[Samba] Problem sysvolreset


Edson Tadeu Almeida da Silveira via samba, Mar 7, 2017, 10:30:04 AM
Hi guys!

I'm experiencing a problem with Samba 4 policies and ACLs and I don't know
how it started.

Some problems like copying policies, editing them, etc. It seems like
permissions, but I've checked the list and can't find a solution.


Here are some outputs that i hope can help to understand:

# Sysvol permissions:
drwxrwxrwx+ 3 root DOMAIN\domain admins 4096 Mar 7 12:17 sysvol


# samba-tool ntacl sysvolreset -d10

Successfully loaded vfs module [acl_xattr] with the new modules system
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
'force unknown acl user = true' for service Unknown Service (snum == -1)
vfswrap_fs_capabilities: timestamp resolution of sec available on share (null), directory /
Segmentation fault (core dumped)



# samba-tool ntacl sysvolcheck -d10

dn: DC=domain,DC=local
objectGUID: 18027d7b-530e-4a6e-8109-722430964df7
objectSid: S-1-5-21-1058002876-845724780-2777320708
fSMORoleOwner: CN=NTDS Settings,CN=servername,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local

ldb: ldb_trace_response: DONE
error: 0

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /usr/local/samba/var/locks/sysvol/domain.local
O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;LA)(A;OICIIOID;0x001f01ff;;;CO)(A;ID;0x00100000;;;BA)(A;OICIIOID;0x00100000;;;CG)(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001f01ff;;;SY)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x00100000;;;WD)(A;OICIID;0x001f01ff;;;BA)
does not match expected value
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
from provision
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1728, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))



# samba-tool gpo aclcheck -U Administrator

Password for [DOMAIN\Administrator]:
ERROR: Invalid GPO ACL
O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
on path (cbmerj.local\Policies\{F274A070-5B45-4434-BB7C-75AE1D702A6B}),
should be
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)


This last error is happening to all my policies. After each policy I
repair, another one shows up with a problem and I can't delete all policies
and recreate them to test.

Thanks for your help!


--

-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba, Mar 7, 2017, 11:00:03 AM
On Tue, 7 Mar 2017 12:23:59 -0300
Edson Tadeu Almeida da Silveira via samba <sa...@lists.samba.org> wrote:

>
>
>
> # samba-tool gpo aclcheck -U Administrator
>
> Password for [DOMAIN\Administrator]:
> ERROR: Invalid GPO ACL
> O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> on path
> (cbmerj.local\Policies\{F274A070-5B45-4434-BB7C-75AE1D702A6B}),
> should be
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
>
> This last error is happening to all my policies. After each policy I
> repair, another one shows up with a problem and I can't delete all
> policies and recreate them to test.
>
> Thanks for your help!
>
>

Welcome to the wonderful world of SYSVOL on a Samba4 AD DC ;-)

Have you set a gidNumber for Domain Admins?
If so, remove it: Domain Admins needs to own files and dirs in sysvol,
and if the group has a gidNumber it cannot.

Note:
'O:LA' = owner: Local Administrator
'O:DA' = owner: Domain Admins
'G:DA' = group: Domain Admins

Rowland
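The SDDL strings quoted in the first post, and the owner/group note just above, are easier to reason about once decoded. What follows is an added example, not code from this thread and not part of samba-tool: it parses an SDDL string into owner, group, DACL control flags and ACEs, and then diffs two descriptors the way `samba-tool ntacl sysvolcheck` and `samba-tool gpo aclcheck` do. It assumes that well-known domain RIDs 512/513/519 can be folded to the DA/DU/EA aliases (so the raw `S-1-5-21-...-519` a Windows DC prints compares equal to the `EA` Samba expects), that the handful of rights aliases listed are enough for the strings on this page, and that `ignore_inherited` may strip the ID flag from each ACE so an auto-inherited (AI) DACL can be compared against the protected (P) one from provision. The embedded strings are the ones posted in this thread; the Windows one comes from the Get-Acl output later on.

```python
# Added example (not from this thread, not part of Samba): decode and diff SDDL.
# Assumptions: RID 512/513/519 fold to DA/DU/EA; only the rights aliases below are needed.
import re
from dataclasses import dataclass

# Well-known domain RIDs, folded to their SDDL alias so that a raw
# S-1-5-21-<domain>-519 from a Windows DC compares equal to "EA".
RID_TO_ALIAS = {512: "DA", 513: "DU", 519: "EA"}
# Access-mask aliases; explicit masks such as 0x001f01ff are parsed directly.
RIGHTS_ALIASES = {"FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
                  "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
SDDL_RE = re.compile(r"^O:(?P<owner>S-[0-9-]+|[A-Z]{2})G:(?P<group>S-[0-9-]+|[A-Z]{2})"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

@dataclass(frozen=True)
class Ace:
    ace_type: str      # "A" allow, "D" deny
    flags: frozenset   # OI, CI, IO, NP, ID, ...
    rights: int        # access mask
    sid: str           # alias (LA, DA, BA, ...) or raw SID not folded by RID_TO_ALIAS

@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: frozenset   # P = protected (no inheritance), AI = auto-inherited, AR
    aces: tuple

def _pairs(s):
    """'OICIID' -> ['OI', 'CI', 'ID']: ACE flags and rights aliases are two letters each."""
    if len(s) % 2:
        raise ValueError("odd-length token string: %r" % s)
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_dacl_flags(s):
    # DACL control flags mix one-letter (P) and two-letter (AI, AR) tokens.
    flags, i = set(), 0
    while i < len(s):
        tok = "P" if s[i] == "P" else s[i:i + 2]
        if tok not in ("P", "AI", "AR"):
            raise ValueError("unknown DACL flag in %r" % s)
        flags.add(tok)
        i += len(tok)
    return frozenset(flags)

def normalise_sid(sid):
    m = re.match(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$", sid)
    return RID_TO_ALIAS.get(int(m.group(1)), sid) if m else sid

def parse_rights(s):
    if s.lower().startswith("0x"):
        return int(s, 16)
    mask = 0
    for tok in _pairs(s):
        mask |= RIGHTS_ALIASES[tok]
    return mask

def parse_sddl(sddl):
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unrecognised SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        ace_type, ace_flags, rights, _obj, _inh_obj, sid = body.split(";")
        aces.append(Ace(ace_type, frozenset(_pairs(ace_flags)),
                        parse_rights(rights), normalise_sid(sid)))
    return SecurityDescriptor(normalise_sid(m.group("owner")), normalise_sid(m.group("group")),
                              parse_dacl_flags(m.group("flags")), tuple(aces))

def diff_descriptors(actual, expected, ignore_inherited=True):
    """How `actual` deviates from `expected`. ignore_inherited strips the ID flag from
    every ACE first, so an auto-inherited (AI) DACL can be compared with a protected one."""
    def key(ace):
        flags = ace.flags - {"ID"} if ignore_inherited else ace.flags
        return (ace.ace_type, flags, ace.rights, ace.sid)
    def differ(x, y):
        return None if x == y else (x, y)
    a, e = {key(x) for x in actual.aces}, {key(x) for x in expected.aces}
    return {"owner": differ(actual.owner, expected.owner),
            "group": differ(actual.group, expected.group),
            "dacl_flags": differ(sorted(actual.dacl_flags), sorted(expected.dacl_flags)),
            "extra_aces": sorted(a - e, key=str),
            "missing_aces": sorted(e - a, key=str)}

# SDDL strings copied from this thread.
GPO_ACTUAL = ("O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
              "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
GPO_EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
                "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
SYSVOL_ACTUAL = ("O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;LA)(A;OICIIOID;0x001f01ff;;;CO)(A;ID;0x00100000;;;BA)"
                 "(A;OICIIOID;0x00100000;;;CG)(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001f01ff;;;SY)"
                 "(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x00100000;;;WD)(A;OICIID;0x001f01ff;;;BA)")
SYSVOL_EXPECTED = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
                   "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
WIN_GPO = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)"
           "(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)")

if __name__ == "__main__":
    print("gpo aclcheck:", diff_descriptors(parse_sddl(GPO_ACTUAL), parse_sddl(GPO_EXPECTED)))
    print("sysvolcheck:", diff_descriptors(parse_sddl(SYSVOL_ACTUAL), parse_sddl(SYSVOL_EXPECTED)))
    print("2012R2 GPO:", diff_descriptors(parse_sddl(WIN_GPO), parse_sddl(GPO_EXPECTED)))
```

Run as a script it shows three things the raw strings hide: the GPO that `gpo aclcheck` rejects has exactly the same ACEs as the expected value and differs only in owner (LA instead of DA) and in carrying the AI flag instead of P; the sysvol root that `sysvolcheck` rejects contains every ACE provision expects plus five inherited extras (LA, CREATOR OWNER, CREATOR GROUP, Everyone and a second BUILTIN\Administrators entry); and the ACL Windows 2012R2 writes on a new GPO, with the Enterprise Admins RID folded to EA, differs from Samba's expected string in nothing but the AI flag.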

Edson Tadeu Almeida da Silveira via samba, Mar 7, 2017, 11:20:02 AM
Hi Rowland.

But Samba automatically does this mapping.

root@server:/usr/local/src/samba-4.4.10# id 'domain admins'
uid=3000008(DOMAIN\domain admins) gid=3000008(DOMAIN\domain admins)
groups=3000008(DOMAIN\domain admins)


Because of these options in smb.conf:

winbind enum users = yes
winbind enum groups = yes

Can I remove this mapping only for the Domain Admins group?

Thanks

Rowland Penny via samba, Mar 7, 2017, 11:40:03 AM
On Tue, 7 Mar 2017 13:16:23 -0300
Edson Tadeu Almeida da Silveira <edson...@gmail.com> wrote:

> Hi Rowland.
>
> But Samba automatically does this mapping.
>
> root@server:/usr/local/src/samba-4.4.10# id 'domain admins'
> uid=3000008(DOMAIN\domain admins) gid=3000008(DOMAIN\domain admins)
> groups=3000008(DOMAIN\domain admins)
>
>
> Because of these options in smb.conf:
>
> winbind enum users = yes
> winbind enum groups = yes
>
> Can I remove this mapping only for the Domain Admins group?

No, and those options aren't doing the mapping. All they do is make
'getent passwd' & 'getent group' show all users and groups; without
them, you will have to do 'getent passwd username' or 'getent group
groupname'. You do not need them for Samba to work.

The problem with the GPOs that you are adding is that Samba seems to
think they should be set differently from what Windows sets them to.

Big hint here: don't use sysvolreset if you add any GPOs.

Edson Tadeu Almeida da Silveira via samba, Mar 7, 2017, 12:30:03 PM
Can you tell me what the correct permissions are to set on sysvol in order
for it to work, and how to solve that problem with the 'Domain Admins' uid?

I'm using Samba 4.4.6 and I will upgrade to 4.4.10, but I'd like to correct
this issue first.

Thanks again Rowland.

Rowland Penny via samba, Mar 7, 2017, 12:40:03 PM
On Tue, 7 Mar 2017 14:21:38 -0300
Edson Tadeu Almeida da Silveira <edson...@gmail.com> wrote:

> Can you tell me what the correct permissions are to set on sysvol in
> order for it to work, and how to solve that problem with the 'Domain Admins' uid?

It isn't really a 'uid' problem, it is a 'sysvolreset' problem; giving
Domain Admins a gidNumber only makes it worse.
How to fix it? Remove the GPO and then add it again, then NEVER use
sysvolreset again.

>
> I'm using Samba 4.4.6 and I will upgrade to 4.4.10, but I'd like to
> correct this issue first.

Why stop at 4.4.10? 4.6.0 was released today ;-)

Edson Tadeu Almeida da Silveira via samba, Mar 7, 2017, 12:50:03 PM
Hehehehe.

I'm trying to get up the courage to update to 4.6.

And I saw that version 4.5.x had a change regarding NTLMv1, and I use it to
authenticate VPN and WiFi users. I need to test before putting it into the
production environment.


Thanks!

Kris Lou via samba, Mar 7, 2017, 1:30:03 PM
On Tue, Mar 7, 2017 at 9:32 AM, Rowland Penny via samba <
sa...@lists.samba.org> wrote:

> It isn't really a 'uid' problem, it is a 'sysvolreset' problem, giving
> Domain Admins a gidNumber only makes it worse.
> How to fix it ? Remove the GPO and then add it again, then NEVER use
> sysvolreset again.
>
>
Hang on, can you explain this a little further? I thought that Domain
Admins was issued gidNumber 512 by default. In addition, isn't sysvolreset
recommended to fix potential SysVol replication problems with GPO perms?


Kris Lou
kl...@themusiclink.net

Rowland Penny via samba, Mar 7, 2017, 2:00:04 PM
On Tue, 7 Mar 2017 10:26:03 -0800
Kris Lou via samba <sa...@lists.samba.org> wrote:


> Hang on, can you explain this a little further? I thought that Domain
> Admins was issued gidNumber 512 by default. In addition, isn't
> sysvolreset recommended to fix potential SysVol replication problems
> with GPO perms?
>

No, Domain Admins doesn't get gidNumber 512 by default, it gets the
RID 512 by default; bit of a difference there.

Domain Admins gets mapped to an xidNumber in idmap.ldb, but it also
gets mapped as 'ID_TYPE_BOTH', this means that Domain Admins is both a
group and a user and therefore is able to own files etc on Unix.

If you then give Domain Admins a gidNumber, it becomes just a group
and cannot own files as a user does.

Domain Admins needs to own files in sysvol as a user, but sysvolreset
seems to change the ACLs set when a GPO is added on a windows machine.

It is my recommendation to not give Domain Admins a gidNumber and not
to run sysvolreset if you add any GPOs.

Rowland Penny via samba, Mar 7, 2017, 3:30:04 PM
On Tue, 7 Mar 2017 17:17:47 -0300
Edson Tadeu Almeida da Silveira <edson...@gmail.com> wrote:

> Rowland.
>
> I'm having a problem because I can't remove 2 policies: Default Domain
> Policy and Default Domain Controllers Policy.
>
> Do you know a way to repair both of these?
>

They are the default policies, you shouldn't remove these, just any
extra new ones.

Björn JACKE via samba, Mar 20, 2017, 10:30:04 AM
On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
> It is my recommendation to not give Domain Admins a gidNumber and not
> to run sysvolreset if you add any GPOs.

Anybody who uses idmap ad on a Samba member server should actually give
Domain Users and Domain Admins a gidNumber. This does not affect sysvol
on a DC in any way unless you enable idmap_ldb:use rfc2307, which I would
not recommend doing.

Björn

Rowland Penny via samba, Mar 20, 2017, 10:50:02 AM
On Mon, 20 Mar 2017 15:27:33 +0100
Björn JACKE via samba <sa...@lists.samba.org> wrote:

> On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
> > It is my recommendation to not give Domain Admins a gidNumber and
> > not to run sysvolreset if you add any GPOs.
>
> Anybody who uses idmap ad on a Samba member server should actually give
> Domain Users and Domain Admins a gidNumber. This does not affect
> sysvol on a DC in any way unless you enable idmap_ldb:use rfc2307,
> which I would not recommend doing.
>
> Björn
>

Hi Bjorn,
You can recommend not doing something until you are blue in the face,
but you will not stop people doing it. ;-)

If you give Domain Admins a gidNumber, it breaks the mapping in
idmap.ldb and stops Domain Admins being able to own files and dirs in
sysvol and Domain Admins needs to own files and dirs in sysvol.

Rowland

L.P.H. van Belle via samba, Mar 20, 2017, 11:40:03 AM
I'm questioning this because of the following.

What is "Domain Admins" doing with rights on SYSVOL anyway??

There should not be any "Domain Admins" at all in the sysvol share and security rights.

But to overcome the problem explained below,

you can use:
acl_xattr:ignore system acls = yes

And make sure sysvol and/or netlogon are Windows-only shares and not used by any Unix/Linux/Mac clients.

Set: acl_xattr:ignore system acls = yes
in the share sysvol and/or netlogon.

Now in addition, as said, if set up correctly,
you don't see any "Domain Admins" on sysvol.

Sysvol share permissions set to:
"Everyone" Read
"Authenticated Users" Full Control
DOMAIN\Administrators (same as "BUILTIN\Administrators") Full Control

And for the folder settings:
CREATOR OWNER Special rights
Authenticated Users Read
SYSTEM Full control
DOMAIN\Administrators R&E, LFC, READ, WRITE
DOMAIN\Server Operators R&E, LFC, READ

Now it's no problem to give these a gid anymore:
Domain Users
Domain Admins
Domain Guests
Domain Computers
And as Björn suggested, you do give the groups an id.

And when it's all set, DON'T run sysvolreset again; when you do that, you must set the share and security rights again.

And all my servers run with: idmap_ldb:use rfc2307


Greetz,

Louis


> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Monday, 20 March 2017 15:44
> To: sa...@lists.samba.org
> Subject: Re: [Samba] Problem sysvolreset

Rowland Penny via samba, Mar 20, 2017, 12:30:04 PM
On Mon, 20 Mar 2017 16:36:34 +0100
"L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:

> I'm questioning this because of the following.
>
> What is "Domain Admins" doing with rights on SYSVOL anyway??
>
> There should not be any "Domain Admins" at all in the sysvol share and
> security rights.

If you create a GPO on a 2012R2 DC, you get this on the GUID dir:

"O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"

O = owner
G = group
DA = Domain Admins

L.P.H. van Belle via samba, Mar 20, 2017, 2:10:04 PM
Hi Rowland,
I got these from my 2008R2 server.
I'll check your output against mine tomorrow.


greetz,

Louis

Rowland Penny via samba, Mar 21, 2017, 11:50:03 AM
On Tue, 21 Mar 2017 16:24:31 +0100
L.P.H. van Belle <be...@bazuin.nl> wrote:

> Hai Rowland,
>
> Can you post the exact command you used, so I'm sure I don't get
> different outputs.
>

OK, on a Windows 2012R2 DC:

Get-Acl C:\Windows\SYSVOL\sysvol\domain.local\Policies\'{5FD30AA2-B678-422C-9C0E-4E270488EDE4}' | Format-List

NOTE: The above is all one line.

Which leads to this output:

Path   : sysvol\DOMAIN.LOCAL\Policies\{5FD30AA2-B678-422C-9C0E-4E270488EDE4}
Owner  : HOME\Domain Admins
Group  : HOME\Domain Admins
Access : CREATOR OWNER Allow FullControl
         NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow ReadAndExecute, Synchronize
         NT AUTHORITY\Authenticated Users Allow ReadAndExecute, Synchronize
         NT AUTHORITY\SYSTEM Allow FullControl
         HOME\Domain Admins Allow FullControl
         HOME\Enterprise Admins Allow FullControl
Audit  :
Sddl   : O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)

L.P.H. van Belle via samba, Mar 21, 2017, 12:20:03 PM
Hi,

Here you go, my output from the 2008R2 (64-bit).

1) original GPO from the install (the domain controller policy)

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
Owner  : BUILTIN\Administrators
Group  : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow  268435456
         NT AUTHORITY\Authenticated Users Allow  -1610612736
         NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\SYSTEM Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  268435456
         BUILTIN\Administrators Allow  Write, ReadAndExecute, ChangePermissions, TakeOwnership, Synchronize
         BUILTIN\Server Operators Allow  ReadAndExecute, Synchronize
Audit  :
Sddl   : O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)

The ones with numbers like "CREATOR OWNER Allow  268435456"
are users/groups with special rights.

2) and a just-created GPO, didn't touch it at all.

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{EDC26216-625D-42D7-8443-9003D427DEF5}
Owner  : ROTTERDAM\Domain Admins
Group  : ROTTERDAM\Domain Admins
Access : CREATOR OWNER Allow  FullControl
         NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\SYSTEM Allow  FullControl
         ROTTERDAM\Domain Admins Allow  FullControl
         ROTTERDAM\Enterprise Admins Allow  FullControl
Audit  :
Sddl   : O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)

Greetz,

Louis

> -----Original message-----
> From: Rowland Penny [mailto:rpe...@samba.org]
> Sent: Tuesday, 21 March 2017 16:38
> To: L.P.H. van Belle
> CC: sa...@lists.samba.org
> Subject: Re: [Samba] Problem sysvolreset
>

Rowland Penny via samba, Mar 21, 2017, 12:40:03 PM
On Tue, 21 Mar 2017 17:09:22 +0100
"L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:

> Hi,
>
> Here you go, my output from the 2008R2 (64-bit).
>
> 1) original GPO from the install (the domain controller policy)
>
> Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
> Owner  : BUILTIN\Administrators
> Group  : NT AUTHORITY\SYSTEM
>

This is the same as what I found, the default policies get the above
ownership.

>
> 2) and a just-created GPO, didn't touch it at all.
>
> Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{EDC26216-625D-42D7-8443-9003D427DEF5}
> Owner  : ROTTERDAM\Domain Admins
> Group  : ROTTERDAM\Domain Admins
> Access : CREATOR OWNER Allow  FullControl
>          NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow  ReadAndExecute, Synchronize
>          NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
>          NT AUTHORITY\SYSTEM Allow  FullControl
>          ROTTERDAM\Domain Admins Allow  FullControl
>          ROTTERDAM\Enterprise Admins Allow  FullControl
> Audit  :
> Sddl   : O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)

Now do you believe me when I say Domain Admins shouldn't have a
gidNumber ?