Re: [Samba] sysvolreset doesn't reset all ACLs

On 2017-08-24 12:27, Rowland Penny via samba wrote:
> On Thu, 24 Aug 2017 12:03:42 +0200
> Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
>>> root@graz-dc-1b:~# samba --version
>>> Version 4.5.8-Debian
>>> root@graz-dc-1b:~# samba-tool ntacl sysvolreset && echo "no error"
>>> no error
>>> root@graz-dc-1b:~# samba-tool ntacl sysvolcheck 
>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ad.tao.at/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>> does not match expected value
>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>> from GPO object
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
>>>     lp)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
>>>     direct_db_access)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
>>>     domainsid, direct_db_access)
>>>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>> Where does the error come from, and why doesn't sysvolreset fix it?
> Mainly because (from my testing) sysvolcheck/sysvolreset is broken. I
> do not write 'C' code and the problem seems to be in set_nt_acl from
> source3/smbd/posix_acls.c 
> It doesn't set the correct ACL.
> I have opened a bug for this:
> https://bugzilla.samba.org/show_bug.cgi?id=12924

Ah, crap.

> Even when this gets fixed, the python code will need work, because it
> doesn't do what windows does. Also, anybody who has set a gidNumber on
> Domain Admins will need to remove it: the group needs to own things in
> sysvol and with a gidNumber it cannot.

Does this apply only to sysvolreset or also when fixing ACLs from Windows?

> The recommendation at the moment is to not use either sysvolreset or
> sysvolcheck. Do everything from windows.

I presume with this?

> https://support.microsoft.com/en-us/help/2838154/-permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-t

Or some other way?

Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas@xxxxxx | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167
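An added example, not from this thread or from Samba: a small parser that takes the two SDDL descriptors quoted in the sysvolcheck error above and reports exactly where they diverge. For these two strings the only difference is the owner, LA (the built-in Administrator, RID 500) versus DA (Domain Admins), which is what the gidNumber remark in the reply is about. The SID alias names and access-mask labels are the standard Windows ones; supporting only the DACL-only `O:...G:...D:...` layout that sysvolcheck prints is an assumption.

```python
import re
from collections import Counter, namedtuple

# Two-letter SID aliases that occur in the sysvolcheck output quoted above.
SID_ALIASES = {"LA": "local Administrator (RID 500)", "DA": "Domain Admins",
               "EA": "Enterprise Admins", "CO": "CREATOR OWNER", "SY": "LOCAL SYSTEM",
               "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
# Access masks seen above: full control, and read + execute.
RIGHTS = {"0x001f01ff": "Full control", "0x001200a9": "Read & execute"}
# ACE fields in SDDL order; flags OICI = object + container inherit, IO = inherit only.
Ace = namedtuple("Ace", "ace_type flags rights object_guid inherit_guid trustee")

def parse_sddl(sddl):
    """Split 'O:...G:...D:flags(ace)(ace)...' into its parts (assumes no S: SACL part)."""
    m = re.fullmatch(r"O:(.*?)G:(.*?)D:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("unsupported SDDL layout: %r" % sddl)
    owner, group, dacl_flags, ace_text = m.groups()
    aces = [Ace(*body.split(";")) for body in re.findall(r"\(([^)]*)\)", ace_text)]
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags, "aces": aces}

def diff_sddl(actual, expected):
    """Return (what, actual, expected) tuples for every way 'actual' deviates from 'expected'."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = [(k, a[k], e[k]) for k in ("owner", "group", "dacl_flags") if a[k] != e[k]]
    # ACE order is not what sysvolcheck complains about here, so compare as multisets;
    # the Domain Admins ACE that is duplicated on both sides therefore cancels out.
    have, want = Counter(a["aces"]), Counter(e["aces"])
    out += [("extra_ace", ace, None) for ace in (have - want).elements()]
    out += [("missing_ace", None, ace) for ace in (want - have).elements()]
    return out

def explain(what, actual, expected):
    """Human-readable line for one diff entry, resolving aliases where known."""
    name = lambda x: "%s (%s)" % (x, SID_ALIASES[x]) if x in SID_ALIASES else str(x)
    if what in ("owner", "group", "dacl_flags"):
        return "%s: is %s, should be %s" % (what, name(actual), name(expected))
    ace = actual or expected
    return "%s: %s for %s, flags %s" % (what, RIGHTS.get(ace.rights, ace.rights), name(ace.trustee), ace.flags)

# The two descriptors exactly as printed in the sysvolcheck error above.
ACTUAL = "O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
EXPECTED = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"

if __name__ == "__main__":
    for entry in diff_sddl(ACTUAL, EXPECTED):
        print(explain(*entry))  # owner: is LA (local Administrator (RID 500)), should be DA (Domain Admins)
```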
