samba - Feb 2025 - ACL problem after sysvolreset (possible bug ?)

Le 27/02/2025 ? 09:58, Rowland Penny via samba a ?crit?:
> On Thu, 27 Feb 2025 09:49:47 +0100
> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>
>> Le 26/02/2025 ? 22:44, Rowland Penny via samba a ?crit?:
>>> On Wed, 26 Feb 2025 22:18:44 +0100
>>> denis bonnenfant--- via samba <samba at lists.samba.org>
wrote:
>>>
>>>> Le 26/02/2025 ? 20:38, Rowland Penny via samba a ?crit?:
>>>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>>>> denis bonnenfant--- via samba <samba at
lists.samba.org> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Summary :
>>>>>>
>>>>>> New gpo are created from windows with? explicit rwx
user and
>>>>>> group acls for "Domain admins", which are
inherited for every
>>>>>> objects created, while sysvolreset is changing this to
user:group
>>>>>> ownership, which is not inheritable, and removes the
acls for
>>>>>> "Domain Admins".
>>>>>>
>>>>>> There are three permissions in play here, the normal
Unix 'ugo',
>>>>>> the EA you are reading with setfacl and a further one
that is set
>>>>>> with the Windows permissions. Can you try to read the
latter
>>>>>> with:
>>>>>>
>>>>>> samba-tool ntacl get <file> --as-sddl
>>>>>>
>>>>>> Where '<file>' is the directory or file
>>>>>>
>>>>>> For example, on my DC, this:
>>>>>>
>>>>>> sudo samba-tool ntacl get /var/lib/samba/sysvol
--as-sddl
>>>>>>
>>>>>> Produces this:
>>>>>>
>>>>>>
O:LAG:BAD:P(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;SO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)
>>>>>>
>>>>>> Rowland
>>>> Hello,
>>>>
>>>> Here are the? ntacls in sddl form :
>>>>
>>>>
>>>> ### New GPO from Windows RSTAT tool, created by an user member
of
>>>> Doman Admins group :
>>>>
>>>> # samba-tool ntacl get? --as-sddl
>>>>
/var/lib/samba/sysvol/diderot.org/Policies/\{910E2A0C-D2A6-4508-A92B-D0DEBC180CC0\}/User/Scripts/logon
>>>>
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>>>>
>>> Let me examine these and get back to you.
>> In addition,? on newly created GPO :
>>
>> jeu. f?vr. 27 09:39:47 root at se4ad.:~
>> # samba-tool ntacl get? --as-sddl
>>
/var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}
>>
O:DAG:DAD:PAI(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
>>
>> # samba-tool ntacl get? --as-sddl
>>
/var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/Machine/Scripts
>>
O:BAG:DUD:AI(A;OICIID;FA;;;DA)(A;OICIID;FA;;;EA)(A;ID;FA;;;BA)(A;OICIIOID;FA;;;CO)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;AU)(A;OICIID;0x1200a9;;;ED)
>>
>> ACE are different on GPO root and childrens.
>>
>>
>> dsacl on a fresh GPO before sysvolreset :
>>
>> jeu. f?vr. 27 09:39:49 root at se4ad.:~
>> # samba-tool dsacl get
>>
--objectdn='CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org'
>>
>> descriptor for
>>
CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
>>
O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> Before I dive into this, can you supply the smb.conf from the DC and
> the Unix permissions from /var/lib/samba/sysvol and
> /var/lib/samba/sysvol/diderot.org
smb;conf :

[global]
 ??? netbios name = se4ad
 ??????? workgroup = DIDEROT
 ??????? realm = DIDEROT.ORG
 ??? dns forwarder = 172.16.1.253
 ??? server role = active directory domain controller

[netlogon]
 ??? path = /var/lib/samba/sysvol/diderot.org/scripts
 ??? read only = No

[sysvol]
 ??? path = /var/lib/samba/sysvol
 ??? read only = No


Unix ACLs :

ID mappings :

