[Samba] SYSVOL ACLs and GPOs
Alex Matthews
qoole.samba at lillimoth.com
Thu Nov 1 08:54:58 MDT 2012
On 30/10/2012 00:08, Jeremy Allison wrote:
> On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
>>>> be a particular trigger - but it shouldn't be able to make a
>>>> modification that doesn't go via vfs_acl_xattr.
>>>>
>>>> For Alex, before running the Group Policy tools on WinXP, he gets (at
>>>> level 10 on samba-tool ntacl sysvolcheck):
>>>>
>>>> get_nt_acl_internal: blob hash matches for
>>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>
>>>> then after, he gets:
>>>>
>>>> get_nt_acl_internal: blob hash does not match for
>>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.
>>> Is this message from smbd, or from samba-tool ?
>> That's what vfs_acl_common is printing, being run from samba-tool ntacl
>> sysvolcheck. It links to the VFS layer.
> So this looks like it's running the Group Policy tools on WinXP
> that causes the problem ?
>
> Can we get a debug level 10 log of that activity going on
> against smbd ?
>
> Jeremy.
Ok I have some additional info.
Using the GPMC I cannot create new GPOs. I get the message: "This
security ID may not be assigned as the owner of this object"
If I use samba-tool gpo create I get the following:
# bin/samba-tool gpo create "SMC Students"
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
    self.samdb.add(m)
If I supply administrator as username I get:
# bin/samba-tool gpo create "SMC Students" -U administrator
Password for [SMC\administrator]:
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 987, in run
    conn.set_acl(sharepath, fs_sd, sio)
However this time it has successfully created the GPO. (GPMC still
throws the same warnings about inconsistent ACLs).
bin/samba-tool gpo create "SMC Students" -d 10: http://pastebin.com/tjutA68u
bin/samba-tool gpo create "SMC Students" -U administrator -d 10:
http://pastebin.com/8kkVEy7V
I would hazard a guess and say the GPMC error (when creating a GPO) is
the same error as the samba-tool error.
Thanks,
Alex