denis bonnenfant@sambaedu.org
2025-Feb-27 08:49 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
> On Wed, 26 Feb 2025 22:18:44 +0100
> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
>> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>
>>>> Hello,
>>>>
>>>> Summary:
>>>>
>>>> New GPOs are created from Windows with explicit rwx user and group
>>>> ACLs for "Domain Admins", which are inherited for every object
>>>> created, while sysvolreset is changing this to user:group
>>>> ownership, which is not inheritable, and removes the ACLs for
>>>> "Domain Admins".
>>>>
>>>> There are three permissions in play here, the normal Unix 'ugo',
>>>> the EA you are reading with setfacl and a further one that is set
>>>> with the Windows permissions. Can you try to read the latter with:
>>>>
>>>> samba-tool ntacl get <file> --as-sddl
>>>>
>>>> Where '<file>' is the directory or file
>>>>
>>>> For example, on my DC, this:
>>>>
>>>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>>>
>>>> Produces this:
>>>>
>>>> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>>>
>>>> Rowland
>> Hello,
>>
>> Here are the ntacls in SDDL form:
>>
>>
>> ### New GPO from the Windows RSAT tool, created by a user who is a member of
>> the Domain Admins group:
>>
>> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
>> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>>
> Let me examine these and get back to you.

In addition, on a newly created GPO:

jeu. févr. 27 09:39:47 root at se4ad.:~
# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}
O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)

# samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/Machine/Scripts
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)

The ACEs are different on the GPO root and its children.

dsacl on a fresh GPO before sysvolreset:

jeu. févr. 27 09:39:49 root at se4ad.:~
# samba-tool dsacl get --objectdn='CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org'

descriptor for CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
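An added helper for comparing the two descriptors above (example code written for this page, not part of the thread or of Samba): it parses the `O:…G:…D:…` form that `samba-tool ntacl get --as-sddl` prints and lists ACEs on the child that carry the ID (inherited) flag but have no inheritable OI/CI counterpart on the parent. The trustee alias table is an assumed subset of Microsoft's SDDL abbreviations; the two descriptors are the GPO root and Machine/Scripts strings quoted above.

```python
import re
from dataclasses import dataclass

# Well-known SDDL trustee aliases seen in the thread (a subset of Microsoft's table).
TRUSTEES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "BUILTIN\\Administrators",
            "CO": "CREATOR OWNER", "SY": "SYSTEM", "AU": "Authenticated Users", "DU": "Domain Users",
            "ED": "Enterprise Domain Controllers", "LA": "Local Administrator", "SO": "Server Operators"}
# O:owner G:group D:control(ace)(ace)... with an optional S: (SACL) tail, as 'ntacl get --as-sddl' prints it.
SD_RE = re.compile(r"^O:([\w-]+)G:([\w-]+)D:([A-Z]*)((?:\([^)]*\))*)(?:S:.*)?$")

@dataclass(frozen=True)
class Ace:
    ace_type: str      # A = allow, D = deny, OA/OU = object-specific (directory ACEs)
    flags: frozenset   # OI/CI = propagate to files/subdirs, IO = inherit only, ID = was inherited
    rights: str        # FA = full access, 0x1200a9 = read & execute
    trustee: str       # alias such as DA or BA, or a raw SID

def parse_sddl(sddl):
    """Return (owner, group, dacl_control, [Ace, ...]) for one SDDL string."""
    m = SD_RE.match(sddl.strip())
    if not m:
        raise ValueError("not an O:G:D: SDDL string: %r" % sddl)
    owner, group, control, ace_text = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_text):
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = body.split(";")
        flag_set = frozenset(flags[i:i + 2] for i in range(0, len(flags), 2))  # flags are 2-char tokens
        aces.append(Ace(ace_type, flag_set, rights, trustee))
    return owner, group, control, aces

def orphan_inherited_aces(parent_sddl, child_sddl):
    """Child ACEs flagged ID for which the parent has no inheritable (OI/CI) ACE of the same
    type, rights and trustee; such entries cannot have come from inheritance off that parent."""
    parent = parse_sddl(parent_sddl)[3]
    child = parse_sddl(child_sddl)[3]
    sources = {(a.ace_type, a.rights, a.trustee) for a in parent if a.flags & {"OI", "CI"}}
    return [a for a in child if "ID" in a.flags and (a.ace_type, a.rights, a.trustee) not in sources]

# The two descriptors quoted in the thread: the fresh GPO directory and its Machine/Scripts child.
GPO_ROOT = ("O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)"
            "(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)")
GPO_SCRIPTS = ("O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)"
               "(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)")

if __name__ == "__main__":
    for ace in orphan_inherited_aces(GPO_ROOT, GPO_SCRIPTS):
        print("inherited ACE with no source on the parent:", TRUSTEES.get(ace.trustee, ace.trustee),
              ace.rights, sorted(ace.flags))
```

On the quoted data it flags the `(A;ID;FA;;;BA)` entry on Machine/Scripts, which no ACE on the GPO root can have produced, and the owner/group tuple shows DA:DA on the root versus BA:DU on the child.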
Rowland Penny
2025-Feb-27 08:58 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On Thu, 27 Feb 2025 09:49:47 +0100
denis bonnenfant--- via samba <samba at lists.samba.org> wrote:

> On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
> > On Wed, 26 Feb 2025 22:18:44 +0100
> > denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> >
> >> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
> >>> On Wed, 26 Feb 2025 18:57:13 +0100
> >>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
> >>>
> >>>> Hello,
> >>>>
> >>>> Summary:
> >>>>
> >>>> New GPOs are created from Windows with explicit rwx user and
> >>>> group ACLs for "Domain Admins", which are inherited for every
> >>>> object created, while sysvolreset is changing this to user:group
> >>>> ownership, which is not inheritable, and removes the ACLs for
> >>>> "Domain Admins".
> >>>>
> >>>> There are three permissions in play here, the normal Unix 'ugo',
> >>>> the EA you are reading with setfacl and a further one that is set
> >>>> with the Windows permissions. Can you try to read the latter
> >>>> with:
> >>>>
> >>>> samba-tool ntacl get <file> --as-sddl
> >>>>
> >>>> Where '<file>' is the directory or file
> >>>>
> >>>> For example, on my DC, this:
> >>>>
> >>>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
> >>>>
> >>>> Produces this:
> >>>>
> >>>> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
> >>>>
> >>>> Rowland
> >> Hello,
> >>
> >> Here are the ntacls in SDDL form:
> >>
> >>
> >> ### New GPO from the Windows RSAT tool, created by a user who is a member of
> >> the Domain Admins group:
> >>
> >> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
> >> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
> >>
> > Let me examine these and get back to you.
>
> In addition, on a newly created GPO:
>
> jeu. févr. 27 09:39:47 root at se4ad.:~
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}
> O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
>
> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/Machine/Scripts
> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>
> The ACEs are different on the GPO root and its children.
>
> dsacl on a fresh GPO before sysvolreset:
>
> jeu. févr. 27 09:39:49 root at se4ad.:~
> # samba-tool dsacl get --objectdn='CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org'
>
> descriptor for CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
> O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

Before I dive into this, can you supply the smb.conf from the DC and the Unix permissions from /var/lib/samba/sysvol and /var/lib/samba/sysvol/diderot.org

Rowland