jeu. f?vr. 27 10:03:34 root at se4ad.:~
# wbinfo --uid-info=3000006
DIDEROT\enterprise admins:*:3000006:3000006::/home/DIDEROT/enterprise 
admins:/bin/false
jeu. f?vr. 27 10:08:27 root at se4ad.:~
# wbinfo --uid-info=3000009
NT Authority\enterprise domain controllers:*:3000009:3000009::/home/NT 
Authority/enterprise domain controllers:/bin/false
jeu. f?vr. 27 10:08:57 root at se4ad.:~
# wbinfo --uid-info=3000000
BUILTIN\administrators:*:3000000:3000000::/home/BUILTIN/administrators:/bin/false
jeu. f?vr. 27 10:09:35 root at se4ad.:~
# wbinfo --uid-info=3000002
NT Authority\system:*:3000002:3000002::/home/NT Authority/system:/bin/false
jeu. f?vr. 27 10:10:40 root at se4ad.:~
# wbinfo --uid-info=3000003
NT Authority\authenticated users:*:3000003:3000003::/home/NT 
Authority/authenticated users:/bin/false
jeu. f?vr. 27 10:10:48 root at se4ad.:~
# wbinfo --uid-info=3000001
BUILTIN\server operators:*:3000001:3000001::/home/BUILTIN/server 
operators:/bin/false
jeu. f?vr. 27 10:10:56 root at se4ad.:~
# wbinfo --uid-info=30000025
jeu. f?vr. 27 10:11:16 root at se4ad.:~
# wbinfo --uid-info=3000025
DIDEROT\domain admins:*:3000025:3000025::/home/DIDEROT/domain 
admins:/bin/false

getfacl?: suppression du premier ??/?? des noms de chemins absolus
# file: var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

# getfacl /var/lib/samba/sysvol/diderot.org/
getfacl?: suppression du premier ??/?? des noms de chemins absolus
# file: var/lib/samba/sysvol/diderot.org/
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---


example of gpo root before sysvolreset :

jeu. f?vr. 27 10:02:19 root at se4ad.:~
# getfacl 
/var/lib/samba/sysvol/diderot.org/Policies/\{3E5EB18B-221D-4173-958D-D913D3C6BFBB\}/
getfacl?: suppression du premier ??/?? des noms de chemins absolus
# file: 
var/lib/samba/sysvol/diderot.org/Policies/{3E5EB18B-221D-4173-958D-D913D3C6BFBB}/
# owner: 3000025
# group: 3000025
user::rwx
user:3000002:rwx
user:3000003:r-x
user:3000006:rwx
user:3000009:r-x
group::rwx
group:3000002:rwx
group:3000003:r-x
group:3000006:rwx
group:3000009:r-x
group:3000025:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000002:rwx
default:user:3000003:r-x
default:user:3000006:rwx
default:user:3000009:r-x
default:user:3000025:rwx
default:group::---
default:group:3000002:rwx
default:group:3000003:r-x
default:group:3000006:rwx
default:group:3000009:r-x
default:group:3000025:rwx
default:mask::rwx
default:other::---


GPO root with sysvolreset :

jeu. f?vr. 27 10:02:48 root at se4ad.:~
# getfacl 
/var/lib/samba/sysvol/diderot.org/Policies/\{F1B4F439-1C9D-4FB0-AD0C-A32CBD0A4512\}/
getfacl?: suppression du premier ??/?? des noms de chemins absolus
# file: 
var/lib/samba/sysvol/diderot.org/Policies/{F1B4F439-1C9D-4FB0-AD0C-A32CBD0A4512}/
# owner: 3000025
# group: 3000025
user::rwx
user:root:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Le 27/02/2025 ? 10:12, denis bonnenfant--- via samba a
?crit?:
>
> Le 27/02/2025 ? 09:58, Rowland Penny via samba a ?crit?:
>> On Thu, 27 Feb 2025 09:49:47 +0100
>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>
>>> Le 26/02/2025 ? 22:44, Rowland Penny via samba a ?crit?:
>>>> On Wed, 26 Feb 2025 22:18:44 +0100
>>>> denis bonnenfant--- via samba <samba at lists.samba.org>
wrote:
>>>>
>>>>> Le 26/02/2025 ? 20:38, Rowland Penny via samba a ?crit?:
>>>>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>>>>> denis bonnenfant--- via samba <samba at
lists.samba.org> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Summary :
>>>>>>>
>>>>>>> New gpo are created from windows with? explicit rwx
user and
>>>>>>> group acls for "Domain admins", which are
inherited for every
>>>>>>> objects created, while sysvolreset is changing this
to user:group
>>>>>>> ownership, which is not inheritable, and removes
the acls for
>>>>>>> "Domain Admins". descriptor for 
>>>
CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
>>>
>>>
O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>
>> Before I dive into this, can you supply the smb.conf from the DC and
>> the Unix permissions from /var/lib/samba/sysvol and
Just for information :

changing? file "/usr/lib/python3/dist-packages/samba/ntacls.py",
lines?
308-309 to


 ?????? if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and 
str(ace.trustee) != security.SID_BUILTIN_PREW2K:

removes problematic ace (the one with uuid), and after that gpo are 
working perfectly. after sysvolreset. It's juste a hack, with probably 
corner effects, but itl isout of my skills to test it....