samba - Oct 2020 - GPO fail and sysvol perm errors

On 25/10/2020 20:37, Sonic wrote:
> The reset allowed the current GPO to take effect, but right after
> adding a new GPO (just named it, no editing, or linking) the
> sysvolcheck fails:
> # samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception
> - ProvisioningError: DB ACL on GPO directory
>
/usr/local/samba/var/locks/sysvol/hq.theauditors.com/Policies/{4409F67D-97F1-4241-9243-02058C6E3FE6}
>
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> does not match expected value
>
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> from GPO object
>    File
"/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py",
> line 186, in _run
>      return self.run(*args, **kwargs)
>    File
"/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/ntacl.py",
> line 446, in run
>      lp)
>    File
"/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py",
> line 1894, in checksysvolacl
>      direct_db_access)
>    File
"/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py",
> line 1844, in check_gpos_acl
>      domainsid, direct_db_access)
>    File
"/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py",
> line 1786, in check_dir_acl
>      raise ProvisioningError('%s ACL on GPO directory %s %s does not
> match expected value %s from GPO object' %
> (acl_type(direct_db_access), path, fsacl_sddl, acl))
its a bit like 'wack a mole', just keep running sysvolreset :-D

Rowland

On Sun, Oct 25, 2020 at 4:41 PM Rowland penny via samba
<samba at lists.samba.org> wrote:
> its a bit like 'wack a mole', just keep running sysvolreset :-D
It's needed after every GPO addition and edit. There must be a root
cause to hunt down somewhere. Or is it a bug in 4.13.0 ?

On 25/10/2020 20:59, Sonic wrote:
> On Sun, Oct 25, 2020 at 4:41 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
>> its a bit like 'wack a mole', just keep running sysvolreset :-D
> It's needed after every GPO addition and edit. There must be a root
> cause to hunt down somewhere. Or is it a bug in 4.13.0 ?
OK, yes there is a bug, but not only that, the bug has a bug :-D

I have tried numerous times to fix this, but without success (obviously).

One of the problems is that, in my opinion, Samba has never used the 
correct ACL's on sysvol, they are different to the ones Windows uses on 
2012R2

Now you have prompted me, I might just take a run at it again.

One other potential problem is that Windows allows groups to 'own' 
things, something that only a user can do on Unix, so if you use the 
winbind 'ad' backend on Unix domain members, you must never give the 
Domain Admins a gidNumber, if you do it just becomes a group and then 
cannot own anything in sysvol.

Rowland

> It's needed after every GPO addition and edit. There must be a root
> cause to hunt down somewhere. Or is it a bug in 4.13.0 ?
Yes, and no. 

Yes, its a bug. 
No, in my opionion its an old setting thats just needs some updating. 


Try this. 
samba-tool ntacl set
"O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01
ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"
/var/lib/samba/sysvol/$(hostname -d)/Policies/

Now create a new policy. Are the rights ok, yes. 
Then fix/verify the share and security rights on sysvol again. 

No,.. Uhh... Thats not what im expecting.. ;-) 

After you have corrected the share and security rights. 
DONT use sysvolreset anymore. 

These are my outputs. 
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01f
f;;;SY)(A;OICI;0x001200a9;;;AU)

samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname -d)/
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01f
f;;;SY)(A;OICI;0x001200a9;;;AU)

samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname
-d)/Policies/
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01f
f;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)

getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/my.domain.tld/Policies/
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:BUILTIN\\server\040operators:r-x
user:NT\040AUTHORITY\\system:rwx
user:NT\040AUTHORITY\\authenticated\040users:r-x
user:ADDOM\\group\040policy\040creator\040owners:rwx
group::rwx
group:BUILTIN\\administrators:rwx
group:BUILTIN\\server\040operators:r-x
group:NT\040AUTHORITY\\system:rwx
group:NT\040AUTHORITY\\authenticated\040users:r-x
group:ADDOM\\group\040policy\040creator\040owners:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040AUTHORITY\\system:rwx
default:user:NT\040AUTHORITY\\authenticated\040users:r-x
default:user:ADDOM\\group\040policy\040creator\040owners:rwx
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040AUTHORITY\\system:rwx
default:group:NT\040AUTHORITY\\authenticated\040users:r-x
default:group:ADDOM\\group\040policy\040creator\040owners:rwx
default:mask::rwx
default:other::---


Do you also have/see:
default:group:ADDOM\\group\040policy\040creator\040owners:rwx 
And are the needed users in there? 


Now my tip here is, 
1) before you reset any rights, run : 

mkdir ~/before && cd ~/before
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/ > sysvol.sddl
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname
-d)/Policies/ > sysvol.dom.Policies.sddl
getfacl /var/lib/samba/sysvol/ > sysvol.facl
getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/ >
sysvol.dom.Policies.facl


How does it look in windows, under Advanced right settings. 

