Web lists-archives.com

Re: [Samba] sysvolreset doesn't reset all ACLs




On 2017-08-24 13:00, Rowland Penny via samba wrote:
> On Thu, 24 Aug 2017 12:41:36 +0200
> Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
>> On 2017-08-24 12:27, Rowland Penny via samba wrote:
>>> On Thu, 24 Aug 2017 12:03:42 +0200
>>> Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:
>>>
>>>>
>>>> Where does the error come from, and why doesn't sysvolreset fix it?
>>>>
>>>
>>> Mainly because (from my testing) sysvolcheck/sysvolreset is broken.
>>> I do not write 'C' code and the problem seems to be in set_nt_acl
>>> from source3/smbd/posix_acls.c 
>>> It doesn't set the correct ACL.
>>>
>>> I have opened a bug for this:
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=12924
>>
>> Ah, crap.
> 
> I actually used worse words when I found out why I couldn't get my work
> on the python code to work. ;-)
> 
>>
>>> Even when this gets fixed, the python code will need work, because
>>> it doesn't do what windows does, also anybody who has set a
>>> gidNumber on Domain Admins, will need to remove it, the group needs
>>> to own things in sysvol and with a gidNumber it cannot.
>>
>> Does this apply only to sysvolreset or also when fixing ACLs from
>> Windows?
> 
> On a Samba AD DC, 'Domain Admins' is mapped to 'ID_TYPE_BOTH' in
> idmap.ldb, this makes it able to own files and dirs in sysvol. The
> moment you give 'Domain Admins' a gidNumber, you break this mapping and
> the group becomes just a group and cannot own anything on a Unix
> machine, so my recommendation is to not give the group a gidNumber,
> create another group 'Unix Admins' ? give this group a gidNumber and
> make this group a member of 'Domain Admins'

Does removing the gidNumber retroactively allow it to work?

(That is, once I figured out how to reset the ACLs from within Windows.)

>>> The recommendation at the moment is to not use either sysvolreset or
>>> sysvolcheck. Do everything from windows.
>>
>> I presume with this?
>>
>>> https://support.microsoft.com/en-us/help/2838154/-permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-t
>>
>> Or some other way?
>>
> 
> Not sure, I actually don't use GPOs ;-)
> Louis is your man, he is the expert here.
> 
> Rowland
>  
> 
> 

-- 
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
Mail/XMPP sven.schwedas@xxxxxx | Skype sven.schwedas
TAO Digital | Lendplatz 45 | A8020 Graz
https://www.tao-digital.at | Tel +43 680 301 7167

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba