Stefan Bellon
2021-Apr-03 09:26 UTC
[Samba] Sysvol permission issue - how to repair permanently?
Hi all,
I decided to split this topic away from my other thread with the
subject "Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE"
because I really think I should focus on the Sysvol permissions first.
Also I am focussing on DC1 now, without rsync/unison replication because
first of all, it has to work smoothly on DC1 alone.
After a "sysvolreset" I have a structure where "sysvolcheck" succeeds
and where a "Test Policy" GPO e.g. has the following permissions:
# file: /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol
# owner: 3000008
# group: 3000008
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000010:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000008:rwx
group:3000010:r-x
mask::rwx
other::---
After I edit the GPO from Windows' Group Policy Management / Group
Policy Management Editor with user DS\Administrator (see below), I have
the following permissions on the file:
# file: /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol
# owner: 3000000
# group: 100
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000008:rwx
user:3000010:r-x
group::---
group:100:---
group:3000000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000008:rwx
group:3000010:r-x
mask::rwx
other::---
i.e. the following diff:
# file:
/var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol
-# owner: 3000008
-# group: 3000008
+# owner: 3000000
+# group: 100
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
+user:3000008:rwx
user:3000010:r-x
-group::rwx
+group::---
+group:100:---
+group:3000000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
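Review bot: the ownership change in this hunk (owner 3000008 to 3000000, group 3000008 to 100) is the same mismatch the sysvolcheck error reports: per the ID mapping later in the post, 3000008 is DS\Domain Admins and 3000000 is BUILTIN\Administrators, which lines up with expected O:DA against actual O:BA. The new group 100 is listed in that mapping as DS\developers, yet the actual SDDL reports G:DU (Domain Users), so the mapping for gid 100 deserves a closer look alongside the owner problem.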
And as a consequence, "sysvolcheck" fails with:
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
    provision.checksysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1893, in checksysvolacl
    check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1843, in check_gpos_acl
    check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1798, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO file %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
After a "sysvolreset" the permissions are restored to the previous
state as shown above and "sysvolcheck" consequently works again - until
the next GPO edit in Windows.
ID mapping is as follows:
ID '3000000' Has SID 'S-1-5-32-544' with the name 'BUILTIN\Administrators 4'
ID '3000001' Has SID 'S-1-5-32-549' with the name 'BUILTIN\Server Operators 4'
ID '3000002' Has SID 'S-1-5-18' with the name 'NT AUTHORITY\SYSTEM 5'
ID '3000003' Has SID 'S-1-5-11' with the name 'NT AUTHORITY\Authenticated Users 5'
ID '3000004' Has SID 'S-1-5-21-37643267-2172530850-1818422998-520' with the name 'DS\Group Policy Creator Owners 2'
ID '3000006' Has SID 'S-1-5-21-37643267-2172530850-1818422998-519' with the name 'DS\Enterprise Admins 2'
ID '3000008' Has SID 'S-1-5-21-37643267-2172530850-1818422998-512' with the name 'DS\Domain Admins 2'
ID '3000010' Has SID 'S-1-5-9' with the name 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 5'
ID '100' Has SID 'S-1-5-21-37643267-2172530850-1818422998-1118' with the name 'DS\developers 2'
I really don't understand what I am seeing there.
What do I have to change in my setup in order to be able to edit GPOs
from Windows RSAT without breaking permissions on the Sysvol share?
Any help is greatly appreciated.
Greetings,
Stefan
--
Stefan Bellon
Rowland penny
2021-Apr-03 11:11 UTC
[Samba] Sysvol permission issue - how to repair permanently?
On 03/04/2021 10:26, Stefan Bellon via samba wrote:
> Hi all,
>
> I decided to split this topic away from my other thread with the
> subject "Failed to prepare gensec: NT_STATUS_INVALID_SERVER_STATE"
> because I really think, I should focus on the Sysvol permissions first.
>
> Also I am focussing on DC1 now, without rsync/unison replication because
> first of all, it has to work smoothly on DC1 alone.
>
> After a "sysvolreset" I have a structure where "sysvolcheck" succeeds
> and where a "Test Policy" GPO e.g. has the following permissions:
>
>
> And as a consequence, "sysvolcheck" fails with:
>
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO file /var/lib/samba/sysvol/xxx/Policies/{F9E5E9AC-B120-454C-9F5E-AD7A32DF180F}/Machine/Registry.pol O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object

What version of Windows are you using ?

If you look closely at the above, you will see that it is expected that the ownership will be 'O:DAG:DA', but you have 'O:BAG:DU'

'O' = owner
'G' = group
'DA' = Domain Admins
'BA' = BUILTIN\Administrators
'DU' = Domain Users

I seem to remember that you have given Domain Admins a gidNumber, this will stop the group owning anything.

> ID mapping is as follows:
>
> ID '3000000' Has SID 'S-1-5-32-544' with the name 'BUILTIN\Administrators 4'
> ID '3000001' Has SID 'S-1-5-32-549' with the name 'BUILTIN\Server Operators 4'
> ID '3000002' Has SID 'S-1-5-18' with the name 'NT AUTHORITY\SYSTEM 5'
> ID '3000003' Has SID 'S-1-5-11' with the name 'NT AUTHORITY\Authenticated Users 5'
> ID '3000004' Has SID 'S-1-5-21-37643267-2172530850-1818422998-520' with the name 'DS\Group Policy Creator Owners 2'
> ID '3000006' Has SID 'S-1-5-21-37643267-2172530850-1818422998-519' with the name 'DS\Enterprise Admins 2'
> ID '3000008' Has SID 'S-1-5-21-37643267-2172530850-1818422998-512' with the name 'DS\Domain Admins 2'
> ID '3000010' Has SID 'S-1-5-9' with the name 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS 5'

The above are all 'Well Known SIDs', see here:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab

> ID '100' Has SID 'S-1-5-21-37643267-2172530850-1818422998-1118' with the name 'DS\developers 2'

This is interesting, '100' is the Unix ID for the 'users' group and is usually mapped to Domain Users in idmap.ldb, I take it you created 'developers', but did you give it a gidNumber attribute ?

>
> I really don't understand what I am seeing there.

Fairly simple, the 'ID' is the Unix ID, the SID is, well, the object's domain SID, finally the 'name' is the object's name.

> What do I have to change in my setup in order to be able to edit GPOs
> from Windows RSAT without breaking permissions on the Sysvol share?

Not sure, because I don't know how you got in this position in the first place, have you got any notes on how you installed the DC's, if so, send me a copy and I will see if there is something wrong.

Rowland

> Any help is greatly appreciated.
>
> Greetings,
> Stefan
>
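The SDDL comparison Rowland walks through above, as an added example that is not part of either post and not Samba's own code: a small Python parser that splits the two SDDL strings from the quoted sysvolcheck error into owner, group, DACL control flags and ACEs, then lists every field in which the on-disk ACL differs from the one Samba expects. The alias table covers only the two-letter SID aliases that appear in this thread; the ACE tuples and the protected-DACL check are the added code's own representation.

```python
import re

# Both SDDL strings are copied from the sysvolcheck error quoted in the thread.
ACTUAL_SDDL = ("O:BAG:DUD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
               "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
                 "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Two-letter SID aliases seen in this thread (well-known SIDs from MS-DTYP).
ALIAS = {"BA": "BUILTIN\\Administrators", "DA": "Domain Admins", "DU": "Domain Users",
         "EA": "Enterprise Admins", "SY": "NT AUTHORITY\\SYSTEM",
         "AU": "Authenticated Users", "ED": "ENTERPRISE DOMAIN CONTROLLERS",
         "CO": "CREATOR OWNER"}

_SID = r"(?:S-[0-9-]+|[A-Z]{2})"
_HEAD = re.compile(rf"^O:({_SID})G:({_SID})D:([A-Z]*)((?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples."""
    m = _HEAD.match(sddl)
    if not m:
        raise ValueError(f"unsupported SDDL: {sddl!r}")
    owner, group, flags, ace_blob = m.groups()
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", ace_blob):
        # ACE fields: type;flags;rights;object_guid;inherit_object_guid;sid
        ace_type, ace_flags, rights, _obj, _inh, sid = ace.split(";")
        aces.append((ace_type, ace_flags, rights, sid))
    return {"owner": owner, "group": group, "flags": flags, "aces": aces}

def name(sid):
    return ALIAS.get(sid, sid)

def diff_sddl(actual, expected):
    """List, field by field, why `actual` does not match `expected`."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = []
    if a["owner"] != e["owner"]:
        out.append(f"owner: {name(a['owner'])} but expected {name(e['owner'])}")
    if a["group"] != e["group"]:
        out.append(f"group: {name(a['group'])} but expected {name(e['group'])}")
    if "P" in e["flags"] and "P" not in a["flags"]:
        out.append("DACL not protected (P): ACEs inherited from the parent are allowed")
    for t, f, r, s in sorted(set(e["aces"]) - set(a["aces"])):
        out.append(f"missing ACE {t};{f};{r} for {name(s)}")
    for t, f, r, s in sorted(set(a["aces"]) - set(e["aces"])):
        out.append(f"unexpected ACE {t};{f};{r} for {name(s)}")
    return out
```

Running `diff_sddl(ACTUAL_SDDL, EXPECTED_SDDL)` shows the owner and group mismatch Rowland points out, plus that the on-disk ACEs lack the OICI inheritance flags and the CREATOR OWNER entry that the GPO object carries.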