thr3ads.net - samba - [Samba] ACL problem after sysvolreset (possible bug ?) [Feb 2025]

If this information is useful, please help other people find it:
Share via:

Rowland Penny

2025-Feb-26 21:44 UTC

[Samba] ACL problem after sysvolreset (possible bug ?)

On Wed, 26 Feb 2025 22:18:44 +0100
denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> 
> Le 26/02/2025 ? 20:38, Rowland Penny via samba a ?crit?:
> > On Wed, 26 Feb 2025 18:57:13 +0100
> > denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> >
> >> Hello,
> >>
> >> Summary :
> >>
> >> New gpo are created from windows with? explicit rwx user and group
> >> acls for "Domain admins", which are inherited for every
objects
> >> created, while sysvolreset is changing this to user:group
> >> ownership, which is not inheritable, and removes the acls for
> >> "Domain Admins".
> >>
> >> There are three permissions in play here, the normal Unix
'ugo',
> >> the EA you are reading with setfacl and a further one that is set
> >> with the Windows permissions. Can you try to read the latter with:
> >>
> >> samba-tool ntacl get <file> --as-sddl
> >>
> >> Where '<file>' is the directory or file
> >>
> >> For example, on my DC, this:
> >>
> >> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> >>
> >> Produces this:
> >>
> >>
O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
> >>
> >> Rowland
> 
> Hello,
> 
> Here are the? ntacls in sddl form :
> 
> 
> ### New GPO from Windows RSTAT tool, created by an user member of
> Doman Admins group :
> 
> # samba-tool ntacl get? --as-sddl 
>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
>
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
> 
Let me examine these and get back to you.

Rowland

denis bonnenfant@sambaedu.org

2025-Feb-27 08:49 UTC

head link

[Samba] ACL problem after sysvolreset (possible bug ?)

Le 26/02/2025 ? 22:44, Rowland Penny via samba a ?crit?:> On Wed, 26 Feb 2025 22:18:44 +0100
> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
>> Le 26/02/2025 ? 20:38, Rowland Penny via samba a ?crit?:
>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>> denis bonnenfant--- via samba <samba at lists.samba.org>
wrote:
>>>
>>>> Hello,
>>>>
>>>> Summary :
>>>>
>>>> New gpo are created from windows with? explicit rwx user and
group
>>>> acls for "Domain admins", which are inherited for
every objects
>>>> created, while sysvolreset is changing this to user:group
>>>> ownership, which is not inheritable, and removes the acls for
>>>> "Domain Admins".
>>>>
>>>> There are three permissions in play here, the normal Unix
'ugo',
>>>> the EA you are reading with setfacl and a further one that is
set
>>>> with the Windows permissions. Can you try to read the latter
with:
>>>>
>>>> samba-tool ntacl get <file> --as-sddl
>>>>
>>>> Where '<file>' is the directory or file
>>>>
>>>> For example, on my DC, this:
>>>>
>>>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>>>
>>>> Produces this:
>>>>
>>>>
O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>>>
>>>> Rowland
>> Hello,
>>
>> Here are the? ntacls in sddl form :
>>
>>
>> ### New GPO from Windows RSTAT tool, created by an user member of
>> Doman Admins group :
>>
>> # samba-tool ntacl get? --as-sddl
>>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
>>
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>>
> Let me examine these and get back to you.
In addition,? on newly created GPO :

jeu. f?vr. 27 09:39:47 root at se4ad.:~
# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}
O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)

# samba-tool ntacl get? --as-sddl 
/var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/Machine/Scripts
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

ACE are different on GPO root and childrens.


dsacl on a fresh GPO before sysvolreset :

jeu. f?vr. 27 09:39:49 root at se4ad.:~
# samba-tool dsacl get 
--objectdn='CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org'

descriptor for 
CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

samba - Feb 2025 - ACL problem after sysvolreset (possible bug ?)

[Samba] ACL problem after sysvolreset (possible bug ?)

[Samba] ACL problem after sysvolreset (possible bug ?)