[PATCH] SYSVOL ACL fixes Re: [PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat

Rowland Penny repenny at f2s.com
Tue Nov 13 05:35:12 MST 2012


On 13/11/12 06:00, Andrew Bartlett wrote:
> On Tue, 2012-11-13 at 09:26 +1100, Andrew Bartlett wrote:
>> On Mon, 2012-11-12 at 17:19 +1100, Andrew Bartlett wrote:
>>> This patch should fix the issues where an ACL set on sysvol by
>>> samba-tool ntacl sysvolreset cannot be read back, and so sysvolcheck
>>> fails.
>>>
>>> The root cause here appears to be not setting fsp->is_directory
>>> correctly.
>>>
>>> This patch unifies the get and set code by simply using the same
>>> boilerplate, however another approach would be to call
>>> SMB_VFS_GET_NT_ACL() instead, which only needs a file path.
>>>
>>> I'm posting this so as to mark the fact that I've reproduced and fixed
>>> one small part of this SYSVOL issue locally, and am continuing to work
>>> on it.
>>>
>>> I have a second patch here, which I feel makes this code more robust -
>>> it removes the NT4 compatibility layer in the posix ACL code.  This will
>>> mean that the ACL written by 'samba-tool ntacl sysvolreset' is read by a
>>> windows client.  Currently samba-tool appears as RA_UNKNOWN, and so gets
>>> NT4 compatible ACLs, which can break the hash when a windows client
>>> accesses the server.
>>>
>>> I need to test more to prove this is strictly required, but I do feel it
>>> is a worthwhile change in any case, given how long dead NT4 clients
>>> changing ACLs with the windows GUI are.
>> Jelmer,
>>
>> Attached are the patches I'm currently working on, for review.  Please
>> ack the ones you are comfortable with (perhaps just the test patches).
>>
>> At https://bugzilla.samba.org/show_bug.cgi?id=9383#c1 has already
>> indicated he is happy to be rid of the "acl compatibility" code.
> The ACL patches here, on master, appear to be the key changes required
> to have GPOs work.  At least, they work for me with a Windows 7 client
> setting and applying GPOs.  (The patches already posted are unchanged
> from the previous mail).
>
> If I could please have *everyone* who is having trouble with sysvol ACLs
> and is willing to run master try these patches.  You will have to run
> 'samba-tool ntacl sysvolreset' to get the correct ACLs.
>
> They are also in my gpo-acl-fix branch at
> git://git.samba.org/abartlet/samba.git
>
> There are fixes for both the ntvfs and smbd file servers.  The tests
> included with them show that we now correctly store the GPO ACLs in both
> cases.
>
> If we confirm this indeed fixes ACLs, then we have finally solved a
> major blocker for the 4.0 release.
>
> Andrew Bartlett
>

Hello Andrew,

Version 4.1.0pre1-GIT-c5f53ed with the six patches applied, compiles ok 
on Ubuntu 12.04 and 'samba-tool ntacl sysvolreset' now runs without errors.

Roaming profiles/folder redirection work ok, but when I run the Group 
Policy Management Console on a windows 7 pc and click on a Domain 
Policy, I still receive the following message:

     The permissions for this GPO in the SYSVOL folder are inconsistent 
with those in Active Directory. It is recommended that these permissions 
be consistent. To change the permissions in SYSVOL to those in Active 
Directory, click OK

It also gives a link to a microsoft website: 
http://go.microsoft.com/fwlink/?LinkId=20066

When I go to the microsoft website, the cause given is that the access 
control list (ACL) on the Sysvol portion of the Group Policy object is 
set to inherit permissions from the parent folder.

If I click OK to the message I get on the W7 pc, it doesn't seem to do 
anything, getfacl /usr/local/samba/var/locks/sysvol returns the same 
ACLs before and after I open the Group Policy.

getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: adm
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:3000000:r-x
group:3000001:rwx
group:3000002:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:adm:rwx
default:group:3000000:r-x
default:group:3000001:rwx
default:group:3000002:r-x
default:mask::rwx
default:other::---

Rowland

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



More information about the samba-technical mailing list