> root at graz-dc-1b:~# samba --version
> Version 4.5.8-Debian
> root at graz-dc-1b:~# samba-tool ntacl sysvolreset && echo "no error"
> no error
> root at graz-dc-1b:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ad.tao.at/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Where does the error come from, and why doesn't sysvolreset fix it?

-- 
Kind regards / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
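The two SDDL strings in the sysvolcheck error above are easier to compare once they are split into their components. The Python script below is an added example for this thread, not code from samba-tool or from the poster; it parses both descriptors (embedded as constructed copies of the strings quoted in the error), decodes the well-known SID abbreviations and access masks, and reports which field differs. On these inputs every ACE matches and the only mismatch is the owner: LA (the local Administrator account) on disk versus DA (Domain Admins) expected from the GPO object.

```python
import re

# Constructed copies of the two descriptors from the sysvolcheck error above:
# the "DB ACL on GPO directory" value (what sysvolcheck read back from the
# filesystem) and the "expected value ... from GPO object" (what AD says).
ACTUAL_SDDL = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
               "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
               "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
               "(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001200a9;;;ED)")

# SDDL well-known SID abbreviations that occur in sysvol descriptors.
WELL_KNOWN_SIDS = {
    "LA": "Local Administrator", "DA": "Domain Admins",
    "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
}

# 0x001f01ff is FILE_ALL_ACCESS; 0x001200a9 is FILE_GENERIC_READ | FILE_GENERIC_EXECUTE.
KNOWN_MASKS = {0x001f01ff: "Full control", 0x001200a9: "Read & execute"}

ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit",
             "IO": "inherit only", "NP": "no propagate", "ID": "inherited"}

_SDDL_RE = re.compile(
    r"^O:(?P<owner>[A-Z]{2}|S-[\d-]+)"
    r"G:(?P<group>[A-Z]{2}|S-[\d-]+)"
    r"D:(?P<dacl_flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_ace(text):
    """Parse one ACE body 'type;flags;rights;object_guid;inherit_guid;trustee'."""
    ace_type, flags, rights, _obj_guid, _inh_guid, trustee = text.split(";")
    return {
        "type": ace_type,
        # Flags are a run of two-letter tokens, e.g. OICIIO -> OI, CI, IO.
        "flags": [flags[i:i + 2] for i in range(0, len(flags), 2)],
        "rights": int(rights, 16) if rights.startswith("0x") else rights,
        "trustee": trustee,
    }


def parse_sddl(sddl):
    """Split an owner/group/DACL descriptor into its components."""
    m = _SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    return {
        "owner": m.group("owner"),
        "group": m.group("group"),
        "dacl_flags": m.group("dacl_flags"),
        "aces": [parse_ace(a) for a in _ACE_RE.findall(m.group("aces"))],
    }


def describe_mask(mask):
    return KNOWN_MASKS.get(mask, "0x%08x" % mask)


def diff_descriptors(actual_sddl, expected_sddl):
    """Return (field, actual, expected) for every component that differs."""
    a, e = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    diffs = []
    for field in ("owner", "group", "dacl_flags"):
        if a[field] != e[field]:
            diffs.append((field, a[field], e[field]))
    for i, (x, y) in enumerate(zip(a["aces"], e["aces"])):
        if x != y:
            diffs.append(("ace[%d]" % i, x, y))
    if len(a["aces"]) != len(e["aces"]):
        diffs.append(("ace_count", len(a["aces"]), len(e["aces"])))
    return diffs


def explain(sddl):
    """Render a descriptor in human-readable form."""
    d = parse_sddl(sddl)
    lines = ["owner: %s (%s)" % (d["owner"], WELL_KNOWN_SIDS.get(d["owner"], "?")),
             "group: %s (%s)" % (d["group"], WELL_KNOWN_SIDS.get(d["group"], "?")),
             "dacl flags: %s" % (d["dacl_flags"] or "-")]
    for ace in d["aces"]:
        lines.append("  %s %-30s %-16s %s" % (
            ace["type"], WELL_KNOWN_SIDS.get(ace["trustee"], ace["trustee"]),
            describe_mask(ace["rights"]),
            ", ".join(ACE_FLAGS.get(f, f) for f in ace["flags"])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(explain(ACTUAL_SDDL))
    for field, have, want in diff_descriptors(ACTUAL_SDDL, EXPECTED_SDDL):
        print("MISMATCH %s: have %r, expected %r" % (field, have, want))
```

The parser only handles the O:/G:/D: layout that sysvolcheck prints; descriptors with a SACL (S:) or conditional ACEs would need extending.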
On Thu, 24 Aug 2017 12:03:42 +0200
Sven Schwedas via samba <samba at lists.samba.org> wrote:

> > root at graz-dc-1b:~# samba --version
> > Version 4.5.8-Debian
> > root at graz-dc-1b:~# samba-tool ntacl sysvolreset && echo "no error"
> > no error
> > root at graz-dc-1b:~# samba-tool ntacl sysvolcheck
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ad.tao.at/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
> >     lp)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
> >     direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
> >     domainsid, direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
> >     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> Where does the error come from, and why doesn't sysvolreset fix it?
>

Mainly because (from my testing) sysvolcheck/sysvolreset is broken. I do not write 'C' code and the problem seems to be in set_nt_acl from source3/smbd/posix_acls.c. It doesn't set the correct ACL.

I have opened a bug for this:

https://bugzilla.samba.org/show_bug.cgi?id=12924

Even when this gets fixed, the python code will need work, because it doesn't do what Windows does. Also, anybody who has set a gidNumber on Domain Admins will need to remove it: the group needs to own things in sysvol, and with a gidNumber it cannot.

The recommendation at the moment is to not use either sysvolreset or sysvolcheck. Do everything from Windows.

Rowland
On 2017-08-24 12:27, Rowland Penny via samba wrote:
> On Thu, 24 Aug 2017 12:03:42 +0200
> Sven Schwedas via samba <samba at lists.samba.org> wrote:
>
>>> root at graz-dc-1b:~# samba --version
>>> Version 4.5.8-Debian
>>> root at graz-dc-1b:~# samba-tool ntacl sysvolreset && echo "no error"
>>> no error
>>> root at graz-dc-1b:~# samba-tool ntacl sysvolcheck
>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ad.tao.at/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
>>>     lp)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
>>>     direct_db_access)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
>>>     domainsid, direct_db_access)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>>
>> Where does the error come from, and why doesn't sysvolreset fix it?
>>
>
> Mainly because (from my testing) sysvolcheck/sysvolreset is broken. I
> do not write 'C' code and the problem seems to be in set_nt_acl from
> source3/smbd/posix_acls.c
> It doesn't set the correct ACL.
>
> I have opened a bug for this:
>
> https://bugzilla.samba.org/show_bug.cgi?id=12924

Ah, crap.

> Even when this gets fixed, the python code will need work, because it
> doesn't do what Windows does, also anybody who has set a gidNumber on
> Domain Admins, will need to remove it, the group needs to own things in
> sysvol and with a gidNumber it cannot.

Does this apply only to sysvolreset or also when fixing ACLs from Windows?

> The recommendation at the moment is to not use either sysvolreset or
> sysvolcheck. Do everything from Windows.

I presume with this?

> https://support.microsoft.com/en-us/help/2838154/-permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-t

Or some other way?

-- 
Kind regards / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
Time to take a step back: My original problem is that clients can no longer read or update their GPOs. gpupdate fails on the default domain policy, claiming it can't read some files. If I open said file via Explorer on the same user account, it works, with \\domain\sysvol\… as well as when browsing every single DC individually via \\foo-dc\sysvol\…

It's hard to tell (I'm running tail -f on 4 different DCs in parallel on a production domain, so lots of noise), but as far as I can see, even at debug level 8 there's no error message when running gpupdate on clients. I get debug log info indicating that the machines log in successfully, nothing else.

On one client (my personal Windows 7 VM, logged in with a domain admin) I don't even get that far, and get a "user could not be resolved" error instead (paraphrased, German Windows 7).

sysvolreset, as mentioned, doesn't work, neither on a blank directory (fails with file not found), nor on a full directory (no error, but no effect either).

Restoring permissions via GPMC snap-in doesn't give an error either, and is no longer offered; apparently there's no inconsistency it can detect.

Domain Admins used to have a gid set; this was corrected before my last attempt to restore permissions via GPMC. (A dummy `Unix Domain Admins` group was added to take over the NIS members.)

Enterprise Admins used to have a gid set, too. By the time I realized it, GPMC no longer complained about wrong permissions, and I can't request it to fix the permissions.

Testparm output is attached.

Out of sheer boredom I ended up trying a modified script to change POSIX ACLs:

> #! /bin/bash
> chown -R root:root sysvol
> setfacl -bR sysvol
>
> setfacl -Rm 'g:Domain Users:rX' sysvol
> setfacl -Rm 'g:Domain Computers:rX' sysvol
> setfacl -Rm 'g:Unix Domain Admins:rwX' sysvol
>
> setfacl -dRm 'g:Domain Users:rX' sysvol
> setfacl -dRm 'g:Domain Computers:rX' sysvol
> setfacl -dRm 'g:Unix Domain Admins:rwX' sysvol

After running this, regular clients can now run GPOs, *despite* all DCs running with `acl_xattr:ignore system acls = yes` on sysvol! This obviously makes no bloody sense whatsoever, but it works.

Only remaining stubborn client is my VM, which still can't find… something. I'm not sure if it's even related to this issue, or an unrelated trust relationship issue.

-- 
Kind regards / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas at tao.at | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167

-------------- next part --------------
[global]
	realm = AD.TAO.AT
	workgroup = AD
	dns forwarder = 85.214.20.141
	ldap server require strong auth = No
	ldap ssl ads = Yes
	logging = syslog
	disable spoolss = Yes
	load printers = No
	printcap name = /dev/null
	kerberos method = system keytab
	passdb backend = samba_dsdb
	server role = active directory domain controller
	tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
	tls certfile = /etc/ssl/certs/graz-dc.ad.tao.at.crt
	tls keyfile = /etc/ssl/private/graz-dc.ad.tao.at.key
	template homedir = /home/%U
	template shell = /bin/zsh
	rpc_server:tcpip = no
	rpc_daemon:spoolssd = embedded
	rpc_server:spoolss = embedded
	rpc_server:winreg = embedded
	rpc_server:ntsvcs = embedded
	rpc_server:eventlog = embedded
	rpc_server:srvsvc = embedded
	rpc_server:svcctl = embedded
	rpc_server:default = external
	winbindd:use external pipes = true
	dsdb:schema update allowed = true
	idmap_ldb:use rfc2307 = yes
	idmap config * : backend = tdb
	map archive = No
	map readonly = no
	store dos attributes = Yes
	include = /etc/samba/site.conf
	printing = bsd
	vfs objects = dfs_samba4 acl_xattr

[homes]
	msdfs proxy = \\graz-file\homes
	msdfs root = Yes

[netlogon]
	path = /var/lib/samba/sysvol/ad.tao.at/scripts
	read only = No
	acl_xattr:ignore system acls = yes

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No
	acl_xattr:ignore system acls = yes
On Fri, 25 Aug 2017 11:32:23 +0200
Sven Schwedas via samba <samba at lists.samba.org> wrote:

> Time to take a step back: My original problem is that clients can no
> longer read or update their GPOs.
>
>
> Domain Admins used to have a gid set, this was corrected before my
> last attempt to restore permissions via GPMC. (A dummy `Unix Domain
> Admins` group was added to take over the NIS members.)
>
> Enterprise Admin used to have a gid set, too. By the time I realized
> it, GPMC no longer complained about wrong permissions, and I can't
> request it to fix the permissions.

Really the only Windows group that needs a gidNumber is 'Domain Users'. There may be special cases for other groups having a gidNumber, but I cannot think of any.

>
> Testparm output is attached.
>
>
> Only remaining stubborn client is my VM, which still can't find…
> something. I'm not sure if it's even related to this issue, or an
> unrelated trust relationship issue.
>

Can I suggest you try this smb.conf on your DC (preferably when everybody has logged off):

[global]
	realm = AD.TAO.AT
	workgroup = AD
	dns forwarder = 85.214.20.141
	ldap server require strong auth = No
	logging = syslog
	disable spoolss = Yes
	load printers = No
	printcap name = /dev/null
	server role = active directory domain controller
	tls cafile = /usr/local/share/ca-certificates/tao-ad-ca.crt
	tls certfile = /etc/ssl/certs/graz-dc.ad.tao.at.crt
	tls keyfile = /etc/ssl/private/graz-dc.ad.tao.at.key
	template homedir = /home/%U
	template shell = /bin/zsh
	idmap_ldb:use rfc2307 = yes
	include = /etc/samba/site.conf
	printing = bsd

It is yours without all the unrequired lines.

Rowland