Since 4.2 samba can resolve BUILTIN groups via libwinbind-nss. But it still does not resolve "well known security principals" like "Authenticated Users". On an AD DC the sysvol folder is created with read rights for "Authenticated Users" and Read/Write rights for "Local System". They get mapped by winbindd to local uid/gid in idmap.ldb but do not resolve to names. Below are the default ACLs after domain provision.

dc1#~getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

dc1#~getfacl -n /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: 0
# group: 3000000
user::rwx
user:0:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

Via idmap.ldb:
3000002 maps to S-1-5-11 (Local System)
3000003 maps to S-1-5-18 (Authenticated Users)
BUILTIN\Administrators map to 3000000
BUILTIN\Server Operators map to 3000001

If I copy the sysvol folder to a second DC (dc2) with rsync

dc2#~rsync -XAavz -e ssh root@dc1:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/

the two BUILTIN groups map to the proper gids from the local idmap.ldb but "Local System" and "Authenticated Users" keep the gids from the source server.

dc2#~getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:BUILTIN\134server\040operators:rwx
user:group\040policy\040creator\040owners:r-x
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:BUILTIN\134server\040operators:rwx
group:group\040policy\040creator\040owners:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:BUILTIN\134server\040operators:rwx
default:user:group\040policy\040creator\040owners:r-x
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:BUILTIN\134server\040operators:rwx
default:group:group\040policy\040creator\040owners:r-x
default:mask::rwx
default:other::---

dc2#~getfacl -n /var/lib/samba/sysvol
# file: var/lib/samba/sysvol/
# owner: 0
# group: 3000000
user::rwx
user:0:rwx
user:3000000:rwx
user:3000002:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000002:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:user:3000000:rwx
default:user:3000002:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000002:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

In this example on dc2 "BUILTIN\Server Operators" maps to 3000002 and "Group Policy Creator Owners" maps to 3000003. Via idmap.ldb on dc2:
3000007 maps to S-1-5-18 (Local System)
3000009 maps to S-1-5-11 (Authenticated Users)

This results in no read access rights for "Authenticated Users", which means normal users cannot access the sysvol share and cannot read the GPOs. Also "BUILTIN\Server Operators" has now gained write access to sysvol on dc2.

getfacl after "samba-tool ntacl sysvolreset" on dc2:
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol/
# owner: root
# group: BUILTIN\134administrators
user::rwx
user:root:rwx
user:BUILTIN\134administrators:rwx
user:BUILTIN\134server\040operators:r-x
user:3000007:r-x
user:3000009:rwx
group::rwx
group:BUILTIN\134administrators:rwx
group:BUILTIN\134server\040operators:r-x
group:3000007:r-x
group:3000009:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\134administrators:rwx
default:user:BUILTIN\134server\040operators:r-x
default:user:3000007:r-x
default:user:3000009:rwx
default:group::---
default:group:BUILTIN\134administrators:rwx
default:group:BUILTIN\134server\040operators:r-x
default:group:3000007:r-x
default:group:3000009:rwx
default:mask::rwx
default:other::---

Since the POSIX ACLs are still mandatory to access the share, it does not help that the extended ACLs in security.NTACL are not affected by this mapping problem. Even with acl_xattr:ignore system acls = Yes set, a domain user cannot access the sysvol share on dc2 without running sysvolreset or keeping idmap.ldb in sync. If the "well known security principals" were resolved like the BUILTIN groups via winbindd, the above problems would be fixed.
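A check for the situation described in this report, added here as an illustration and not part of the report or of Samba: it takes `getfacl -n` output from the destination DC, resolves each numeric uid/gid through that DC's own idmap (the constructed `DC2_ID_TO_SID` table stands in for what `wbinfo --gid-to-sid` answers there, using the ids quoted above and a placeholder domain SID), and reports every entry whose rights do not match the principals of Samba's default sysvol ACL. The well-known SIDs for BUILTIN\Administrators, BUILTIN\Server Operators, SYSTEM and Authenticated Users are the standard ones; the sample ACL excerpt is constructed from the dc2 output after the rsync.

```python
import re
# Principals in Samba's default sysvol ACL and their rights, keyed by SID.
EXPECTED = {
    "S-1-5-32-544": "rwx",  # BUILTIN\Administrators
    "S-1-5-32-549": "r-x",  # BUILTIN\Server Operators
    "S-1-5-18": "rwx",      # NT Authority\SYSTEM
    "S-1-5-11": "r-x",      # NT Authority\Authenticated Users
}
# Constructed dc2 idmap (ids quoted in the report; domain SID is a placeholder),
# i.e. what `wbinfo --gid-to-sid <gid>` would answer on dc2.
DC2_ID_TO_SID = {
    3000000: "S-1-5-32-544",
    3000002: "S-1-5-32-549",
    3000003: "S-1-5-21-1-2-3-520",  # Group Policy Creator Owners
    3000007: "S-1-5-18",
    3000009: "S-1-5-11",
}
# Constructed `getfacl -n` excerpt of dc2 after the rsync (named entries only).
SAMPLE_DC2_AFTER_RSYNC = """\
user:0:rwx
user:3000000:rwx
user:3000002:rwx
user:3000003:r-x
group:3000000:rwx
group:3000002:rwx
group:3000003:r-x
"""
ENTRY_RE = re.compile(r"^(default:)?(user|group):(\d+):([rwx-]{3})$")

def check_sysvol_acl(getfacl_n_output, id_to_sid):
    """Resolve numeric ACL entries via the local idmap; list deviations from EXPECTED."""
    problems, seen = [], set()
    for m in filter(None, map(ENTRY_RE.match, getfacl_n_output.split())):
        scope = "default " if m.group(1) else ""
        tag, xid, perms = m.group(2), int(m.group(3)), m.group(4)
        if xid == 0:
            continue  # root is a local Unix account, not an idmap entry
        sid = id_to_sid.get(xid)
        if sid is None:
            problems.append(f"{scope}{tag}:{xid} is not mapped in idmap.ldb")
        elif sid not in EXPECTED:
            problems.append(f"{scope}{tag}:{xid} -> {sid} is not a sysvol principal")
        elif perms != EXPECTED[sid]:
            problems.append(f"{scope}{tag}:{xid} -> {sid} has {perms}, expected {EXPECTED[sid]}")
        seen.add(sid)
    for sid, perms in EXPECTED.items():
        if sid not in seen:
            problems.append(f"no entry grants {perms} to {sid}")
    return problems
```

Run against the sample it reports the two symptoms from the report: Server Operators holding rwx via the copied gid, and no entry at all for SYSTEM or Authenticated Users.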
Hi, I'm testing at the moment with Win7 and Win10 systems and this "enhancement" should be a bug. Below it is tested on samba 4.4.3-Debian, a rebuilt Debian Stretch version. I just tested a Win10 upgrade with a new policy and again I'm getting denied messages; from within Windows all things resolve fine, but I see the following (tested on the DC with the FSMO roles):

wbinfo --gid-info 3000000
BUILTIN\administrators:x:3000000:

wbinfo --gid-info 3000001
BUILTIN\server operators:x:3000001:

wbinfo --gid-info 3000002
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000002

wbinfo --gid-info 3000003
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000003

getfacl -n /home/samba/sysvol/
getfacl: Removing leading '/' from absolute path names
# file: home/samba/sysvol/
# owner: 0
# group: 3000000
user::rwx
user:0:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

I'm using 2 DCs, as Achim also shows here. I also sync. I don't have any out-of-sync rights between the 2 servers, and I'm also using acl_xattr:ignore system acls = Yes on the sysvol share.
Closing this, it would seem that by fixing other things, this has been fixed:

getfacl /var/lib/samba/sysvol
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/sysvol
# owner: root
# group: BUILTIN\\administrators
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:NT\040Authority\\authenticated\040users:r-x
user:BUILTIN\\server\040operators:r-x
user:NT\040Authority\\system:rwx
group::rwx
group:BUILTIN\\administrators:rwx
group:NT\040Authority\\authenticated\040users:r-x
group:BUILTIN\\server\040operators:r-x
group:NT\040Authority\\system:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:NT\040Authority\\authenticated\040users:r-x
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040Authority\\system:rwx
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:NT\040Authority\\authenticated\040users:r-x
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040Authority\\system:rwx
default:mask::rwx
default:other::---