[PATCH] SYSVOL ACL fixes Re: [PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat

Tadas retrry at gmail.com
Tue Nov 13 13:15:58 MST 2012

What should have changed?
I compiled master with your patches, but I get the same functionality as
with samba4rc5. I can read, edit, create, and delete GPOs, but I still get an error about
GPO and SYSVOL permissions not matching, and I still can't edit security
filtering (I get access denied). Some clients still do not apply GPO
settings at boot. I get the error: "The processing of Group Policy failed
because of lack of network connectivity to a domain controller." (I have
the "Always wait for the network at computer startup and logon" policy set.)

Tadas Barzdžius

On 13 November 2012 14:35, Rowland Penny <repenny at f2s.com> wrote:

> On 13/11/12 06:00, Andrew Bartlett wrote:
>> On Tue, 2012-11-13 at 09:26 +1100, Andrew Bartlett wrote:
>>> On Mon, 2012-11-12 at 17:19 +1100, Andrew Bartlett wrote:
>>>> This patch should fix the issues where an ACL set on sysvol by
>>>> samba-tool ntacl sysvolreset cannot be read back, and so sysvolcheck
>>>> fails.
>>>> The root cause here appears to be not setting fsp->is_directory
>>>> correctly.
>>>> This patch unifies the get and set code by simply using the same
>>>> boilerplate, however another approach would be to call
>>>> SMB_VFS_GET_NT_ACL() instead, which only needs a file path.
>>>> I'm posting this so as to mark the fact that I've reproduced and fixed
>>>> one small part of this SYSVOL issue locally, and am continuing to work
>>>> on it.
>>>> I have a second patch here, which I feel makes this code more robust -
>>>> it removes the NT4 compatibility layer in the posix ACL code.  This will
>>>> mean that the ACL written by 'samba-tool ntacl sysvolreset' is read by a
>>>> windows client.  Currently samba-tool appears as RA_UNKNOWN, and so gets
>>>> NT4 compatible ACLs, which can break the hash when a windows client
>>>> accesses the server.
>>>> I need to test more to prove this is strictly required, but I do feel it
>>>> is a worthwhile change in any case, given how long-dead NT4 clients
>>>> changing ACLs with the Windows GUI are.
>>> Jelmer,
>>> Attached are the patches I'm currently working on, for review.  Please
>>> ack the ones you are comfortable with (perhaps just the test patches).
>>> At https://bugzilla.samba.org/show_bug.cgi?id=9383#c1 has already
>>> indicated he is happy to be rid of the "acl compatibility" code.
>> The ACL patches here, on master, appear to be the key changes required
>> to have GPOs work.  At least, they work for me with a Windows 7 client
>> setting and applying GPOs.  (The patches already posted are unchanged
>> from the previous mail).
>> If I could please have *everyone* who is having trouble with sysvol ACLs
>> and is willing to run master try these patches.  You will have to run
>> 'samba-tool ntacl sysvolreset' to get the correct ACLs.
>> They are also in my gpo-acl-fix branch at
>> git://git.samba.org/abartlet/samba.git
>> There are fixes for both the ntvfs and smbd file servers.  The tests
>> included with them show that we now correctly store the GPO ACLs in both
>> cases.
>> If we confirm this indeed fixes ACLs, then we have finally solved a
>> major blocker for the 4.0 release.
>> Andrew Bartlett
> Hello Andrew,
> Version 4.1.0pre1-GIT-c5f53ed with the six patches applied compiles OK on
> Ubuntu 12.04, and 'samba-tool ntacl sysvolreset' now runs without errors.
> Roaming profiles/folder redirection work OK, but when I run the Group
> Policy Management Console on a Windows 7 PC and click on a Domain Policy, I
> still receive the following message:
>     The permissions for this GPO in the SYSVOL folder are inconsistent
> with those in Active Directory. It is recommended that these permissions be
> consistent. To change the permissions in SYSVOL to those in Active
> Directory, click OK
> It also gives a link to a Microsoft website: http://go.microsoft.com/fwlink/?LinkId=20066
> When I go to the microsoft website, the cause given is that the access
> control list (ACL) on the Sysvol portion of the Group Policy object is set
> to inherit permissions from the parent folder.
> If I click OK on the message I get on the W7 PC, it doesn't seem to do
> anything; getfacl /usr/local/samba/var/locks/sysvol returns the same
> ACLs before and after I open the Group Policy.
> getfacl: Removing leading '/' from absolute path names
> # file: usr/local/samba/var/locks/sysvol/
> # owner: root
> # group: adm
> user::rwx
> user:root:rwx
> group::rwx
> group:adm:rwx
> group:3000000:r-x
> group:3000001:rwx
> group:3000002:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:adm:rwx
> default:group:3000000:r-x
> default:group:3000001:rwx
> default:group:3000002:r-x
> default:mask::rwx
> default:other::---
> Rowland
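The getfacl listing Rowland posted is a POSIX ACL with both an access ACL (what applies to the sysvol directory itself) and a default ACL (what newly created children inherit from it). The following script is an added example, not Samba code and not what the Windows GPMC or `samba-tool ntacl sysvolcheck` do (those compare NT security descriptors against the GPO's nTSecurityDescriptor in AD): it parses getfacl output, applies the ACL mask the way the kernel does, and reports entries whose effective permissions differ between the access and default ACLs. The sample text is the listing from the thread, embedded here as constructed input so the script runs offline; on a real server, pipe `getfacl -R` output into `parse_getfacl()` one file block at a time. On the posted listing it flags exactly one entry: the owning group has rwx on the directory but --- in the default ACL, so children created by the server get a different group permission than the parent.

```python
"""Compare the access ACL and default ACL in getfacl output.

Added example for this thread; not part of Samba. It only inspects POSIX
ACLs as printed by getfacl and does not read the NT security descriptor
that Samba stores in xattrs.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: the getfacl listing quoted in the thread.
SAMPLE = """\
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: adm
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:3000000:r-x
group:3000001:rwx
group:3000002:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:adm:rwx
default:group:3000000:r-x
default:group:3000001:rwx
default:group:3000002:r-x
default:mask::rwx
default:other::---
"""

# An ACL entry is identified by (tag, qualifier); an empty qualifier means
# the file owner (user::), owning group (group::), mask:: or other::.
Entry = Tuple[str, str]


def parse_getfacl(text: str) -> Tuple[Dict[str, str], Dict[Entry, str], Dict[Entry, str]]:
    """Return (header, access_acl, default_acl) for one getfacl file block.

    header maps "file"/"owner"/"group" to their values; both ACL dicts map
    (tag, qualifier) to a permission string such as "r-x".
    """
    header: Dict[str, str] = {}
    access: Dict[Entry, str] = {}
    default: Dict[Entry, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("getfacl:"):
            continue  # blank line or getfacl's own warning text
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            header[key.strip()] = value.strip()
            continue
        target = access
        if line.startswith("default:"):
            target = default
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        # Drop the "#effective:..." annotation getfacl appends when the mask narrows an entry.
        perms = perms.split()[0]
        target[(tag, qualifier)] = perms
    return header, access, default


def effective(perms: str, mask: Optional[str], tag: str, qualifier: str) -> str:
    """Apply the ACL mask as the kernel does: it limits every entry except the
    owner (user::), other:: and the mask itself."""
    if mask is None or tag in ("other", "mask") or (tag == "user" and qualifier == ""):
        return perms
    return "".join(p if (p != "-" and m != "-") else "-" for p, m in zip(perms, mask))


def acl_mismatches(access: Dict[Entry, str], default: Dict[Entry, str]) -> List[Tuple[Entry, str, str]]:
    """Entries whose effective permissions differ between the access ACL and
    the default ACL. Returns (entry, access_perms, default_perms), using
    "absent" when one side has no entry at all."""
    amask = access.get(("mask", ""))
    dmask = default.get(("mask", ""))
    out: List[Tuple[Entry, str, str]] = []
    for entry in sorted(set(access) | set(default)):
        if entry == ("mask", ""):
            continue  # the mask is compared indirectly through effective()
        a = access.get(entry)
        d = default.get(entry)
        ea = effective(a, amask, *entry) if a is not None else "absent"
        ed = effective(d, dmask, *entry) if d is not None else "absent"
        if ea != ed:
            out.append((entry, ea, ed))
    return out


if __name__ == "__main__":
    header, access, default = parse_getfacl(SAMPLE)
    print(f"{header.get('file')}: owner={header.get('owner')} group={header.get('group')}")
    for (tag, qualifier), a, d in acl_mismatches(access, default):
        name = f"{tag}:{qualifier}" if qualifier else f"{tag}::"
        print(f"  {name:<18} access={a}  default={d}")
```

A difference between the two ACLs is not itself a fault (a parent directory often grants more than it hands down), but on a GPO tree it is the kind of inconsistency worth looking at before re-running `samba-tool ntacl sysvolreset`.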
