Hi Klaas,

Luis may have been referring to bug 14213 (Windows Explorer crashes on S-1-22-* Unix SIDs when accessing the Security tab), fixed in version 4.21.4. This bug also causes gpedit to crash.

You may have a mapping issue with your IDmap on the domain controllers.

I wrote a script to display the mapping in a readable form (see the end of this post).

To reset the mapping on all DCs, here's what I do (note! You need to adapt it to your configuration; this is for FreeBSD with a ZFS dataset for Sysvol and NFS4ACL) (inspired by the migration of the RFC2703 schema to TDB by Tranquil IT: https://samba.tranquil.it/doc/en/samba_config_server/samba_rfc_to_tdb.html):

* On the DC that owns the FSMO roles:

** Cleaning the mapping:

for i in $(samba-ldbsearch -H /var/db/samba4/private/idmap.ldb dn | grep ^dn | awk '{ print $2 }' | grep -v CONFIG) ; do samba-ldbdel -H /var/db/samba4/private/idmap.ldb $i ; done

** Be sure that Administrator is mapped with uidNumber 0 (root):

samba-ldbedit -H /var/db/samba4/private/idmap.ldb   # and change the uidNumber of Administrator if needed
net cache flush
service samba_server restart

** At this step my script getmapping.sh can help to populate idmap.ldb again, or just wait a while.

** Resetting the sysvol ACL (it's a ZFS dataset; you need to adapt these commands too):

setfacl -b /var/db/samba4/sysvol
chown -R 'root:BUILTIN\administrators' /var/db/samba4/sysvol
chmod 755 /var/db/samba4/sysvol
samba-tool ntacl sysvolreset

** Send the new idmap to all the other DCs:

tdbbackup -s .new$(date +%y%m%d) /var/db/samba4/private/idmap.ldb
scp /var/db/samba4/private/idmap.ldb.new$(date +%y%m%d) <Others_DC>:/var/db/samba4/private/idmap.ldb

* On the other DCs:

** Flush the cache:

net cache flush
service samba_server restart

** Wait for synchronization of sysvol to reset the ACL (and/or xattr) and check the ACL.

** After that you may need to re-apply Delegations in "Group Policy Objects" in the GPO editor.
For me it's enough, and after that all my delegations and ACLs in sysvol are okay.

Regards,

===== getmapping.sh ====

#!/bin/sh
#
# getmapping.sh: print the SID -> name / type / uid(gid) mapping held in
# idmap.ldb (default) or sam.ldb as a readable, sortable table.
#
#PATH=/usr/local/samba/bin/:/usr/local/samba/sbin/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /etc/os-release
# FreeBSD packages prefix the ldb tools with "samba-" (samba-ldbsearch, ...)
[ "$ID" = 'freebsd' ] && ifbsd='samba-' || ifbsd=''

showhelp () {
    echo "Usage : $0 [-d sam|idmap] [-c 1|2|3|4] [-h] [-s {CN=XXX|OU=XXX}]"
    echo "    -d: database to use, sam or idmap for respectively sam.ldb or idmap.ldb"
    echo "    -c: column for sort : 1: by sid 2: by name 3: by type 4: by uid/gid"
    echo "    -s: scope for sam.ldb database ex: CN=Users"
}

while getopts d:c:s:h option; do
    case $option in
        d)
            if [ "$OPTARG" = "sam" ] || [ "$OPTARG" = "idmap" ]; then
                dbf=$OPTARG
            else
                echo "Bad argument for -d option"
                showhelp
                exit 1
            fi
            ;;
        c)
            if echo "$OPTARG" | grep -E '^([1-4])$' >/dev/null; then
                c=$OPTARG
            else
                echo "Bad argument for -c option"
                showhelp
                exit 1
            fi
            ;;
        s)
            s=$OPTARG
            ;;
        h)
            showhelp
            exit 0
            ;;
        \?)
            echo "wrong parameter"
            showhelp
            exit 1
            ;;
    esac
done

[ -z "$dbf" ] && dbf=idmap
[ -z "$c" ] && c=1

# Import Samba's build-time paths (CONFIGFILE, PRIVATE_DIR, ...) as shell
# variables; a private temp file avoids sourcing a predictable /tmp path.
smbdynvar=$(mktemp) || exit 1
samba -b | grep -E ": \/" | while read v; do
    echo "$(echo "$v" | awk -F ':' '{print $1}')=\"$(echo "$v" | awk -F ' ' '{print $2}')\""
done > "$smbdynvar"
. "$smbdynvar"
rm -f "$smbdynvar"

# Base DN derived from the realm in smb.conf (dom.lan -> DC=dom,DC=lan)
bdn="$(grep -i realm "$CONFIGFILE" | awk -F' = ' '{print "DC="$2}' | sed 's/\./,DC=/g')"
if [ "$dbf" = "sam" ]; then
    [ -n "$s" ] && scope="-b ${s},${bdn}" || scope="-b CN=Builtin,${bdn}"
fi

echo "Mapping from ${PRIVATE_DIR}/${dbf}.ldb ${scope}:"
for i in $(${ifbsd}ldbsearch -H "${PRIVATE_DIR}/${dbf}.ldb" ${scope} objectsid | grep objectSid | awk '{print $2}'); do
    # wbinfo -s prints "NAME TYPE"; rewrite the trailing type number as a label
    n=$(wbinfo -s "$i" 2>/dev/null | sed 's/1$/|(Domain User)/ ; s/2$/|(Domain Group)/ ; s/3$/|(Domain)/ ; s/4$/|(Service Group)/ ; s/5$/|(NT Authority Group)/')
    [ -z "$n" ] && n='-----|-----'
    # uid for users (-S), gid for groups (-Y)
    id=$(wbinfo -S "$i" 2>/dev/null || wbinfo -Y "$i" 2>/dev/null)
    t="${t}
$i | $n | $id"
done

case $c in
    4) echo "$t" | sort -t '|' -k "$c" | column -t -s'|' ;;
    *) echo "$t" | sort -fn -t '|' -k "$c" | column -t -s'|' ;;
esac

==============================================================================

Havany

On 10/04/2025 at 15:16, Klaas TJEBBES via samba wrote:
> Thank you for your answer.
>
> Problem is :
>
> root at smbserver:~# cat /etc/lsb-release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=24.04
> DISTRIB_CODENAME=noble
> DISTRIB_DESCRIPTION="Ubuntu 24.04.2 LTS"
>
> There is no more recent Ubuntu LTS. Also we can't afford to recompile
> Samba and maintain it up-to-date, we have to rely on the Ubuntu LTS system.
>
> So could you find which recently solved bug you're talking about (I've
> searched for it but could not find it even though I'm using a computer) ?
> This way we may be able to submit it to the Ubuntu team who could perhaps
> backport the correction.
>
>
>
> On 08/04/2025 at 18:51, Luis Peromarta via samba wrote:
>> I think 4.19 is ageing now as we are on 4.22
>>
>> This looks very much like a recently solved bug (can't find it now I'm
>> on phone). You need at least 4.21.4
>>
>> Try updating and see if it fixes things
>> On 8 Apr 2025 at 17:28 +0100, Klaas TJEBBES via samba
>> <samba at lists.samba.org>, wrote:
>>> Hello.
>>>
>>> samba --version
>>> Version 4.19.5-Ubuntu
>>>
>>> Samba as Active Directory controller.
>>>
>>> 2 scenarios.
>>>
>>>
>>> # First scenario :
>>>
>>> * On a Windows client, from RSAT, I create a new GPO named "firstgpo".
>>> * Still in RSAT, I then create a second GPO "scndgpo" with some
>>> parameters that I backup (right click on the GPO => Backup...).
>>> * Then I right click on "firstgpo" and select "Import parameters...". I
>>> select the backup previously made.
>>>
>>> Parameters are correctly imported from "scndgpo" to "firstgpo". So far
>>> so good.
>>>
>>> Here is the problem, after running :
>>> samba-tool ntacl sysvolreset
>>> I can no longer "Import parameters". I get "Access denied" :
>>>
>>> """
>>> [Error] The task cannot be completed. An error occurred with the
>>> [Registry] extension. Unable to access the file
>>> [\dc.dom.lan\sysvol\dom.lan\Policies{846F43A0-9299-4791-A16A-7E4AFDE257DF}\MachineStaging\registry.pol].
>>> The following error occurred:
>>> Access denied.
>>> """
>>>
>>>
>>> # Second scenario :
>>>
>>> * I use :
>>> samba-tool gpo backup
>>> to backup an existing GPO.
>>>
>>> * From RSAT I delete this GPO.
>>> * I run :
>>> samba-tool gpo restore
>>> to restore from the backup I just made.
>>>
>>> * At that moment :
>>> samba-tool ntacl sysvolcheck
>>> returns nothing, says that ACLs on sysvol are correct.
>>>
>>> On a Windows client, from RSAT, I try to modify this GPO : right click on
>>> the GPO, "Edit..." and configure some settings. I get an error : "Access
>>> denied. HRESULT : 0x80070005 (E_ACCESSDENIED)".
>>>
>>> But, after running :
>>> samba-tool ntacl sysvolreset
>>>
>>> I can again modify the restored GPO without error. But at that moment
>>> I'm encountering the problem of the first scenario.
>>>
>>>
>>> What is the problem ? Is this a bug ?
>>>
>>>
>>> Kind regards,
>>> Klaas
>>>
>>>
>>>
>>> --
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2025-Apr-11 11:12 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
On Fri, 11 Apr 2025 11:27:21 +0200 Havany via samba <samba at lists.samba.org> wrote:
> Hi Klaas,
>
> Luis may have been referring to bug 14213 (Windows Explorer crashes
> on S-1-22-* Unix-SIDs when accessing the Security tab), fixed in
> version 4.21.4. This bug also causes gpedit to crash.
>
> You may have a mapping issue with your IDmap on domain controllers.
>
> I wrote a script to display the mapping in a readable form (see the
> end of this post).
>
> To reset the mapping on all DCs, here's what I do (note! You need to
> adapt it to your configuration; this is for FreeBSD with a ZFS
> dataset for Sysvol and NFS4ACL) (inspired by the migration of the
> RFC2703 schema to TDB of Tranquil IT:
> https://samba.tranquil.it/doc/en/samba_config_server/samba_rfc_to_tdb.html):

That, in my opinion, isn't actually migrating the RFC2307 schema; the RFC2307 schema is actually part of the standard AD schema.

There are a few other ways around this problem:

Do not use 'idmap_ldb:use rfc2307 = yes' in the DCs' smb.conf. This will lead to only the '3000000' xidNumber attributes from idmap.ldb being used on Samba AD DCs instead of any uidNumber or gidNumber attributes in AD. This will negate any uidNumber or gidNumber attributes in AD.

Do not give Domain Admins a gidNumber attribute. You can create another group similar to Domain Admins (I used to use a group called Unix Admins), give that group a gidNumber and use that group on Unix instead of Domain Admins.

Do not use RFC2307 attributes, and use the rid or autorid idmap backends on Unix domain members.

If you do use RFC2307 attributes, then you only really need to give the Domain Users group a gidNumber, along with any groups you create that you want to be visible on Unix domain members.
As the idmap_ldb backend found on Samba AD DCs is an allocating backend, and different IDs can be allocated to users and groups depending on when they first come to a DC's notice, you need to sync idmap.ldb between all DCs. However, this doesn't need to be done regularly, as the changes that matter only really happen when a DC first runs.

Rowland
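An added example (not code from the thread) showing the two checks this discussion turns on: Rowland's point that the allocating idmap_ldb backend can hand the same SID a different xidNumber on each DC, so idmap.ldb dumps must be compared and synced, and Havany's check that Administrator is mapped to 0. It parses the LDIF that ldbsearch prints for idmap.ldb; the two DC dumps, the domain SID and the record layout helper are constructed for the example.

```python
"""Added example (not code from the thread): compare idmap.ldb dumps of two DCs.
Parses the LDIF that ``ldbsearch -H idmap.ldb`` prints, reports SIDs each DC
allocated to a different xidNumber (the divergence Rowland describes) and checks
that the built-in Administrator (RID 500) maps to xid 0 as Havany's procedure
requires.  The dumps are constructed samples, not real domain data."""
import re

RX = re.compile(r"^(objectSid|xidNumber|type): (.+)$")

def parse_idmap(ldif_text):
    """Return {sid: (xid, type)} from an ldbsearch dump; CN=CONFIG has no SID."""
    mapping, rec = {}, {}
    for line in ldif_text.splitlines() + [""]:
        if line.startswith("#"):              # '# record N' / '# returned' lines
            continue
        if not line.strip():                  # blank line terminates a record
            if "objectSid" in rec:
                mapping[rec["objectSid"]] = (int(rec["xidNumber"]), rec["type"])
            rec = {}
            continue
        m = RX.match(line)
        if m:
            rec[m.group(1)] = m.group(2)
    return mapping

def diverging_sids(a, b):
    """SIDs known to both DCs but mapped to different xids (must be synced)."""
    return sorted(s for s in a.keys() & b.keys() if a[s][0] != b[s][0])

def admin_maps_to_root(mapping):
    """True iff the domain Administrator (RID 500) is mapped to xid 0 (root)."""
    return any(sid.endswith("-500") and xid == 0 for sid, (xid, _) in mapping.items())

def ldif(records):
    """Render constructed (sid, type, xid) records in ldbsearch's output format."""
    body = "\n\n".join(f"# record {n}\ndn: CN={s}\nobjectSid: {s}\ntype: {t}\nxidNumber: {x}"
                       for n, (s, t, x) in enumerate(records, 1))
    return body + f"\n\n# returned {len(records)} records\n"

DOM = "S-1-5-21-1111-2222-3333"   # constructed domain SID
# Constructed: DC1 mapped Administrator to 0 and saw Domain Admins (512) before
# Domain Users (513); DC2 allocated in a different order, so the xids disagree.
DC1 = ldif([(f"{DOM}-500", "ID_TYPE_UID", 0), (f"{DOM}-512", "ID_TYPE_GID", 3000000),
            (f"{DOM}-513", "ID_TYPE_GID", 3000001)])
DC2 = ldif([(f"{DOM}-500", "ID_TYPE_UID", 3000000), (f"{DOM}-513", "ID_TYPE_GID", 3000001),
            (f"{DOM}-512", "ID_TYPE_GID", 3000002)])

if __name__ == "__main__":
    print("xids differ for:", diverging_sids(parse_idmap(DC1), parse_idmap(DC2)))
```

On a real DC, feed the output of ldbsearch -H /path/to/private/idmap.ldb from each DC to parse_idmap instead of the constructed dumps.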