denis bonnenfant@sambaedu.org
2025-Feb-27 09:12 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On 27/02/2025 at 09:58, Rowland Penny via samba wrote:
> On Thu, 27 Feb 2025 09:49:47 +0100
> denis bonnenfant--- via samba <samba@lists.samba.org> wrote:
>
>> On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
>>> On Wed, 26 Feb 2025 22:18:44 +0100
>>> denis bonnenfant--- via samba <samba@lists.samba.org> wrote:
>>>
>>>> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
>>>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>>>> denis bonnenfant--- via samba <samba@lists.samba.org> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Summary:
>>>>>>
>>>>>> New GPOs are created from Windows with explicit rwx user and
>>>>>> group ACLs for "Domain Admins", which are inherited by every
>>>>>> object created, while sysvolreset changes this to user:group
>>>>>> ownership, which is not inheritable, and removes the ACLs for
>>>>>> "Domain Admins".
>>>>>>
>>>>>> There are three permissions in play here, the normal Unix 'ugo',
>>>>>> the EA you are reading with setfacl and a further one that is set
>>>>>> with the Windows permissions. Can you try to read the latter
>>>>>> with:
>>>>>>
>>>>>> samba-tool ntacl get <file> --as-sddl
>>>>>>
>>>>>> Where '<file>' is the directory or file
>>>>>>
>>>>>> For example, on my DC, this:
>>>>>>
>>>>>> sudo samba-tool ntacl get /var/lib/samba/sysvol --as-sddl
>>>>>>
>>>>>> Produces this:
>>>>>>
>>>>>> O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>>>>>
>>>>>> Rowland
>>>> Hello,
>>>>
>>>> Here are the ntacls in SDDL form:
>>>>
>>>>
>>>> ### New GPO from the Windows RSAT tool, created by a user who is a member
>>>> of the Domain Admins group:
>>>>
>>>> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
>>>> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>>>>
>>> Let me examine these and get back to you.
>>
>> In addition, on a newly created GPO:
>>
>> Thu Feb 27 09:39:47 root@se4ad.:~
>> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}
>> O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
>>
>> # samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/Machine/Scripts
>> O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>>
>> The ACEs are different on the GPO root and on its children.
>>
>>
>> dsacl on a fresh GPO before sysvolreset:
>>
>> Thu Feb 27 09:39:49 root@se4ad.:~
>> # samba-tool dsacl get --objectdn='CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org'
>>
>> descriptor for CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
>> O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>
> Before I dive into this, can you supply the smb.conf from the DC and
> the Unix permissions from /var/lib/samba/sysvol and
> /var/lib/samba/sysvol/diderot.org

smb.conf:

[global]
    netbios name = se4ad
    workgroup = DIDEROT
    realm = DIDEROT.ORG
    dns forwarder = 172.16.1.253
    server role = active directory domain controller

[netlogon]
    path = /var/lib/samba/sysvol/diderot.org/scripts
    read only = No

[sysvol]
    path = /var/lib/samba/sysvol
    read only = No

Unix ACLs:

ID mappings:

Thu Feb 27 10:03:34 root@se4ad.:~
# wbinfo --uid-info=3000006
DIDEROT\enterprise admins:*:3000006:3000006::/home/DIDEROT/enterprise admins:/bin/false

Thu Feb 27 10:08:27 root@se4ad.:~
# wbinfo --uid-info=3000009
NT Authority\enterprise domain controllers:*:3000009:3000009::/home/NT Authority/enterprise domain controllers:/bin/false

Thu Feb 27 10:08:57 root@se4ad.:~
# wbinfo --uid-info=3000000
BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false

Thu Feb 27 10:09:35 root@se4ad.:~
# wbinfo --uid-info=3000002
NT Authority\system:*:3000002:3000002::/home/NT Authority/system:/bin/false

Thu Feb 27 10:10:40 root@se4ad.:~
# wbinfo --uid-info=3000003
NT Authority\authenticated users:*:3000003:3000003::/home/NT Authority/authenticated users:/bin/false

Thu Feb 27 10:10:48 root@se4ad.:~
# wbinfo --uid-info=3000001
BUILTIN\server operators:*:3000001:3000001::/home/BUILTIN/server operators:/bin/false

Thu Feb 27 10:10:56 root@se4ad.:~
# wbinfo --uid-info=30000025

Thu Feb 27 10:11:16 root@se4ad.:~
# wbinfo --uid-info=3000025
DIDEROT\domain admins:*:3000025:3000025::/home/DIDEROT/domain admins:/bin/false

getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

# getfacl /var/lib/samba/sysvol/diderot.org/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/diderot.org/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Example of a GPO root before sysvolreset:

Thu Feb 27 10:02:19 root@se4ad.:~
# getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/diderot.org/Policies/{3E5EB18B-221D-4173-958D-D913D3C6BFBB}/
# owner: 3000025
# group: 3000025
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000009:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000009:r-x
group:3000025:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000009:r-x
default:user:3000025:rwx
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000009:r-x
default:group:3000025:rwx
default:mask::rwx
default:other::---

GPO root after sysvolreset:

Thu Feb 27 10:02:48 root@se4ad.:~
# getfacl /var/lib/samba/sysvol/diderot.org/Policies/\{F1B4F439-1C9D-4FB0-AD0C-A32CBD0A4512\}/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/diderot.org/Policies/{F1B4F439-1C9D-4FB0-AD0C-A32CBD0A4512}/
# owner: 3000025
# group: 3000025
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---
denis bonnenfant@sambaedu.org
2025-Feb-27 18:00 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On 27/02/2025 at 10:12, denis bonnenfant--- via samba wrote:
>
> On 27/02/2025 at 09:58, Rowland Penny via samba wrote:
>> On Thu, 27 Feb 2025 09:49:47 +0100
>> denis bonnenfant--- via samba <samba@lists.samba.org> wrote:
>>
>>> On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
>>>> On Wed, 26 Feb 2025 22:18:44 +0100
>>>> denis bonnenfant--- via samba <samba@lists.samba.org> wrote:
>>>>
>>>>> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
>>>>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>>>>> denis bonnenfant--- via samba <samba@lists.samba.org> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Summary:
>>>>>>>
>>>>>>> New GPOs are created from Windows with explicit rwx user and
>>>>>>> group ACLs for "Domain Admins", which are inherited by every
>>>>>>> object created, while sysvolreset changes this to user:group
>>>>>>> ownership, which is not inheritable, and removes the ACLs for
>>>>>>> "Domain Admins".
>
>>> descriptor for
>>> CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
>>>
>>> O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>
>> Before I dive into this, can you supply the smb.conf from the DC and
>> the Unix permissions from /var/lib/samba/sysvol and

Just for information: changing file "/usr/lib/python3/dist-packages/samba/ntacls.py", lines 308-309 to

    if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and str(ace.trustee) != security.SID_BUILTIN_PREW2K:

removes the problematic ACE (the one with a UUID), and after that GPOs are working perfectly after sysvolreset.

It's just a hack, probably with side effects, but it is beyond my skills to test it....
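As an added example (not code from the thread, nor Samba's own `samba.ntacls` / `samba.dcerpc.security` code), here is a small stand-alone reader for the SDDL strings posted above. It parses the O:/G:/D:/S: text directly instead of using Samba's `security.descriptor`, lists every DACL ACE with its inheritance flags, reports which trustees hold an allow ACE on the fresh GPO root but none on a reset object, and applies the condition from the ntacls.py one-liner quoted in the previous message to the GPO's directory descriptor to show which ACE that condition drops. Two assumptions to be aware of: the "after reset" reference is Rowland's sysvol root descriptor, chosen because its BA/SO/SY/AU trustees are exactly the uids 3000000-3000003 that the wbinfo output maps in the reset GPO's getfacl listing; and the SID abbreviation table, `SID_BUILTIN_PREW2K` value and helper names are mine. The four SDDL constants are copied verbatim from the thread.

```python
"""Minimal SDDL reader for the security descriptors quoted in this thread (added example)."""
import re

# Standard SDDL SID abbreviations, limited to the ones that occur in the thread.
SID_NAMES = {
    "DA": "Domain Admins", "EA": "Enterprise Admins", "ED": "Enterprise Domain Controllers",
    "BA": "BUILTIN\\Administrators", "SO": "BUILTIN\\Server Operators",
    "SY": "NT AUTHORITY\\SYSTEM", "AU": "Authenticated Users", "CO": "CREATOR OWNER",
    "DU": "Domain Users", "LA": "Local Administrator",
}
RIGHTS = {"FA": "full control", "0x1200a9": "read+execute"}
# BUILTIN\Pre-Windows 2000 Compatible Access, as a SID and as its SDDL alias:
# the trustee that the ntacls.py one-liner quoted in the thread excludes.
SID_BUILTIN_PREW2K = ("S-1-5-32-554", "RU")

SD_RE = re.compile(r"^O:(?P<owner>\S+?)G:(?P<group>\S+?)D:(?P<dacl>.*?)(?:S:(?P<sacl>.*))?$")
ACE_RE = re.compile(r"\(([^)]*)\)")

# Descriptors copied verbatim from the thread: a fresh GPO root, one of its
# subdirectories, the GPO object in AD, and Rowland's sysvol root (used here as
# the post-sysvolreset reference; its BA/SO/SY/AU trustees are the uids
# 3000000-3000003 seen in the reset GPO's getfacl output).
GPO_ROOT = "O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)"
GPO_CHILD = "O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)"
GPO_DSACL = ("O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)"
             "(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)"
             "(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)"
             "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)"
             "S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
             "(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
SYSVOL_AFTER_RESET = "O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"


def _pairs(s):
    """Split a run of two-letter SDDL flag tokens: 'OICIID' -> {'OI', 'CI', 'ID'}."""
    return {s[i:i + 2] for i in range(0, len(s), 2)}


def parse_sddl(sddl):
    """Return owner, group, DACL control flags, the DACL ACEs and the raw SACL text."""
    m = SD_RE.match(sddl.strip())
    if not m:
        raise ValueError("expected an O:..G:..D:.. security descriptor")
    dacl = m.group("dacl")
    head, flags, i = dacl.split("(", 1)[0], set(), 0
    while i < len(head):                      # 'P' is one letter, 'AI'/'AR' are two
        tok = "P" if head[i] == "P" else head[i:i + 2]
        flags.add(tok)
        i += len(tok)
    aces = []
    for body in ACE_RE.findall(dacl):
        typ, aflags, rights, obj, inh_obj, sid = body.split(";")
        aces.append({"type": typ, "flags": _pairs(aflags), "rights": rights,
                     "object": obj, "inherit_object": inh_obj, "trustee": sid})
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": flags, "aces": aces, "sacl": m.group("sacl") or ""}


def inheritable(ace):
    """True if the ACE propagates to children (object and/or container inherit)."""
    return bool(ace["flags"] & {"OI", "CI"})


def inherited(ace):
    """True if the ACE came from the parent (ID flag) rather than being set explicitly."""
    return "ID" in ace["flags"]


def allow_trustees(sd):
    return {a["trustee"] for a in sd["aces"] if a["type"] == "A"}


def lost_after_reset(before_sddl, after_sddl):
    """Trustees with an allow ACE on the fresh object but none on the reset one."""
    return sorted(allow_trustees(parse_sddl(before_sddl)) - allow_trustees(parse_sddl(after_sddl)))


def hack_filter(sd):
    """The condition of the quoted ntacls.py one-liner, applied to parsed ACEs: keep only
    plain access-allowed ACEs ('A') whose trustee is not Pre-Windows 2000 Compatible
    Access. Object ACEs ('OA', the ones carrying a GUID) fail the type test and are dropped."""
    return [a for a in sd["aces"] if a["type"] == "A" and a["trustee"] not in SID_BUILTIN_PREW2K]


def describe(sd):
    """One line per DACL ACE: type, trustee, rights, explicit/inherited, propagation."""
    lines = []
    for a in sd["aces"]:
        who = SID_NAMES.get(a["trustee"], a["trustee"])
        how = "inherited" if inherited(a) else "explicit"
        prop = "propagates" if inheritable(a) else "this object only"
        lines.append(f"{a['type']:<2} {who:<30} {RIGHTS.get(a['rights'], a['rights']):<28} {how}, {prop}")
    return lines


if __name__ == "__main__":
    for label, sddl in (("GPO root", GPO_ROOT), ("GPO child", GPO_CHILD), ("after reset", SYSVOL_AFTER_RESET)):
        sd = parse_sddl(sddl)
        print(f"== {label}: DACL flags {sorted(sd['dacl_flags'])}")
        print("\n".join(describe(sd)))
    print("trustees lost by reset:", lost_after_reset(GPO_ROOT, SYSVOL_AFTER_RESET))
    ds = parse_sddl(GPO_DSACL)
    print(f"DS descriptor: {len(ds['aces'])} DACL ACEs, {len(hack_filter(ds))} kept by the hack filter")
```

Run it as a script for the listing, or import the functions and feed them the output of `samba-tool ntacl get --as-sddl` from your own DC. The listing makes the point of the thread visible in one place: on the fresh GPO root every ACE is explicit and carries OI/CI, on the child every ACE carries ID, and the reset reference has no ACE for DA or EA at all. Note that this only reads SDDL; it does not reproduce how sysvolreset translates Windows rights into POSIX ACL bits, so the getfacl side of the comparison still has to be done by hand.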