Problem:
GPO-ACLs stop working when Group Policies are adjusted
Investigation:
The GPO was added or adjusted by a user who is a member of Domain Admins.
root@master:~$ samba-tool ntacl sysvolcheck --mask-msad-differences
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/schein.ig/Policies/{2ADB0006-6825-4D5B-AB7B-FE1F218E112F}/GPT.INI does not match value expected from GPO object
FSACL: O:S-1-5-21-2438365080-1175145288-4246282840-1122G:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;S-1-5-21-2438365080-1175145288-4246282840-1122)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/schein.ig/Policies/{2ADB0006-6825-4D5B-AB7B-FE1F218E112F}/GPT.INI does not match value expected from GPO object
FSACL: O:S-1-5-21-2438365080-1175145288-4246282840-1122G:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;S-1-5-21-2438365080-1175145288-4246282840-1122)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
DSACL: O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)
root@master:~$ ls -lah /var/lib/samba/sysvol/schein.ig/Policies/
insgesamt 48K
drwxrwx---+ 6 Administrator Administrators 4,0K Mai 20 10:48 .
drwxrwx---+ 4 Administrator Administrators 4,0K Mär 24 12:26 ..
drwxrwx---+ 4 cscheini Domain Admins 4,0K Mai 20 10:48 {2ADB0006-6825-4D5B-AB7B-FE1F218E112F}
drwxrwx---+ 4 Administrator Domain Admins 4,0K Mär 24 12:26 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 Administrator Domain Admins 4,0K Mär 24 12:26 {6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root Domain Admins 4,0K Mai 20 10:05 {9D70C97F-9F36-4F18-9AC9-6EBB796CCA68}
root@master:~$ univention-s4search cn=cscheini objectsid
# record 1
dn: CN=cscheini,CN=Users,DC=schein,DC=ig
objectSid: S-1-5-21-2438365080-1175145288-4246282840-1122
memberOf: cn=Domain Admins,cn=groups,dc=schein,dc=ig
memberOf: CN=Enterprise Admins,CN=Groups,DC=schein,DC=ig
memberOf: CN=Administrators,CN=Builtin,DC=schein,DC=ig
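To make the sysvolcheck report above easier to read, here is an added helper (not part of this page, Samba or Univention) that parses the two SDDL strings and lists what differs between the file-system ACL and the ACL expected from the GPO object. FSACL and DSACL are the strings from the GPT.INI report; the two-letter aliases are the standard SDDL abbreviations. On these inputs it shows that the file-system owner and an extra full-control ACE refer to the creating user's SID (S-1-5-21-...-1122, which is cscheini above) where the directory expects Domain Admins.

```python
import re

# Constructed sample: the FSACL/DSACL pair sysvolcheck printed for GPT.INI above.
FSACL = ("O:S-1-5-21-2438365080-1175145288-4246282840-1122G:DAD:AI"
         "(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)"
         "(A;ID;0x001f01ff;;;S-1-5-21-2438365080-1175145288-4246282840-1122)"
         "(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)")
DSACL = ("O:DAG:DAD:AI(A;ID;0x001f01ff;;;DA)(A;ID;0x001f01ff;;;EA)"
         "(A;ID;0x001f01ff;;;SY)(A;ID;0x001200a9;;;AU)(A;ID;0x001200a9;;;ED)")

# Standard two-letter SDDL aliases seen in the output; anything else is a literal SID.
ALIASES = {"DA": "Domain Admins", "EA": "Enterprise Admins", "BA": "Builtin Administrators",
           "SY": "Local System", "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
SDDL_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl>.*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE tuples
    (type, flags, rights, object_guid, inherit_guid, trustee)."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    dacl = m.group("dacl")
    flags = dacl.split("(", 1)[0]          # e.g. "AI" before the first ACE
    aces = [tuple(body.split(";")) for body in re.findall(r"\(([^)]*)\)", dacl)]
    return {"owner": m.group("owner"), "group": m.group("group"), "flags": flags, "aces": aces}

def diff_acls(fs_sddl, ds_sddl):
    """What differs between the file-system ACL and the ACL expected from the GPO object."""
    fs, ds = parse_sddl(fs_sddl), parse_sddl(ds_sddl)
    return {
        "owner": (fs["owner"], ds["owner"]) if fs["owner"] != ds["owner"] else None,
        "group": (fs["group"], ds["group"]) if fs["group"] != ds["group"] else None,
        "only_in_fs": [a for a in fs["aces"] if a not in ds["aces"]],
        "only_in_ds": [a for a in ds["aces"] if a not in fs["aces"]],
    }

def report(fs_sddl, ds_sddl):
    """Human-readable summary lines of diff_acls(); an empty list means the ACLs match."""
    d, name = diff_acls(fs_sddl, ds_sddl), lambda t: ALIASES.get(t, t)
    lines = []
    for field in ("owner", "group"):
        if d[field]:
            lines.append("%s: FS=%s  DS=%s" % (field, name(d[field][0]), name(d[field][1])))
    for ace in d["only_in_fs"]:
        lines.append("extra ACE on file system: rights=%s for %s" % (ace[2], name(ace[5])))
    for ace in d["only_in_ds"]:
        lines.append("ACE missing on file system: rights=%s for %s" % (ace[2], name(ace[5])))
    return lines

print("\n".join(report(FSACL, DSACL)) or "ACLs match")
```

Paste any other FSACL/DSACL pair from sysvolcheck into the two constants to see which trustee the mismatch refers to before deciding whether a sysvolreset is needed.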
Temporary workaround:
samba-tool ntacl sysvolreset
Solution:
We have to change the idmap type of the Builtin Administrators group (SID S-1-5-32-544) so that it is mapped not only as a user but also as a group (ID_TYPE_BOTH):
root@master:~$ ldbmodify -H /var/lib/samba/private/idmap.ldb <<%EOF
dn: CN=S-1-5-32-544
changetype: modify
replace: type
type: ID_TYPE_BOTH
%EOF
root@master:~$ net cache flush
This has to be done on each Samba DC.
After this adjustment and the net cache flush, the ACLs work again. samba-tool ntacl sysvolcheck --mask-msad-differences may still report some errors; these are only cosmetic.