On 23/05/2023 13:09, d tbsky via samba wrote:
> I read the page several times: https://wiki.samba.org/index.php/Sysvolreset
> I don't quite understand but it seems "sysvolreset" will do bad things
> under some conditions.
I will rewrite that page sometime today or tomorrow, it isn't that bad :-)
> so you mean under normal setup, "sysvolreset" is fine and it will set
> up the correct acl?
Yes, provided that all the GPO's are present.
The GPO's are stored on the DC under the 'sysvol' directory, which on
Debian is /var/lib/samba/sysvol , under that directory is another
directory named after your dns domain and in that directory there should
be two other directories:
Policies
scripts
The Policies directories are where the GPO's are stored and are named
like this:
{31B2F340-016D-11D2-945F-00C04FB984F9}
There should be a minimum of two GPO's, though there can and often is,
more than this.
So how does 'sysvolreset' know how many GPO's there should be, well, it
doesn't, it gets that information from AD, where the GPO's are also
stored. Using the information it gets from AD, sysvolreset 'walks' the
path of each GPO resetting the permissions on disk.
If a GPO exists in AD, but isn't on disk, you will get an error, if a
GPO exists on disk but not in AD (unlikely) you will get an error.
This is why you must ensure that sysvol on one DC is kept in sync with
all other DC's. The other thing to consider is idmap.ldb, this is where
the DC user and group ID's are stored and these are allocated on a first
come basis, this means that you can never be certain that a user or
group will have the same ID on different DC's, that is unless you use
the 'ad' idmap backend. This however has dangers on DC, because Domain
Admins should never be given a gidNumber attribute with 'idmap_ldb:use
rfc2307 = yes' set in a DC's smb.conf.
> I also want to ask if the "sysvol" folder is the only samba folder
> which need to take care of the extended attribute and posix_acl?
> if I copy/backup the folder without extended attribute & posix_acl ,
> will "sysvolreset" restore the correct acl for me?
If you are using a DC as a fileserver (not recommended), you must set
the permissions from a Windows computer. Running 'sysvolreset' will only
affect the permissions on the sysvol directory and the directories and
files under that.
Rowland
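The AD-versus-disk mismatch Rowland describes (a GPO in AD with no directory under sysvol, or a directory on disk with no GPO in AD) is something worth checking on every DC before running 'sysvolreset'. The script below is an added example written for this page; it is not code from the thread or from Samba. It assumes the directory layout described above (sysvol/<dns domain>/Policies/{GUID}) and assumes that 'samba-tool gpo listall' prints one "GPO : {GUID}" line per policy object; the sample output and the GUIDs other than the two well-known default ones are constructed for the demo.

```python
import os
import re
import tempfile

# Matches a GPO directory name such as {31B2F340-016D-11D2-945F-00C04FB984F9}
GPO_GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_gpo_listall(text):
    """Extract GPO GUIDs from 'samba-tool gpo listall' output.

    Assumption: the tool prints one 'GPO          : {GUID}' line per policy
    object. Only lines whose key is 'GPO' and whose value looks like a GUID
    are taken, so other fields (display name, path, dn, ...) are ignored.
    """
    guids = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().upper() == "GPO":
            value = value.strip().upper()
            if GPO_GUID_RE.match(value):
                guids.add(value)
    return guids


def on_disk_gpos(sysvol_root, dns_domain):
    """Return the GPO GUIDs present as directories under sysvol/<domain>/Policies."""
    policies_dir = os.path.join(sysvol_root, dns_domain, "Policies")
    if not os.path.isdir(policies_dir):
        raise FileNotFoundError(f"missing Policies directory: {policies_dir}")
    found = set()
    for name in os.listdir(policies_dir):
        if GPO_GUID_RE.match(name) and os.path.isdir(os.path.join(policies_dir, name)):
            found.add(name.upper())
    return found


def compare_gpos(ad_guids, disk_guids):
    """Report both directions: sysvolreset errors on either kind of mismatch."""
    missing_on_disk = sorted(ad_guids - disk_guids)   # in AD, no directory on this DC
    unknown_on_disk = sorted(disk_guids - ad_guids)   # directory on this DC, not in AD
    return missing_on_disk, unknown_on_disk


# Constructed sample of 'samba-tool gpo listall' output: the two default GPOs
# (real, well-known GUIDs) plus one made-up custom policy.
SAMPLE_LISTALL = """\
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
...
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
...
GPO          : {12345678-ABCD-4EF0-9876-0123456789AB}
display name : Constructed Example Policy
"""


def demo():
    """Build a constructed sysvol tree in a temp dir and run the check against the sample AD list.

    The tree has the two default GPOs, lacks the custom one, and carries one
    stale directory that AD does not know about.
    """
    ad_guids = parse_gpo_listall(SAMPLE_LISTALL)
    with tempfile.TemporaryDirectory() as root:
        policies = os.path.join(root, "example.com", "Policies")
        os.makedirs(os.path.join(policies, "{31B2F340-016D-11D2-945F-00C04FB984F9}"))
        os.makedirs(os.path.join(policies, "{6AC1786C-016F-11D2-945F-00C04FB984F9}"))
        # stale directory left behind on this DC (constructed GUID), absent from AD
        os.makedirs(os.path.join(policies, "{DEADBEEF-0000-4000-8000-000000000000}"))
        os.makedirs(os.path.join(root, "example.com", "scripts"))
        disk_guids = on_disk_gpos(root, "example.com")
        return compare_gpos(ad_guids, disk_guids)


if __name__ == "__main__":
    missing, unknown = demo()
    print("in AD but not on disk:", missing)
    print("on disk but not in AD:", unknown)
```

On a real DC you would feed parse_gpo_listall the captured output of 'samba-tool gpo listall' and point on_disk_gpos at the sysvol path from 'smb.conf' (for example /var/lib/samba/sysvol on Debian); an empty result in both lists is the state in which 'sysvolreset' can walk every GPO without complaint, and any entry in either list points at a DC whose sysvol has drifted out of sync.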