Bug 49293 - sysvolcheck ProvisioningError after modifying / creating GPOs in UCS@school 4.3
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.3
Other Linux
P5 normal
Assigned To: Samba maintainers
https://hutten.knut.univention.de/med...
Depends on: 46643
Blocks:
Reported: 2019-04-15 14:32 CEST by Arvid Requate
Modified: 2019-07-09 12:21 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2019032721000316, 2019070221000301
Bug group (optional):
Max CVSS v3 score:


Attachments
1.diff (9.71 KB, patch)
2019-04-15 14:35 CEST, Arvid Requate
log-samba-level10-ABAEADCF-E88C-4C9D-B449-B196350A4E0C.txt (7.54 KB, text/plain)
2019-07-04 13:07 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2019-04-15 14:32:29 CEST
Ticket #2019032721000316 reported that samba-tool ntacl sysvolcheck finds errors. I tested with the improved checks from Bug #46643 and found yet another type of difference between the NTACL in the filesystem (FSACL) and the NTACL configured in the Samba/AD directory service (DSACL):

root@master:~# samba-tool ntacl sysvolcheck --mask-msad-differences
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{2109D849-36E1-5DDC-8505-CFAD2F230E4}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{B9B3B5DA-63E7-63BE-A8C6-12506B2AE1BC}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;LA)(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{2109D849-36E1-5DDC-8505-CFAD2F230E4}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/foo.bar.com/Policies/{B9B3B5DA-63E7-63BE-A8C6-12506B2AE1BC}/Machine/Registry.pol does not match value expected from GPO object
FSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;LA)(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)
DSACL: O:DAG:DAD:ARAI(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)

There are actually two new things here: SEC_DESC_DACL_AUTO_INHERIT_REQ on a file and LA before DA in the FSACL (rather than DA before LA in the DSACL).

The system was UCS 4.3-3 and I just copied the check_dir_acl function from 4.4 into the provision/__init__.py file to test it there.
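To make the two differences in the description visible separately (the extra "AR" control flag, i.e. SEC_DESC_DACL_AUTO_INHERIT_REQ, versus an ACE that exists on only one side), here is an added example that is not part of the bug report or of samba-tool: a small SDDL diff that parses the quoted FSACL/DSACL strings into DACL control flags and ACE tuples and reports which part mismatches. The `ignore_flags` parameter and the sample constants are constructed for this illustration; the mask semantics of samba-tool's --mask-msad-differences option are not reproduced.

```python
import re

# Constructed from the two FSACL/DSACL pairs quoted in the bug description.
FS_1 = "O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)"
DS_1 = "O:DAG:DAD:ARAI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)"
FS_2 = "O:DAG:DAD:AI(A;ID;0x001f01ff;;;LA)(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)"
DS_2 = "O:DAG:DAD:ARAI(A;ID;0x001200a9;;;AU)(A;ID;0x001f01ff;;;SY)(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001200a9;;;ED)(A;ID;0x001200a9;;;S-1-5-21-123-456-769-123)"

SD_RE = re.compile(r"O:([\w-]+)G:([\w-]+)D:([A-Z]*)((?:\([^)]*\))*)$")
FLAG_RE = re.compile(r"AR|AI|P")  # DACL control flags: auto-inherit-req, auto-inherited, protected


def parse_sddl(sddl):
    """Split 'O:..G:..D:<flags>(ace)(ace)...' into owner, group, flag set
    and a list of ACE tuples (type, flags, rights, object, inherit_object, sid)."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, flagstr, acestr = m.groups()
    flags = FLAG_RE.findall(flagstr)
    if "".join(flags) != flagstr:
        raise ValueError("unknown DACL control flag in %r" % flagstr)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", acestr)]
    if any(len(a) != 6 for a in aces):
        raise ValueError("malformed ACE in %r" % acestr)
    return owner, group, frozenset(flags), aces


def compare_sddl(fsacl, dsacl, ignore_flags=()):
    """Report how the filesystem ACL differs from the directory ACL; ignore_flags
    (constructed option) masks DACL control flags such as ("AR",) from the comparison."""
    fo, fg, ff, fa = parse_sddl(fsacl)
    do, dg, df, da = parse_sddl(dsacl)
    flag_diff = sorted((ff ^ df) - frozenset(ignore_flags))
    only_fs = [a[5] for a in fa if a not in da]  # SIDs with an ACE only on the file
    only_ds = [a[5] for a in da if a not in fa]  # SIDs with an ACE only in the DS
    # ACE ordering is checked only over ACEs present on both sides
    order_differs = [a for a in fa if a in da] != [a for a in da if a in fa]
    return {
        "owner_group_match": (fo, fg) == (do, dg),
        "flag_diff": flag_diff,
        "only_in_fs": only_fs,
        "only_in_ds": only_ds,
        "order_differs": order_differs,
        "match": (fo, fg) == (do, dg) and not (flag_diff or only_fs or only_ds or order_differs),
    }


if __name__ == "__main__":
    for fs, ds in ((FS_1, DS_1), (FS_2, DS_2)):
        print(compare_sddl(fs, ds), compare_sddl(fs, ds, ignore_flags=("AR",)))
```

For the first pair the only difference is the "AR" flag, so masking it yields a match; for the second pair the file still carries an ACE for LA that the directory object lacks, which no flag masking can hide.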
Comment 1 Arvid Requate univentionstaff 2019-04-15 14:35:04 CEST
Created attachment 9972 [details]
1.diff

A rough idea to fix the SEC_DESC_DACL_AUTO_INHERIT_REQ difference. Pretty ugly, because the ACLs written by GPMC (via smbd) seem to differ per file type.

The LA/DA issue is not well understood yet (never was).
Comment 2 Arvid Requate univentionstaff 2019-04-23 17:35:07 CEST
> because the ACLs written by GPMC (via smbd) seem to differ per file type

To be precise: The patch introduces a special handling for "Registry.pol" and all other files (they have no "AR" DACL flag in the Filesystem).
In contrast, the "GPT.INI", "GptTmpl.inf" and "comment.cmtx" are handled as before (behavior as in Bug 46643 Comment 8).
Comment 4 Christina Scheinig univentionstaff 2019-07-04 12:15:52 CEST
The customer reported that after creating or modifying a GPO, the GPO is not reliably applied.
He gets ProvisioningError messages with samba-tool ntacl sysvolcheck.

This is fixable with samba-tool ntacl sysvolreset, BUT this takes nearly an hour now.
Comment 5 Arvid Requate univentionstaff 2019-07-04 13:07:56 CEST
Created attachment 10103 [details]
log-samba-level10-ABAEADCF-E88C-4C9D-B449-B196350A4E0C.txt

I can reproduce this issue simply by starting GPMC from a Windows 7 Client as Domain Administrator, creating a new empty GPO and then adding a user to the security filter. The attached file shows parts of the samba/debug/level=10 logs. From that it looks like the client writes SEC_DESC_DACL_AUTO_INHERIT_REQ = 1 to Samba/AD LDAP, but SEC_DESC_DACL_AUTO_INHERIT_REQ = 0 into the sysvol share.

My next idea would be to join the Windows Client against a native MS AD DC and check the same thing there, i.e. the final GPO ACL in the sysvol vs AD LDAP.