samba - Feb 2025 - ACL problem after sysvolreset (possible bug ?)

On Wed, 26 Feb 2025 18:57:13 +0100
denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> Summary :
> 
> New gpo are created from windows with? explicit rwx user and group
> acls for "Domain admins", which are inherited for every objects
> created, while sysvolreset is changing this to user:group ownership,
> which is not inheritable, and removes the acls for "Domain
Admins".
> 
> Detail :
> 
> I'm facing a weird issue with sysvol acls on all my DC running samba 
> 4.21 : the problem appeared after upgrade from 4.17 to 4.19, and is
> also present with on new? servers provisonned directly with 4.21
> 
> the context :
> 
> First, I'm not running? Samba with rfc2307, and "Domain
Admins"
> doesn't have a gidNumber.
> 
> My smb.conf on DC is? the default one from domain provision.
> 
> 
> # wbinfo --uid-info=3000025
> DIDEROT\domain admins:*:3000025:3000025::/home/DIDEROT/domain 
> admins:/bin/false
> 
> # wbinfo --uid-to-sid=3000025
> S-1-5-21-909356044-1599522197-445740120-512
> 
> This group is member of
> 
> # wbinfo --uid-info=3000000
>
BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false
> 
> # wbinfo --uid-to-sid=3000000
> S-1-5-32-544
> 
> The problem? :
> 
> When creating a new gpo from windows GPO management tool with an user 
> member of "Domain Admins" , everything works as expected, GPO can
be
> modified, elements added in...
> 
> After running sysvolreset on DC, GPO is broken, as no new folders can
> be created inside.
> 
> ACL before sysvolreset :
> 
> 
> # getfacl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/
> getfacl?: suppression du premier ??/?? des noms de chemins absolus
> # file: 
>
var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/
> # owner: 3000000
> # group: users
> user::rwx
> user:3000002:rwx
> user:3000003:r-x
> user:3000006:rwx
> user:3000009:r-x
> user:3000025:rwx
> group::---
> group:users:---
> group:3000000:rwx
> group:3000002:rwx
> group:3000003:r-x
> group:3000006:rwx
> group:3000009:r-x
> group:3000025:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:3000006:rwx
> default:user:3000009:r-x
> default:user:3000025:rwx
> default:group::---
> default:group:users:---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:3000006:rwx
> default:group:3000009:r-x
> default:group:3000025:rwx
> default:mask::rwx
> default:other::---
> 
> 
> Created folders or files inside GPO inherit these acls, and
> everything works.
> 
> 
> Acls After sysvolreset :
> 
> # getfacl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon
> getfacl?: suppression du premier ??/?? des noms de chemins absolus
> # file: 
>
var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon
> # owner: 3000025
> # group: 3000025
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> 
> When creating a new folder inside :
> 
> # getfacl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/test
> getfacl?: suppression du premier ??/?? des noms de chemins absolus
> # file: 
>
var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/test
> # owner: 3000000
> # group: users
> user::rwx
> user:root:rwx??????????? #effective:r-x
> user:3000000:rwx??????? #effective:r-x
> user:3000001:r-x
> user:3000002:rwx??????? #effective:r-x
> user:3000003:r-x
> group::---
> group:3000000:rwx??????? #effective:r-x
> group:3000001:r-x
> group:3000002:rwx??????? #effective:r-x
> group:3000003:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
> 
> 
> So creating new folders is broken after sysvolreset.? Running 
> sysvolreset allows creation of one level again.
> 
> Same problem using Administrator account from windows. So the only
> way to modify existing gpo is to create a new one and make all
> changes before sysvolreset.
> 
> 
> but when using smbclient, it is OK with Administrator :
> 
> smb: 
>
\diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\>
> mkdir test2
> 
> smb: 
>
\diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\>
> mkdir test2\test2
> 
> but not with admin (member of "Domain Admins")
> 
> smb: 
>
\diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\>
> mkdir test2
> NT_STATUS_ACCESS_DENIED making remote directory 
>
\diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\test2
> 
There are three permissions in play here, the normal Unix 'ugo', the EA
you are reading with setfacl and a further one that is set with the
Windows permissions. Can you try to read the latter with:

samba-tool ntacl get <file> --as-sddl

Where '<file>' is the directory or file

For example, on my DC, this:

sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl

Produces this:

O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)

Rowland

Le 26/02/2025 ? 20:38, Rowland Penny via samba a ?crit?:
> On Wed, 26 Feb 2025 18:57:13 +0100
> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Summary :
>>
>> New gpo are created from windows with? explicit rwx user and group
>> acls for "Domain admins", which are inherited for every
objects
>> created, while sysvolreset is changing this to user:group ownership,
>> which is not inheritable, and removes the acls for "Domain
Admins".
>>
>> There are three permissions in play here, the normal Unix
'ugo', the EA
>> you are reading with setfacl and a further one that is set with the
>> Windows permissions. Can you try to read the latter with:
>>
>> samba-tool ntacl get <file> --as-sddl
>>
>> Where '<file>' is the directory or file
>>
>> For example, on my DC, this:
>>
>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>
>> Produces this:
>>
>>
O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>
>> Rowland
Hello,

Here are the? ntacls in sddl form :


### New GPO from Windows RSTAT tool, created by an user member of Doman 
Admins group :

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

New Folder created in explorer.exe :

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

New file :

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/logon.txt
O:BAG:DUD:AI(A;ID;FA;;;DA)(A;ID;FA;;;EA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;AU)(A;ID;0x1200a9;;;ED)

### After sysvolreset

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)

SSDL are exactly the same for? all files and folders after sysvolreset


New folder :

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2
O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;OICI;0x1200a9;;;ED)

New file :

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2.txt

O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(OA;;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;;0x1200a9;;;ED)

test2 and test2.txt acls's? are not readable in windows explorer, it 
just displays an error message.


setting back? ACLS to the original values (before sysvolreset) is 
working as expected :

# samba-tool ntacl set 
"O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)"
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test3
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)


So the issue is definitely related to sysvolreset.