Klaas TJEBBES
2025-Apr-16 15:03 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
I don't understand how import parameters from a previously backed-up GPO in
RSAT can work on your setup as it clearly does not on ours.

To summarize :

root@addc:~# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=24.04
DISTRIB_CODENAME=noble
DISTRIB_DESCRIPTION="Ubuntu 24.04.2 LTS"

root@addc:~# cat /etc/samba/smb.conf
[global]
        realm = DOMSCRIBE.AC-TEST.FR
        workgroup = DOMSCRIBE
        netbios name = ADDC
        disable netbios = yes
        smb ports = 445
        map acl inherit = Yes
        store dos attributes = Yes
        winbind separator = /
        server role = active directory domain controller
        server services = -dns
        tls enabled = yes
        tls keyfile = /var/lib/samba/private/tls/key.pem
        tls certfile = /var/lib/samba/private/tls/cert.pem
        tls cafile
        usershare max shares = 0
        restrict anonymous = 2
        interfaces = 192.168.0.30

[netlogon]
        comment = Network Logon Service
        path = /home/sysvol/domscribe.ac-test.fr/scripts
        read only = No
        guest ok = yes

[sysvol]
        comment = Sysvol Service
        path = /home/sysvol
        read only = No
        guest ok = yes

# Problem 1 #

* I create a GPO in RSAT
* I can then import parameters from a previously backed-up GPO
* On the Samba DC I run "samba-tool ntacl sysvolreset"
* I can no longer import parameters from a previously backed-up GPO, I get :
"""
[Error] The task cannot be completed. An error occurred with the [Registry]
extension. Unable to access the file
[\\dc.dom.lan\sysvol\dom.lan\Policies\{846F43A0-9299-4791-A16A-7E4AFDE257DF}\Machine\Staging\registry.pol].
The following error occurred: Access denied.
"""

# Problem 2 #

* After using 'samba-tool gpo restore', on a Windows client, from RSAT, I try
to modify this GPO : right-click on the GPO, "Edit..." and configure some
settings. I get an error : "Access denied. HRESULT : 0x80070005
(E_ACCESSDENIED)".
* But in this code, 'samba-tool ntacl sysvolreset' won't execute
('samba-tool ntacl sysvolcheck' returns/tells that sysvol ACLs are right) :

if ! samba-tool ntacl sysvolcheck 2>/dev/null
then
    echo "* Check sysvol ACL NOK, do sysvolreset, please wait ..."
    samba-tool ntacl sysvolreset
fi

* After running 'samba-tool ntacl sysvolreset' by hand, I can again modify the
restored GPO without error. But at that moment I'm encountering # Problem 1 #.

# Test done to define Problem 1 #

* Before 'samba-tool ntacl sysvolreset' :

find /home/sysvol/domscribe.ac-test.fr/Policies/\{407E6044-D8C0-46D6-AF67-0175A6638D6A\} | while read i; do
    echo -n "samba-tool ntacl set "
    echo -n \'$(samba-tool ntacl get --as-sddl "${i}")\'
    echo " $i"
done > set_acls.sh

* run 'samba-tool ntacl sysvolreset' and observe that import parameters in
RSAT no longer works
* run :

find /home/sysvol/domscribe.ac-test.fr/Policies/\{407E6044-D8C0-46D6-AF67-0175A6638D6A\} | while read i; do
    echo -n "samba-tool ntacl set "
    echo -n \'$(samba-tool ntacl get --as-sddl "${i}")\'
    echo " $i"
done > set_BAD_acls.sh

* run './set_acls.sh' and observe that import parameters in RSAT works again
* run './set_BAD_acls.sh' and observe that import parameters in RSAT no longer
works

# Content of set_acls.sh
samba-tool ntacl set 'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}
samba-tool ntacl set 'O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/User
samba-tool ntacl set 'O:BAG:DUD:(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;;FA;;;BA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine
samba-tool ntacl set 'O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine/comment.cmtx
samba-tool ntacl set 'O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine/Registry.pol
samba-tool ntacl set 'O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/gpt.ini

# Content of set_BAD_acls.sh
samba-tool ntacl set 'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}
samba-tool ntacl set 'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/User
samba-tool ntacl set 'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine
samba-tool ntacl set 'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine/comment.cmtx
samba-tool ntacl set 'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/Machine/Registry.pol
samba-tool ntacl set 'O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)' /home/sysvol/domscribe.ac-test.fr/Policies/{407E6044-D8C0-46D6-AF67-0175A6638D6A}/gpt.ini

On 15/04/2025 at 10:44, Rowland Penny via samba wrote:
> On Tue, 15 Apr 2025 10:03:59 +0200
> Klaas TJEBBES via samba <samba@lists.samba.org> wrote:
>
>> Hi Rowland (and others)
>>
>> Here is what you were asking for.
>> As a sidenote, 'samba-tool ntacl get' is a bit buggy on some paths.
>> I've left the tracebacks so you can understand what I'm talking about.
>>
>> But nevertheless, there are some differences between before and after
>> 'samba-tool ntacl sysvolreset'. This command does not set back the
>> access rights like Windows does.
>>
>>
>> # BEFORE samba-tool ntacl sysvolreset, just after creating a GPO in
>> RSAT
>>
>> root@addc:~# samba-tool ntacl get
>> /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/
>> --as-sddl
>
> Why is 'sysvol' in '/home' ??
> it should be in /var/lib/samba unless you have self compiled Samba into
> somewhere else (usually /usr/local/samba).
>
>> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No
>> such file or directory:
>> '/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}/'
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
>> line 279, in _run
>>     return self.run(*args, **kwargs)
>>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
>> 206, in run
>>     acl = getntacl(lp,
>>           ^^^^^^^^^^^^
>>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
>> in getntacl
>>     return smbd.get_nt_acl(file,
>>            ^^^^^^^^^^^^^^^^^^^^^
>>
>
> I get the same sort of error if I have '/' on the end of the path, but
> it works if I remove it.
>
>> root@addc:~# cd
>> /home/sysvol/domscribe.ac-test.fr/Policies/\{A343FF29-C355-44E2-80B9-1CD67B6134E3\}/
>>
>> root@addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> ls -l
>> total 24
>> -rwxrwx---+ 1 BUILTIN/administrators users   68 avril 15 09:52 GPT.INI
>> drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:53 Machine
>> drwxrwx---+ 2 BUILTIN/administrators users 4096 avril 15 09:52 User
>>
>> root@addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get . --as-sddl
>> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)
>>
>> root@addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get GPT.INI --as-sddl
>> O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)
>>
>> root@addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get Machine/ --as-sddl
>> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No
>> such file or directory: 'Machine/'
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
>> line 279, in _run
>>     return self.run(*args, **kwargs)
>>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
>> 206, in run
>>     acl = getntacl(lp,
>>           ^^^^^^^^^^^^
>>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
>> in getntacl
>>     return smbd.get_nt_acl(file,
>>            ^^^^^^^^^^^^^^^^^^^^^
>>
>>
>> # AFTER samba-tool ntacl sysvolreset
>>
>> root@addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get . --as-sddl
>> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>>
>> root@addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get GPT.INI --as-sddl
>> O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)
>>
>
> They are what I expected and identical to a GPO on one of my DCs.
>
>> root@addc:/home/sysvol/domscribe.ac-test.fr/Policies/{A343FF29-C355-44E2-80B9-1CD67B6134E3}#
>> samba-tool ntacl get Machine/ --as-sddl
>> ERROR(<class 'FileNotFoundError'>): uncaught exception - [Errno 2] No
>> such file or directory: 'Machine/'
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
>> line 279, in _run
>>     return self.run(*args, **kwargs)
>>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line
>> 206, in run
>>     acl = getntacl(lp,
>>           ^^^^^^^^^^^^
>>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 125,
>> in getntacl
>>     return smbd.get_nt_acl(file,
>>            ^^^^^^^^^^^^^^^^^^^^^
>
> Try that again but this time without the '/' on the end of 'Machine/'.
>
> Rowland
>

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Klaas TJEBBES
- Pôle Logiciel Libre (EOLE)
- DSI - Dijon
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
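The diagnosis in the message above rests on reading long SDDL strings by eye. As an added example (not code from the thread, and not Samba's own tooling), the Python script below parses the owner, group, DACL flags and ACE list of a file-system SDDL string and reports exactly what differs between two captures. The sample strings are the ones quoted in the thread for the GPO directory and for a file inside it, before and after `samba-tool ntacl sysvolreset`; the SID, access-mask and GUID name tables are my own lookup tables for the abbreviations those strings use.

```python
import re
from typing import NamedTuple, Tuple

# Constructed sample input: the SDDL strings quoted in the thread, as captured by
# `samba-tool ntacl get --as-sddl` before ("GOOD") and after ("BAD") sysvolreset.
GOOD_DIR = ("O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
            "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)(A;OICI;0x1200a9;;;ED)")
BAD_DIR = ("O:DAG:DAD:P(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)(A;OICIIO;FA;;;CO)"
           "(A;OICI;FA;;;DA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;AU)"
           "(OA;OICI;;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;OICI;0x1200a9;;;ED)")
GOOD_FILE = ("O:BAG:DUD:(A;;FA;;;DA)(A;;FA;;;EA)(A;;FA;;;BA)(A;;FA;;;SY)"
             "(A;;0x1200a9;;;AU)(A;;0x1200a9;;;ED)")
BAD_FILE = BAD_DIR  # after sysvolreset the files carried the same SDDL as the directory

# Lookup tables (my own) for the SDDL abbreviations that appear in the thread.
SID_NAMES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "BUILTIN\\Administrators",
             "DU": "Domain Users", "CO": "CREATOR OWNER", "SY": "SYSTEM",
             "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
RIGHTS_NAMES = {"FA": "full access", "0x1200a9": "read & execute"}
GUID_NAMES = {"edacfd8f-ffb3-11d1-b41d-00a0c968f939": "Apply-Group-Policy extended right"}

# O:<owner>G:<group>D:<dacl flags>(<ace>)...  with an optional trailing S: (SACL) part.
SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^)]*\))*)(?:S:.*)?$")


class Ace(NamedTuple):
    """One DACL entry: (type;flags;rights;object_guid;inherit_guid;trustee)."""
    type: str
    flags: str
    rights: str
    object_guid: str
    inherit_guid: str
    trustee: str

    def describe(self) -> str:
        who = SID_NAMES.get(self.trustee, self.trustee)
        what = RIGHTS_NAMES.get(self.rights, self.rights or "<empty access mask>")
        text = f"{self.type}: {what} for {who} [{self.flags or 'no inheritance'}]"
        if self.object_guid:
            text += f" object={GUID_NAMES.get(self.object_guid, self.object_guid)}"
        return text


class Descriptor(NamedTuple):
    owner: str
    group: str
    dacl_flags: str  # "P" = protected: inheritance from the parent is blocked
    aces: Tuple[Ace, ...]


def parse_sddl(sddl: str) -> Descriptor:
    """Parse owner, group, DACL flags and the ACE list of a file-system SDDL string."""
    m = SDDL_RE.match(sddl.strip())
    if not m:
        raise ValueError(f"not a recognised O:/G:/D: SDDL string: {sddl!r}")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        aces.append(Ace(*fields))
    return Descriptor(m.group("owner"), m.group("group"), m.group("flags"), tuple(aces))


def diff_sddl(before: str, after: str) -> dict:
    """Report what changed between two SDDL strings; ACE order is ignored, duplicates collapsed."""
    a, b = parse_sddl(before), parse_sddl(after)
    report = {}
    for field in ("owner", "group", "dacl_flags"):
        old, new = getattr(a, field), getattr(b, field)
        report[field] = (old, new) if old != new else None
    before_set, after_set = set(a.aces), set(b.aces)
    report["added"] = [ace for ace in dict.fromkeys(b.aces) if ace not in before_set]
    report["removed"] = [ace for ace in dict.fromkeys(a.aces) if ace not in after_set]
    return report


def print_report(label: str, before: str, after: str) -> None:
    rep = diff_sddl(before, after)
    print(f"== {label} ==")
    for field in ("owner", "group", "dacl_flags"):
        if rep[field]:
            print(f"  {field}: {rep[field][0]!r} -> {rep[field][1]!r}")
    for ace in rep["removed"]:
        print(f"  - {ace.describe()}")
    for ace in rep["added"]:
        print(f"  + {ace.describe()}")


if __name__ == "__main__":
    print_report("GPO directory", GOOD_DIR, BAD_DIR)
    print_report("file inside the GPO", GOOD_FILE, BAD_FILE)
```

Run against the thread's strings, the directory diff shows a single added object-type ACE (OA) carrying an empty access mask and the Apply-Group-Policy GUID, while the file diff shows the owner, group and protected flag changing and the explicit BUILTIN\Administrators entry disappearing; feeding it the output of `samba-tool ntacl get --as-sddl` taken before and after a reset on your own DC gives the same kind of report without comparing the raw strings by hand.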
Rowland Penny
2025-Apr-16 16:07 UTC
[Samba] Access denied on GPO after "ntacl sysvolreset"
On Wed, 16 Apr 2025 17:03:10 +0200
Klaas TJEBBES via samba <samba@lists.samba.org> wrote:

> I don't understand how import parameters from a previously backed-up
> GPO in RSAT can work on your setup as it clearly does not on ours.
>
>
> To summarize :
>
> root@addc:~# cat /etc/lsb-release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=24.04
> DISTRIB_CODENAME=noble
> DISTRIB_DESCRIPTION="Ubuntu 24.04.2 LTS"
>
> root@addc:~# cat /etc/samba/smb.conf
> [global]
>         realm = DOMSCRIBE.AC-TEST.FR
>         workgroup = DOMSCRIBE
>         netbios name = ADDC
>         disable netbios = yes
>         smb ports = 445
>         map acl inherit = Yes
>         store dos attributes = Yes
>         winbind separator = /
>         server role = active directory domain controller
>         server services = -dns
>         tls enabled = yes
>         tls keyfile = /var/lib/samba/private/tls/key.pem
>         tls certfile = /var/lib/samba/private/tls/cert.pem
>         tls cafile
>         usershare max shares = 0
>         restrict anonymous = 2
>         interfaces = 192.168.0.30
>
> [netlogon]
>         comment = Network Logon Service
>         path = /home/sysvol/domscribe.ac-test.fr/scripts
>         read only = No
>         guest ok = yes
>
> [sysvol]
>         comment = Sysvol Service
>         path = /home/sysvol
>         read only = No
>         guest ok = yes
>

I asked this once, but you didn't answer, let's try again:
Why are sysvol and netlogon in /home instead of being in /var/lib/samba
where they belong ?

Rowland