "$1" ]; then
    echo "You need to assign the folder to set the default rights to"
    echo "We don't set the rights recursive! that can mess up current websites.."
    echo "exiting now .. "
    exit 1
fi

# Refuse anything that looks like a system directory. This also rejects the
# absolute /var/lib/samba/sysvol path, which is why the script is run from
# /var/lib/samba with the relative path sysvol/.
if echo "$1" | grep -Eq "/bin|/boot|/dev|/etc|/home|/lib|/lib64|/media|/mnt|/opt|/proc|/root|/run|/sbin|/srv|/sys|/tmp|/usr|/var"; then
    echo "Warning, detected unsafe change, exiting now. "
    exit 1
fi

if [ ! -d "$1" ]; then
    echo "Error, directory does not exist, exiting now."
    exit 1
else
    # -b strips the existing ACLs, then the template is applied recursively
    setfacl -R -b --modify-file "$RIGHTSFILE" "$1"
    setfacl -R -m default:user:root:rwx "$1"
    setfacl -R -m default:group:"BUILTIN\134administrators":rwx "$1"
fi
## SCRIPT END

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven
> Schwedas via samba
> Sent: Thursday 24 August 2017 15:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>
> [...]
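Louis's script writes a getfacl-format template and asks you to check that the numeric entries match your own idmap numbers before applying it. The shell check below is an added example, neither Louis's script nor Samba code: it reads such a template, lists the numeric uids/gids it references, verifies each against a list of xidNumbers you pass in, decodes the `\134`/`\040` escapes in the named principals so you can see who they are, and confirms that `other` stays at `---` in both the access and the default ACL. The template is the one from the script above, the xid values 3000002 and 3000003 are taken from it, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Louis's script and not Samba code: sanity-check a
# getfacl-format template before handing it to setfacl.

# The template from the script above. \134 is getfacl's octal escape for
# '\' and \040 for a space, so BUILTIN\134server\040operators is
# "BUILTIN\server operators"; 3000002/3000003 are that DC's xidNumbers.
SAMPLE_ACL_TEMPLATE='# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---'

# acl_numeric_principals <template-text>: distinct numeric uids/gids the
# template names (the "group numbers" Louis says to check).
acl_numeric_principals() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ { next }
        { kind = $1; id = $2 }
        $1 == "default" { kind = $2; id = $3 }
        (kind == "user" || kind == "group") && id ~ /^[0-9]+$/ { print id }' | sort -u
}

# acl_principal_names <template-text>: named principals with the getfacl
# octal escapes decoded back to a backslash and a space.
acl_principal_names() {
    printf '%s\n' "$1" | awk -F: '
        /^#/ { next }
        { kind = $1; id = $2 }
        $1 == "default" { kind = $2; id = $3 }
        (kind == "user" || kind == "group") && id != "" && id !~ /^[0-9]+$/ { print id }' \
      | sed 's/\\134/\\/g; s/\\040/ /g' | sort -u
}

# acl_template_check <template-text> <known-xid>...: returns 0 when every
# numeric principal is in the known list and "other" gets no access in
# both the access and the default ACL; prints one line per problem.
acl_template_check() {
    tpl=$1
    shift
    known=" $* "
    status=0
    for id in $(acl_numeric_principals "$tpl"); do
        case "$known" in
            *" $id "*) ;;
            *) echo "xid $id is not in your idmap list: fix the template before applying it"
               status=1 ;;
        esac
    done
    for entry in 'other::---' 'default:other::---'; do
        printf '%s\n' "$tpl" | grep -qx "$entry" ||
            { echo "missing '$entry': everyone else would get access"; status=1; }
    done
    return $status
}

# Run against the constructed template with the right and a short xid list.
acl_template_check "$SAMPLE_ACL_TEMPLATE" 3000002 3000003 && echo "template OK for xids 3000002 3000003"
acl_template_check "$SAMPLE_ACL_TEMPLATE" 3000002 || echo " -> adjust the template to your idmap.ldb numbers"
```

The xid list you pass in is whatever `wbinfo --sid-to-gid` or the idmap.ldb records on your DC say for the groups that should own sysvol; the check cannot resolve them offline, it only catches a template copied from another DC.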