Bug 14972 - User member of default AD-group "Group Policy Creator Owners" cannot create GPOs with samba-tool
Summary: User member of default AD-group "Group Policy Creator Owners" cannot create G...
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.17.8
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2022-02-09 09:14 UTC by keesvanvloten
Modified: 2023-07-10 17:38 UTC
CC List: 1 user

Description keesvanvloten 2022-02-09 09:14:09 UTC
I am trying to create a GPO as a user in "Group Policy Creator Owners":

samba-tool gpo create 'testgpo' --user=gpo_manager --password=<password>
Using temporary directory /tmp/tmp_a869azf (use --tmpdir to change)
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <acl: unable to get access to CN={B4C8AF24-50C5-400C-B823-4AF8727AD8E6},CN=Policies,CN=System,DC=composers,DC=lan
> <>
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 1244, in run

As a result the GPO is not created on the filesystem nor in ldap.
The doc here: 

The ability to create GPOs in a domain is a permission that is managed on a per-domain basis. By default, only members of the Domain Admins, Enterprise Admins, Group Policy Creator Owners, and SYSTEM groups can create new GPOs.

The permissions provided by the group "Group Policy Creator Owners" should be enough to create and manage GPOs. 

Using a user in this group prevents the need to use a domain-admin and is therefore IMHO a big security win.
This is even more important when managing the GPO (after creation with samba-tool) on a Windows client. When created by a domain-admin, it must be managed on Windows by a domain-admin, whereas otherwise an ordinary user member of "Group Policy Creator Owners" can be used. 
I would say a huge security gain and reason to make samba-tool work for users in "Group Policy Creator Owners".
Comment 1 keesvanvloten 2023-07-10 17:38:46 UTC
What is needed is an addition of "Group Policy Creator Owners" to the GPO container in LDAP and to filesystem ACLs on the GPO directory.

Somehow it looks like Samba has been setting these permissions quite differently and that does work. The below settings are created as a "Domain Admin" from a Windows 10 (21h2) machine. The filesystem ACLs have been slightly modified in order to have them as Posix-ACLs, which are much easier to manage (and more readable) from a Linux machine.

BTW. "samba-tool ntacl sysvolreset" will remove these changes. If the Samba defaults are changed according to the specs here, then "samba-tool ntacl sysvolreset" should be changed accordingly.

The filesystem ACLs on "/var/lib/samba/sysvol/example.com/Policies" when specified as Posix-ACLs should be changed to:
# owner: root
# group: BUILTIN\\administrators
user:NT Authority\\system:rwx
user:NT Authority\\authenticated users:r-x
user:EXAMPLE\\enterprise admins:rwx
user:EXAMPLE\\group policy creator owners:rwx
user:NT Authority\\enterprise domain controllers:r-x
group:NT Authority\\system:rwx
group:NT Authority\\authenticated users:r-x
group:EXAMPLE\\domain admins:rwx
group:EXAMPLE\\enterprise admins:rwx
group:EXAMPLE\\group policy creator owners:rwx
group:NT Authority\\enterprise domain controllers:r-x
default:user:NT Authority\\system:rwx
default:user:NT Authority\\authenticated users:r-x
default:user:EXAMPLE\\domain admins:rwx
default:user:EXAMPLE\\enterprise admins:rwx
default:user:EXAMPLE\\group policy creator owners:rwx
default:user:NT Authority\\enterprise domain controllers:r-x
default:group:NT Authority\\system:rwx
default:group:NT Authority\\authenticated users:r-x
default:group:EXAMPLE\\domain admins:rwx
default:group:EXAMPLE\\enterprise admins:rwx
default:group:EXAMPLE\\group policy creator owners:rwx
default:group:NT Authority\\enterprise domain controllers:r-x

When specified as NT-ACLs it is probably slightly different; the important thing is that the group "Group Policy Creator Owners" has write permissions.

The LDAP container DS-ACLs on "CN=Policies,CN=System,DC=example,DC=com" should be changed to: