Bug 43120 - samba-tool ntacl sysvolcheck error due to Samba writing non-standard DSACL flags
samba-tool ntacl sysvolcheck error due to Samba writing non-standard DSACL flags
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.1
Other Linux
: P5 minor (vote)
: ---
Assigned To: Samba maintainers
https://hutten.knut.univention.de/med...
:
Depends on:
Blocks: 44282
  Show dependency treegraph
 
Reported: 2016-12-05 19:25 CET by Arvid Requate
Modified: 2019-01-03 07:18 CET (History)
5 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.034
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2017091221000239,2017082321000701, 2018030821000649, 2018061421001149, 2018090621000445
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2016-12-05 19:25:42 CET
The LDAP nTSecurityDescriptor written by Samba/AD (function level 2008 R2) for GPOs differs from the one written by a native MS AD of the same function level.

MS AD:
==========================================================================
# Default Domain Policy
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=w2k8r2d2,DC=ar
nTSecurityDescriptor: O:DAG:DAD:PAI(A;;RPWPCCLCLORCWOWDSW;;;DA)(A;CIIO;RPWPCCD
 CLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCCLCLORCWOWDSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWD
 SDDTSW;;;EA)(A;;RPWPCCLCLORCWOWDSW;;;DA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO
 )(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-f
 fb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3
 bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-00
 00f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9
 ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)

# Some new GPO
dn: CN={72D82FAB-D1FB-484E-9DEA-CB39A09397F9},CN=Policies,CN=System,DC=w2k8r2d2,DC=ar
nTSecurityDescriptor: O:DAG:DAD:PAI(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f
 939;;AU)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA
 )(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CI;RPLCLORC;;;ED)(A;CI;RPLCLORC;;;AU)
 (A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)S:A
 I(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30
 e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU
 ;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00a
 a003049e2;WD)
==========================================================================

Samba/AD (without active S4-Connector):
==========================================================================
# Default Domain Policy
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=ar41i1,DC=qa
nTSecurityDescriptor: O:DAG:DAD:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPW
 PCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCCDC
 LCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU
 )(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(
 OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-0
 0aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-
 0de6-11d0-a285-00aa003049e2;WD)

# Some new GPO
dn: CN={7977A05C-350E-43BC-8F9E-1576CB8C4814},CN=Policies,CN=System,DC=ar41i1,DC=qa
nTSecurityDescriptor: O:DAG:DAD:PAR(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;R
 PWPCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCC
 DCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;
 ED)(A;CI;RPLCRC;;;S-1-5-21-2660895256-1678062113-3852026326-1118)(OA;CI;CR;ed
 acfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-2660895256-1678062113-3852026326
 -1118)S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-
 11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c
 1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
==========================================================================

In particular the DSACL flags differ:

* MS AD has: D:PAI
* Samba/AD has: D:PAR for new GPOs and D:P for default GPOs



The MS tool (GPMC) doesn't seem to care, but the D:PAR causes an error message for samba-tool ntacl sysvolcheck (from UCS 4.1-4):

==========================================================================
root@master10:~# samba-tool ntacl sysvolcheckProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/ar41i1.qa/Policies/{7977A05C-350E-43BC-8F9E-1576CB8C4814} O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-2660895256-1678062113-3852026326-1118) does not match value O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-2660895256-1678062113-3852026326-1118) expected from GPO object

ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/ar41i1.qa/Policies/{7977A05C-350E-43BC-8F9E-1576CB8C4814} O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-2660895256-1678062113-3852026326-1118) does not match value O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;S-1-5-21-2660895256-1678062113-3852026326-1118) expected from GPO object
==========================================================================
Comment 1 Arvid Requate univentionstaff 2016-12-05 19:46:57 CET
Actually, freshly created GPOs have D:P in Samba/AD. Only after some change in the security filtering (add some group and remove Authenticated Users) it changes to D:PAR.
Comment 2 Arvid Requate univentionstaff 2017-09-12 11:31:51 CEST
Two options how to deal with this:

a) Check how AD does it and provide a fix that can be upstreamed to the Samba-Team

b) Patch samba-tool sysvolcheck to ignore DA/LA difference.
Comment 3 Arvid Requate univentionstaff 2017-09-12 11:32:31 CEST
> b) Patch samba-tool sysvolcheck to ignore DA/LA difference.

This should read:

b) Patch samba-tool sysvolcheck to ignore PAR/P/PAI difference.
Comment 4 Christina Scheinig univentionstaff 2017-09-12 12:16:36 CEST
Happened again in Ticket 2017082321000701

O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA...
O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA...
Comment 5 Christina Scheinig univentionstaff 2018-09-14 10:27:33 CEST
Same problem again in Ticket 2018090621000445
The customer receives a warning from the systemdiagnostic tool about:
"Warnung: Überprüfe die Samba SYSVOL ACL Einträge auf Fehler"
and the provided fix possibility with "samba-tool ntacl sysvolreset" is not working, of course.

Sysvolcheck just shows  
O:LAG:BAD:P(A;OICI
does not match value 
O:LAG:DAD:PAR(A;OICI
Comment 6 Stefan Gohmann univentionstaff 2019-01-03 07:18:37 CET
This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact
your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.