Rowland Penny
2025-Feb-26 21:44 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On Wed, 26 Feb 2025 22:18:44 +0100
denis bonnenfant--- via samba <samba at lists.samba.org> wrote:

> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
> > On Wed, 26 Feb 2025 18:57:13 +0100
> > denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> >
> >> Hello,
> >>
> >> Summary:
> >>
> >> New GPOs are created from Windows with explicit rwx user and group
> >> ACLs for "Domain Admins", which are inherited for every object
> >> created, while sysvolreset is changing this to user:group
> >> ownership, which is not inheritable, and removes the ACLs for
> >> "Domain Admins".
> >
> > There are three permissions in play here, the normal Unix 'ugo',
> > the EA you are reading with setfacl and a further one that is set
> > with the Windows permissions. Can you try to read the latter with:
> >
> > samba-tool ntacl get <file> --as-sddl
> >
> > Where '<file>' is the directory or file
> >
> > For example, on my DC, this:
> >
> > sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> >
> > Produces this:
> >
> > O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
> >
> > Rowland
>
> Hello,
>
> Here are the ntacls in SDDL form:
>
> ### New GPO from the Windows RSAT tool, created by a user member of the
> Domain Admins group:
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

Let me examine these and get back to you.

Rowland
denis bonnenfant@sambaedu.org
2025-Feb-27 08:49 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
> On Wed, 26 Feb 2025 22:18:44 +0100
> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
>> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello,
>>>>
>>>> Summary:
>>>>
>>>> New GPOs are created from Windows with explicit rwx user and group
>>>> ACLs for "Domain Admins", which are inherited for every object
>>>> created, while sysvolreset is changing this to user:group
>>>> ownership, which is not inheritable, and removes the ACLs for
>>>> "Domain Admins".
>>>
>>> There are three permissions in play here, the normal Unix 'ugo',
>>> the EA you are reading with setfacl and a further one that is set
>>> with the Windows permissions. Can you try to read the latter with:
>>>
>>> samba-tool ntacl get <file> --as-sddl
>>>
>>> Where '<file>' is the directory or file
>>>
>>> For example, on my DC, this:
>>>
>>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>>
>>> Produces this:
>>>
>>> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>>
>>> Rowland
>>
>> Hello,
>>
>> Here are the ntacls in SDDL form:
>>
>> ### New GPO from the Windows RSAT tool, created by a user member of the
>> Domain Admins group:
>>
>> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
>> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>>
> Let me examine these and get back to you.

In addition, on a newly created GPO:

Thu Feb 27 09:39:47 root at se4ad.:~
# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}
O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)

# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/Machine/Scripts
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

ACEs are different on the GPO root and its children.

dsacl on a fresh GPO before sysvolreset:

Thu Feb 27 09:39:49 root at se4ad.:~
# samba-tool dsacl get --objectdn='CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org'
descriptor for CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)