denis bonnenfant@sambaedu.org
2025-Feb-27 18:00 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On 27/02/2025 at 10:12, denis bonnenfant--- via samba wrote:
>
> On 27/02/2025 at 09:58, Rowland Penny via samba wrote:
>> On Thu, 27 Feb 2025 09:49:47 +0100
>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>
>>> On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
>>>> On Wed, 26 Feb 2025 22:18:44 +0100
>>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>>
>>>>> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
>>>>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>>>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Summary:
>>>>>>>
>>>>>>> New GPOs are created from Windows with explicit rwx user and
>>>>>>> group ACLs for "Domain Admins", which are inherited for every
>>>>>>> object created, while sysvolreset is changing this to user:group
>>>>>>> ownership, which is not inheritable, and removes the ACLs for
>>>>>>> "Domain Admins".
>>> descriptor for
>>> CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
>>>
>>> O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>
>> Before I dive into this, can you supply the smb.conf from the DC and
>> the Unix permissions from /var/lib/samba/sysvol and

Just for information:

changing file "/usr/lib/python3/dist-packages/samba/ntacls.py", lines 308-309 to

        if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and str(ace.trustee) != security.SID_BUILTIN_PREW2K:

removes the problematic ACE (the one with the UUID), and after that GPOs are working perfectly after sysvolreset.
It's just a hack, with probably corner effects, but it is out of my skills to test it....
denis bonnenfant@sambaedu.org
2025-Feb-27 18:30 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On 27/02/2025 at 19:00, denis bonnenfant--- via samba wrote:
>
> On 27/02/2025 at 10:12, denis bonnenfant--- via samba wrote:
>>
>> On 27/02/2025 at 09:58, Rowland Penny via samba wrote:
>>> On Thu, 27 Feb 2025 09:49:47 +0100
>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>
>>>> On 26/02/2025 at 22:44, Rowland Penny via samba wrote:
>>>>> On Wed, 26 Feb 2025 22:18:44 +0100
>>>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>>>
>>>>>> On 26/02/2025 at 20:38, Rowland Penny via samba wrote:
>>>>>>> On Wed, 26 Feb 2025 18:57:13 +0100
>>>>>>> denis bonnenfant--- via samba <samba at lists.samba.org> wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> Summary:
>>>>>>>>
>>>>>>>> New GPOs are created from Windows with explicit rwx user and
>>>>>>>> group ACLs for "Domain Admins", which are inherited for every
>>>>>>>> object created, while sysvolreset is changing this to user:group
>>>>>>>> ownership, which is not inheritable, and removes the ACLs for
>>>>>>>> "Domain Admins".
>>>> descriptor for
>>>> CN={3E5EB18B-221D-4173-958D-D913D3C6BFBB},CN=Policies,CN=System,DC=diderot,DC=org:
>>>>
>>>> O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;LCRPLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>>
>>> Before I dive into this, can you supply the smb.conf from the DC and
>>> the Unix permissions from /var/lib/samba/sysvol and
>
> Just for information:
>
> changing file "/usr/lib/python3/dist-packages/samba/ntacls.py",
> lines 308-309 to
>
>         if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and
> str(ace.trustee) != security.SID_BUILTIN_PREW2K:
>
> removes the problematic ACE (the one with the UUID), and after that GPOs are
> working perfectly after sysvolreset. It's just a hack, with probably
> corner effects, but it is out of my skills to test it....
>

This UUID is defined as ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY in gpo.h, but it doesn't seem to be defined in the Python scripts. Maybe adding some logic to filter out specifically this ACE would be better, but I don't see how...
Rowland Penny
2025-Feb-27 18:49 UTC
[Samba] ACL problem after sysvolreset (possible bug ?)
On Thu, 27 Feb 2025 19:00:29 +0100
denis bonnenfant--- via samba <samba at lists.samba.org> wrote:

> Just for information:
>
> changing file "/usr/lib/python3/dist-packages/samba/ntacls.py",
> lines 308-309 to
>
>         if ace.type == security.SEC_ACE_TYPE_ACCESS_ALLOWED and
> str(ace.trustee) != security.SID_BUILTIN_PREW2K:
>
> removes the problematic ACE (the one with the UUID), and after that GPOs are
> working perfectly after sysvolreset. It's just a hack, with
> probably corner effects, but it is out of my skills to test it....
>

The GPOs are stored in sysvol and in AD (they are in
'CN=Policies,CN=System,DC=samdom,DC=example,DC=com') and the
'nTSecurityDescriptor' attribute from each policy is used by sysvolreset
to set the permissions on each policy in sysvol; it seems that this is
where the problem comes from.

If you compare the output of the following command with the SDDL of the
GPO in sysvol, they should be very similar:

sudo ldbsearch --cross-ncs -H /var/lib/samba/private/sam.ldb '(distinguishedName=CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com)' nTSecurityDescriptor

Where '{6AC1786C-016F-11D2-945F-00C04FB984F9}' is the GPO.

Rowland
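To make the two preceding messages concrete, here is an added stand-alone example (not code from Samba's ntacls.py or from either poster) that parses the nTSecurityDescriptor SDDL quoted in the thread with plain string handling instead of samba.dcerpc.security, locates the object ACE carrying the Apply-Group-Policy GUID named in gpo.h, and contrasts a GUID-specific filter with the type-only hack; the same parser can be run over the SDDL returned by the ldbsearch command above. The second, shorter descriptor and its deny ACE are constructed only to show where the two filters differ.

```python
import re

# Apply-Group-Policy extended right GUID, as quoted in the thread
# (ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY in Samba's gpo.h).
APPLY_GROUP_POLICY_GUID = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"

# The nTSecurityDescriptor SDDL posted in the thread for the GPO container.
GPO_SDDL = (
    "O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)"
    "(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;EA)(A;CIIO;CCDCLCSWRPWPDTLOSDRCWDWO;;;CO)"
    "(A;;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;SY)"
    "(A;CI;LCRPLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)"
    "(A;CI;LCRPLORC;;;ED)"
    "S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)
# Constructed descriptor (not from the thread): one allow, the GPO-apply ACE, one deny.
CONSTRUCTED_SDDL = ("O:DAG:DAD:P(A;CI;CCDCLCSWRPWPDTLOSDRCWDWO;;;DA)"
                    "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(D;CI;WD;;;AN)")

ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")
SDDL_RE = re.compile(r"O:(\w+)G:(\w+)D:(\w*)((?:\([^)]*\))*)(?:S:(\w*)((?:\([^)]*\))*))?$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL/SACL flags and ACE dicts."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL layout")
    owner, group, dflags, daces, sflags, saces = m.groups()
    def aces(blob):  # each "(t;f;r;og;ig;sid)" becomes a dict keyed by ACE_FIELDS
        return [dict(zip(ACE_FIELDS, a.split(";"))) for a in re.findall(r"\(([^)]*)\)", blob or "")]
    return {"owner": owner, "group": group, "dacl_flags": dflags, "dacl": aces(daces),
            "sacl_flags": sflags or "", "sacl": aces(saces)}

def is_apply_group_policy_ace(ace):
    """True for the object ACE granting (or denying) the Apply-Group-Policy control right."""
    return ace["type"] in ("OA", "OD") and ace["rights"] == "CR" \
        and ace["object_guid"].lower() == APPLY_GROUP_POLICY_GUID

def fs_dacl_by_guid(sddl):
    """Drop only the Apply-Group-Policy ACE; every other ACE type survives."""
    return [a for a in parse_sddl(sddl)["dacl"] if not is_apply_group_policy_ace(a)]

def fs_dacl_by_type(sddl):
    """The thread's hack: keep plain access-allowed ('A') ACEs only."""
    return [a for a in parse_sddl(sddl)["dacl"] if a["type"] == "A"]

if __name__ == "__main__":
    for ace in parse_sddl(GPO_SDDL)["dacl"]:
        print(("DROP " if is_apply_group_policy_ace(ace) else "keep ") + str(ace))
```

On the thread's own descriptor both filters leave the same seven ACEs, because the GPO-apply ACE is the only non-"A" entry; the constructed descriptor shows the type-only hack also discarding the deny ACE, which the GUID filter keeps.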