[Samba] SYSVOL ACLs and GPOs

Alex Matthews qoole.samba at lillimoth.com
Thu Oct 25 17:49:04 MDT 2012


On 26/10/2012 00:34, Alex Matthews wrote:
> On 25/10/2012 23:27, Andrew Bartlett wrote:
>> On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote:
>>> On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
>>>> On 25/10/2012 11:30, Andrew Bartlett wrote:
>>>>> On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
>>>>>
>>>>>> samba-tool ntacl sysvolcheck shows:
>>>>>>
>>>>>> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught 
>>>>>> exception -
>>>>>> ProvisioningError: VFS ACL on GPO directory
>>>>>> /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} 
>>>>>>
>>>>>> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) 
>>>>>>
>>>>>> does not match expected value
>>>>>> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) 
>>>>>>
>>>>>> from GPO object
>>>>>>      File
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>>>>
>>>>>> line 175, in _run
>>>>>>        return self.run(*args, **kwargs)
>>>>>>      File
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
>>>>>>
>>>>>> line 245, in run
>>>>>>        lp)
>>>>>>      File
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>>
>>>>>> line 1574, in checksysvolacl
>>>>>>        direct_db_access)
>>>>>>      File
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>>
>>>>>> line 1526, in check_gpos_acl
>>>>>>        domainsid, direct_db_access)
>>>>>>      File
>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>>
>>>>>> line 1476, in check_dir_acl
>>>>>>        raise ProvisioningError('%s ACL on GPO directory %s %s 
>>>>>> does not
>>>>>> match expected value %s from GPO object' % 
>>>>>> (acl_type(direct_db_access),
>>>>>> path, fsacl_sddl, acl))
>>>>> Drat.
>>>>>
>>>>> So, assuming you have run 'samba-tool ntacl sysvolreset', this is 
>>>>> indeed
>>>>> the issue we have had for a while.  I had (incorrectly in your case)
>>>>> assumed the issue was that IDMAP mappings imported from classic 
>>>>> domains
>>>>> were breaking it.  That's why I worked on my patches, which 
>>>>> improve the
>>>>> situation by handling some details at a lower level.
>>>>>
>>>>> On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' 
>>>>> and
>>>>> then, if you don't mind, getting me the level 10 debug log would 
>>>>> be very
>>>>> helpful.  Set 'log level = 10' in your smb.conf, then re-run and 
>>>>> send me
>>>>> (personally) the result compressed with xz.
>>>>>
>>>>> Andrew Bartlett
>>>>>
>>>> Just to be clear, those last two logs were taken from a samba compiled
>>>> with your fix-acls2 branch.
>>>> It is also a completely blank provisioned domain I have not migrated
>>>> anything.
>>>>
>>>> What do you want the logs of? Starting samba + logging in from XP +
>>>> starting gpmc.msc + altering permissions manually?
>>> Yeah, I was incredibly unclear:  I need level 10 logs of just the
>>> command 'samba-tool ntacl sysvolcheck' command, as that shows the issue
>>> in a very nice, self-contained way.
>> So, the issue is that this host doesn't return the ACL consistently.
>> What I mean is this:
>>
>> When we store the NT ACL for the {12344...} folder, we store an xattr
>> with:
>>   - the NT ACL we need to return to clients
>>   - the hash of the posix ACL we set on disk (as read back from the OS)
>>
>> When we do the sysvolcheck we fetch the xattr, read the hash and get the
>> posix ACL off disk again.  On your host, these don't match!
>>
>> Can you give me details about what your host is?
>>
>> Just to be really sure we are doing this right, because I can't
>> reproduce this here, can you run:
>>
>> bin/samba-tool domain provision --targetdir=/tmp/provision-root2
>> --realm=realm.com --domain=dom
>>
>> Do this on master and on my fix-acls2 branch, with separate targetdir
>> for each, with this patch on top in both cases?
>>
>> If that passes, can you give me the provision command you normally use,
>> and tell me if that fails?
>>
>> If your normal command passes, then can you work out if there is a time
>> period involved before sysvolcheck fails? (that is, after X seconds it
>> fails).  For this last thing, I'm clutching at caching straws, but this
>> is a real issue that we must get to the bottom of - beyond the AD DC,
>> the ACL facility we use here is critical to file server users in Samba
>> too.
>>
>> Thanks,
>>
>> Andrew Bartlett
>>
> I have the following directory tree:
>
> /root/samba_test/samba-master
> /root/samba_test/samba-aclfix
> /root/samba_test/build-master
> /root/samba_test/build-aclfix
>
> I ran:
> build-master/bin/samba-tool domain provision 
> --targetdir=/root/samba_test/provision_master --realm=realm.com 
> --domain=dom
> build-aclfix/bin/samba-tool domain provision 
> --targetdir=/root/samba_test/provision_aclfix --realm=realm.com 
> --domain=dom
>
> however when I run:
> build-{master|aclfix}/bin/samba-tool ntacl sysvolcheck
> I get the following error:
>
> ERROR(runtime): uncaught exception - samdb_domain_sid failed
>   File 
> "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File 
> "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
> line 240, in run
>     domain_sid = security.dom_sid(samdb.domain_sid)
>   File 
> "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/samdb.py", 
> line 549, in get_domain_sid
>     return dsdb._samdb_get_domain_sid(self)
>
> I assume this is due to the targetdir supplied in the provision step?
>
> Thanks,
>
> Alex
>
Instead of using targetdir I just ran the provision as is, and on both 
trees sysvolcheck passes every time.
I have run sysvolreset as well and sysvolcheck still passes.
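The sysvolcheck error earlier in this thread prints two long SDDL strings and leaves the reader to spot the difference by eye. The following is an added example, not code from Samba or from anyone in this thread: it parses the observed and expected SDDL (copied from the error above as sample input) and reports the DACL/SACL flag mismatches and the ACEs that are missing from, or extra on, the on-disk ACL, which is what the check is really complaining about.

```python
import re
from collections import Counter

# Observed and expected SDDL for the GPO directory, copied from the
# sysvolcheck error in this thread (used here as sample input).
OBSERVED = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
            "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
            "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl(sddl):
    """Split SDDL into {'O': owner, 'G': group, 'D': (flags, aces), 'S': (flags, aces)}.
    Sections start at O:, G:, D: or S:, and colons occur nowhere else in an SDDL
    string, so a lookahead split is safe. ACEs stay raw strings for exact compare."""
    out = {"O": None, "G": None, "D": ("", []), "S": ("", [])}
    for section in re.split(r"(?=[OGDS]:)", sddl):
        if not section:
            continue
        key, body = section[0], section[2:]
        if key in ("O", "G"):
            out[key] = body
        else:
            flags = body.split("(", 1)[0]   # e.g. 'P' (protected) or 'AI'
            out[key] = (flags, ACE_RE.findall(body))
    return out

def diff_acl(observed, expected):
    """Report what a sysvolcheck-style comparison sees: owner/group, ACL flag
    mismatches, and ACEs missing from or extra in the observed DACL and SACL."""
    o, e = parse_sddl(observed), parse_sddl(expected)
    report = {"owner_ok": o["O"] == e["O"], "group_ok": o["G"] == e["G"]}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        (oflags, oaces), (eflags, eaces) = o[key], e[key]
        missing = Counter(eaces) - Counter(oaces)   # expected but not on disk
        extra = Counter(oaces) - Counter(eaces)     # on disk but not expected
        report[name] = {"flags": (oflags, eflags),
                        "missing": sorted(missing.elements()),
                        "extra": sorted(extra.elements())}
    return report

if __name__ == "__main__":
    for name, part in diff_acl(OBSERVED, EXPECTED).items():
        print(name, part)
```

For the strings above the output shows the on-disk DACL lacks the P (protected) flag and the full-control ACEs for EA and SY, carries six ACEs the GPO object never asked for, and has no SACL at all.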
