Klaas TJEBBES
2025-Apr-10 13:16 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
Thank you for your answer.

Problem is :

root at smbserver:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=24.04
DISTRIB_CODENAME=noble
DISTRIB_DESCRIPTION="Ubuntu 24.04.2 LTS"

There is no more recent Ubuntu LTS. Also we can't afford to recompile
Samba and maintain it up-to-date, we have to rely on Ubuntu LTS system.

So could you find which recently solved bug you're talking about (I've
searched for it but could not find it even though I'm using a computer)?
This way we may be able to submit it to Ubuntu team who could perhaps
backport the correction.

On 08/04/2025 at 18:51, Luis Peromarta via samba wrote:
> I think 4.19 is ageing now as we are on 4.22
>
> This looks very much like a recently solved bug (can't find it now I'm
> on phone). You need at least 4.21.4
>
> Try updating and see if it fixes things
> On 8 Apr 2025 at 17:28 +0100, Klaas TJEBBES via samba
> <samba at lists.samba.org>, wrote:
>> Hello.
>>
>> samba --version
>> Version 4.19.5-Ubuntu
>>
>> Samba as Active Directory controller.
>>
>> 2 scenarios.
>>
>> # First scenario :
>>
>> * On a Windows client, from RSAT, I create a new GPO named "firstgpo".
>> * Still in RSAT, I then create a second GPO "scndgpo" with some
>> parameters that I backup (right click on the GPO => Backup...).
>> * Then I right click on "firstgpo" and select "Import parameters...". I
>> select the backup previously made.
>>
>> Parameters are correctly imported from "scndgpo" to "firstgpo". So far
>> so good.
>>
>> Here is the problem, after running :
>> samba-tool ntacl sysvolreset
>> I can no longer "Import parameters". I get "Access denied" :
>>
>> """
>> [Error] The task cannot be completed. An error occurred with the
>> [Registry] extension. Unable to access the file
>> [\dc.dom.lan\sysvol\dom.lan\Policies{846F43A0-9299-4791-A16A-7E4AFDE257DF}\MachineStaging\registry.pol].
>> The following error occurred:
>> Access denied.
>> """
>>
>> # Second scenario :
>>
>> * I use :
>> samba-tool gpo backup
>> to backup an existing GPO.
>>
>> * From RSAT I delete this GPO.
>> * I run :
>> samba-tool gpo restore
>> to restore from the backup I just made.
>>
>> * At that moment :
>> samba-tool ntacl sysvolcheck
>> returns nothing, says that ACLs on sysvol are correct.
>>
>> On a Windows client, from RSAT, I try to modify this GPO : right click on
>> the GPO, "Edit..." and configure some settings. I get an error : "Access
>> denied. HRESULT : 0x80070005 (E_ACCESSDENIED)".
>>
>> But, after running :
>> samba-tool ntacl sysvolreset
>>
>> I can again modify the restored GPO without error. But at that moment
>> I'm encountering the problem of the first scenario.
>>
>> What is the problem ? Is this a bug ?
>>
>> Kind regards,
>> Klaas
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Klaas TJEBBES
- Pôle Logiciel Libre (EOLE)
- DSI - Dijon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rowland Penny
2025-Apr-10 13:27 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
On Thu, 10 Apr 2025 15:16:52 +0200
Klaas TJEBBES via samba <samba at lists.samba.org> wrote:
> Thank you for your answer.
>
> Problem is :
>
> root at smbserver:~# cat /etc/lsb-release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=24.04
> DISTRIB_CODENAME=noble
> DISTRIB_DESCRIPTION="Ubuntu 24.04.2 LTS"
>
> There is no more recent Ubuntu LTS. Also we can't afford to recompile
> Samba and maintain it up-to-date, we have to rely on Ubuntu LTS
> system.
>

See here for later Ubuntu Samba packages supplied by the Debian Samba
maintainer:

http://www.corpit.ru/mjt/packages/samba/

Rowland
Hi Klaas,

Luis may have been referring to bug 14213 (Windows Explorer crashes on
S-1-22-* Unix-SIDs when accessing the Security tab), fixed in version
4.21.4. This bug also causes gpedit to crash.

You may have a mapping issue with your idmap on domain controllers.
I wrote a script to display the mapping in a readable form (see the end
of this post).

To reset the mapping on all DCs, here's what I do (note! You need to
adapt it to your configuration; this is for FreeBSD with a ZFS dataset
for Sysvol and NFS4ACL) (inspired by Tranquil IT's migration of the
RFC2307 schema to TDB:
https://samba.tranquil.it/doc/en/samba_config_server/samba_rfc_to_tdb.html):

* On the DC that owns the FSMO roles:
** Clean the mapping:
   for i in $(samba-ldbsearch -H /var/db/samba4/private/idmap.ldb dn | grep ^dn | awk '{ print $2 }' | grep -v CONFIG) ; do samba-ldbdel -H /var/db/samba4/private/idmap.ldb $i ; done
** Be sure that Administrator is mapped with uidNumber 0 (root):
   samba-ldbedit -H /var/db/samba4/private/idmap.ldb   # and change uidNumber of Administrator if needed
   net cache flush
   service samba_server restart
** At this step my script getmapping.sh can help to populate
   idmap.ldb again, or just wait a while.
** Reset the sysvol ACL (it's a ZFS dataset, you need to adapt these
   commands too):
   setfacl -b /var/db/samba4/sysvol
   chown -R 'root:BUILTIN\administrators' /var/db/samba4/sysvol
   chmod 755 /var/db/samba4/sysvol
   samba-tool ntacl sysvolreset
** Send the new idmap to all the other DCs:
   tdbbackup -s .new$(date +%y%m%d) /var/db/samba4/private/idmap.ldb
   scp /var/db/samba4/private/idmap.ldb.new$(date +%y%m%d) <Others_DC>:/var/db/samba4/private/idmap.ldb
* On the other DCs:
** Flush the cache:
   net cache flush
   service samba_server restart
** Wait for synchronization of sysvol, reset the ACL (and/or xattr) and
   check the ACL.
** After that you may need to re-apply Delegations in "Group Policy
   Objects" in the GPO editor. For me it's enough, and after that all my
   delegations and ACLs in sysvol are okay.

Regards,
===== getmapping.sh ====
#!/bin/sh
#
# getmapping.sh - print the SID -> name/type -> uid/gid mapping held in
# sam.ldb or idmap.ldb as a readable, sortable table.
#
#PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# FreeBSD packages install the ldb tools with a "samba-" prefix.
. /etc/os-release
[ "$ID" = 'freebsd' ] && ifbsd='samba-' || ifbsd=''

showhelp ()
{
    cat <<EOF
Usage : $0 [-d sam|idmap] [-c 1|2|3|4] [-h] [-s {CN=XXX|OU=XXX}]
 -d: database to use, sam or idmap for respectively sam.ldb or idmap.ldb
 -c: column for sort :
     1: by sid
     2: by name
     3: by type
     4: by uid/gid
 -s: scope for sam.ldb database ex: CN=Users
EOF
}

while getopts d:c:s:h option; do
    case $option in
    d)
        if [ "$OPTARG" = "sam" ] || [ "$OPTARG" = "idmap" ]; then
            dbf=$OPTARG
        else
            echo "Bad argument for -d option"
            showhelp
            exit 1
        fi
        ;;
    c)
        if echo "$OPTARG" | grep -E '^[1-4]$' >/dev/null; then
            c=$OPTARG
        else
            echo "Bad argument for -c option"
            showhelp
            exit 1
        fi
        ;;
    s)
        s=$OPTARG
        ;;
    h)
        showhelp
        exit 0
        ;;
    \?)
        echo "wrong parameter"
        showhelp
        exit 1
        ;;
    esac
done
[ -z "$dbf" ] && dbf=idmap
[ -z "$c" ] && c=1

# Read the build-time paths from "samba -b" directly instead of writing
# them to a file in /tmp and sourcing it.
build=$(samba -b)
CONFIGFILE=$(printf '%s\n' "$build" | awk -F': ' '/^ *CONFIGFILE:/ {print $2}')
PRIVATE_DIR=$(printf '%s\n' "$build" | awk -F': ' '/^ *PRIVATE_DIR:/ {print $2}')

# Base DN of the domain, built from the realm (dom.lan -> DC=dom,DC=lan);
# tolerates "realm=X" as well as "realm = X".
realm=$(awk -F'=' 'tolower($1) ~ /^[ \t]*realm[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$CONFIGFILE")
bdn="DC=$(printf '%s' "$realm" | sed 's/\./,DC=/g')"

scope=''
if [ "$dbf" = "sam" ]; then
    [ -n "$s" ] && scope="-b ${s},${bdn}" || scope="-b CN=Builtin,${bdn}"
fi

# Print one "sid|name|(type)|id" line for a SID, resolved through winbind.
sidline ()
{
    sid=$1
    n=$(wbinfo -s "$sid" 2>/dev/null)        # "DOM\name <type number>"
    if [ -n "$n" ]; then
        name=${n% *}
        case ${n##* } in
        1) type='(Domain User)' ;;
        2) type='(Domain Group)' ;;
        3) type='(Domain)' ;;
        4) type='(Service Group)' ;;
        5) type='(NT Authority Group)' ;;
        *) type="(${n##* })" ;;
        esac
    else
        name='-----'
        type='-----'
    fi
    # -S gives the uid of a user SID, -Y the gid of a group SID.
    id=$(wbinfo -S "$sid" 2>/dev/null || wbinfo -Y "$sid" 2>/dev/null)
    [ -n "$id" ] || id='-----'
    printf '%s|%s|%s|%s\n' "$sid" "$name" "$type" "$id"
}

echo "Mapping from ${PRIVATE_DIR}/${dbf}.ldb ${scope}:"
# $scope is left unquoted on purpose so that "-b <DN>" splits into two words.
t=$(${ifbsd}ldbsearch -H "${PRIVATE_DIR}/${dbf}.ldb" $scope objectSid |
    awk '/^objectSid:/ {print $2}' |
    while read -r sid; do sidline "$sid"; done)

# Sort by the requested column: numerically for uid/gid, case-folded
# alphabetically for sid, name and type.
case $c in
4)
    echo "$t" | sort -t '|' -k 4,4n | column -t -s '|'
    ;;
*)
    echo "$t" | sort -f -t '|' -k "$c,$c" | column -t -s '|'
    ;;
esac
==============================================================================
Havany
On 10/04/2025 at 15:16, Klaas TJEBBES via samba wrote:
> Thank you for your answer.
>
> Problem is :
>
> root at smbserver:~# cat /etc/lsb-release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=24.04
> DISTRIB_CODENAME=noble
> DISTRIB_DESCRIPTION="Ubuntu 24.04.2 LTS"
>
> There is no more recent Ubuntu LTS. Also we can't afford to recompile
> Samba and maintain it up-to-date, we have to rely on Ubuntu LTS system.
>
> So could you find which recently solved bug you're talking about (I've
> searched for it but could not find it even though I'm using a computer)?
> This way we may be able to submit it to Ubuntu team who could perhaps
> backport the correction.
>
> On 08/04/2025 at 18:51, Luis Peromarta via samba wrote:
>> I think 4.19 is ageing now as we are on 4.22
>>
>> This looks very much like a recently solved bug (can't find it now I'm
>> on phone). You need at least 4.21.4
>>
>> Try updating and see if it fixes things
>> On 8 Apr 2025 at 17:28 +0100, Klaas TJEBBES via samba
>> <samba at lists.samba.org>, wrote:
>>> Hello.
>>>
>>> samba --version
>>> Version 4.19.5-Ubuntu
>>>
>>> Samba as Active Directory controller.
>>>
>>> 2 scenarios.
>>>
>>> # First scenario :
>>>
>>> * On a Windows client, from RSAT, I create a new GPO named "firstgpo".
>>> * Still in RSAT, I then create a second GPO "scndgpo" with some
>>> parameters that I backup (right click on the GPO => Backup...).
>>> * Then I right click on "firstgpo" and select "Import parameters...". I
>>> select the backup previously made.
>>>
>>> Parameters are correctly imported from "scndgpo" to "firstgpo". So far
>>> so good.
>>>
>>> Here is the problem, after running :
>>> samba-tool ntacl sysvolreset
>>> I can no longer "Import parameters". I get "Access denied" :
>>>
>>> """
>>> [Error] The task cannot be completed. An error occurred with the
>>> [Registry] extension. Unable to access the file
>>> [\dc.dom.lan\sysvol\dom.lan\Policies{846F43A0-9299-4791-A16A-7E4AFDE257DF}\MachineStaging\registry.pol].
>>> The following error occurred:
>>> Access denied.
>>> """
>>>
>>> # Second scenario :
>>>
>>> * I use :
>>> samba-tool gpo backup
>>> to backup an existing GPO.
>>>
>>> * From RSAT I delete this GPO.
>>> * I run :
>>> samba-tool gpo restore
>>> to restore from the backup I just made.
>>>
>>> * At that moment :
>>> samba-tool ntacl sysvolcheck
>>> returns nothing, says that ACLs on sysvol are correct.
>>>
>>> On a Windows client, from RSAT, I try to modify this GPO : right click on
>>> the GPO, "Edit..." and configure some settings. I get an error : "Access
>>> denied. HRESULT : 0x80070005 (E_ACCESSDENIED)".
>>>
>>> But, after running :
>>> samba-tool ntacl sysvolreset
>>>
>>> I can again modify the restored GPO without error. But at that moment
>>> I'm encountering the problem of the first scenario.
>>>
>>> What is the problem ? Is this a bug ?
>>>
>>> Kind regards,
>>> Klaas
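An added diagnostic for the puzzle in this thread (sysvolcheck reports nothing while RSAT still gets Access denied on files under a GPO): it compares every entry under a sysvol Policies tree against the root's DACL, ignoring inheritance flags, so a directory or file that lost a principal the root grants is listed. This is my own example, not code from anyone in the thread; it assumes `samba-tool ntacl get <path> --as-sddl` is available on the DC, and the two SDDL strings are constructed samples, not real DC output.

```shell
#!/bin/sh
# Flag sysvol entries whose DACL lacks a (type, rights, principal) that the
# Policies root grants. Inheritance flags such as OICI/ID are ignored, so
# inherited copies of an ACE count as present.

# Print the DACL of an SDDL string as sorted, unique "type;rights;sid" lines.
sddl_aces() {
    printf '%s\n' "$1" | awk '
        {
            d = index($0, "D:")          # start of the DACL section
            if (d == 0) exit
            s = substr($0, d + 2)
            sub(/S:.*$/, "", s)          # drop any trailing SACL section
            n = split(s, aces, /[()]/)
            for (i = 1; i <= n; i++)
                if (split(aces[i], f, ";") >= 6)
                    print f[1] ";" f[3] ";" f[6]   # ace_type;rights;account_sid
        }' | sort -u
}

# Print the ACEs of reference SDDL $1 that are absent from SDDL $2.
missing_aces() {
    ref=$(sddl_aces "$1")
    cur=$(sddl_aces "$2")
    printf '%s\n' "$ref" | while read -r ace; do
        [ -n "$ace" ] || continue
        printf '%s\n' "$cur" | grep -qxF -- "$ace" || printf '%s\n' "$ace"
    done
}

# Walk a Policies tree on a DC and report drift against the root's ACL
# (needs samba-tool; assumed "ntacl get --as-sddl" output, one SDDL per path).
check_sysvol() {
    root=$1
    refsddl=$(samba-tool ntacl get "$root" --as-sddl)
    find "$root" -mindepth 1 | while read -r path; do
        m=$(missing_aces "$refsddl" "$(samba-tool ntacl get "$path" --as-sddl)")
        [ -z "$m" ] || printf '%s\n  missing: %s\n' "$path" "$(printf '%s' "$m" | tr '\n' ' ')"
    done
}

# Constructed sample (not real DC output): the child carries inherited (ID)
# copies of the DA and SY entries but has lost the Authenticated Users one.
SAMPLE_ROOT='O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)'
SAMPLE_CHILD='O:DAG:DAD:(A;OICIID;0x001f01ff;;;DA)(A;OICIID;0x001f01ff;;;SY)'

if [ $# -gt 0 ]; then
    check_sysvol "$1"    # e.g. ./sysvol_acl_drift.sh /var/lib/samba/sysvol/dom.lan/Policies
else
    echo "sample child is missing: $(missing_aces "$SAMPLE_ROOT" "$SAMPLE_CHILD")"
fi
```

Run it with the Policies directory as the argument on a DC; with no argument it only evaluates the constructed sample.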