[patch] add OU management and new GPO commands in samba-tool
denis bonnenfant
denis.bonnenfant at diderot.org
Mon Jun 18 15:46:38 MDT 2012
On 16/06/2012 23:02, denis bonnenfant wrote:
> Hello,
>
> Please find the following patches, adding new commands to samba-tool
> for OU and GPO. I tested them against a fresh install from git master.
> If they look good (these are my first patches in samba!), feel free
> to commit them.
>
> While testing it (fresh git install, new provision), I found
> something strange:
>
>
> I tried again with administrator:
>
> # /usr/local/samba/bin/samba-tool gpo create Bidon3 -U administrator
> ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 160, in _run
> return self.run(*args, **kwargs)
> File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
> line 1043, in run
> conn.set_acl(sharepath, fs_sd)
>
> But in this case, the GPO is created:
>
> GPO : {7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> display name : Bidon3
> path :
> \\diderot.org\sysvol\diderot.org\Policies\{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> dn :
> CN={7E077E42-6F95-456A-ABFF-4AECD2AAFD2C},CN=Policies,CN=System,DC=diderot,DC=org
> version : 0
> flags : NONE
>
> # getfacl
> /usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> getfacl : suppression du premier « / » des noms de chemins absolus
> # file:
> usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> # owner: root
> # group: users
> # flags: -s-
> user::rwx
> user:root:rwx
> group::---
> group:adm:rwx
> group:users:---
> group:3000003:r-x
> group:3000012:rwx
> group:3000016:r-x
> group:3000017:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:adm:rwx
> default:group:users:---
> default:group:3000003:r-x
> default:group:3000012:rwx
> default:group:3000016:r-x
> default:group:3000017:rwx
> default:mask::rwx
> default:other::---
>
> This GPO can be modified from the Windows interface without errors.
>
These ACLs are inherited from the Policies dir, but on the Unix side there
are no POSIX ACLs on this dir (from the Windows side they exist). Refreshing
it (for example by adding a new ACL to the Policies dir) writes the POSIX
ACLs, and then everything works on the Windows side (a new GPO can be
created). Creating it with samba-tool works too, but still raises an
error when setting ACLs (is it necessary, as it seems to be inherited
from the parent dir?)
>
> Another issue: the default domain and domain controller GPO folders
> don't have the right ACLs, and can't be modified with Windows tools:
It's the same issue: POSIX ACLs are not created during initial sysvol
tree creation (or the tree is created before s3fs started?). Do I need to
file a bug for this?
Regards,
Denis Bonnenfant
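
Added example (not part of the original message and not Samba's code): a small parser for `getfacl` output of the kind pasted above, reporting whether a directory carries extended access entries and default (inheritable) entries, and which named entries new children would not inherit. The sample inputs, the placeholder paths and the function names are constructed for illustration.

```python
# Constructed samples in getfacl's text format; paths and GUID are placeholders.
WITH_ACL = """\
# file: sysvol/example.test/Policies/{PLACEHOLDER-GUID}
# owner: root
# group: users
user::rwx
user:root:rwx
group::---
group:adm:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:adm:rwx
default:mask::rwx
default:other::---
"""
BASE_ONLY = """\
# file: sysvol/example.test/Policies
user::rwx
group::r-x
other::---
"""

def parse_getfacl(text):
    """Return (access, default) dicts mapping (tag, qualifier) -> perms."""
    access, default = {}, {}
    for raw in text.splitlines():
        # Dropping everything after '#' removes headers and '#effective:' notes.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":")
        target = default if parts[0] == "default" else access
        tag, qualifier, perms = parts[-3:]
        target[(tag, qualifier)] = perms
    return access, default

def audit(text):
    """Summarise whether extended and default (inheritable) entries exist."""
    access, default = parse_getfacl(text)
    named = {k for k in access if k[1]}  # user:NAME / group:NAME entries
    return {
        "extended_access": bool(named) or ("mask", "") in access,
        "has_default": bool(default),
        # Named entries on the directory that new children will not inherit.
        "not_inherited": sorted(k for k in named if k not in default),
    }
```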