[SCM] Samba Shared Repository - branch master updated
Matthieu Patou
mat at samba.org
Thu Aug 19 10:40:06 MDT 2010
Dear Samba4 users,

With this patch I correct an error that I introduced at the beginning of
the year and that caused the machine GPO not to be accessible (because
file access was denied).

I recommend users who provisioned their samba4 after the 1/01/2010 to
run upgradeprovision with the following parameter:
--resetfileacl

I.e. ./scripting/bin/upgradeprovision -s <path_to_smb.conf> --resetfileacl

Of course you are invited to back up the provision before, to stop
samba4, and to be prepared for a restore. In a word, if you are
unprepared, in a hurry, or unaware, don't do the upgrade.

Although we pay attention to upgradeprovision so that it does its job
correctly, errors and bugs are still possible. That being said, I updated
my provisions without a problem in a couple of minutes this morning.

For people who have updated an older provision within the last two
months, you are also invited to do the update.

Cheers.
Matthieu

On 19/08/2010 16:07, Matthieu Patou wrote:
> The branch, master has been updated
> via 4fec72d... s4 provision: POLICY_ACL is already an FS acl no need to translate it
> - Log -----------------------------------------------------------------
> commit 4fec72db1c73c03e6a666723dcc8eb8a2667d598
> Author: Matthieu Patou<mat at matws.net>
> Date: Thu Aug 19 12:37:00 2010 +0400
>
> s4 provision: POLICY_ACL is already an FS acl no need to translate it
> diff --git a/source4/scripting/python/samba/provision.py b/source4/scripting/python/samba/provision.py
> index 9014e49..92cb6f4 100644
> --- a/source4/scripting/python/samba/provision.py
> +++ b/source4/scripting/python/samba/provision.py
> @@ -1204,23 +1220,46 @@ def set_dir_acl(path, acl, lp, domsid):
> setntacl(lp, os.path.join(root, name), acl, domsid)
>
>
> -def set_gpo_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp):
> - # Set ACL for GPO
> - policy_path = os.path.join(sysvol, dnsdomain, "Policies")
> - set_dir_acl(policy_path,dsacl2fsacl(POLICIES_ACL, str(domainsid)),
> - lp, str(domainsid))
> +def set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp):
> + """Set ACL on the sysvol/<dnsname>/Policies folder and the policy
> + folders beneath.
> +
> + :param sysvol: Physical path for the sysvol folder
> + :param dnsdomain: The DNS name of the domain
> + :param domainsid: The SID of the domain
> + :param domaindn: The DN of the domain (ie. DC=...)
> + :param samdb: An LDB object on the SAM db
> + :param lp: an LP object
> + """
> +
> + # Set ACL for GPO root folder
> + root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")
> + setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid))
> +
> res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),
> attrs=["cn", "nTSecurityDescriptor"],
> expression="", scope=ldb.SCOPE_ONELEVEL)
> +
> for policy in res:
> acl = ndr_unpack(security.descriptor,
> str(policy["nTSecurityDescriptor"])).as_sddl()
> - policy_path = getpolicypath(sysvol,dnsdomain,str(policy["cn"]))
> + policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))
> set_dir_acl(policy_path, dsacl2fsacl(acl, str(domainsid)), lp,
> str(domainsid))
>
> def setsysvolacl(samdb, netlogon, sysvol, gid, domainsid, dnsdomain, domaindn,
> lp):
> + """Set the ACL for the sysvol share and the subfolders
> +
> + :param samdb: An LDB object on the SAM db
> + :param netlogon: Physical path for the netlogon folder
> + :param sysvol: Physical path for the sysvol folder
> + :param gid: The GID of the "Domain adminstrators" group
> + :param domainsid: The SID of the domain
> + :param dnsdomain: The DNS name of the domain
> + :param domaindn: The DN of the domain (ie. DC=...)
> + """
> +
> try:
> os.chown(sysvol,-1,gid)
> except:
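Review bot: in set_gpos_acl the root Policies folder is now covered by a single setntacl() call on root_policy_path, where the removed code went through set_dir_acl(), which, judging by the context line at the top of the hunk, also applies the ACL to entries beneath the path. Anything directly under Policies that is not returned by the CN=Policies,CN=System search therefore keeps whatever ACL it had before; if that is intended, state it in the docstring, otherwise keep the recursive call and pass it the untranslated POLICIES_ACL. Smaller points: the new setsysvolacl docstring documents every parameter except lp, "adminstrators" is misspelled there, and the rename from set_gpo_acl to set_gpos_acl needs its callers updated, none of which appear in the visible lines.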
--
Matthieu Patou
Samba Team http://samba.org