[Samba] [PATCH] Re: SYSVOL ACLs and GPOs
Alex Matthews
qoole.samba at lillimoth.com
Tue Nov 6 13:41:08 MST 2012
On 06/11/2012 11:43, Alex Matthews wrote:
> On 05/11/2012 02:10, Andrew Bartlett wrote:
>> It is certainly very helpful to have this happen with samba-tool. Can
>> you remind me the history of this domain, is it the upgrade I was trying
>> to suggest you do, or a fresh provision?
>>
>> If you can tell me what provision command-line you ran, if it was
>> provisioned with an older version, which branch and git revision that
>> was and what branch and git revision are you running now?
>>
>> I've tried to replicate this in 'make test' but failed (the tests pass).
>> The patch for that is attached for review.
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
>
> Ok, I think we've got a bit lost in issues here, so I'll start from
> the very beginning (I've heard it's a very good place to start).
>
> I have set up two domains:
>
> home.lillimoth.com - a test domain set up on virtual machines at home.
> This domain has been provisioned from scratch.
> internal.stmaryscollege.co.uk - a production domain at my work place.
> This domain was migrated from a samba 3 domain.
>
>
> My issue is that when I run gpmc (the group policy management console)
> on a windows machine (XP or 7) and select a GPO to edit I get the
> message:
>
> "The permissions for this GPO in the SYSVOL folder are inconsistent
> with those in Active Directory.
> It is recommended that these permissions be consistent.
> To change the SYSVOL permissions to those in Active Directory, click
> OK." - Please see: http://support.microsoft.com/kb/828760
>
> This occurs on both domains.
> Clicking 'ok' to the popup should correct the ACLs on the
> files/folders it believes are incorrect.
> Please note that before clicking 'ok' sysvolcheck passes with no
> errors; however, after clicking it would fail with the following error:
>
> "ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> exception - ProvisioningError: VFS ACL on GPO directory
> /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
> does not match expected value
> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> from GPO object"
>
> This suggests that the gpmc did change the ACLs; however, when
> reselecting the same GPO it pops up with the same message again!
> Both servers have the correct mount options (user_xattr,acl) and acls
> work when set manually.
>
> I did some research into what the ACLs should be on the sysvol share
> and came up with these: http://pastebin.com/sSURWrDf which were taken
> from a WS2003 machine.
>
> I have not yet attempted to set these on my S4 server but will try
> that tonight.
>
>
> The issue seems to revolve around:
> 1. Incorrect initial ACLs on the sysvol share and its subfolders.
> 2. The inability of the GPMC to correct the issue, suggesting that
>    there is some issue setting ACLs on the sysvol share from a windows
>    client.
>
> There were a couple of issues with samba-tool creating GPOs but I will
> run through those in an email later this evening when I have had a
> chance to test them on my test domain.
>
> Thanks,
>
> Alex
>
>
I have just attempted to set the ACL on the sysvol directory using
samba-tool ntacl set and got the following message:
/usr/local/samba/var/locks# ../../bin/samba-tool ntacl set
"D:AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)"
sysvol -d 2
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Unknown flag - FA in FA
Badly formatted SDDL
'AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)'
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 90, in run
    setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 89, in setntacl
    sd = security.descriptor.from_sddl(sddl, sid)
FA is listed on the Microsoft ACE String page as FILE_ALL_ACCESS
(http://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928(v=vs.85).aspx).
Is it correct that the sddl parser cannot parse FA?
Thanks,
Alex
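Two things in this thread are worth seeing in code: the SDDL strings that sysvolcheck compares, and the FA rights alias that samba-tool's parser rejected. The block below is an added, stand-alone Python 3 example; it is neither Samba's code (Samba parses SDDL in security.descriptor.from_sddl) nor anything Alex or Andrew posted. It expands the two-letter rights aliases of the Microsoft ACE-string grammar into numeric access masks (the mask values are taken from the Windows SDK headers), so an ACE written as 0x001f01ff and one written as FA compare equal, and it reports how the two descriptors quoted in the error message differ ACE by ACE. The ACE-by-ACE comparison is this example's own normalisation, not the comparison sysvolcheck actually performs.

```python
"""Minimal SDDL parser: added example for this thread, not Samba's own code
(Samba parses SDDL in security.descriptor.from_sddl). Rights aliases such as
FA (FILE_ALL_ACCESS) are expanded to masks so that '0x001f01ff' and 'FA'
compare equal, and two descriptors' DACLs can be diffed ACE by ACE."""
import re
from collections import namedtuple

# Rights aliases and their access-mask values (from the Windows SDK headers).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,  # generic
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,  # standard
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,      # DS object
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,  # file
}

Ace = namedtuple("Ace", "ace_type flags mask object_type inherited_type trustee")

# The two descriptors from the sysvolcheck error quoted earlier in this thread.
ACTUAL = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
          "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
          "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI"
            "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
# The DACL that samba-tool ntacl set rejected with "Unknown flag - FA in FA".
ALEX_DACL = ("D:AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)"
             "(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)"
             "(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)")


def parse_rights(text):
    """Turn '0x001f01ff', 'FA' or 'GXGR' into an integer access mask."""
    if text == "":
        return 0
    if text.lower().startswith("0x"):
        return int(text, 16)
    if len(text) % 2:
        raise ValueError("Badly formatted rights %r" % text)
    mask = 0
    for i in range(0, len(text), 2):
        if text[i:i + 2] not in RIGHTS:
            raise ValueError("Unknown flag - %s in %s" % (text[i:i + 2], text))
        mask |= RIGHTS[text[i:i + 2]]
    return mask


def parse_flags(text):
    """Split two-letter ACE flags such as 'OICIIO' into a set."""
    if len(text) % 2:
        raise ValueError("Badly formatted flags %r" % text)
    return frozenset(text[i:i + 2] for i in range(0, len(text), 2))


def parse_acl(text):
    """Parse a D: or S: value into (control flags, [Ace]). The control prefix
    mixes one-letter P with two-letter AI/AR, so it gets its own pattern."""
    prefix = text.split("(", 1)[0]
    if re.fullmatch(r"(P|AI|AR)*", prefix) is None:
        raise ValueError("Badly formatted SDDL %r" % text)
    control = frozenset(re.findall(r"P|AI|AR", prefix))
    aces = []
    for body in re.findall(r"\(([^)]*)\)", text):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("Badly formatted ACE %r" % body)
        t, flags, rights, obj, iobj, sid = parts
        aces.append(Ace(t, parse_flags(flags), parse_rights(rights), obj, iobj, sid))
    return control, aces


def parse_sddl(sddl):
    """Split 'O:..G:..D:..S:..' into a dict; D and S become parsed ACLs."""
    return {k: parse_acl(v) if k in "DS" else v
            for k, v in re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}


def diff_dacls(actual_sddl, expected_sddl):
    """Report protection, SACL presence and the ACEs present on one side only."""
    actual, expected = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    a_ctrl, a_aces = actual.get("D", (frozenset(), []))
    e_ctrl, e_aces = expected.get("D", (frozenset(), []))
    return {"protected": ("P" in a_ctrl, "P" in e_ctrl),
            "has_sacl": ("S" in actual, "S" in expected),
            "missing": sorted(set(e_aces) - set(a_aces), key=str),
            "extra": sorted(set(a_aces) - set(e_aces), key=str)}


if __name__ == "__main__":
    for key, value in diff_dacls(ACTUAL, EXPECTED).items():
        print(key, value)
```

Running it shows that, once the hex and alias spellings are normalised, the GPO directory in the error message is missing the full-control ACEs for EA and SY that the expected descriptor carries, has six ACEs the expected one lacks (the non-inheriting read ACEs for DA/EA/SY, the CG WRITE_OWNER ACE and the inherit-only EA/SY ACEs), is not protected (no P flag) and has no SACL. The same parser accepts (A;ID;FA;;;BA) from the samba-tool command above and gives FA the FILE_ALL_ACCESS mask 0x001F01FF, which is the mask the error message spells as 0x001f01ff.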