2) after you reset the rigth, rerun above 
mkdir ~/after && cd ~/after
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/ > sysvol.sddl
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/$(hostname
-d)/Policies/ > sysvol.dom.Policies.sddl
getfacl /var/lib/samba/sysvol/ > sysvol.facl
getfacl /var/lib/samba/sysvol/$(hostname -d)/Policies/ >
sysvol.dom.Policies.facl

And how does it look in windows, under Advanced right settings now. 


So few things to get passed you problems. 
Small sight note, you might need to remove all acl's en extended attributs
first and reapply it all. 

I saying this because, after my fileservers move, and restored some files
from backups. 
The old UID/GID where restored also. 

A part of a new script i have, how i reset all folder and files. 
It focues on a userhomedir here but it shows what i did. 
The might be a faster/better way for it, but this worked for me. 
You might want/need to transform that to the sysvol folders. 

FindUser is the username found by the script. 
SAMBA_SHARE_USERS is the path the the users share (in this case its
/srv/samba/users)


            # Remove old ACL's.
            echo "Removing old ACL's for: ${FindUser}"
            setfacl --recursive --remove-all
"${SAMBA_SHARE_USERS}/${FindUser}"

            # Make sure we removed Other (everyone) from all files and
folders.
            echo "Recursively removing access for other (everyone) for:
${FindUser}"
            chmod -R o-rwx "${SAMBA_SHARE_USERS}/${FindUser}/"

            # Set basic POSIX Rights
            # set all owner rights to root:root (= Administrator:Domain
Admins )
            # without it, migrated files might still have there old UID/GIDs
on them.
            echo "Re-apply root:root on the user homedir (recursivly) for:
${FindUser}"
            chown -R root:root "${SAMBA_SHARE_USERS}/${FindUser}"

            # We set the user files and subfolders like how that SDDL is
setup.
            echo "Re-apply ${FindUser}:domain users on CONTENT IN the user
homedir for: ${FindUser}"
            chown -R "${FindUser}":"domain users"
"${SAMBA_SHARE_USERS}/${FindUser}/"

            # restore owner:group defaults
            echo "Recursively re-apply-ing rights 770 access for:
${FindUser}"
            chmod -R 770 "${SAMBA_SHARE_USERS}/${FindUser}/"

            # Set the correct right on the folder.
            echo "Re-apply SDDL with samba-tool for user: ${FindUser}"
            samba-tool ntacl set
"O:S-1-22-1-0G:S-1-22-2-0D:AI(A;OICI;0x001301bf;;;${NAME2SID})(A;ID;0x001200
a9;;;S-1-22-2-0)(A;OICIIOID;0x001200a9;;;CG)(A;OICIID;0x001f01ff;;;LA)(A;OIC
IID;0x001f01ff;;;DA)" "${SAMBA_SHARE_USERS}/${FindUser}"

            # but we can not set recursive with samba-tool. (as far i
found), so we use setfacl.
            echo "Recursivly re-apply with setfacl enforceing user defaults
for user: ${FindUser}"
            setfacl --recursive --modify
user:"${FindUser}":rwX,default:user:"${FindUser}":rwX
"${SAMBA_SHARE_USERS}/${FindUser}/"

Small sidenote on above part. 
ls -al /srv/samba/users/*   will show for all users. 
drwxrwx---+ 14 root root  4096 Oct  9 10:03 anyuser
Which is : 

getfacl /home/users/anyuser
getfacl: Removing leading '/' from absolute path names
# file: home/users/anyuser
# owner: root
# group: root
user::rwx
user:root:rwx
user:anyuser:rwx
group::r-x
group:root:r-x
group:domain\040admins:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:anyuser:rwx
default:group::r-x
default:group:root:r-x
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

Resulting in, users see and can only access there own folder. 
Any new file/folder created IN the users folder gets rights :
username:"domain users" 
You need the users as owner on new folders if you use GPO's and folder
redirecting to the user homedir.

Enjoy, you have something todo today. ;-) 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Sonic via samba
> Verzonden: zondag 25 oktober 2020 21:59
> Aan: Rowland penny
> CC: sambalist
> Onderwerp: Re: [Samba] GPO fail and sysvol perm errors
> 
> On Sun, Oct 25, 2020 at 4:41 PM Rowland penny via samba
> <samba at lists.samba.org> wrote:
> > its a bit like 'wack a mole', just keep running sysvolreset
:-D
> 
> It's needed after every GPO addition and edit. There must be a root
> cause to hunt down somewhere. Or is it a bug in 4.13.0 ?
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>