Univention Bugzilla – Bug 43120
samba-tool ntacl sysvolcheck error due to Samba writing non-standard DSACL flags
Last modified: 2019-01-03 07:18:37 CET
The LDAP nTSecurityDescriptor written by Samba/AD (function level 2008 R2) for GPOs differs from the one written by a native MS AD of the same function level.

MS AD:
==========================================================================
# Default Domain Policy
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=w2k8r2d2,DC=ar
nTSecurityDescriptor: O:DAG:DAD:PAI(A;;RPWPCCLCLORCWOWDSW;;;DA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCCLCLORCWOWDSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCCLCLORCWOWDSW;;;DA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

# Some new GPO
dn: CN={72D82FAB-D1FB-484E-9DEA-CB39A09397F9},CN=Policies,CN=System,DC=w2k8r2d2,DC=ar
nTSecurityDescriptor: O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CI;RPLCLORC;;;ED)(A;CI;RPLCLORC;;;AU)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
==========================================================================

Samba/AD (without active S4-Connector):
==========================================================================
# Default Domain Policy
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ar41i1,DC=qa
nTSecurityDescriptor: O:DAG:DAD:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

# Some new GPO
dn: CN={7977A05C-350E-43BC-8F9E-1576CB8C4814},CN=Policies,CN=System,DC=ar41i1,DC=qa
nTSecurityDescriptor: O:DAG:DAD:PAR(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;ED)(A;CI;RPLCRC;;;S-1-5-21-2660895256-1678062113-3852026326-1118)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2660895256-1678062113-3852026326-1118)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
==========================================================================

In particular the DSACL flags differ:
* MS AD has: D:PAI
* Samba/AD has: D:PAR for new GPOs and D:P for default GPOs

The MS tool (GPMC) doesn't seem to care, but the D:PAR causes an error message for samba-tool ntacl sysvolcheck (from UCS 4.1-4):
==========================================================================
root@master10:~# samba-tool ntacl sysvolcheck
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/ar41i1.qa/Policies/{7977A05C-350E-43BC-8F9E-1576CB8C4814} O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-2660895256-1678062113-3852026326-1118) does not match value O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-2660895256-1678062113-3852026326-1118) expected from GPO object
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/ar41i1.qa/Policies/{7977A05C-350E-43BC-8F9E-1576CB8C4814} O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-2660895256-1678062113-3852026326-1118) does not match value O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-2660895256-1678062113-3852026326-1118) expected from GPO object
==========================================================================
Actually, freshly created GPOs have D:P in Samba/AD. Only after some change in the security filtering (add some group and remove Authenticated Users) does it change to D:PAR.
Two options for how to deal with this:
a) Check how AD does it and provide a fix that can be upstreamed to the Samba-Team
b) Patch samba-tool sysvolcheck to ignore DA/LA difference.
> b) Patch samba-tool sysvolcheck to ignore DA/LA difference.

This should read:
b) Patch samba-tool sysvolcheck to ignore PAR/P/PAI difference.
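The comparison that option b) wants (treat a P / PAI / PAR difference in the DACL control flags as harmless, but still fail on any owner, group, ACE or SACL difference) can be illustrated with a small SDDL splitter. The following is an added example written for this page; it is not code from samba-tool or from Univention. The flag meanings in the comments are taken from the SDDL specification; the descriptor strings are quoted from the LDAP dumps and the sysvolcheck output above, and the "tampered" descriptor is constructed here for the test.

```python
import re

# Control-flag letters that can follow "D:" (and "S:") in SDDL.
#   P  = SE_DACL_PROTECTED       (block inheritance from the parent)
#   AI = SE_DACL_AUTO_INHERITED  (inheritance has already been propagated)
#   AR = SE_DACL_AUTO_INHERIT_REQ (propagation requested, not yet performed)
CONTROL_TOKENS = ("AI", "AR", "P")

# Matches the descriptor layout used in this bug: O:<owner>G:<group>D:<flags>(aces...)[S:<flags>(aces...)]
_SD_RE = re.compile(
    r"^O:(?P<owner>[A-Z0-9-]+)"
    r"G:(?P<group>[A-Z0-9-]+)"
    r"D:(?P<dflags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*)"
    r"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?$"
)


def split_control_flags(flags):
    """Tokenise e.g. "PAI" -> {"P", "AI"}; rejects letters this example does not know."""
    found = set()
    i = 0
    while i < len(flags):
        for tok in CONTROL_TOKENS:
            if flags.startswith(tok, i):
                found.add(tok)
                i += len(tok)
                break
        else:
            raise ValueError("unknown control flag in %r at offset %d" % (flags, i))
    return frozenset(found)


def _aces(text):
    """Split "(A;OICI;0x001f01ff;;;DA)(...)" into a tuple of ACE field tuples."""
    return tuple(tuple(ace.split(";")) for ace in re.findall(r"\(([^)]*)\)", text or ""))


def parse_sddl(sddl):
    m = _SD_RE.match(sddl)
    if not m:
        raise ValueError("descriptor not understood by this example: %r" % sddl)
    g = m.groupdict()
    return {
        "owner": g["owner"],
        "group": g["group"],
        "dacl_flags": split_control_flags(g["dflags"]),
        "dacl": _aces(g["dacl"]),
        "sacl_flags": split_control_flags(g["sflags"] or ""),
        "sacl": _aces(g["sacl"]),
    }


def descriptor_differences(expected, actual, ignore_dacl_control_flags=True):
    """Return a list of differences; an empty list means the descriptors match.

    With ignore_dacl_control_flags=True only the D: control flags (P / PAI / PAR)
    are exempt from comparison, which is what option b) proposes. Owner, group,
    every DACL ACE and the whole SACL are still compared exactly.
    """
    e, a = parse_sddl(expected), parse_sddl(actual)
    diffs = []
    for field in ("owner", "group", "dacl", "sacl_flags", "sacl"):
        if e[field] != a[field]:
            diffs.append("%s: expected %r, got %r" % (field, e[field], a[field]))
    if not ignore_dacl_control_flags and e["dacl_flags"] != a["dacl_flags"]:
        diffs.append("dacl_flags: expected %s, got %s"
                     % (sorted(e["dacl_flags"]), sorted(a["dacl_flags"])))
    return diffs


# Quoted from the bug report: LDAP nTSecurityDescriptor of the Default Domain Policy on MS AD and on Samba/AD.
MS_AD_DEFAULT_POLICY = "O:DAG:DAD:PAI(A;;RPWPCCLCLORCWOWDSW;;;DA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCCLCLORCWOWDSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;;RPWPCCLCLORCWOWDSW;;;DA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
SAMBA_DEFAULT_POLICY = "O:DAG:DAD:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"

# Quoted from the sysvolcheck output in the bug: the value expected from the GPO object (PAR) and the DB/VFS value (PAI).
GPO_OBJECT_EXPECTED = "O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-2660895256-1678062113-3852026326-1118)"
GPO_DB_ACTUAL = "O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-2660895256-1678062113-3852026326-1118)"

# Constructed for this example: the DB value with the custom group's ACE dropped, which a relaxed check must still report.
GPO_DB_TAMPERED = GPO_DB_ACTUAL.replace("(A;OICI;0x001200a9;;;S-1-5-21-2660895256-1678062113-3852026326-1118)", "")

if __name__ == "__main__":
    for label, sddl in (("MS AD default policy", MS_AD_DEFAULT_POLICY),
                        ("Samba default policy", SAMBA_DEFAULT_POLICY),
                        ("GPO object (expected)", GPO_OBJECT_EXPECTED),
                        ("GPO DB (actual)", GPO_DB_ACTUAL)):
        print("%-22s D: flags = %s" % (label, sorted(parse_sddl(sddl)["dacl_flags"])))
    print("strict:  ", descriptor_differences(GPO_OBJECT_EXPECTED, GPO_DB_ACTUAL, ignore_dacl_control_flags=False))
    print("relaxed: ", descriptor_differences(GPO_OBJECT_EXPECTED, GPO_DB_ACTUAL))
    print("tampered:", descriptor_differences(GPO_OBJECT_EXPECTED, GPO_DB_TAMPERED))
```

The relaxed comparison returns no differences for the PAI/PAR pair from the bug, while the strict one reports exactly the control-flag line; removing a single ACE is reported in both modes, so tolerating the flag difference does not hide a real ACL change.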
Happened again in Ticket 2017082321000701:
O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA...
O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA...
Same problem again in Ticket 2018090621000445.
The customer receives a warning from the system diagnostic tool about: "Warnung: Überprüfe die Samba SYSVOL ACL Einträge auf Fehler" and the provided fix possibility with "samba-tool ntacl sysvolreset" is not working, of course.
Sysvolcheck just shows:
O:LAG:BAD:P(A;OICI does not match value O:LAG:DAD:PAR(A;OICI
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 ended on the 5th of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.