Rowland Penny
2025-Feb-26 19:38 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On Wed, 26 Feb 2025 18:57:13 +0100
denis bonnenfant--- via samba <samba at lists.samba.org> wrote:

> Hello,
>
> Summary :
>
> New GPOs are created from Windows with explicit rwx user and group
> ACLs for "Domain Admins", which are inherited by every object
> created, while sysvolreset changes this to user:group ownership,
> which is not inheritable, and removes the ACLs for "Domain Admins".
>
> Detail :
>
> I'm facing a weird issue with sysvol ACLs on all my DCs running Samba
> 4.21: the problem appeared after the upgrade from 4.17 to 4.19, and is
> also present on new servers provisioned directly with 4.21.
>
> The context :
>
> First, I'm not running Samba with rfc2307, and "Domain Admins"
> doesn't have a gidNumber.
>
> My smb.conf on the DC is the default one from domain provision.
>
> # wbinfo --uid-info=3000025
> DIDEROT\domain admins:*:3000025:3000025::/home/DIDEROT/domain admins:/bin/false
>
> # wbinfo --uid-to-sid=3000025
> S-1-5-21-909356044-1599522197-445740120-512
>
> This group is a member of
>
> # wbinfo --uid-info=3000000
> BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false
>
> # wbinfo --uid-to-sid=3000000
> S-1-5-32-544
>
> The problem :
>
> When creating a new GPO from the Windows GPO management tool with a user
> who is a member of "Domain Admins", everything works as expected: the GPO
> can be modified, elements added to it...
>
> After running sysvolreset on the DC, the GPO is broken, as no new folders
> can be created inside it.
>
> ACLs before sysvolreset :
>
> # getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/
> # owner: 3000000
> # group: users
> user::rwx
> user:3000002:rwx
> user:3000003:r-x
> user:3000006:rwx
> user:3000009:r-x
> user:3000025:rwx
> group::---
> group:users:---
> group:3000000:rwx
> group:3000002:rwx
> group:3000003:r-x
> group:3000006:rwx
> group:3000009:r-x
> group:3000025:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000000:rwx
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:user:3000006:rwx
> default:user:3000009:r-x
> default:user:3000025:rwx
> default:group::---
> default:group:users:---
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:group:3000006:rwx
> default:group:3000009:r-x
> default:group:3000025:rwx
> default:mask::rwx
> default:other::---
>
> Folders or files created inside the GPO inherit these ACLs, and
> everything works.
>
> ACLs after sysvolreset :
>
> # getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon
> # owner: 3000025
> # group: 3000025
> user::rwx
> user:root:rwx
> user:3000000:rwx
> user:3000001:r-x
> user:3000002:rwx
> user:3000003:r-x
> group::rwx
> group:3000000:rwx
> group:3000001:r-x
> group:3000002:rwx
> group:3000003:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> When creating a new folder inside :
>
> # getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{2094568D-7BAD-4018-834C-13181AFA2514\}/User/Scripts/Logon/test
> getfacl: Removing leading '/' from absolute path names
> # file: var/lib/samba/sysvol/diderot.org/Policies/{2094568D-7BAD-4018-834C-13181AFA2514}/User/Scripts/Logon/test
> # owner: 3000000
> # group: users
> user::rwx
> user:root:rwx                   #effective:r-x
> user:3000000:rwx                #effective:r-x
> user:3000001:r-x
> user:3000002:rwx                #effective:r-x
> user:3000003:r-x
> group::---
> group:3000000:rwx               #effective:r-x
> group:3000001:r-x
> group:3000002:rwx               #effective:r-x
> group:3000003:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:user:root:rwx
> default:user:3000000:rwx
> default:user:3000001:r-x
> default:user:3000002:rwx
> default:user:3000003:r-x
> default:group::---
> default:group:3000000:rwx
> default:group:3000001:r-x
> default:group:3000002:rwx
> default:group:3000003:r-x
> default:mask::rwx
> default:other::---
>
> So creating new folders is broken after sysvolreset. Running
> sysvolreset again allows creation of one level again.
>
> Same problem using the Administrator account from Windows. So the only
> way to modify an existing GPO is to create a new one and make all the
> changes before sysvolreset.
>
> But when using smbclient, it is OK with Administrator :
>
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2\test2
>
> but not with admin (a member of "Domain Admins") :
>
> smb: \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\> mkdir test2
> NT_STATUS_ACCESS_DENIED making remote directory \diderot.org\Policies\{2094568D-7BAD-4018-834C-13181AFA2514}\Machine\Scripts\Startup\test2

There are three permissions in play here, the normal Unix 'ugo', the EA
you are reading with setfacl and a further one that is set with the
Windows permissions. Can you try to read the latter with:

samba-tool ntacl get <file> --as-sddl

Where '<file>' is the directory or file

For example, on my DC, this:

sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl

Produces this:

O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)

Rowland
denis bonnenfant@sambaedu.org
2025-Feb-26 21:18 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
> On Wed, 26 Feb 2025 18:57:13 +0100
> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
>> Hello,
>>
>> Summary :
>>
>> New GPOs are created from Windows with explicit rwx user and group
>> ACLs for "Domain Admins", which are inherited by every object
>> created, while sysvolreset changes this to user:group ownership,
>> which is not inheritable, and removes the ACLs for "Domain Admins".
>>
>> There are three permissions in play here, the normal Unix 'ugo', the EA
>> you are reading with setfacl and a further one that is set with the
>> Windows permissions. Can you try to read the latter with:
>>
>> samba-tool ntacl get <file> --as-sddl
>>
>> Where '<file>' is the directory or file
>>
>> For example, on my DC, this:
>>
>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>
>> Produces this:
>>
>> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>
>> Rowland

Hello,

Here are the ntacls in SDDL form :

### New GPO from the Windows RSAT tool, created by a user member of the Domain Admins group :

# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

New folder created in explorer.exe :

# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

New file :

# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/logon.txt
O:BAG:DUD:AI(A;ID;FA;;;DA)(A;ID;FA;;;EA)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;AU)(A;ID;0x1200a9;;;ED)

### After sysvolreset

# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)

The SDDL is exactly the same for all files and folders after sysvolreset.

New folder :

# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2
O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;OICI;0x1200a9;;;ED)

New file :

# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test2.txt
O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(OA;;;00000175-0000-0000-2451-75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;;0x1200a9;;;ED)

The ACLs of test2 and test2.txt are not readable in Windows Explorer, it just displays an error message.

Setting the ACLs back to the original values (before sysvolreset) works as expected :

# samba-tool ntacl set "O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)" /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon

# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/Logon/test3
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

So the issue is definitely related to sysvolreset.
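Rowland's reply separates the three permission layers and asks for the Windows one as SDDL; Denis's dumps then show that layer before and after sysvolreset. Reading those strings by eye is error-prone, so here is an added example (mine, not Samba code and not posted by either participant): a small parser for the owner/group/DACL form that `samba-tool ntacl get --as-sddl` prints, plus a report of the things that decide what a newly created child receives: owner and group, whether the DACL is protected (P) or auto-inherited (AI), how many ACEs carry the inherited flag (ID), which trustees hold full control that will propagate (OI or CI set), duplicated ACEs, and any object ACEs with their GUID. The SID alias table is the subset of the standard SDDL aliases that appear on this page, the rights constants are the standard FILE_ALL_ACCESS and generic file rights, and the GUID edacfd8f-ffb3-11d1-b41d-00a0c968f939 is the well-known Active Directory "Apply Group Policy" control-access right; all function names are my own. The three SDDL strings are copied from Denis's messages.

```python
import re
from collections import Counter
from dataclasses import dataclass

# SID aliases that occur in this thread's SDDL (a subset of the full table); other trustees stay literal.
TRUSTEES = {"BA": "BUILTIN\\Administrators", "DA": "Domain Admins", "EA": "Enterprise Admins",
            "DU": "Domain Users", "CO": "CREATOR OWNER", "SY": "NT AUTHORITY\\SYSTEM",
            "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
            "SO": "Server Operators", "LA": "Local Administrator"}
RIGHTS_ALIASES = {"FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0}
FULL_CONTROL = RIGHTS_ALIASES["FA"]          # the 0x1200a9 in the dumps is read & execute
APPLY_GROUP_POLICY = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"  # AD control-access-right GUID


@dataclass
class Ace:
    ace_type: str      # A = allow, D = deny, OA = object allow, ...
    flags: list        # OI/CI = inherit to files/dirs, IO = inherit-only, ID = inherited
    rights: int
    object_guid: str
    inherit_guid: str
    trustee: str


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: list   # P = protected (blocks inheritance from parent), AI = auto-inherited
    aces: list


# Only the O:/G:/D: form is handled; a trailing S: (SACL) part is accepted and ignored.
_SD_RE = re.compile(r"^O:(?P<owner>\S+?)G:(?P<group>\S+?)D:(?P<flags>[A-Z]*)"
                    r"(?P<aces>(?:\([^)]*\))*)(?:S:\S*)?$")


def _pairs(s):
    """Split a run of two-letter SDDL tokens such as 'OICIID' into a list."""
    if len(s) % 2:
        raise ValueError(f"odd-length token string {s!r}")
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def _rights(s):
    if s.lower().startswith("0x"):
        return int(s, 16)
    mask = 0
    for tok in _pairs(s):          # '' (the object ACEs above) yields no tokens: mask 0
        mask |= RIGHTS_ALIASES[tok]
    return mask


def parse_sddl(sddl):
    m = _SD_RE.match(sddl)
    if not m:
        raise ValueError(f"not an owner/group/DACL SDDL string: {sddl!r}")
    dacl_flags = re.findall(r"AI|AR|P", m["flags"])
    if "".join(dacl_flags) != m["flags"]:
        raise ValueError(f"unknown DACL flags {m['flags']!r}")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m["aces"]):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE {body!r}")
        ace_type, flags, rights, obj, inh, sid = fields
        aces.append(Ace(ace_type, _pairs(flags), _rights(rights), obj, inh, TRUSTEES.get(sid, sid)))
    return SecurityDescriptor(TRUSTEES.get(m["owner"], m["owner"]),
                              TRUSTEES.get(m["group"], m["group"]), dacl_flags, aces)


def inheritance_report(sd):
    """The facts that decide what a child created under this object receives."""
    keys = Counter((a.ace_type, tuple(a.flags), a.rights, a.trustee) for a in sd.aces)
    return {
        "owner": sd.owner, "group": sd.group,
        "protected": "P" in sd.dacl_flags,
        "auto_inherited": "AI" in sd.dacl_flags,
        "inherited_aces": sum("ID" in a.flags for a in sd.aces),
        "explicit_aces": sum("ID" not in a.flags for a in sd.aces),
        # Full control only reaches new children if the ACE carries OI or CI.
        "full_control_to_children": sorted({
            a.trustee for a in sd.aces if a.ace_type == "A"
            and (a.rights & FULL_CONTROL) == FULL_CONTROL and {"OI", "CI"} & set(a.flags)}),
        "object_aces": [(a.trustee, a.object_guid, a.object_guid == APPLY_GROUP_POLICY)
                        for a in sd.aces if a.ace_type == "OA"],
        "duplicate_aces": sorted({k[3] for k, n in keys.items() if n > 1}),
    }


def differences(before, after):
    """Keys of inheritance_report that changed between two descriptors."""
    b, a = inheritance_report(before), inheritance_report(after)
    return {k: (b[k], a[k]) for k in b if b[k] != a[k]}


# Copied from the messages above: the GPO's User/Scripts/Logon directory, and a child made after the reset.
BEFORE_RESET = ("O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)"
                "(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)")
AFTER_RESET = ("O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)"
               "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
               "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)")
CHILD_AFTER_RESET = ("O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)"
                     "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;00000175-0000-0000-2451-"
                     "75e363550000;00000179-0000-0000-9e52-75e363550000;AU)(A;OICI;0x1200a9;;;ED)")

if __name__ == "__main__":
    for key, (old, new) in differences(parse_sddl(BEFORE_RESET), parse_sddl(AFTER_RESET)).items():
        print(f"{key}: {old!r} -> {new!r}")
    print("child object ACEs:", inheritance_report(parse_sddl(CHILD_AFTER_RESET))["object_aces"])
```

Run against the strings from the thread, the report makes the change visible in one screen: before sysvolreset the DACL is auto-inherited and all seven ACEs are inherited from the parent; afterwards the DACL is protected, none of its eight ACEs is inherited, the Domain Admins entry is present twice, and an object ACE for Authenticated Users carrying the Apply Group Policy GUID has been added. The folder created after the reset carries an object ACE whose GUIDs are not the Apply Group Policy GUID, which the report flags with `False`. The set of trustees whose full control propagates to children (CREATOR OWNER, Domain Admins, Enterprise Admins, SYSTEM) is the same on both sides, so on the Windows layer alone the parser does not explain the access denied; that is consistent with the POSIX dumps above, where the child's mask dropped to r-x, and is the reason to inspect all three layers rather than one.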