Univention Bugzilla – Bug 46643
sysvolcheck inconsistencies after modifying / creating GPOs in UCS@school 4.3
Last modified: 2022-11-24 02:21:09 CET
I don't know if this is UCS@school specific, I think it's generic: I created two new GPOs on the DC Master and modified the default domain policy ({31B2F340-016D-11D2-945F-00C04FB984F9}) using GPMC. After that all three GPOs show some minor ACL inconsistencies:

==========================================================================
root@master70:~# samba-tool ntacl sysvolcheck
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/ar430rc1s.school/Policies/{FDB89085-02A1-4A65-8045-00B77469ACB4} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/ar430rc1s.school/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol O:LAG:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/ar430rc1s.school/Policies/{2CA50B1E-5B60-49BD-B5AE-F9879690A997} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/ar430rc1s.school/Policies/{FDB89085-02A1-4A65-8045-00B77469ACB4} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/ar430rc1s.school/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol O:LAG:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/ar430rc1s.school/Policies/{2CA50B1E-5B60-49BD-B5AE-F9879690A997} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
==========================================================================

That's

1. O:DAG:DAD:PAI in filesystem vs O:LAG:DAD:P in Samba/AD LDAP for new GPOs
2. O:LAG:DAD:(...) on disk vs O:LAG:DAD:P(...)(A;OICIIO;0x001f01ff;;;CO)(...) in Samba/AD LDAP for the default domain policy

The situation is identical on Master and School Slave.
Same problem in UCS 4.3-1. See https://help.univention.com/t/group-policy-provisioningerror/9045
Reported again by a customer. After changing group policies, a ProvisioningError is generated and the security filtering was deleted by fault. It seems that expected: DAG:DAD:PAI but sent: LAG:DAD:PAI

A workaround is sysvolcheck and sysvolreset.
Created attachment 9818 [details]
mask_PAI_and_CIOIID_flags.patch

The attached patch is an attempt to make sysvolcheck ignore differences in the "P" and "AI" inheritance DACL flags, as suggested in Bug 43120 Comment 3. During my tests I also found differences in the ACE flags ("OI", "CI", "ID"), and the attached patch also shows how one could mask them for comparison.

Then I also found that new GPOs created with the MS GPMC GUI against Samba 4.7.8 create files that are owned by "DA", which is contrary to the workaround we have implemented via Bug 39633 (SVN patch: 97_Bug-39633-fix-LA-vs-DA-in-samba-tool-ntacl-syvolcheck.quilt).

All together this starts getting a bit absurd, forcefully tweaking sysvolcheck until it no longer returns any errors. The tool has always been broken. The dsacl2fsacl function it uses looks unmaintained since 2009 (upstream commit 028c9b1c154), and it reads like the author also just experimentally tried to make ends meet. If we continue down this road, adding workaround upon workaround in sysvolcheck, we will end up in a situation where we don't know if it's still broken in upstream Samba or if it is broken due to our workarounds. I'd rather live with it being broken upstream.

So Felix's and my suggestion is to remove it from the UMC diagnostic checks until we have found a way together with upstream to finally make it reliable. Until then, people should just use sysvolreset and not trust the output of sysvolcheck.
Created attachment 9819 [details]
/usr/lib/python2.7/dist-packages/samba/provision/__init__.py

The full patched file, for reference, just in case we still want to use something like this sometime in the future.
Created attachment 9820 [details]
mask_PAI_flags.patch

This patch is much better than my last attempt. It fixes the LA/DA owner difference and masks the "P" and "AI" DACL flags for comparison. But it still doesn't help with the differences in the inheritance ACE flags (like OICIIOID etc.). Still, I would prefer to apply this, because already fixing the LA/DA issue helps avoid a big source of confusion.
Ok, I now fixed the LA/DA issue via Bug #44282. As explained in Comment 3, I don't think it makes sense to further adjust the sysvolcheck code to "hide" the differences in the inheritance flags. That's something we should address at the source. Something is strange with the NTACLs that Samba writes for new GPOs created via the MS GPMC GUI.
Created attachment 9933 [details]
0001-Bug-46643-A-brute-force-hack.patch

I hacked my way through this basically with a machete and this is what worked. I filter out duplicate DA/LA ACEs as well as ACEs for "Creator Owner", which should probably get replaced by the actual owner upon file creation. That's important for inheritance, but probably negligible for actual ACE evaluation. I'll have to read up on that. Anyway, this is kind of what *could* be done and shows how to work with the dacl structure of the security descriptors.
Created attachment 9935 [details]
add_sysvolcheck_option_mask_msad_differences.patch

I've refined the patch to only mask specific differences. The attached patch adds a new option --mask-msad-differences to samba-tool ntacl sysvolcheck, which may be used in the UMC system diagnostic module to ignore minor standard differences between

1) the default expectations of sysvolcheck
2) the default Samba GPOs
3) new GPOs added via MS GPMC

This patch applies to the 4.10 RC2 package currently included in UCS 4.4-0 (may need minor adjustment for Bug 49034).
Created attachment 9936 [details]
add_sysvolcheck_option_mask_msad_differences.patch

Another refinement (ignore CO ACE only for files, like GPT.INI).
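The comparison the patches in Comment 3, Comment 5 and Comment 7 describe (mask the "P"/"AI" DACL control flags, treat the LA/DA owner as equivalent, drop duplicate ACEs, and ignore Creator Owner ACEs only on files) can be expressed as a small stand-alone checker. The following is an added illustration written for this page, not the attached patch and not samba-tool's own code; it parses only the O:/G:/D: subset of SDDL that sysvolcheck prints, the function names (parse_sddl, mask_msad_differences, compare_sddl) and the exact set of masked differences are this example's assumptions, and the sample descriptors are copied from the report above plus one constructed "tampered" descriptor.

```python
"""Compare a SYSVOL filesystem NT ACL with the GPO's nTSecurityDescriptor
(both as SDDL) while masking only the benign differences discussed here.
Added example, not part of the attached patches or of samba-tool."""
import re
from dataclasses import dataclass

# SDDL aliases seen in the report: DA=Domain Admins, EA=Enterprise Admins,
# LA=local Administrator, CO=Creator Owner, SY=SYSTEM, AU=Authenticated Users,
# ED=Enterprise Domain Controllers.
_SD_RE = re.compile(
    r"^O:(?P<owner>[A-Z]{2}|S-[0-9-]+)G:(?P<group>[A-Z]{2}|S-[0-9-]+)"
    r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$"
)
_DACL_FLAG_RE = re.compile(r"AI|AR|P")          # DACL control flags
_ACE_FLAG_RE = re.compile(r"OI|CI|IO|NP|ID|SA|FA")  # ACE inheritance flags


@dataclass(frozen=True)
class Ace:
    ace_type: str       # "A" allow, "D" deny
    flags: frozenset    # e.g. {"OI", "CI", "IO"}
    rights: int         # access mask, 0x001f01ff is full control
    trustee: str        # alias or full SID


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: frozenset
    aces: tuple


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Parse the O:/G:/D: SDDL subset that samba-tool ntacl prints."""
    m = _SD_RE.match(sddl)
    if not m:
        raise ValueError(f"unsupported SDDL: {sddl!r}")
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group("aces")):
        ace_type, ace_flags, rights, _obj, _inh, trustee = body.split(";")
        aces.append(Ace(ace_type, frozenset(_ACE_FLAG_RE.findall(ace_flags)),
                        int(rights, 16), trustee))
    return SecurityDescriptor(m.group("owner"), m.group("group"),
                              frozenset(_DACL_FLAG_RE.findall(m.group("flags"))),
                              tuple(aces))


def mask_msad_differences(sd: SecurityDescriptor, is_file: bool) -> SecurityDescriptor:
    """Assumed masking set: owner LA==DA, ignore P/AI DACL flags, drop duplicate
    ACEs, and on files only drop Creator Owner ACEs (they exist for inheritance
    and mean nothing on a leaf such as GPT.INI). ACE inheritance flags are NOT
    masked, so OICI-vs-empty still shows up, as it did for Registry.pol."""
    owner = "DA" if sd.owner == "LA" else sd.owner
    seen, aces = set(), []
    for ace in sd.aces:
        if is_file and ace.trustee == "CO":
            continue
        if ace not in seen:
            seen.add(ace)
            aces.append(ace)
    return SecurityDescriptor(owner, sd.group, sd.dacl_flags - {"P", "AI"}, tuple(aces))


def compare_sddl(fs_sddl: str, ds_sddl: str, is_file: bool = False, mask: bool = True) -> list:
    """Return human-readable differences; an empty list means consistent."""
    fs, ds = parse_sddl(fs_sddl), parse_sddl(ds_sddl)
    if mask:
        fs, ds = mask_msad_differences(fs, is_file), mask_msad_differences(ds, is_file)
    diffs = []
    if fs.owner != ds.owner:
        diffs.append(f"owner: fs={fs.owner} ds={ds.owner}")
    if fs.group != ds.group:
        diffs.append(f"group: fs={fs.group} ds={ds.group}")
    if fs.dacl_flags != ds.dacl_flags:
        diffs.append(f"dacl flags: fs={sorted(fs.dacl_flags)} ds={sorted(ds.dacl_flags)}")
    fs_set, ds_set = set(fs.aces), set(ds.aces)
    for ace in sorted(fs_set - ds_set, key=repr):
        diffs.append(f"only on filesystem: {ace}")
    for ace in sorted(ds_set - fs_set, key=repr):
        diffs.append(f"only in directory: {ace}")
    return diffs


# Descriptors copied from the report: a GPMC-created GPO directory and the
# default domain policy's USER/Registry.pol (filesystem vs. LDAP side).
FS_DIR = ("O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
DS_DIR = FS_DIR.replace("O:DAG:DAD:PAI", "O:LAG:DAD:P")
FS_REGPOL = ("O:LAG:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;LA)"
             "(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)")
DS_REGPOL = DS_DIR
# Constructed: someone granted Authenticated Users full control on disk.
FS_TAMPERED = FS_DIR.replace("(A;OICI;0x001200a9;;;AU)", "(A;OICI;0x001f01ff;;;AU)")

if __name__ == "__main__":
    for name, fs, ds, is_file in [("GPO dir", FS_DIR, DS_DIR, False),
                                  ("Registry.pol", FS_REGPOL, DS_REGPOL, True),
                                  ("tampered dir", FS_TAMPERED, DS_DIR, False)]:
        print(name, compare_sddl(fs, ds, is_file) or "consistent")
```

Run stand-alone it reports the GPMC directory as consistent (the owner and P/AI differences are masked), still flags Registry.pol because the ACE inheritance flags differ, and still flags the constructed full-control change, which is the property Comment 11 checks for: masking must never hide a real permission change.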
SVN: r18523 | New option for ntacl sysvolcheck
09e0080f19 | samba.yaml
b42f825a15 | Use new option --mask-msad-differences for ntacl sysvolcheck
7b9b0abcd9 | univention-management-console-module-diagnostic.yaml
http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-0/view/Product%20Tests/job/samba-single-server/lastCompletedBuild/testReport/00_checks/81_diagnostic_checks/test/

This test creates some GPO via a Windows client; the 81_diagnostic_checks check now fails with

ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/sambatest.local/Policies/{B88B025F-89A8-44E2-8C65-239008C207B0} does not match value expected from GPO object
FSACL: O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/sambatest.local/Policies/{D04FC1A5-276A-4E1F-B20A-D7754FB3976F} does not match value expected from GPO object
FSACL: O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/sambatest.local/Policies/{B88B025F-89A8-44E2-8C65-239008C207B0} does not match value expected from GPO object
FSACL: O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/sambatest.local/Policies/{D04FC1A5-276A-4E1F-B20A-D7754FB3976F} does not match value expected from GPO object
FSACL: O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
Strange, works for me with samba-tool ntacl sysvolcheck --mask-msad-differences and with /usr/bin/univention-run-diagnostic-checks -t 42_samba_tool_sysvolcheck, also in the Jenkins samba-single-server scenario. I've started that job again.
OK - some default differences are masked with --mask-msad-differences
OK - a manual change on the filesystem ACLs results in a report, with or without --mask-msad-differences
OK - works also after sysvolreset
OK - univention-management-console-module-diagnostic.yaml
OK - samba.yaml
<http://errata.software-univention.de/ucs/4.4/39.html> <http://errata.software-univention.de/ucs/4.4/41.html>
This may be back in 5.0.2 with the latest updates, it seems. If you set a GPO using the Win 10 tools (gpmc.msc), the policy is put onto the sysvol in the Univention and marked with an owner of "root":

root Domain Admins 4096 Nov 22 17:11 {0FF9CE2A-F80A-485A-A749-EC5B327C584C}

samba-tool ntacl sysvolcheck then fails with

ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/xxxxxxxx

and you need to run samba-tool ntacl sysvolreset, which fixes the problem:

drwxrwx---+ 4 Administrator Domain Admins 4096 Nov 22 18:02 {0AB62F02-D802-42E7-9599-A4E3DF8BF376}