posix and NT ACL interactions on sysvol

Andrew Bartlett abartlet at samba.org
Tue Jun 19 20:22:49 MDT 2012


On Mon, 2012-06-18 at 23:46 +0200, denis bonnenfant wrote:
> On 16/06/2012 23:02, denis bonnenfant wrote:
> > Hello,
> >
> > Please find the following patches, adding new commands to samba-tool 
> > for OU and GPO. I tested it against a fresh install from git master. 
> > If they look good (these are my first patches in samba !), feel free 
> > to commit them.
> >
> > While testing it (fresh git install, new provision), I found 
> > something strange:
> >
> >
> > I tried again with administrator :
> >
> > # /usr/local/samba/bin/samba-tool gpo create Bidon3 -U administrator
> > ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
> >   File 
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
> > line 160, in _run
> >     return self.run(*args, **kwargs)
> >   File 
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", 
> > line 1043, in run
> >     conn.set_acl(sharepath, fs_sd)
> >
> > But in this case, the GPO is created:
> >
> > GPO          : {7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> > display name : Bidon3
> > path         : 
> > \\diderot.org\sysvol\diderot.org\Policies\{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> > dn           : 
> > CN={7E077E42-6F95-456A-ABFF-4AECD2AAFD2C},CN=Policies,CN=System,DC=diderot,DC=org
> > version      : 0
> > flags        : NONE
> >
> > # getfacl 
> > /usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> > getfacl: Removing leading '/' from absolute path names
> > # file: 
> > usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> > # owner: root
> > # group: users
> > # flags: -s-
> > user::rwx
> > user:root:rwx
> > group::---
> > group:adm:rwx
> > group:users:---
> > group:3000003:r-x
> > group:3000012:rwx
> > group:3000016:r-x
> > group:3000017:rwx
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:root:rwx
> > default:group::---
> > default:group:adm:rwx
> > default:group:users:---
> > default:group:3000003:r-x
> > default:group:3000012:rwx
> > default:group:3000016:r-x
> > default:group:3000017:rwx
> > default:mask::rwx
> > default:other::---
> >
> > This GPO can be modified from windows interface without errors.
> >
> 
> These ACLs are inherited from the Policies dir, but on the Unix side there 
> are no POSIX ACLs on this dir (from the Windows side they exist). Refreshing 
> it (for example by adding a new ACL to the Policies dir) writes the POSIX 
> ACLs, and then everything works on the Windows side (a new GPO can be 
> created). Creating it with samba-tool works too, but still raises an 
> error when setting ACLs (is it necessary, as it seems to be inherited 
> from the parent dir?)
> >
> > Another issue: the default domain and domain controller GPO folders 
> > don't have the right ACLs, and can't be modified with Windows tools:
> 
> It's the same issue: POSIX ACLs are not created during initial sysvol 
> tree creation (or is the tree created before s3fs is started?). Do I need to 
> file a bug for this?

The theory was that the ACLs written during provision (which are written
only as security.NTACL version 1 entries) would trump any POSIX
permissions.  Later, when Samba is running, we can write POSIX ACLs to
match if the permissions are changed.  (The reason we don't write out
POSIX ACLs during provision is that we don't have the full software
stack running, and regardless, we have upgrading sites in a similar
situation of having just security.NTACL version 1 entries, so we need to
support it.)

Can you please file a bug on this, so we can either resolve it to
(somehow) set the posix ACL as well, or honour the security.NTACL alone?
See https://bugzilla.samba.org/show_bug.cgi?id=8938#c7 for an example of
what Jeremy will need.  

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
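The mismatch the thread describes is a sysvol directory that carries an NT ACL in its security.NTACL xattr (what Windows clients are shown) while the filesystem itself has only mode bits, or an ACL that differs from it. The script below is an added example, not from the thread and not part of Samba: it parses getfacl output to count named POSIX entries and to list entries whose qualifier is a bare uid/gid (which is what getfacl prints when NSS cannot resolve the id, as with the group:3000003 style entries quoted above), and walks a sysvol tree reporting, per directory, whether a security.NTACL xattr is present alongside that count. It assumes getfacl and getfattr from the acl/attr packages, that it is run as root (security.* xattrs are only readable by root), and the sysvol path shown in the thread as its default; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba. Assumed: getfacl/getfattr
# installed, run as root, and the default sysvol path taken from the thread.

# Read getfacl output on stdin and print the number of named (non-default)
# user:/group: entries. 0 means only the classic owner/group/other bits are
# present, i.e. no POSIX ACL has been written for that directory yet.
count_named_acl_entries() {
    grep -E '^(user|group):[^:]+:' | wc -l | tr -d ' '
}

# Read getfacl output on stdin and print each user/group entry (access or
# default) whose qualifier is a bare number, i.e. an id NSS could not
# resolve to a name. One line per distinct entry.
list_unresolved_ids() {
    sed -n -E 's/^(default:)?((user|group):[0-9]+):.*/\2/p' | sort -u
}

# Walk a sysvol tree and print one line per directory: whether a
# security.NTACL xattr exists and how many named POSIX entries there are.
# ntacl=yes with named_posix_entries=0 is the state the thread describes:
# Windows clients see the stored NT ACL, local processes only see mode bits.
audit_sysvol() {
    root="${1:-/usr/local/samba/var/locks/sysvol}"   # assumed default path
    find "$root" -type d | while IFS= read -r d; do
        if getfattr --absolute-names -n security.NTACL "$d" >/dev/null 2>&1; then
            ntacl=yes
        else
            ntacl=no
        fi
        # -p keeps absolute names so getfacl does not print its "Removing
        # leading '/'" notice on stderr for every directory.
        named=$(getfacl -p "$d" 2>/dev/null | count_named_acl_entries)
        printf '%s\tntacl=%s\tnamed_posix_entries=%s\n' "$d" "$ntacl" "$named"
    done
}

# Usage: sh sysvol_acl_audit.sh --audit [/path/to/sysvol]
if [ "${1:-}" = "--audit" ]; then
    audit_sysvol "${2:-}"
fi
```

The audit only tells you that the two views diverge, not what the NT ACL says; for that, `samba-tool ntacl get <path>` prints the stored security descriptor. Bare numeric qualifiers in getfacl output are not themselves an error on a DC, but they are worth resolving (for example through the AD DC's own NSS/winbind setup) before comparing the two views by hand, since otherwise the POSIX side cannot be read against the SIDs in the NT ACL.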
