Univention Bugzilla – Bug 49293
sysvolcheck ProvisioningError after modifying / creating GPOs in UCS@school 4.3
Last modified: 2019-09-03 14:47:06 CEST
Ticket #2019032721000316 reported that samba-tool ntacl sysvolcheck finds errors. I tested with the improved checks from Bug #46643 and found yet another type of difference between the NTACL in the filesystem (FSACL) and the NTACL configured in the Samba/AD directory service (DSACL):

root@master:~# samba-tool ntacl sysvolcheck --mask-msad-differences
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{2109D849-36E1-5DDC-8505-CFAD2F230E4}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{B9B3B5DA-63E7-63BE-A8C6-12506B2AE1BC}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;LA)(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{2109D849-36E1-5DDC-8505-CFAD2F230E4}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{B9B3B5DA-63E7-63BE-A8C6-12506B2AE1BC}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;LA)(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)

There are actually two new things here: SEC_DESC_DACL_AUTO_INHERIT_REQ on a file and LA before DA in the FSACL (rather than DA before LA in the DSACL). The system was UCS 4.3-3 and I just copied the check_dir_acl function from 4.4 into the provision/__init__.py file to test it there.
Created attachment 9972 [details] 1.diff A rough idea to fix the SEC_DESC_DACL_AUTO_INHERIT_REQ difference. Pretty ugly, because the ACLs written by GPMC (via smbd) seem to differ per file type. The LA/DA issue is not well understood yet (never was).
> because the ACLs written by GPMC (via smbd) seem to differ per file type

To be precise: The patch introduces a special handling for "Registry.pol" and all other files (they have no "AR" DACL flag in the filesystem). In contrast, the "GPT.INI", "GptTmpl.inf" and "comment.cmtx" are handled as before (behavior as in Bug 46643 Comment 8).
The customer reported that, when creating or modifying a GPO, the GPO is not reliably applied. He gets ProvisioningError messages with samba-tool ntacl sysvolcheck. This is fixable with samba-tool ntacl sysvolreset, BUT this takes nearly an hour now.
Created attachment 10103 [details] log-samba-level10-ABAEADCF-E88C-4C9D-B449-B196350A4E0C.txt I can reproduce this issue simply by starting GPMC from a Windows 7 Client as Domain Administrator, creating a new empty GPO and then adding a user to the security filter. The attached file shows parts of the samba/debug/level=10 logs. From that it looks like the client writes SEC_DESC_DACL_AUTO_INHERIT_REQ = 1 to Samba/AD LDAP, but SEC_DESC_DACL_AUTO_INHERIT_REQ = 0 into the sysvol share. My next idea would be to join the Windows Client against a native MS AD DC and check the same thing there, i.e. the final GPO ACL in the sysvol vs AD LDAP.
In my test with a Windows 7 Client joined to a Windows 2008R2 AD DC I see that new GPOs are created with DACL flags "PAI" in LDAP and in the sysvol. In Samba constants that's (SEC_DESC_DACL_PROTECTED | SEC_DESC_DACL_AUTO_INHERITED). Two things seem to be different in Samba:
* A new GPO doesn't have the "AI" (SEC_DESC_DACL_AUTO_INHERITED) flag in LDAP, only in the sysvol share. So you only have "P" in LDAP but "PAI" in the sysvol.
* After adjusting the security filtering of the GPO (add a group, remove the default "Authenticated Users"), the GPO has the "AR" flag in LDAP (SEC_DESC_DACL_AUTO_INHERIT_REQ). So you have "PAR" in LDAP but "PAI" in sysvol.
This difference doesn't seem to have any effect on the Windows (7) client though, GPO evaluation and security filtering worked nonetheless. So my current recommendation is:
1. Continue debugging the customer specific issues in support
2. Adjust one additional line in the sysvolcheck python code. I'll attach a patch.
Created attachment 10145 [details] bug49293.patch Patch for 97_Bug-46643-add-sysvolcheck-option-mask-msad-differences.quilt in ~/svn/patches/samba/4.4-0-0-ucs/ This adjusts the behavior of the sysvolcheck --mask-msad-differences switch, so this difference between P/PAI/PAR is masked during the normal check of the diagnostic module. The standard sysvolcheck without that option would still complain and that's good for further analysis.
r18634 | Patch in samba/4.4-0-0-ucs/2:4.10.1-1-errata4.4-1
33f062988e | samba.yaml

QA:
1. Join a Windows client to a UCS 4.4-1 Samba/AD DC Master (You may use VM arequate_Win7SP1.229, which has the GPMC feature installed)
2. Log in as Domain Administrator and start the Group Policy Management Console to create a GPO (doesn't need to have any content)
3. Log in to your UCS Samba/AD DC Master and run samba-tool ntacl sysvolcheck --mask-msad-differences
No error output should appear. Note: If you run univention-s4search displayName=YourGPOName nTSecurityDescriptor then you can see "nTSecurityDescriptor: O:DAG:DAD:P(..."
4. In the Group Policy Management Console click on the GPO and adjust the "security filtering" by adding e.g. "Domain Users" and removing "Authenticated Users".
5. Log in to your UCS Samba/AD DC Master and run samba-tool ntacl sysvolcheck --mask-msad-differences
If you have updated the packages to the versions in errata4.4-1, then no error output should appear. Note: If you run univention-s4search displayName=YourGPOName nTSecurityDescriptor then you can see "nTSecurityDescriptor: O:DAG:DAD:PAR(..."

FYI: The nTSecurityDescriptor in Samba/AD LDAP differs in this point from the NTACLs in the filesystem, which can be checked by running e.g. something like this:
samba-tool ntacl get --as-sddl /var/lib/samba/sysvol/ar41i1.qa/Policies/\{7D5A2A26-2D2F-47A4-BD9C-47B3075D8598\}/
O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)

The "AI" flag says that the "Auto Inheritance" feature is supported (since Windows 2000). It's an informative flag. As recommended in Bug 43120#c3 we now don't alert the users if the P/PAI/PAR flags differ. The --mask-msad-differences option was introduced by us to allow masking these non-critical issues. This option is only used in the UMC system diagnostic.
If you don't use the special option, then you can see all the differences. See Comment 6 for further details.
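The P/PAI/PAR masking that the two comments above describe (the LDAP vs. sysvol flag difference, and what --mask-msad-differences tolerates), as an added illustration that is not part of this bug report or of the Samba/UCS patch: a small SDDL comparison that reports which part of an FSACL/DSACL pair differs, with the DACL control flags optionally masked. The parser, the flag set and the function names are my assumptions, not the sysvolcheck code.

```python
import re
from typing import FrozenSet, List, NamedTuple, Tuple

# Constructed example, not the sysvolcheck code: compare two SDDL strings the
# way this bug discusses them. Handled shape: O:<owner>G:<group>D:<flags>(<ace>)...
SDDL_RE = re.compile(r"^O:(?P<owner>.*?)G:(?P<group>.*?)D:(?P<dacl>.*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")
# DACL control flags that --mask-msad-differences tolerates per this bug:
# P (PROTECTED), AI (AUTO_INHERITED), AR (AUTO_INHERIT_REQ).
MSAD_MASKED_FLAGS = frozenset({"P", "AI", "AR"})
# FSACL/DSACL pair from the first sysvolcheck error quoted in this bug.
SAMPLE_FSACL = ("O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)"
                "(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)")
SAMPLE_DSACL = SAMPLE_FSACL.replace("D:AI(", "D:ARAI(")

class Ntacl(NamedTuple):
    owner: str
    group: str
    dacl_flags: FrozenSet[str]
    aces: Tuple[str, ...]

def parse_sddl(sddl: str) -> Ntacl:
    """Split SDDL into owner, group, DACL control flags and ordered ACEs."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    dacl = m.group("dacl")
    flag_str, flags, i = dacl.split("(", 1)[0], set(), 0  # e.g. "PARAI"
    while i < len(flag_str):  # two-letter flags (AI, AR) before single-letter P
        tok = flag_str[i:i + 2] if flag_str[i:i + 2] in ("AI", "AR") else flag_str[i]
        if tok not in ("P", "AI", "AR"):
            raise ValueError("unknown DACL flag %r in %r" % (tok, sddl))
        flags.add(tok)
        i += len(tok)
    return Ntacl(m.group("owner"), m.group("group"), frozenset(flags),
                 tuple(ACE_RE.findall(dacl)))

def ntacl_differences(fsacl: str, dsacl: str, mask_msad_differences: bool = False) -> List[str]:
    """Return the parts in which FSACL and DSACL differ (empty list means match)."""
    fs, ds = parse_sddl(fsacl), parse_sddl(dsacl)
    diffs = [n for n in ("owner", "group") if getattr(fs, n) != getattr(ds, n)]
    fs_flags, ds_flags = fs.dacl_flags, ds.dacl_flags
    if mask_msad_differences:  # tolerate only the P/PAI/PAR-style flag differences
        fs_flags, ds_flags = fs_flags - MSAD_MASKED_FLAGS, ds_flags - MSAD_MASKED_FLAGS
    if fs_flags != ds_flags:
        diffs.append("dacl_flags")
    if fs.aces != ds.aces:  # ACE order matters here, as in a plain string compare
        diffs.append("ace_order" if sorted(fs.aces) == sorted(ds.aces) else "aces")
    return diffs
```

With the mask, only the AI vs. ARAI flag difference of the sample pair is tolerated; an ACE that is present on one side only, or carries different access rights, is still reported.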
OK: Following the description from comment #8 does indeed fix the GPO that was created before updating samba. With the flag --mask-msad-differences no issues are shown, while omitting the flag does present errors.

FAIL: I cannot reproduce this once the samba packages are updated. I created another GPO, edited it, and samba-tool ntacl sysvolcheck --mask-msad-differences shows errors:
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{090E72CC-72E0-42DC-9D18-4C3FEE6B6E7E} does not match value expected from GPO object
FSACL: O:DAG:DAD:PARAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{090E72CC-72E0-42DC-9D18-4C3FEE6B6E7E} does not match value expected from GPO object
FSACL: O:DAG:DAD:PARAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU)

# samba-tool ntacl sysvolcheck
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{EB931722-215B-4BC9-8C3A-1B6F432465FA} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) does not match value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) expected from GPO object
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{EB931722-215B-4BC9-8C3A-1B6F432465FA} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) does not match value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DU) expected from GPO object

It seems that the samba package update fixed something else, too.
Together, we could not reproduce the issue reported in Comment 9 in my test env.
I did not fully log all my attempts to reproduce the issue, sorry for the noise. The issue I could produce occurs when executing a sysvolreset with the updated samba package: samba-tool ntacl sysvolcheck will show no errors, but sysvolcheck --mask-msad-differences shows the errors from comment #9. As discussed -> Reopen
r18645 | Patch update
r18646 | Patch update
9a6c460e08 | Advisory update
As discussed, now we see a different error:
samba-tool ntacl sysvolcheck --mask-msad-differences
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{46781564-58F7-4770-9A55-3726DC2F0E3A}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{46781564-58F7-4770-9A55-3726DC2F0E3A}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
Yes, you are right, I fixed it in
r18650 | Update patch
d401fad234 | Advisory version
The package is building, I'll close the bug once it's done and tested.
Obviously fixed as mentioned by the last comment -> resolved
Sorry for the last comment, I was too eager to finally mark this verified. I can still reproduce an issue when changing the security filter:
tested: samba 2:4.10.1-1A~4.4.0.201908281834
Create new GPO, modify security filter by deleting current and adding new group. sysvolcheck + sysvolcheck --mask-msad-differences is fine. Now do a sysvolreset + change the security filter again: error from sysvolcheck --mask-msad-differences:
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;DU)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;DU)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
r18650 | Update patch
d401fad234 | Update Advisory version
root@ucsmaster:~# samba-tool ntacl sysvolcheck --mask-msad-differences
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;DU)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232}/GPT.INI does not match value expected from GPO object
FSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001d0156;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;DU)

root@ucsmaster:~# samba-tool ntacl sysvolcheck
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232} O:DAG:DAD:PAI(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)(A;OICI;0x001200a9;;;DU) does not match value O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)(A;OICI;0x001200a9;;;DU) expected from GPO object
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/mydomain.intranet/Policies/{8EAD3636-8544-41B5-8A7F-4098353A9232} O:DAG:DAD:PAI(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)(A;OICI;0x001200a9;;;DU) does not match value O:DAG:DAD:PAR(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001d0156;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;DA)(A;OICI;0x001200a9;;;DU) expected from GPO object
Thanks, really good catch reported in Comment 16 and Comment 18! That's actually not a shortcoming of sysvolcheck but a real issue, and I created Bug #50085 for that. Let's get this improvement shipped and then we need to go for the real issue, which might be a bug in Samba.
OK: Bug #50085
OK: current behavior within bug scope
OK: yaml
Verified
<http://errata.software-univention.de/ucs/4.4/246.html>