[Samba] SYSVOL ACLs and GPOs

Alex Matthews qoole.samba at lillimoth.com
Thu Oct 25 03:32:04 MDT 2012


On 25/10/2012 10:20, Andrew Bartlett wrote:
> On Thu, 2012-10-25 at 10:01 +0100, Alex Matthews wrote:
>> On 25/10/2012 02:31, Andrew Bartlett wrote:
>>> On Wed, 2012-10-24 at 18:36 +0100, Alex Matthews wrote:
>>>> On 24/10/2012 17:25, Alex Matthews wrote:
>>>>> On 24/10/2012 12:09, Andrew Bartlett wrote:
>>>>>> On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I have installed a virtual testing network consisting of one samba4 PDC
>>>>>>> (latest git master) and one Windows XP Pro SP3 (fully updated) machine.
>>>>>>>
>>>>>>> I have successfully provisioned an AD Domain and joined the XP machine
>>>>>>> to it.
>>>>>>> When I run the gpmc on the XP Pro machine and select:
>>>>>>> Forest: <domain name> -> Domains -> <domain name> -> Group Policy
>>>>>>> Objects -> Default Domain [Controller | Policy]
>>>>>>> I get the following error:
>>>>>>>
>>>>>>> "The permissions for this GPO in the SYSVOL folder are inconsistent
>>>>>>> with
>>>>>>> those in Active Directory.
>>>>>>> It is recommended that these permissions be consistent.
>>>>>>> To change the SYSVOL permissions to those in Active Directory, click
>>>>>>> OK."
>>>>>>>
>>>>>>> Hitting OK I get no error, but as soon as I reselect THE SAME entry I
>>>>>>> get the same error; it doesn't seem to be able to fix the ACL.
>>>>>>>
>>>>>>> I have found one post about this on the list
>>>>>>> (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was
>>>>>>> "fixed" a long time ago.
>>>>>>> Seeing as I'm using the latest version I would assume this is a
>>>>>>> different issue.
>>>>>>>
>>>>>>> If I try to change any of the ACLs on either of the folders in
>>>>>>> \\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors however
>>>>>>> the change doesn't stick.
>>>>>>>
>>>>>>>
>>>>>>> Looking at the samba log files:
>>>>>>>
>>>>>>> I get this when I start gpmc and click ok:
>>>>>>> http://pastebin.com/7rBKyU1B
>>>>>>>
>>>>>>> I get this when I start gpmc and don't click ok:
>>>>>>> http://pastebin.com/B3DMSE1T
>>>>>>>
>>>>>>> I get this when I alter the ACLs manually (after line 479 is when I
>>>>>>> actually alter the ACLs):
>>>>>>> http://pastebin.com/2mEvWX6K
>>>>>>>
>>>>>>> My smb.conf is stock. No alterations.
>>>>>>> The server OS is Ubuntu 12.04.
>>>>>>> The filesystem is ext4 mounted with the following options:
>>>>>>> "errors=remount-ro,acl,user_xattr,barrier=1".
>>>>>>> I have all acl packages installed that I have seen referenced by samba
>>>>>>> or in posts of a similar nature.
>>>>>> If you are in the mood for some testing, can you try my acl-fixes2
>>>>>> branch?
>>>>>>
>>>>>> git remote add abartlet git://git.samba.org/abartlet/samba.git
>>>>>> git fetch abartlet
>>>>>> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
>>>>>>
>>>>>> I'm trying to get these changes into master, but I'm not quite finished.
>>>>>> You should only put these on a test server, as I may change data formats
>>>>>> etc.
>>>>>>
>>>>>> I would be very curious to know if this fixes the issue.
>>>>>>
>>>>>> Otherwise or in addition, if you can show me the contents of your
>>>>>> idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess at what is
>>>>>> going wrong here, and fix it.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Andrew Bartlett
>>>>>>
>>>>> I assume
>>>>>
>>>>> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
>>>>>
>>>>> should be:
>>>>>
>>>>> git checkout abartlet/fix-acls2 -b abartlet-fix-acls2
>>>>>
>>>>> I'm rebuilding now, will keep you posted!
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Alex
>>>>>
>>>> I have tried your branch. Rebuilt and the XP machine still throws the
>>>> same issue.
>>>>
>>>> Do I need to reprovision?
>>> You need to at least run 'samba-tool ntacl sysvolreset' to get the new
>>> ACLs on disk.
>>>
>>> Andrew Bartlett
>>>
>> Hiya,
>>
>> No luck I'm afraid, still the same issue!
> Drat.  OK, we will need to dig in further.  Can you show me your
> idmap.ldb?
>
> What does 'samba-tool ntacl sysvolcheck' show?
>
> Andrew Bartlett
>
samba-tool ntacl sysvolcheck shows:

sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
[sudo] password for qoole:
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file 
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Module 'acl_xattr' loaded
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: VFS ACL on GPO directory 
/usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) 
does not match expected value 
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) 
from GPO object
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
line 245, in run
     lp)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1574, in checksysvolacl
     direct_db_access)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1526, in check_gpos_acl
     domainsid, direct_db_access)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1476, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
path, fsacl_sddl, acl))




idmap.ldb contains:


# ldbsearch -H idmap.ldb
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid:: AQEAAAAAAAEAAAAA
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-1-0

# record 2
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000018
distinguishedName: CN=CONFIG

# record 3
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid:: AQEAAAAAAAULAAAA
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11

# record 4
dn: CN=S-1-5-9
cn: S-1-5-9
objectClass: sidMap
objectSid:: AQEAAAAAAAUJAAAA
type: ID_TYPE_BOTH
xidNumber: 3000010
distinguishedName: CN=S-1-5-9

# record 5
dn: CN=S-1-5-7
cn: S-1-5-7
objectClass: sidMap
objectSid:: AQEAAAAAAAUHAAAA
type: ID_TYPE_UID
xidNumber: 65534
distinguishedName: CN=S-1-5-7

# record 6
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-572
cn: S-1-5-21-3528014533-2888711523-1744986056-572
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoPAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000005
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-572

# record 7
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-520
cn: S-1-5-21-3528014533-2888711523-1744986056-520
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoCAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000004
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-520

# record 8
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-515
cn: S-1-5-21-3528014533-2888711523-1744986056-515
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAwIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000017
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-515

# record 9
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-514
cn: S-1-5-21-3528014533-2888711523-1744986056-514
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAgIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000012
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-514

# record 10
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-513
cn: S-1-5-21-3528014533-2888711523-1744986056-513
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAQIAAA==
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-513

# record 11
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-512
cn: S-1-5-21-3528014533-2888711523-1744986056-512
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-512

# record 12
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-501
cn: S-1-5-21-3528014533-2888711523-1744986056-501
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJo9QEAAA==
type: ID_TYPE_BOTH
xidNumber: 3000011
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-501

# record 13
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-500
cn: S-1-5-21-3528014533-2888711523-1744986056-500
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJo9AEAAA==
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-500

# record 14
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-1103
cn: S-1-5-21-3528014533-2888711523-1744986056-1103
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoTwQAAA==
type: ID_TYPE_BOTH
xidNumber: 3000016
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-1103

# record 15
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAIQIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-5-32-545

# record 16
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAIAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# record 17
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-519
cn: S-1-5-21-3528014533-2888711523-1744986056-519
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoBwIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000006
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-519

# record 18
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-518
cn: S-1-5-21-3528014533-2888711523-1744986056-518
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoBgIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000007
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-518

# record 19
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAJQIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549

# record 20
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid:: AQEAAAAAAAUSAAAA
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18

# record 21
dn: CN=S-1-5-2
cn: S-1-5-2
objectClass: sidMap
objectSid:: AQEAAAAAAAUCAAAA
type: ID_TYPE_BOTH
xidNumber: 3000014
distinguishedName: CN=S-1-5-2

# record 22
dn: CN=S-1-5-32-546
cn: S-1-5-32-546
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAIgIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000015
distinguishedName: CN=S-1-5-32-546

# returned 22 records
# 22 entries
# 0 referrals



Thanks,

Alex
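The sysvolcheck traceback only says that the on-disk descriptor "does not match" the one derived from the GPO object. The Python below is an added example for this thread, not Samba's own code and not something Alex or Andrew posted: it parses both SDDL strings from the error into owner, group, DACL and SACL, then reports which ACEs are missing on disk, which are extra, and which control flags differ. The two constants are copied from the error output above; the parser is a stand-alone one written for this example (it handles the classic ACE form used here, not conditional ACEs) and does not use Samba's `samba.ndr` or `samba.dcerpc.security` modules. For reading the output: `0x001f01ff` is FILE_ALL_ACCESS, `0x001200a9` is read-and-execute, `DA`/`EA`/`SY`/`AU`/`ED`/`CO`/`CG`/`WD` are Domain Admins, Enterprise Admins, Local System, Authenticated Users, Enterprise Domain Controllers, Creator Owner, Creator Group and Everyone, `P` on the DACL means inheritance from the parent is blocked, and `AI` on the SACL means it was auto-inherited.

```python
"""Explain a sysvolcheck mismatch: parse two SDDL strings and diff them.

Stand-alone example (not Samba's code). The two constants are copied from
the samba-tool ntacl sysvolcheck error in the thread.
"""
import re
from collections import Counter, namedtuple

# The descriptor samba-tool read from the GPO directory on disk ...
ON_DISK = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
           "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
           "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)")
# ... and the one it computed from the GPO object in AD ("expected value").
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
            "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

# The six ';'-separated fields of a classic SDDL ACE.
Ace = namedtuple("Ace", "type flags rights object_guid inherit_guid sid")

# SDDL sections: O:owner G:group D:dacl S:sacl. Classic ACE bodies never
# contain ':', so the next "X:" marker reliably terminates a section.
SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Return owner, group, and (flags, ACE list) for the DACL and SACL."""
    parts = dict(SECTION_RE.findall(sddl))
    desc = {"owner": parts.get("O"), "group": parts.get("G"),
            "dacl_flags": None, "dacl": [], "sacl_flags": None, "sacl": []}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        body = parts.get(key)
        if body is None:
            continue                      # section absent (no SACL on disk here)
        paren = body.find("(")
        desc[name + "_flags"] = body if paren < 0 else body[:paren]
        for raw in ACE_RE.findall(body):
            fields = raw.split(";")
            if len(fields) != 6:
                raise ValueError("malformed ACE: (%s)" % raw)
            desc[name].append(Ace(*fields))
    return desc


def diff_descriptors(on_disk, expected):
    """Compare two SDDL strings; an empty dict means they are equivalent.

    ACE order is ignored but multiplicity is kept (the duplicate DA entry in
    both strings is therefore not reported)."""
    a, b = parse_sddl(on_disk), parse_sddl(expected)
    report = {}
    for field in ("owner", "group", "dacl_flags", "sacl_flags"):
        if a[field] != b[field]:
            report[field] = (a[field], b[field])
    for acl in ("dacl", "sacl"):
        have, want = Counter(a[acl]), Counter(b[acl])
        missing = list((want - have).elements())   # in AD, not on disk
        extra = list((have - want).elements())     # on disk, not in AD
        if missing or extra:
            report[acl] = {"missing": missing, "extra": extra}
    return report


def ace_str(ace):
    return "(%s)" % ";".join(ace)


def explain(report):
    """Human-readable lines for a diff report (empty list = ACLs match)."""
    lines = []
    for field in ("owner", "group", "dacl_flags", "sacl_flags"):
        if field in report:
            got, want = report[field]
            lines.append("%s: on disk %r, AD expects %r" % (field, got, want))
    for acl in ("dacl", "sacl"):
        for kind in ("missing", "extra"):
            for ace in report.get(acl, {}).get(kind, []):
                lines.append("%s %s on disk: %s" % (acl.upper(), kind, ace_str(ace)))
    return lines


if __name__ == "__main__":
    print("\n".join(explain(diff_descriptors(ON_DISK, EXPECTED))) or "ACLs match")
```

Run against the two strings from the thread, the report shows the on-disk DACL lacks the `P` flag, has no SACL at all, is missing the inheritable full-control entries for Enterprise Admins and Local System, and carries six entries AD never asked for (including a Creator Group write-owner ACE); that is a much more useful starting point for "which side is wrong" than the raw mismatch message.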
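The idmap.ldb dump Andrew asked for stores each SID twice: as the `cn` the record is filed under and as a base64 binary `objectSid`. The Python below is an added example, not Samba's code and not part of the thread: it decodes each `objectSid` according to the binary SID layout (revision byte, sub-authority count, 48-bit big-endian identifier authority, 32-bit little-endian sub-authorities), checks that it agrees with the `cn`, and tabulates the SID to `xidNumber` mapping so that the entries mapped to low Unix ids (the `-500` Administrator account to uid 0, `-513` Domain Users to gid 100) stand out from the allocated 3000000-range ids. `SAMPLE` is a subset of the records copied from the dump above; the LDIF parser is deliberately minimal and assumes ldbsearch's one-attribute-per-line output with no folded continuation lines.

```python
"""Decode and sanity-check an `ldbsearch -H idmap.ldb` dump.

Stand-alone example, not Samba's code. SAMPLE is a subset of the records
from the dump in the thread (records 1, 2, 10 and 13).
"""
import base64
import struct

SAMPLE = """\
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid:: AQEAAAAAAAEAAAAA
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-1-0

# record 2
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000018
distinguishedName: CN=CONFIG

# record 10
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-513
cn: S-1-5-21-3528014533-2888711523-1744986056-513
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAQIAAA==
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-513

# record 13
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-500
cn: CN=S-1-5-21-3528014533-2888711523-1744986056-500
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJo9AEAAA==
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-500
"""


def sid_from_bytes(raw):
    """Binary SID (MS-DTYP 2.4.2.2) -> 'S-1-<authority>-<subauth>...'."""
    if len(raw) < 8 or raw[0] != 1 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID: %r" % (raw,))
    authority = int.from_bytes(raw[2:8], "big")       # 48-bit, big-endian
    subs = struct.unpack("<%dI" % raw[1], raw[8:])    # 32-bit, little-endian
    return "S-1-%d%s" % (authority, "".join("-%d" % s for s in subs))


def decode_sid_b64(text):
    """Convenience wrapper for a base64 value as printed after 'objectSid::'."""
    return sid_from_bytes(base64.b64decode(text))


def parse_ldif(text):
    """Split LDIF into {attr: value} dicts; '::' marks a base64 value."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:                 # blank line or comment ends a record
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            current[attr] = base64.b64decode(value[1:].strip())
        else:
            current[attr] = value.strip()
    if current:
        records.append(current)
    return records


def check_idmap(text):
    """One row per sidMap record: decoded SID, mapping type, xid, and whether
    the stored objectSid agrees with the cn the record is filed under."""
    rows = []
    for rec in parse_ldif(text):
        if rec.get("objectClass") != "sidMap":
            continue                    # skips the CN=CONFIG range record
        sid = sid_from_bytes(rec["objectSid"])
        cn = rec["cn"][3:] if rec["cn"].startswith("CN=") else rec["cn"]
        rows.append({"cn": cn, "sid": sid, "type": rec["type"],
                     "xid": int(rec["xidNumber"]), "consistent": sid == cn})
    return rows


if __name__ == "__main__":
    for r in check_idmap(SAMPLE):
        flag = "" if r["consistent"] else "  <-- cn/objectSid MISMATCH"
        print("%-52s %-12s xid=%-8d%s" % (r["sid"], r["type"], r["xid"], flag))
```

Running it over the full dump from the thread is a quick way to confirm that every record's binary SID really is the SID it is filed under, and to see at a glance which SIDs have been pinned to fixed Unix ids versus allocated from the 3000000-4000000 range declared in the CN=CONFIG record.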

