[Samba] SYSVOL ACLs and GPOs

Alex Matthews qoole.samba at lillimoth.com
Thu Nov 1 08:54:58 MDT 2012


On 30/10/2012 00:08, Jeremy Allison wrote:
> On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
>>>> be a particular trigger - but it shouldn't be able to make a
>>>> modification that doesn't go via vfs_acl_xattr.
>>>>
>>>> For Alex, before running the Group Policy tools on WinXP, he gets (at
>>>> level 10 on samba-tool ntacl sysvolcheck):
>>>>
>>>> get_nt_acl_internal: blob hash matches for
>>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>
>>>> then after, he gets:
>>>>
>>>> get_nt_acl_internal: blob hash does not match for
>>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.
>>> Is this message from smbd, or from samba-tool ?
>> That's what vfs_acl_common is printing, being run from samba-tool ntacl
>> sysvolcheck.  It links to the VFS layer.
> So this looks like it's running the Group Policy tools on WinXP
> that causes the problem ?
>
> Can we get a debug level 10 log of that activity going on
> against smbd ?
>
> Jeremy.
Ok I have some additional info.

Using the GPMC I cannot create new GPOs. I get the message: "This 
security ID may not be assigned as the owner of this object"

If I use samba-tool gpo create I get the following:

# bin/samba-tool gpo create "SMC Students"
ERROR(ldb): uncaught exception - LDAP error 50 
LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on 
CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
   File 
"/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", 
line 952, in run
     self.samdb.add(m)

If I supply administrator as username I get:

# bin/samba-tool gpo create "SMC Students" -U administrator
Password for [SMC\administrator]:
ERROR(runtime): uncaught exception - (-1073741734, 
'NT_STATUS_INVALID_OWNER')
   File 
"/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", 
line 987, in run
     conn.set_acl(sharepath, fs_sd, sio)

However this time it has successfully created the GPO. (GPMC still 
throws the same warnings about inconsistent ACLs).

bin/samba-tool gpo create "SMC Students" -d 10: http://pastebin.com/tjutA68u
bin/samba-tool gpo create "SMC Students" -U administrator -d 10: 
http://pastebin.com/8kkVEy7V

I would hazard a guess and say the GPMC error (when creating a GPO) is 
the same error as the samba-tool error.

Thanks,

Alex


More information about the samba-technical mailing list