Problem sysvolreset


Problem sysvolreset

Samba - General mailing list
Hi guys!

I'm experiencing a problem with Samba 4 policies and ACLs, and I don't know how it started.

Some problems like copying policies, editing them, etc. It seems like permissions, but I've checked the list and can't find a solution.


Here are some outputs that i hope can help to understand:

# Sysvol permissions:
drwxrwxrwx+  3 root DOMAIN\domain admins    4096 Mar  7 12:17 sysvol


# samba-tool ntacl sysvolreset -d10

Successfully loaded vfs module [acl_xattr] with the new modules system
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and
'force unknown acl user = true' for service Unknown Service (snum == -1)
vfswrap_fs_capabilities: timestamp resolution of sec available on share
(null), directory /
Segmentation fault (core dumped)



# samba-tool ntacl sysvolcheck -d10

dn: DC=domain,DC=local
objectGUID: 18027d7b-530e-4a6e-8109-722430964df7
objectSid: S-1-5-21-1058002876-845724780-2777320708
fSMORoleOwner: CN=NTDS Settings,CN=servername,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local

ldb: ldb_trace_response: DONE
error: 0

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on sysvol directory /usr/local/samba/var/locks/sysvol/domain.local
O:LAG:BAD:AI(A;OICIID;0x001f01ff;;;LA)(A;OICIIOID;0x001f01ff;;;CO)(A;ID;0x00100000;;;BA)(A;OICIIOID;0x00100000;;;CG)(A;OICIID;0x001200a9;;;AU)(A;OICIID;0x001f01ff;;;SY)(A;OICIID;0x001200a9;;;SO)(A;OICIID;0x00100000;;;WD)(A;OICIID;0x001f01ff;;;BA)
does not match expected value
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
from provision
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1728, in checksysvolacl
    raise ProvisioningError('%s ACL on sysvol directory %s %s does not match expected value %s from provision' % (acl_type(direct_db_access), dir_path, fsacl_sddl, SYSVOL_ACL))



# samba-tool gpo aclcheck -U Administrator

Password for [DOMAIN\Administrator]:
ERROR: Invalid GPO ACL
O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
on path (cbmerj.local\Policies\{F274A070-5B45-4434-BB7C-75AE1D702A6B}),
should be
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)


This last error is happening to all my policies. After each policy I repair, another one shows up with the problem, and I can't delete all policies and recreate them to test.

Thanks for your help!


--

-------------------------------------------
Edson Tadeu Almeida Silveira
http://sites.google.com/site/edsontadeu/
-------------------------------------------
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Problem sysvolreset

Samba - General mailing list
On Tue, 7 Mar 2017 12:23:59 -0300
Edson Tadeu Almeida da Silveira via samba <[hidden email]> wrote:

> # samba-tool gpo aclcheck -U Administrator
>
> Password for [DOMAIN\Administrator]:
> ERROR: Invalid GPO ACL
> O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> on path
> (cbmerj.local\Policies\{F274A070-5B45-4434-BB7C-75AE1D702A6B}),
> should be
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>
>
> This last error is happening to all my policies. After each police i
> repair, another one shows up with problem and i can´t delete all
> policies and recreate to test.
>
> Thanks for your help!
>
>

Welcome to the wonderful world of SYSVOL on a Samba4 AD DC ;-)

Have you set a gidNumber for Domain Admins ?
If so remove it, Domain Admins needs to own files and dirs in sysvol
and if the group has a gidNumber it cannot.

 Note:
  'O:LA' = owner: Local Administrator
  'O:DA' = owner: Domain Admins
  'G:DA' = group: Domain Admins

Rowland
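
samba-tool prints the two SDDL strings as whole descriptors, which hides whether the mismatch is the owner, the DACL flags or an ACE. The Python below is an added example written for this page (not samba-tool's own code): it parses a descriptor into owner, group, DACL flags and ACEs, expands the two-letter aliases noted above, and reports field by field what differs. The descriptors are copied from this thread; folding the well-known RIDs 512 and 519 onto the DA and EA aliases is my assumption.

```python
"""Parse and diff Windows SDDL descriptors such as those samba-tool prints."""
import re
from collections import namedtuple

# Two-letter SID aliases that appear in this thread's descriptors.
SID_ALIASES = {
    "LA": "Local Administrator", "DA": "Domain Admins", "EA": "Enterprise Admins",
    "BA": "BUILTIN\\Administrators", "SO": "Server Operators",
    "SY": "NT AUTHORITY\\SYSTEM", "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers", "CO": "CREATOR OWNER",
    "CG": "CREATOR GROUP", "WD": "Everyone",
}
# Assumption added for this example: well-known domain RIDs are folded onto
# their aliases so "S-1-5-21-<domain>-519" compares equal to "EA".
RID_ALIASES = {"512": "DA", "519": "EA"}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
# Access-right aliases and the file-system masks they stand for.
RIGHT_ALIASES = {
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
FULL_CONTROL = RIGHT_ALIASES["FA"]
READ_EXECUTE = RIGHT_ALIASES["FR"] | RIGHT_ALIASES["FX"]  # 0x001200A9
SDDL_RE = re.compile(r"^O:([A-Z0-9-]+)G:([A-Z0-9-]+)D:([A-Z]*)((?:\([^)]*\))*)$")
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
Ace = namedtuple("Ace", "ace_type flags mask sid")  # A/D, {OI,CI,IO,ID..}, mask, sid

def normalise_sid(sid):
    """Map a well-known domain RID to its SDDL alias; leave anything else alone."""
    m = DOMAIN_SID_RE.match(sid)
    return RID_ALIASES.get(m.group(1), sid) if m else sid

def split_flags(text):
    """'PAI' -> {'P', 'AI'}: P is the only one-letter flag, the rest are pairs."""
    out, i = set(), 0
    while i < len(text):
        n = 1 if text[i] == "P" else 2
        out.add(text[i:i + n])
        i += n
    return frozenset(out)

def parse_rights(text):
    """Rights are a hex mask ('0x001200a9') or concatenated aliases ('GXGR')."""
    if text.startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        mask |= RIGHT_ALIASES[text[i:i + 2]]
    return mask

def parse_sddl(sddl):
    """Split an O:..G:..D:.. string into owner, group, DACL flags and a set of ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unrecognised SDDL: %r" % sddl)
    owner, group, dacl_flags, ace_text = m.groups()
    aces = {Ace(t, split_flags(f), parse_rights(r), normalise_sid(s))
            for t, f, r, _obj, _inh, s in ACE_RE.findall(ace_text)}
    return {"owner": normalise_sid(owner), "group": normalise_sid(group),
            "dacl_flags": split_flags(dacl_flags), "aces": aces}

def describe_ace(ace):
    """Render an ACE roughly the way Get-Acl does: 'Allow Domain Admins FullControl [CI,OI]'."""
    who = SID_ALIASES.get(ace.sid, ace.sid)
    verb = "Allow" if ace.ace_type == "A" else "Deny"
    rights = {FULL_CONTROL: "FullControl", READ_EXECUTE: "ReadAndExecute"}.get(
        ace.mask, hex(ace.mask))
    return "%s %s %s [%s]" % (verb, who, rights, ",".join(sorted(ace.flags)) or "-")

def diff_sddl(actual, expected):
    """List what differs between two descriptors; empty list when they agree."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    problems = []
    for field in ("owner", "group"):
        if a[field] != e[field]:
            problems.append("%s: %s != expected %s" % (
                field, SID_ALIASES.get(a[field], a[field]),
                SID_ALIASES.get(e[field], e[field])))
    if a["dacl_flags"] != e["dacl_flags"]:
        problems.append("dacl flags: %s != expected %s" % (
            sorted(a["dacl_flags"]), sorted(e["dacl_flags"])))
    for ace in sorted(e["aces"] - a["aces"], key=describe_ace):
        problems.append("missing ACE: " + describe_ace(ace))
    for ace in sorted(a["aces"] - e["aces"], key=describe_ace):
        problems.append("unexpected ACE: " + describe_ace(ace))
    return problems

# Descriptors copied from this thread: what gpo aclcheck found, what it expected,
# and what Get-Acl showed for a GPO created on a Windows 2012R2 DC.
GPO_ACTUAL = ("O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
              "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
              "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
GPO_EXPECTED = "O:DAG:DAD:P" + GPO_ACTUAL[len("O:LAG:DAD:PAI"):]
WIN2012_GPO = ("O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)"
               "(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)"
               "(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)")

if __name__ == "__main__":
    for label, sddl in (("samba-tool", GPO_ACTUAL), ("Windows 2012R2", WIN2012_GPO)):
        print(label, "vs provision default:", diff_sddl(sddl, GPO_EXPECTED) or "identical")
```

Run against the thread's data it shows that the GPO ACEs themselves already match the provision default; only the owner (LA instead of DA) and the auto-inherited flag differ, which is the gidNumber/ownership point being made here.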


Re: Problem sysvolreset

Samba - General mailing list
Hi Rowland.

But Samba automatically does this mapping.

root@server:/usr/local/src/samba-4.4.10# id 'domain admins'
uid=3000008(DOMAIN\domain admins) gid=3000008(DOMAIN\domain admins)
groups=3000008(DOMAIN\domain admins)


Because of these options in smb.conf:

winbind enum users = yes
winbind enum groups = yes

Can I remove this mapping only for the Domain Admins group?

Thanks



Re: Problem sysvolreset

Samba - General mailing list
On Tue, 7 Mar 2017 13:16:23 -0300
Edson Tadeu Almeida da Silveira <[hidden email]> wrote:

> Hi Rowland.
>
> But, samba automaticaly do this mapping.
>
> root@server:/usr/local/src/samba-4.4.10# id 'domain admins'
> uid=3000008(DOMAIN\domain admins) gid=3000008(DOMAIN\domain admins)
> groups=3000008(DOMAIN\domain admins)
>
>
> Because of this options in smb.conf:
>
> winbind enum users = yes
> winbind enum groups = yes
>
> Can i remove this mapping only for domain admin group?

No and those options aren't doing the mapping. All they do is make
'getent passwd' & 'getent group' show all users and groups, without
them, you will have to do 'getent passwd username' or 'getent group
groupname'. You do not need them for Samba to work.

The problem with the GPOs that you are adding is that Samba seems to
think they should be set differently to what windows sets them to.

Big hint here, don't use sysvolreset if you add any GPOs

Rowland

 


Re: Problem sysvolreset

Samba - General mailing list
Can you tell me what the correct permissions to set on sysvol are in order for it to work, and how to solve that problem with the 'Domain Admins' uid?

I'm using Samba 4.4.6 and I will upgrade to 4.4.10, but I'd like to correct this issue before.

Thanks again Rowland.



Re: Problem sysvolreset

Samba - General mailing list
On Tue, 7 Mar 2017 14:21:38 -0300
Edson Tadeu Almeida da Silveira <[hidden email]> wrote:

> Can you tell me what are correct permissions to set at sysvol in
> order to work and how to solve that problem with 'Domain admins' uid ?

It isn't really a 'uid' problem, it is a 'sysvolreset' problem, giving
Domain Admins a gidNumber only makes it worse.
How to fix it ? Remove the GPO and then add it again, then NEVER use
sysvolreset again.

>
> I´m using samba 4.4.6 and i will upgrade to 4.4.10 but i´d like to
> correct this issue before.

Why stop at 4.4.10 ? 4.6.0 was released today ;-)

Rowland
 


Re: Problem sysvolreset

Samba - General mailing list
Hehehehe.

I'm trying to get the courage to update to 4.6.

And I saw that version 4.5.x had a change about NTLMv1, and I use it to authenticate VPN and WiFi users. I need to test before putting it in the production environment.


Thanks!



Re: Problem sysvolreset

Samba - General mailing list
On Tue, Mar 7, 2017 at 9:32 AM, Rowland Penny via samba <
[hidden email]> wrote:

> It isn't really a 'uid' problem, it is a 'sysvolreset' problem, giving
> Domain Admins a gidNumber only makes it worse.
> How to fix it ? Remove the GPO and then add it again, then NEVER use
> sysvolreset again.
>
>
Hang on, can you explain this a little further?  I thought that Domain
Admins was issued gidNumber 512 by default. In addition, sysvolreset is not
recommended to fix potential SysVol replication problems with GPO perms?


Kris Lou
[hidden email]


Re: Problem sysvolreset

Samba - General mailing list
On Tue, 7 Mar 2017 10:26:03 -0800
Kris Lou via samba <[hidden email]> wrote:


> Hang on, can you explain this a little further?  I thought that Domain
> Admins was issued gidNumber 512 by default. In addition, sysvolreset
> is not recommended to fix potential SysVol replication problems with
> GPO perms?
>

No Domain Admins doesn't get gidNumber 512 by default, it gets the
'RID' 512 by default, bit of a difference there.

Domain Admins gets mapped to an xidNumber in idmap.ldb, but it also
gets mapped as 'ID_TYPE_BOTH', this means that Domain Admins is both a
group and a user and therefore is able to own files etc on Unix.

If you then give Domain Admins a gidNumber, it becomes just a group
and cannot own files as a user does.

Domain Admins needs to own files in sysvol as a user, but sysvolreset
seems to change the ACLs set when a GPO is added on a windows machine.

It is my recommendation to not give Domain Admins a gidNumber and not
to run sysvolreset if you add any GPOs.

Rowland



Re: Problem sysvolreset

Samba - General mailing list
On Tue, 7 Mar 2017 17:17:47 -0300
Edson Tadeu Almeida da Silveira <[hidden email]> wrote:

> Rowland.
>
> I´m having a problem because i can´t remove 2 policy:  Default Domain
> Policy and Default Domain Controllers Policy.
>
> Do you know a way to repair this both?
>
 
They are the default policies, you shouldn't remove these, just any
extra new ones.

Rowland


Re: Problem sysvolreset

Samba - General mailing list
On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
> It is my recommendation to not give Domain Admins a gidNumber and not
> to run sysvolreset if you add any GPOs.

Anybody who uses idmap ad on a Samba member server should actually give Domain Users and Domain Admins a gidNumber. This does not affect sysvol on a DC in any way unless you enable idmap_ldb:use rfc2307, which I would not recommend.

Björn


Re: Problem sysvolreset

Samba - General mailing list
On Mon, 20 Mar 2017 15:27:33 +0100
Björn JACKE via samba <[hidden email]> wrote:

> On 2017-03-07 at 18:48 +0000 Rowland Penny via samba sent off:
> > It is my recommendation to not give Domain Admins a gidNumber and
> > not to run sysvolreset if you add any GPOs.
>
> anybody who uses idmap ad on a samba member server should give domain
> users and domain admins a gidnumber actually. This does not affect
> sysvol on a DC in any way unless you enable idmap_ldb:use rfc2307,
> what I would not recommend to do.
>
> Björn
>

Hi Bjorn,
You can recommend not doing something until you are blue in the face,
but you will not stop people doing it. ;-)

If you give Domain Admins a gidNumber, it breaks the mapping in
idmap.ldb and stops Domain Admins being able to own files and dirs in
sysvol and Domain Admins needs to own files and dirs in sysvol.

Rowland


Re: Problem sysvolreset

Samba - General mailing list
I'm questioning this because of the following.

What is "Domain Admins" doing with rights on SYSVOL anyway?

There should not be any "Domain Admins" at all in the sysvol share and security rights.

But to overcome the problem explained below, you can use:
acl_xattr:ignore system acls = yes

And make sure sysvol and/or netlogon are Windows-only shares and not used by any Unix/Linux/Mac clients.

Set: acl_xattr:ignore system acls = yes
in the sysvol and/or netlogon share.

Now in addition, as told, if set up correctly, you don't see any "Domain Admins" on sysvol.

Sysvol share permissions set to:
"Everyone" Read
"Authenticated Users" Full Control
DOMAIN\Administrators (same as "BUILTIN\Administrators") Full Control

And for the folder settings:
CREATOR OWNER           Special rights
Authenticated Users     Read
SYSTEM                  Full control
DOMAIN\Administrators   R&E, LFC, READ, WRITE
DOMAIN\Server Operators R&E, LFC, READ

Now it's no problem to give these a gid anymore:
Domain Users
Domain Admins
Domain Guests
Domain Computers
And as Björn suggested, you do give the groups an id.

And when it's all set, DON'T run sysvolreset again; when you do that, you must set the share and security rights again.

And all my servers run with: idmap_ldb:use rfc2307


Greetz,

Louis



Re: Problem sysvolreset

Samba - General mailing list
On Mon, 20 Mar 2017 16:36:34 +0100
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Im questioning this because of the following.
>
> What is "Domain Admins" doing with rights on SYSVOL anyway.. ??
>
> There should not be any "domain admins" at all on sysvol share and
> security rights.

If you create a GPO on a 2012R2 DC, you get this on the GUID dir:

"O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"

O = owner
G = group
DA = Domain Admins

Rowland


Re: Problem sysvolreset

Samba - General mailing list
Hi Rowland,
I got these off my 2008R2 server.
I'll check your output against mine tomorrow.


greetz,

Louis





Re: Problem sysvolreset

Samba - General mailing list
On Tue, 21 Mar 2017 16:24:31 +0100
L.P.H. van Belle <[hidden email]> wrote:

> Hai Rowland,
>
> Can post your exact command you used, so im sure i dont get different
> outputs.
>

OK, on a Windows 2012R2 DC:

Get-Acl 'C:\Windows\SYSVOL\sysvol\domain.local\Policies\{5FD30AA2-B678-422C-9C0E-4E270488EDE4}' | Format-List

Which leads to this output:

Path   : sysvol\DOMAIN.LOCAL\Policies\{5FD30AA2-B678-422C-9C0E-4E270488EDE4}
Owner  : HOME\Domain Admins
Group  : HOME\Domain Admins
Access : CREATOR OWNER Allow  FullControl
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow ReadAndExecute, Synchronize
NT AUTHORITY\Authenticated Users Allow ReadAndExecute, Synchronize
NT AUTHORITY\SYSTEM Allow  FullControl
HOME\Domain Admins Allow FullControl
HOME\Enterprise Admins Allow  FullControl
Audit  :
Sddl   :
O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;S-1-5-21-2695348288-4157658249-429813502-519)

Rowland




Re: Problem sysvolreset

Samba - General mailing list
Hai,

Here you go, my output of the 2008R2 (64-bit).

1) original GPO from the install (the domain controller policy)

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
Owner  : BUILTIN\Administrators
Group  : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow  268435456
         NT AUTHORITY\Authenticated Users Allow  -1610612736
         NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\SYSTEM Allow  268435456
         NT AUTHORITY\SYSTEM Allow  FullControl
         BUILTIN\Administrators Allow  268435456
         BUILTIN\Administrators Allow  Write, ReadAndExecute, ChangePermissions, TakeOwnership, Synchronize
         BUILTIN\Server Operators Allow  ReadAndExecute, Synchronize
Audit  :
Sddl   : O:BAG:SYD:PAI(A;OICIIO;GA;;;CO)(A;OICIIO;GXGR;;;AU)(A;;0x1200a9;;;AU)(A;OICIIO;GA;;;SY)(A;;FA;;;SY)(A;OICIIO;GA;;;BA)(A;;0x1e01bf;;;BA)(A;OICIIO;GXGR;;;SO)(A;;0x1200a9;;;SO)

The ones with numbers, like "CREATOR OWNER Allow  268435456", are users/groups with special rights.

2) and a just now created GPO, didn't touch it at all.

Path   : Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{EDC26216-625D-42D7-8443-9003D427DEF5}
Owner  : ROTTERDAM\Domain Admins
Group  : ROTTERDAM\Domain Admins
Access : CREATOR OWNER Allow  FullControl
         NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
         NT AUTHORITY\SYSTEM Allow  FullControl
         ROTTERDAM\Domain Admins Allow  FullControl
         ROTTERDAM\Enterprise Admins Allow  FullControl
Audit  :
Sddl   : O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)

Greetz,

Louis


Re: Problem sysvolreset

Samba - General mailing list
On Tue, 21 Mar 2017 17:09:22 +0100
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> Hai,
>
>  
>
> Here you go my output of the R2008R2. (64bit)
>
>  
>
> 1) original GPO from the install ( the domain controller policy )
>
> Path   :
> Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
>
> Owner  : BUILTIN\Administrators
>
> Group  : NT AUTHORITY\SYSTEM
>

This is the same as what I found, the default policies get the above
ownership.

>
> 2) and just now created GPO, didnt touch it at al.
>
> Path   :
> Microsoft.PowerShell.Core\FileSystem::C:\Windows\SYSVOL\domain\Policies\{EDC26216-625D-42D7-8443-9003D427DEF5}
>
> Owner  : ROTTERDAM\Domain Admins
>
> Group  : ROTTERDAM\Domain Admins
>
> Access : CREATOR OWNER Allow  FullControl
>
>          NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Allow
> ReadAndExecute, Synchronize
>
>          NT AUTHORITY\Authenticated Users Allow  ReadAndExecute,
> Synchronize
>
>          NT AUTHORITY\SYSTEM Allow  FullControl
>
>          ROTTERDAM\Domain Admins Allow  FullControl
>
>          ROTTERDAM\Enterprise Admins Allow  FullControl
>
> Audit  :
>
> Sddl   :
> O:DAG:DAD:PAI(A;OICIIO;FA;;;CO)(A;OICI;0x1200a9;;;ED)(A;OICI;0x1200a9;;;AU)(A;OICI;FA;;;SY)(A;OICI;FA;;;DA)(A;OICI;FA;;;EA)

Now do you believe me when I say Domain Admins shouldn't have a
gidNumber ?

Rowland


Re: Problem sysvolreset

Samba - General mailing list
No,

I don't agree/believe you... because of my setup.

On a Samba member (4.5/4.6):
getent group "Domain Admins"
domain admins:x:10001:admin,administrator
I have run like this for more than a year.

On the Samba DC (4.5.3):
NTDOM\domain admins:x:3000008
All others are OK on the DC.
BAZRTD\domain users:x:10000
BAZRTD\domain guests:x:10002:

It works fine here, this is what I want.
Yes, the IDs on the DC and members are different, but I don't mind that.

This is on my samba DC.
# file: var/lib/samba/sysvol/som.dome.tld/Policies/{12347FD-61B1-446E-ACEA-907BCA12E0E1}/
# owner: root
# group: BAZRTD\134domain\040admins
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::---
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

So again, why not?
It works as it should, at least for me.

I only have one problem (OK, 2...) on my DC.
GID 300002 and GID 300003
One should be "NT AUTHORITY\SYSTEM"; this is my biggest problem.
Some GPOs are not working correctly due to a mismatch in SIDs/RIDs with the user SYSTEM. But I saw all the hard work the devs are doing, I'm amazed by it, so I'll wait until that's fixed; I have my workaround.

For me it's very simple: I never ever run sysvolreset.
And if I must run sysvolreset (yes, it happened one or two times),
I have the steps to set it up again like above; yes, a bit more work, but it reflects the Windows defaults better IMHO.
And acl_xattr:ignore system acls = yes is my friend here.

Greetz,

Louis



Re: Problem sysvolreset

Samba - General mailing list
On Wed, 22 Mar 2017 08:09:31 +0100
"L.P.H. van Belle via samba" <[hidden email]> wrote:

> No,
>
> I dont agree/believe you.. ... because of my setup.

As long as you don't run sysvolreset, you won't have a problem, you
also seem to be working around the fact that sysvolreset is totally (in
my opinion) borked.

>
> On the a samba member.  ( 4.5/4.6)
> getent group "Domain Admins"
> domain admins:x:10001:admin,administrator
> I run more then a year like this.

I use a group called 'Unix Admins' joined to 'Domain Admins' and give
this group a gidNumber.


>
> I only have one problem( ok 2 ... ) on my dc.
> GID 300002 and GID 300003
> One should be "NT AUTORITY\SYSTEM" this is my biggest problem.
> Some GPO's are not working correclty due to mismatch in sid/rids with
> the users SYSTEM.  But i saw all the hard work the devs are doing im
> amazed by it so i'll wait until thats fixed, i have my workaround..
>
> For me its very simple, i never ever run sysvolreset.
> And if i must run sysvolreset, yes it happend one or 2 times,

At least you have found running sysvolreset isn't a good idea ;-)

Rowland

