[patch] add OU management and new GPO commands in samba-tool

denis bonnenfant denis.bonnenfant at diderot.org
Mon Jun 18 15:46:38 MDT 2012


On 16/06/2012 23:02, denis bonnenfant wrote:
> Hello,
>
> Please find the following patches, adding new commands to samba-tool
> for OU and GPO. I tested it against a fresh install from git master.
> If they look good (these are my first patches in samba!), feel free
> to commit them.
>
> While testing it (fresh git install, new provision), I found
> something strange:
>
>
> I tried again with administrator:
>
> # /usr/local/samba/bin/samba-tool gpo create Bidon3 -U administrator
> ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 160, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 1043, in run
>     conn.set_acl(sharepath, fs_sd)
>
> But in this case, the GPO is created:
>
> GPO          : {7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> display name : Bidon3
> path         : \\diderot.org\sysvol\diderot.org\Policies\{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> dn           : CN={7E077E42-6F95-456A-ABFF-4AECD2AAFD2C},CN=Policies,CN=System,DC=diderot,DC=org
> version      : 0
> flags        : NONE
>
> # getfacl /usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> getfacl : suppression du premier « / » des noms de chemins absolus
> # file: usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> # owner: root
> # group: users
> # flags: -s-
> user::rwx
> user:root:rwx
> group::---
> group:adm:rwx
> group:users:---
> group:3000003:r-x
> group:3000012:rwx
> group:3000016:r-x
> group:3000017:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:adm:rwx
> default:group:users:---
> default:group:3000003:r-x
> default:group:3000012:rwx
> default:group:3000016:r-x
> default:group:3000017:rwx
> default:mask::rwx
> default:other::---
>
> This GPO can be modified from the Windows interface without errors.
>

These ACLs are inherited from the Policies dir, but Unix-side there are
no POSIX ACLs on this dir (from the Windows side they exist). Refreshing
it (for example by adding a new ACL to the Policies dir) writes the POSIX
ACLs, and then everything works on the Windows side (a new GPO can be
created). Creating it with samba-tool works too, but still raises an
error when setting ACLs (is it necessary, as it seems to be inherited
from the parent dir?)
>
> Another issue: the default domain and domain controller GPO folders
> don't have the good ACLs, and can't be modified with Windows tools:

It's the same issue: POSIX ACLs are not created during initial sysvol
tree creation (or the tree is created before s3fs started?). Do I need to
file a bug for this?

Regards,

Denis Bonnenfant
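
The message above turns on whether a sysvol directory carries POSIX ACL entries that its children will inherit. The following is an added example, not part of the original post or of Samba: it parses `getfacl` text output and reports whether a directory has only mode bits, an extended ACL, or default (inheritable) entries. The function names and the two sample listings are assumptions made for illustration.

```python
# Added example: classify getfacl text output for a sysvol directory.
# GPO_DIR is abridged from the post (placeholder path); BARE_DIR is constructed.
GPO_DIR = """\
# file: sysvol/example/Policies/{GUID}
user::rwx
group::---
group:3000003:r-x
group:3000012:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:3000003:r-x
default:group:3000012:rwx
default:mask::rwx
default:other::---
"""
BARE_DIR = """\
# file: sysvol/example/Policies
user::rwx
group::r-x
other::r-x
"""

def parse_getfacl(text):
    """Return (access, default) dicts mapping (tag, qualifier) -> perms."""
    access, default = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue  # header comments: file, owner, group, flags
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        target[(tag, qualifier)] = perms.split()[0]  # drop "#effective:" notes
    return access, default

def acl_state(text):
    """'minimal' = mode bits only; otherwise say whether children inherit."""
    access, default = parse_getfacl(text)
    if default:
        return "inheritable"
    extended = any(q or tag == "mask" for tag, q in access)
    return "extended-no-default" if extended else "minimal"

def not_inherited(text):
    """Access entries with no identical default entry (not passed to children)."""
    access, default = parse_getfacl(text)
    return sorted(k for k, v in access.items() if default.get(k) != v)
```

Feeding it the output of `getfacl` for the Policies directory and for one GPO directory shows at a glance which of the two lacks inheritable entries.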

