denis bonnenfant@sambaedu.org
2025-Feb-26 17:57 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
Hello,

Summary:

New GPOs are created from Windows with explicit rwx user and group ACLs for "Domain Admins", which are inherited by every object created, while sysvolreset changes this to user:group ownership, which is not inheritable, and removes the ACLs for "Domain Admins".

Detail:

I'm facing a weird issue with sysvol ACLs on all my DCs running Samba 4.21: the problem appeared after the upgrade from 4.17 to 4.19, and is also present on new servers provisioned directly with 4.21.

The context:

First, I'm not running Samba with rfc2307, and "Domain Admins" doesn't have a gidNumber.

My smb.conf on the DC is the default one from domain provision.

# wbinfo --uid-info=3000025
DIDEROT\domain admins:*:3000025:3000025::/home/DIDEROT/domain admins:/bin/false

# wbinfo --uid-to-sid=3000025
S-1-5-21-909356044-1599522197-445740120-512

This group is a member of:

# wbinfo --uid-info=3000000
BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false

# wbinfo --uid-to-sid=3000000
S-1-5-32-544

The problem:

When creating a new GPO from the Windows GPO management tool with a user who is a member of "Domain Admins", everything works as expected: the GPO can be modified, elements added, etc.

After running sysvolreset on the DC, the GPO is broken, as no new folders can be created inside it.

ACL before sysvolreset:

# getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/
getfacl : suppression du premier « / » des noms de chemins absolus
# file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/
# owner: 3000000
# group: users
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000009:r-x
user:3000025:rwx
group::---
group:users:---
group:3000000:rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000009:r-x
group:3000025:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000000:rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000009:r-x
default:user:3000025:rwx
default:group::---
default:group:users:---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000009:r-x
default:group:3000025:rwx
default:mask::rwx
default:other::---

Folders or files created inside the GPO inherit these ACLs, and everything works.

ACLs after sysvolreset:

# getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon
getfacl : suppression du premier « / » des noms de chemins absolus
# file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon
# owner: 3000025
# group: 3000025
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

When creating a new folder inside:

# getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/test
getfacl : suppression du premier « / » des noms de chemins absolus
# file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/test
# owner: 3000000
# group: users
user::rwx
user:root:rwx                   #effective:r-x
user:3000000:rwx                #effective:r-x
user:3000001:r-x
user:3000002:rwx                #effective:r-x
user:3000003:r-x
group::---
group:3000000:rwx               #effective:r-x
group:3000001:r-x
group:3000002:rwx               #effective:r-x
group:3000003:r-x
mask::r-x
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

So creating new folders is broken after sysvolreset. Running sysvolreset again allows creation of one level again.

Same problem using the Administrator account from Windows. So the only way to modify an existing GPO is to create a new one and make all changes before sysvolreset.

But when using smbclient, it is OK with Administrator:

smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2
smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2\test2

but not with admin (a member of "Domain Admins"):

smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2
NT_STATUS_ACCESS_DENIED making remote directory \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\test2
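To make the mask effect in the listings above concrete, here is an added example (not code from the thread or from Samba): a small Python reader for getfacl output that computes the access a uid and its gids actually get, in POSIX.1e evaluation order. The two sample ACLs are trimmed transcriptions of the post's listings, and uid 3000099 used in the checks is a constructed "some member of gid 3000025".

```python
# Added example (not code from the thread): parse getfacl output and compute
# the access a uid plus its gids really gets once the POSIX ACL mask applies.
# Both sample ACLs are trimmed transcriptions of the post's getfacl listings.

def parse_getfacl(text):
    """Return the access ACL as a dict; default: entries are ignored."""
    acl = {"owner": None, "owning_group": None, "users": {}, "groups": {}, "mask": None}
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()   # drop getfacl's annotation
        if line.startswith("# owner:"):
            acl["owner"] = line[8:].strip()
        elif line.startswith("# group:"):
            acl["owning_group"] = line[8:].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            if qual:                    # named user:NAME: / group:NAME: entry
                acl[tag + "s"][qual] = perms
            else:                       # user::, group::, mask::, other::
                acl[tag] = perms
    return acl

def masked(perms, mask):
    """A bit is effective only if both the entry and the mask grant it."""
    return "".join(p if p == m else "-" for p, m in zip(perms, mask)) if mask else perms

def effective(acl, uid, gids=()):
    """Permissions a process with uid/gids gets, in POSIX.1e evaluation order."""
    if uid == acl["owner"]:
        return acl["user"]                       # owner entry is never masked
    if uid in acl["users"]:
        return masked(acl["users"][uid], acl["mask"])
    hits = [acl["group"]] if acl["owning_group"] in gids else []
    hits += [p for g, p in acl["groups"].items() if g in gids]
    if hits:                                     # union of every matching group
        union = "".join(c if any(p[i] != "-" for p in hits) else "-" for i, c in enumerate("rwx"))
        return masked(union, acl["mask"])
    return acl["other"]

ACL_BEFORE = """# owner: 3000000
# group: users
user::rwx
user:3000025:rwx
group::---
group:3000025:rwx
mask::rwx
other::---"""

ACL_AFTER_TEST = """# owner: 3000000
# group: users
user::rwx
user:3000002:rwx        #effective:r-x
group::---
group:3000002:rwx       #effective:r-x
mask::r-x
other::---"""
```

Run against the full listings, `effective()` shows why the "test" folder is read-only for everyone but its owner: every rwx entry is cut to r-x by `mask::r-x`, and a uid whose only route was the removed 3000025 entry falls through to `other::---`.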
Rowland Penny
2025-Feb-26 19:38 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On Wed, 26 Feb 2025 18:57:13 +0100 denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> Hello,
>
> Summary:
>
> New GPOs are created from Windows with explicit rwx user and group ACLs
> for "Domain Admins", which are inherited by every object created, while
> sysvolreset changes this to user:group ownership, which is not
> inheritable, and removes the ACLs for "Domain Admins".
>
> [...]
> So the only way to modify an existing GPO is to create a new one and
> make all changes before sysvolreset.
>
> But when using smbclient, it is OK with Administrator:
>
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2\test2
>
> but not with admin (a member of "Domain Admins"):
>
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2
> NT_STATUS_ACCESS_DENIED making remote directory \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\test2

There are three permissions in play here: the normal Unix 'ugo', the EA you are reading with setfacl, and a further one that is set with the Windows permissions. Can you try to read the latter with:

samba-tool ntacl get <file> --as-sddl

Where '<file>' is the directory or file.

For example, on my DC, this:

sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl

Produces this:

O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)

Rowland
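As an added example (not code from the thread or from Samba), a minimal reader for the SDDL string that `samba-tool ntacl get <path> --as-sddl` prints, fed with the sysvol-root DACL Rowland posted; it decodes owner, group, the protected flag and each ACE, and lists which trustees hold an inheritable full-control allow ACE. The alias table and the rights-token values are the example's own assumptions (standard SDDL abbreviations, not something the reply states).

```python
# Added example, not code from the thread or from Samba: a minimal reader for
# the SDDL printed by `samba-tool ntacl get <path> --as-sddl`, fed with the
# DACL Rowland posted for his sysvol root (transcribed from the reply).
import re

# Standard SDDL aliases seen in sysvol ACLs; unknown trustees stay as raw SIDs
WELL_KNOWN = {"LA": "Local Administrator", "BA": "Builtin Administrators",
              "DA": "Domain Admins", "SO": "Server Operators",
              "SY": "Local System", "AU": "Authenticated Users"}
# SDDL rights tokens -> access masks (FA = FILE_ALL_ACCESS, FR/FW/FX = generic)
RIGHTS = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))*)$")

def rights_mask(token):
    """Translate a rights token ('FA', 'FRFX', or a hex mask) to an access mask."""
    if token.lower().startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):        # tokens are two-letter codes
        mask |= RIGHTS[token[i:i + 2]]
    return mask

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and decoded ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL layout: " + sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")
        aces.append({"type": ace_type,
                     "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
                     "rights": rights_mask(rights), "sid": sid})
    return {"owner": m["owner"], "group": m["group"],
            "protected": "P" in m["flags"], "aces": aces}

def full_control_trustees(acl):
    """Trustees with an allow ACE granting full control that also inherits to
    sub-folders and files (OI+CI), i.e. what new GPO folders rely on."""
    return [WELL_KNOWN.get(a["sid"], a["sid"]) for a in acl["aces"]
            if a["type"] == "A" and a["rights"] & RIGHTS["FA"] == RIGHTS["FA"]
            and {"OI", "CI"} <= a["flags"]]

SYSVOL_ROOT_SDDL = ("O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)"
                    "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)")

if __name__ == "__main__":
    acl = parse_sddl(SYSVOL_ROOT_SDDL)
    print("inheritable full control:", full_control_trustees(acl))
```

Point it at the Policies/{GUID} directory from the first post, before and after sysvolreset, and compare the returned trustee lists; 0x1200a9 decodes as FR|FX, i.e. read-and-execute only.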
Gregory Carter
2025-Feb-26 20:17 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
Just out of curiosity, is there a reason why you didn't lab these upgrades first and delay the upgrades until you had solutions to the problems you mention, moving from 4.17->4.19?

I guess I find it curious that a lot of people on this list do not or will not create proper test environments before they upgrade. Maybe the environments are not mission critical. But all my Samba installs are mission critical and beyond. :-)

On my test environment, I have a laptop with 64 Gigs of memory and copies of my dovecot-mail/samba-ad/samba-fs virtual machines, and can at least do basic upgrades between Fedora versions to see what problems a basic upgrade will cause. Same with basic config changes if I discover a better way of managing things and want to put it into production.

If I do not have a solution to the problems I encounter in the above upgrades, I just don't do the upgrade or the patches.

On Wed, Feb 26, 2025 at 11:15 AM denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> I'm facing a weird issue with sysvol ACLs on all my DCs running Samba
> 4.21: the problem appeared after the upgrade from 4.17 to 4.19, and is
> also present on new servers provisioned directly with 4.21.
>
> [...]