Ok, rechecked this, you're correct. This did work fine.

I'm now at samba 4.6.7, you?
This worked until ( last I checked ) 4.6.5 :-(( now sysvolreset is totally broken. :-((
New thing for my ToDo list..

Try this script, the rights are my defaults "after a sysvol reset"
Place the script somewhere within /var/lib/samba
Preferred that location.
Run it with : bash script.sh sysvol/
! Check the group numbers and make sure you match yours.
Then at least your rights are correct again.
After this, go to your GPO manager, click every GPO, you get a message, click ok.

Greetz,

Louis

## SCRIPT
#!/bin/bash
#
# backup rights, recursive
#getfacl -R /var/www > permissions.acl
# restore rights
#setfacl --restore=permissions.acl
# mkdir -m 700 Manager
# setfacl -m d:g:manager:rwx,g:manager:rwx Manager
# copy the acl
#getfacl basefile | setfacl -b -M - targetfile
# other examples:
# http://www.calculate-linux.org/main/en/setting_filesystem_acl

# Default sysvol rights in getfacl format. \134 is getfacl's escape for a
# backslash and \040 for a space; setfacl decodes them again.
# 3000002 and 3000003 are xidNumbers from idmap.ldb on my DC, check yours
# with wbinfo before you use this file.
RIGHTSFILE="default-rights-sysvol.acl"

cat << EOF > ${RIGHTSFILE}
# file: sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
EOF

if [ -z "$1" ]; then
    echo "You need to assign the folder to set the default rights to"
    echo "The rights are set recursive on that folder! Check the path.."
    echo "exiting now .. "
    exit 1
fi

# Refuse system paths. This also matches /var/lib/samba/sysvol itself, which is
# why the script is run from /var/lib/samba with the relative path sysvol/
if [ $(echo "${1}" | egrep "/bin|/boot|/dev|/etc|/home|/lib|/lib64|/media|/mnt|/opt|/proc|/root|/run|/sbin|/srv|/sys|/tmp|/usr|/var" | wc -l ) -gt 0 ]; then
    echo "Warning, detected unsafe change, exiting now. "
    exit 1
fi

if [ ! -d "$1" ]; then
    echo "Error, directory does not exist, exiting now."
    exit 1
else
    # -b first strips all extended ACL entries, then the file is applied, recursively
    setfacl -R -b --modify-file "$RIGHTSFILE" "$1"
    setfacl -R -m default:user:root:rwx "$1"
    setfacl -R -m default:group:"BUILTIN\134administrators":rwx "$1"
fi
## SCRIPT END

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven Schwedas via samba
> Sent: Thursday, 24 August 2017 15:53
> To: samba at lists.samba.org
> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>
> On 2017-08-24 15:13, L.P.H. van Belle via samba wrote:
> > Hi,
> >
> > To recover from that problem, read :
> > The "Why" I setup like this.
> > http://lists-archives.com/samba/106301-can-t-create-update-group-policy-in-samba-4-6-5.html
> >
> > And how to fix.
> > http://lists-archives.com/samba/106333-can-t-create-update-group-policy-in-samba-4-6-5.html
> > Note on this last link, the part.:
>
> Okay, I set up `acl_xattr:ignore system acls = yes` and restarted the DC.
>
> > A good tip to restore the defaults with samba-tool without errors.
> >
> > move your domain folder out of the /var/lib/samba/sysvol folder.
> > mv /var/lib/samba/sysvol/intern.domain.tld to_somewhere else.
> > mkdir /var/lib/samba/sysvol/intern.domain.tld
> <<<<<<<<<< you must have an empty folder for the next command.
> > And run samba-tool ntacl sysvolreset
> ...and did that.
>
> Alas:
>
> > root at graz-dc-1b:/var/lib/samba# ls -l /var/lib/samba/sysvol/ad.tao.at/
> > total 0
> > root at graz-dc-1b:/var/lib/samba# samba-tool ntacl sysvolreset
> > open: error=2 (No such file or directory)
> > ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 239, in run
> >     lp, use_ntvfs=use_ntvfs)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1609, in setsysvolacl
> >     set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1502, in set_gpos_acl
> >     use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=SYSVOL_SERVICE)
> >   File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 162, in setntacl
> >     smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
>
> Would've been too easy, wouldn't it?
>
> > ----
> >
> >
> > Good luck, if you need more help, you know where to find us. ;-)
> > ( ps, when it's all done, DON'T run samba-tool ntacl sysvolreset again, never ever )
> > Until this bug is fixed.
> >
> > ( more GPO tips, google: https://www.google.nl/search?q=samba+L.P.H.+van+belle+GPO&source=lnt&tbs=qdr:y&sa=X&ved=0ahUKEwiknfbu-O_VAhXFh7QKHTa6DGoQpwUIHg&biw=1680&bih=853 )
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> >> Sent: Thursday, 24 August 2017 14:42
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
> >>
> >> On Thu, 24 Aug 2017 14:15:53 +0200
> >> Sven Schwedas via samba <samba at lists.samba.org> wrote:
> >>
> >>> On 2017-08-24 13:00, Rowland Penny via samba wrote:
> >>>> On Thu, 24 Aug 2017 12:41:36 +0200
> >>>> Sven Schwedas via samba <samba at lists.samba.org> wrote:
> >>>>
> >>>>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
> >>>>>> On Thu, 24 Aug 2017 12:03:42 +0200 Sven Schwedas via samba
> >>>>>> <samba at lists.samba.org> wrote:
> >>>>>>
> >>>>>>> Where does the error come from, and why doesn't sysvolreset fix it?
> >>>>>>
> >>>>>> Mainly because (from my testing) sysvolcheck/sysvolreset is
> >>>>>> broken. I do not write 'C' code and the problem seems to be in
> >>>>>> set_nt_acl from source3/smbd/posix_acls.c It doesn't set the
> >>>>>> correct ACL.
> >>>>>>
> >>>>>> I have opened a bug for this:
> >>>>>>
> >>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12924
> >>>>>
> >>>>> Ah, crap.
> >>>>
> >>>> I actually used worse words when I found out why I couldn't get my
> >>>> work on the python code to work. ;-)
> >>>>
> >>>>>> Even when this gets fixed, the python code will need work, because
> >>>>>> it doesn't do what windows does, also anybody who has set a
> >>>>>> gidNumber on Domain Admins, will need to remove it, the group
> >>>>>> needs to own things in sysvol and with a gidNumber it cannot.
> >>>>>
> >>>>> Does this apply only to sysvolreset or also when fixing ACLs from
> >>>>> Windows?
> >>>>
> >>>> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> >>>> idmap.ldb, this makes it able to own files and dirs in sysvol. The
> >>>> moment you give 'Domain Admins' a gidNumber, you break this mapping
> >>>> and the group becomes just a group and cannot own anything on a Unix
> >>>> machine, so my recommendation is to not give the group a gidNumber,
> >>>> create another group 'Unix Admins', give this group a gidNumber and
> >>>> make this group a member of 'Domain Admins'
> >>>
> >>> Does removing the gidNumber retroactively allow it to work?
> >>>
> >>> (That is, once I figured out how to reset the ACLs from within
> >>> Windows.)
> >>>
> >>
> >> It should, idmap.ldb works on a first come basis, so the next
> >> time Domain Admins connects it should get issued with a new xidNumber.
> >>
> >> Rowland
> >>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >>
> >
> >
>
> --
> Best Regards,
> Sven Schwedas, Systemadministrator
> Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
> TAO Digital | Lendplatz 45 | A8020 Graz
> https://www.tao-digital.at | Tel +43 680 301 7167
>
On Thu, 24 Aug 2017 16:37:26 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Ok, rechecked this, you're correct. This did work fine.
>
> I'm now at samba 4.6.7, you?
> This worked until ( last I checked ) 4.6.5 :-(( now sysvolreset is
> totally broken. :-(( New thing for my ToDo list..
>

It should still work, the python code hasn't changed (as far as I am aware)

>
> Try this script, the rights are my defaults "after a sysvol reset"
> Place the script somewhere within /var/lib/samba
> Preferred that location.
> Run it with : bash script.sh sysvol/
> ! Check the group numbers and make sure you match yours.
> Then at least your rights are correct again.
> After this, go to your GPO manager, click every GPO, you get a message,
> click ok.
>

It might help if you said who '3000002' & '3000003' are on your DC ;-)

Rowland
On 2017-08-24 16:37, L.P.H. van Belle via samba wrote:
> Ok, rechecked this, you're correct. This did work fine.
>
> I'm now at samba 4.6.7, you?

4.5.8 still, but I guess updating won't help?

> This worked until ( last I checked ) 4.6.5 :-(( now sysvolreset is totally broken. :-((
> New thing for my ToDo list..
>
>
> Try this script, the rights are my defaults "after a sysvol reset"
> Place the script somewhere within /var/lib/samba
> Preferred that location.
> Run it with : bash script.sh sysvol/
> ! Check the group numbers and make sure you match yours.

Which groups are 3000002 and 3000003 supposed to be?

> Then at least your rights are correct again.
> After this, go to your GPO manager, click every GPO, you get a message, click ok.
>
> Greetz,
> Louis

--
Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
Ah, yes, oops sorry, and I did run out of the office yesterday, so didn't see this..

3000002:rwx
3000003:r-x

wbinfo --uid-to-sid=3000003
S-1-5-11
wbinfo --uid-to-sid=3000002
S-1-5-18

wbinfo --sid-to-name=S-1-5-11
NT AUTHORITY\Authenticated Users 5

wbinfo --sid-to-name=S-1-5-18
NT AUTHORITY\SYSTEM 5

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Sven Schwedas via samba
> Sent: Thursday, 24 August 2017 17:00
> To: samba at lists.samba.org
> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>
> On 2017-08-24 16:37, L.P.H. van Belle via samba wrote:
> > Ok, rechecked this, you're correct. This did work fine.
> >
> > I'm now at samba 4.6.7, you?
>
> 4.5.8 still, but I guess updating won't help?
>
> > This worked until ( last I checked ) 4.6.5 :-(( now sysvolreset is
> > totally broken. :-(( New thing for my ToDo list..
> >
> >
> > Try this script, the rights are my defaults "after a sysvol reset"
> > Place the script somewhere within /var/lib/samba
> > Preferred that location.
> > Run it with : bash script.sh sysvol/
> > ! Check the group numbers and make sure you match yours.
>
> Which groups are 3000002 and 3000003 supposed to be?
>
> > Then at least your rights are correct again.
> > After this, go to your GPO manager, click every GPO, you get a message, click ok.
> >
> > Greetz,
> > Louis
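As an added example (not Samba code and not part of Louis's script): a small Python check that parses a getfacl-style rights file like the one in the script, pulls out the numeric xids, resolves each through wbinfo the way Louis did, and compares the result with the SIDs he reported (3000002 = S-1-5-18, 3000003 = S-1-5-11), so the file is only applied on a DC where those numbers mean the same thing. The wbinfo calls and the two stand-in resolvers are assumptions constructed for this example, and the sample ACL is a constructed excerpt of the rights file.

```python
"""Check the numeric xids in a getfacl-style rights file against the SIDs they are
meant to stand for before the file is fed to setfacl on another DC. Added example
for this thread: not Samba code and not part of the script posted above."""
import re
import subprocess
from typing import Callable, Dict, Optional, Tuple

# Louis's wbinfo output: xid 3000002 is NT AUTHORITY\SYSTEM, 3000003 is
# NT AUTHORITY\Authenticated Users. idmap.ldb allocates xids first come first
# served, so another DC may have given the same numbers to different SIDs.
EXPECTED_SIDS = {"3000002": "S-1-5-18", "3000003": "S-1-5-11"}

# Constructed excerpt of the rights file from the script (getfacl format).
SAMPLE_ACL = """\
# file: sysvol
user::rwx
user:BUILTIN\\134administrators:rwx
user:3000002:rwx
user:3000003:r-x
group:3000002:rwx
group:3000003:r-x
default:user:3000002:rwx
"""

ACL_ENTRY_RE = re.compile(r"^(?:default:)?(user|group):([^:]*):([rwx-]{3})$")
# resolver(kind, xid) -> (sid, name); None where winbind could not answer
Resolver = Callable[[str, str], Tuple[Optional[str], Optional[str]]]

def numeric_ids(acl_text: str) -> Dict[str, list]:
    """Numeric user/group qualifiers in file order, without duplicates. '#'
    comments are dropped; owner, mask and other entries have no qualifier."""
    found: Dict[str, list] = {"user": [], "group": []}
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = ACL_ENTRY_RE.match(line) if line else None
        if match:
            kind, qualifier, _perms = match.groups()
            if qualifier.isdigit() and qualifier not in found[kind]:
                found[kind].append(qualifier)
    return found

def _wbinfo(arg: str) -> Optional[str]:
    """One wbinfo query; None if wbinfo is absent or the lookup fails."""
    try:
        proc = subprocess.run(["wbinfo", arg], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return (proc.stdout.strip() or None) if proc.returncode == 0 else None

def wbinfo_resolver(kind: str, xid: str) -> Tuple[Optional[str], Optional[str]]:
    """The two lookups Louis ran: xid -> SID, then SID -> name."""
    flag = "--uid-to-sid" if kind == "user" else "--gid-to-sid"
    sid = _wbinfo(f"{flag}={xid}")
    if sid is None:
        return None, None
    return sid, _wbinfo(f"--sid-to-name={sid}")  # e.g. "NT AUTHORITY\\SYSTEM 5"

def check_acl(acl_text: str, resolver: Resolver = wbinfo_resolver,
              expected: Dict[str, str] = EXPECTED_SIDS) -> Dict[str, dict]:
    """Grade every numeric xid: ok, mismatch (maps to another SID here),
    unresolved (no SID at all), name-lookup-failed (right SID but winbind cannot
    name it, the WBC_ERR_DOMAIN_NOT_FOUND case) or unknown (no expectation)."""
    report: Dict[str, dict] = {}
    for kind in ("user", "group"):
        for xid in numeric_ids(acl_text)[kind]:
            sid, name = resolver(kind, xid)
            want = expected.get(xid)
            if sid is None:
                status = "unresolved"
            elif want is None:
                status = "unknown"
            elif sid != want:
                status = "mismatch"
            elif name is None:
                status = "name-lookup-failed"
            else:
                status = "ok"
            report[f"{kind}:{xid}"] = {"sid": sid, "name": name,
                                       "expected": want, "status": status}
    return report

def safe_to_apply(report: Dict[str, dict]) -> bool:
    """Apply the file only when every numeric entry resolved to the intended SID."""
    return bool(report) and all(r["status"] == "ok" for r in report.values())

# Constructed stand-ins for wbinfo so the check can be exercised offline.
_LOUIS_DC = {"3000002": ("S-1-5-18", "NT AUTHORITY\\SYSTEM 5"),
             "3000003": ("S-1-5-11", "NT AUTHORITY\\Authenticated Users 5")}

def louis_dc_resolver(kind: str, xid: str) -> Tuple[Optional[str], Optional[str]]:
    return _LOUIS_DC.get(xid, (None, None))

def other_dc_resolver(kind: str, xid: str) -> Tuple[Optional[str], Optional[str]]:
    """DC where 3000002 went to a domain group and S-1-5-11 has no name."""
    if xid == "3000002":
        return "S-1-5-21-1111-2222-3333-1105", "EXAMPLE\\unix admins 2"
    if xid == "3000003":
        return "S-1-5-11", None
    return None, None
```

On a DC, `check_acl(open("default-rights-sysvol.acl").read())` uses the real wbinfo; the two stand-in resolvers only show what the report looks like when the numbers match and when they do not.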
> root at graz-dc-sem.ad.tao.at# wbinfo --sid-to-name=S-1-5-11
> failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> Could not lookup sid S-1-5-11

So how fucked is my domain?

On 2017-08-25 08:09, L.P.H. van Belle via samba wrote:
> Ah, yes, oops sorry, and I did run out of the office yesterday, so didn't see this..
>
> 3000002:rwx
> 3000003:r-x
>
> wbinfo --uid-to-sid=3000003
> S-1-5-11
> wbinfo --uid-to-sid=3000002
> S-1-5-18
>
> wbinfo --sid-to-name=S-1-5-11
> NT AUTHORITY\Authenticated Users 5
>
> wbinfo --sid-to-name=S-1-5-18
> NT AUTHORITY\SYSTEM 5
>
> Greetz,
>
> Louis
>>>>> >>>>> ( more GPO tips, google: >>>> https://www.google.nl/search?q=samba+L.P.H.+van+belle+GPO&sour >>> ce=lnt&tbs=qdr:y&sa=X&ved=0ahUKEwiknfbu-> >>> O_VAhXFh7QKHTa6DGoQpwUIHg&biw=1680&bih=853 ) >>>>> >>>>> >>>>> >>>>> Greetz, >>>>> >>>>> Louis >>>>> >>>>>> -----Oorspronkelijk bericht----- >>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland >>>>>> Penny via samba >>>>>> Verzonden: donderdag 24 augustus 2017 14:42 >>>>>> Aan: samba at lists.samba.org >>>>>> Onderwerp: Re: [Samba] sysvolreset doesn't reset all ACLs >>>>>> >>>>>> On Thu, 24 Aug 2017 14:15:53 +0200 >>>>>> Sven Schwedas via samba <samba at lists.samba.org> wrote: >>>>>> >>>>>>> On 2017-08-24 13:00, Rowland Penny via samba wrote: >>>>>>>> On Thu, 24 Aug 2017 12:41:36 +0200 Sven Schwedas via samba >>>>>>>> <samba at lists.samba.org> wrote: >>>>>>>> >>>>>>>>> On 2017-08-24 12:27, Rowland Penny via samba wrote: >>>>>>>>>> On Thu, 24 Aug 2017 12:03:42 +0200 Sven Schwedas via samba >>>>>>>>>> <samba at lists.samba.org> wrote: >>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Where does the error come from, and why doesn't >>>>>> sysvolreset fix >>>>>>>>>>> it? >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Mainly because (from my testing) sysvolcheck/sysvolreset is >>>>>>>>>> broken. I do not write 'C' code and the problem >> seems to be in >>>>>>>>>> set_nt_acl from source3/smbd/posix_acls.c It doesn't set the >>>>>>>>>> correct ACL. >>>>>>>>>> >>>>>>>>>> I have opened a bug for this: >>>>>>>>>> >>>>>>>>>> https://bugzilla.samba.org/show_bug.cgi?id=12924 >>>>>>>>> >>>>>>>>> Ah, crap. >>>>>>>> >>>>>>>> I actually used worse words when I found out why I >>>>>> couldn't get my >>>>>>>> work on the python code to work. 
;-) >>>>>>>> >>>>>>>>> >>>>>>>>>> Even when this gets fixed, the python code will need >>>>>> work, because >>>>>>>>>> it doesn't do what windows does, also anybody who has set a >>>>>>>>>> gidNumber on Domain Admins, will need to remove it, >> the group >>>>>>>>>> needs to own things in sysvol and with a gidNumber it cannot. >>>>>>>>> >>>>>>>>> Does this apply only to sysvolreset or also when fixing >>>>>> ACLs from >>>>>>>>> Windows? >>>>>>>> >>>>>>>> On a Samba AD DC, 'Domain Admins' is mapped to >> 'ID_TYPE_BOTH' in >>>>>>>> idmap.ldb, this makes it able to own files and dirs in >>>>>> sysvol. The >>>>>>>> moment you give 'Domain Admins' a gidNumber, you break >>>>>> this mapping >>>>>>>> and the group becomes just a group and cannot own >>>>>> anything on a Unix >>>>>>>> machine, so my recommendation is to not give the group a >>>>>> gidNumber, >>>>>>>> create another group 'Unix Admins' ? give this group a >>>>>> gidNumber and >>>>>>>> make this group a member of 'Domain Admins' >>>>>>> >>>>>>> Does removing the gidNumber retroactively allow it to work? >>>>>>> >>>>>>> (That is, once I figured out how to reset the ACLs from within >>>>>>> Windows.) >>>>>>> >>>>>> >>>>>> It should, idmap.ldb works on a first come basis, so the >> next time >>>>>> Domain Admins connects it should get issued with a >>>> new xidNumber. 
>>>>>> >>>>>> Rowland >>>>>> >>>>>> -- >>>>>> To unsubscribe from this list go to the following URL >> and read the >>>>>> instructions: https://lists.samba.org/mailman/options/samba >>>>>> >>>>> >>>>> >>>> >>>> -- >>>> Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, >>>> Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype >>>> sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz >>>> https://www.tao-digital.at | Tel +43 680 301 7167 >>>> >>>> -- >>>> To unsubscribe from this list go to the following URL and read the >>>> instructions: https://lists.samba.org/mailman/options/samba >>>> >>> >>> >> >> -- >> Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, >> Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype >> sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz >> https://www.tao-digital.at | Tel +43 680 301 7167 >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > >-- Mit freundlichen Grüßen, / Best Regards, Sven Schwedas, Systemadministrator Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas TAO Digital | Lendplatz 45 | A8020 Graz https://www.tao-digital.at | Tel +43 680 301 7167
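The numbers 3000002 and 3000003 in the posted script are xidNumbers that idmap.ldb hands out on a first-come basis, so they differ from DC to DC; Louis's wbinfo output shows them mapping to S-1-5-18 (NT AUTHORITY\SYSTEM) and S-1-5-11 (Authenticated Users) on his installation. The script below is an added example, not the script from the thread and not Samba tooling: it builds the same ACL spec but asks winbind for the local ids of those two well-known SIDs at run time, and it replaces the egrep "unsafe path" guard (which rejects any path containing /var, including the real sysvol path) with a check that the target resolves to a directory under the sysvol root. It assumes that `wbinfo --sid-to-uid=SID` and `--sid-to-gid=SID` print a bare number on success, that both SIDs are ID_TYPE_BOTH so one number serves as uid and gid (as the posted spec uses it), and that sysvol is /var/lib/samba/sysvol unless SYSVOL is set. The WBINFO variable exists so the lookup can be pointed at a stub for offline testing.

```bash
#!/bin/bash
# Added example, not the script from the thread: same sysvol ACL spec, but
# the ids of NT AUTHORITY\SYSTEM (S-1-5-18) and Authenticated Users
# (S-1-5-11) are resolved through winbind instead of hard-coding
# 3000002/3000003, which are per-installation xidNumbers.
# Assumptions: wbinfo --sid-to-uid/--sid-to-gid print a bare number on
# success; both SIDs are ID_TYPE_BOTH so one number serves as uid and gid;
# sysvol is /var/lib/samba/sysvol unless SYSVOL is set. WBINFO may point
# at a stub function for offline testing.

WBINFO="${WBINFO:-wbinfo}"
SYSVOL="${SYSVOL:-/var/lib/samba/sysvol}"
SID_SYSTEM="S-1-5-18"       # NT AUTHORITY\SYSTEM
SID_AUTH_USERS="S-1-5-11"   # NT AUTHORITY\Authenticated Users

# resolve_xid SID uid|gid: print the mapped id; fail if winbind cannot map it
resolve_xid() {
    xid="$("$WBINFO" "--sid-to-$2=$1" 2>/dev/null)" || return 1
    case "$xid" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: no usable mapping
    esac
    printf '%s\n' "$xid"
}

# build_acl_spec: print the posted entries in getfacl format for setfacl -M
# (\134 is a backslash and \040 a space, the escaping getfacl itself emits)
build_acl_spec() {
    sys_id="$(resolve_xid "$SID_SYSTEM" uid)" || return 1
    auth_id="$(resolve_xid "$SID_AUTH_USERS" gid)" || return 1
    cat <<EOF
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:${sys_id}:rwx
user:${auth_id}:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:${sys_id}:rwx
group:${auth_id}:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:${sys_id}:rwx
default:user:${auth_id}:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:${sys_id}:rwx
default:group:${auth_id}:r-x
default:mask::rwx
default:other::---
EOF
}

# check_target DIR: accept only an existing directory that canonicalises to
# $SYSVOL or below (the posted egrep on "/var" rejects the real absolute
# path, which is why it only worked with a relative "sysvol/" argument)
check_target() {
    [ -d "$1" ] || return 1
    real="$(cd "$1" 2>/dev/null && pwd -P)" || return 1
    base="$(cd "$SYSVOL" 2>/dev/null && pwd -P)" || return 1
    case "$real" in
        "$base"|"$base"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# apply_sysvol_acl DIR: the posted operation (setfacl -R -b --modify-file),
# run only after check_target accepts DIR and both SIDs resolved
apply_sysvol_acl() {
    check_target "$1" || { echo "refusing: '$1' is not inside $SYSVOL" >&2; return 1; }
    spec="$(mktemp)" || return 1
    if build_acl_spec >"$spec"; then
        setfacl -R -b --modify-file "$spec" "$1"; rc=$?
    else
        echo "cannot resolve $SID_SYSTEM/$SID_AUTH_USERS via $WBINFO" >&2; rc=1
    fi
    rm -f "$spec"
    return "$rc"
}

if [ "$#" -gt 0 ]; then
    apply_sysvol_acl "$1"
fi
```

Run it on the DC as `bash reset-sysvol-acl.sh /var/lib/samba/sysvol` (an absolute path is fine here). If either lookup fails, nothing is written: the failure Sven reports (`WBC_ERR_DOMAIN_NOT_FOUND` for S-1-5-11) would stop the script before setfacl runs, instead of silently applying entries for a number that maps to nothing.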
Hai,

Can you post your smb.conf of the DC.
Let's have a checkup.

Greetz,

Louis

> -----Original Message-----
> From: samba [mailto:samba-bounces@lists.samba.org] On behalf of Sven Schwedas via samba
> Sent: Friday 25 August 2017 10:32
> To: samba@lists.samba.org
> Subject: Re: [Samba] sysvolreset doesn't reset all ACLs
>
> > root@graz-dc-sem.ad.tao.at# wbinfo --sid-to-name=S-1-5-11
> > failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
> > Could not lookup sid S-1-5-11
>
> So how fucked is my domain?
>
> On 2017-08-25 08:09, L.P.H. van Belle via samba wrote:
> > Ah, yes, oops sorry, and I did run out of the office yesterday, so didn't see this..
> >
> > 3000002:rwx
> > 3000003:r-x
> >
> > wbinfo --uid-to-sid=3000003
> > S-1-5-11
> > wbinfo --uid-to-sid=3000002
> > S-1-5-18
> >
> > wbinfo --sid-to-name=S-1-5-11
> > NT AUTHORITY\Authenticated Users 5
> >
> > wbinfo --sid-to-name=S-1-5-18
> > NT AUTHORITY\SYSTEM 5
> >
> > Greetz,
> >
> > Louis
>
> -- 
> Mit freundlichen Grüßen, / Best Regards,
> Sven Schwedas, Systemadministrator
> Mail/XMPP sven.schwedas@tao.at | Skype sven.schwedas
> TAO Digital | Lendplatz 45 | A8020 Graz
> https://www.tao-digital.at | Tel +43 680 301 7167
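Louis asks for the DC's smb.conf for a checkup. Two of the conditions the thread identifies can be checked directly on the DC: Rowland's point that 'Domain Admins' must not carry a gidNumber, and that its idmap.ldb entry must be ID_TYPE_BOTH, since a plain group mapping cannot own anything in sysvol. The script below is an added example, not from the thread and not a Samba-provided tool. It assumes a Samba AD DC with sam.ldb and idmap.ldb under /var/lib/samba/private (override with SAMBA_PRIVATE), ldbsearch and wbinfo on the PATH, that `wbinfo --name-to-sid` prints the SID as its first field, and that idmap.ldb records carry objectSid, type and xidNumber attributes. The parsing helpers read LDIF from stdin so they can be exercised without a DC; the constructed LDIF in the test is illustrative only.

```bash
#!/bin/bash
# Added example, not from the thread: checks the two 'Domain Admins'
# conditions Rowland describes (no gidNumber on the group object; an
# ID_TYPE_BOTH entry in idmap.ldb). Assumptions: Samba AD DC with sam.ldb
# and idmap.ldb under $SAMBA_PRIVATE; ldbsearch and wbinfo on PATH;
# idmap.ldb records have objectSid/type/xidNumber attributes.

SAMBA_PRIVATE="${SAMBA_PRIVATE:-/var/lib/samba/private}"

# ldif_attr ATTR: print the first value of ATTR from LDIF on stdin
ldif_attr() {
    sed -n "s/^$1: *//p" | sed -n '1p'
}

# check_no_gidnumber: LDIF of the group object on stdin; succeeds when the
# object carries no gidNumber (a gidNumber turns it into a plain group)
check_no_gidnumber() {
    [ -z "$(ldif_attr gidNumber)" ]
}

# check_id_type_both: LDIF of the idmap.ldb record on stdin; succeeds when
# the mapping is ID_TYPE_BOTH, i.e. the group can own files and directories
check_id_type_both() {
    [ "$(ldif_attr type)" = "ID_TYPE_BOTH" ]
}

# check_domain_admins: run both checks against the live DC; 0 if both pass,
# 1 if a check fails, 2 if the SID could not be looked up at all
check_domain_admins() {
    # wbinfo prints "<SID> SID_DOM_GROUP (2)"; keep the first field only
    sid="$(wbinfo --name-to-sid='Domain Admins' 2>/dev/null | cut -d' ' -f1)"
    case "$sid" in
        S-1-5-21-*) ;;
        *) echo "cannot resolve 'Domain Admins' to a SID via winbind" >&2; return 2 ;;
    esac
    rc=0
    if ldbsearch -H "$SAMBA_PRIVATE/sam.ldb" "(objectSid=$sid)" gidNumber | check_no_gidnumber; then
        echo "ok: Domain Admins ($sid) has no gidNumber"
    else
        echo "WARN: Domain Admins ($sid) has a gidNumber; remove it and use a separate Unix group"
        rc=1
    fi
    if ldbsearch -H "$SAMBA_PRIVATE/idmap.ldb" "(objectSid=$sid)" type xidNumber | check_id_type_both; then
        echo "ok: idmap.ldb maps $sid as ID_TYPE_BOTH"
    else
        echo "WARN: idmap.ldb entry for $sid is missing or not ID_TYPE_BOTH"
        rc=1
    fi
    return "$rc"
}

if [ "$1" = "--run" ]; then
    check_domain_admins
fi
```

Run it on the DC as `bash check-domain-admins.sh --run`. Per Rowland's reply, a stale ID_TYPE_GID mapping is expected to be replaced on the next connection once the gidNumber is removed, so rerun the check after that rather than editing idmap.ldb by hand.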