[PATCH] SYSVOL ACL fixes Re: [PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat

Andrew Bartlett abartlet at samba.org
Tue Nov 13 13:51:43 MST 2012


On Tue, 2012-11-13 at 20:05 +0000, Alex Matthews wrote:
> On 13/11/2012 06:00, Andrew Bartlett wrote:
> > On Tue, 2012-11-13 at 09:26 +1100, Andrew Bartlett wrote:
> >> On Mon, 2012-11-12 at 17:19 +1100, Andrew Bartlett wrote:
> >>> This patch should fix the issues where an ACL set on sysvol by
> >>> samba-tool ntacl sysvolreset cannot be read back, and so sysvolcheck
> >>> fails.
> >>>
> >>> The root cause here appears to be not setting fsp->is_directory
> >>> correctly.
> >>>
> >>> This patch unifies the get and set code by simply using the same
> >>> boilerplate, however another approach would be to call
> >>> SMB_VFS_GET_NT_ACL() instead, which only needs a file path.
> >>>
> >>> I'm posting this so as to mark the fact that I've reproduced and fixed
> >>> one small part of this SYSVOL issue locally, and am continuing to work
> >>> on it.
> >>>
> >>> I have a second patch here, which I feel makes this code more robust -
> >>> it removes the NT4 compatibility layer in the posix ACL code.  This will
> >>> mean that the ACL written by 'samba-tool ntacl sysvolreset' is read by a
> >>> windows client.  Currently samba-tool appears as RA_UNKNOWN, and so gets
> >>> NT4 compatible ACLs, which can break the hash when a windows client
> >>> accesses the server.
> >>>
> >>> I need to test more to prove this is strictly required, but I do feel it
> >>> is a worthwhile change in any case, given how long dead NT4 clients
> >>> changing ACLs with the windows GUI are.
> >> Jelmer,
> >>
> >> Attached are the patches I'm currently working on, for review.  Please
> >> ack the ones you are comfortable with (perhaps just the test patches).
> >>
> >> At https://bugzilla.samba.org/show_bug.cgi?id=9383#c1 has already
> >> indicated he is happy to be rid of the "acl compatibility" code.
> > The ACL patches here, on master, appear to be the key changes required
> > to have GPOs work.  At least, they work for me with a Windows 7 client
> > setting and applying GPOs.  (The patches already posted are unchanged
> > from the previous mail).
> >
> > If I could please have *everyone* who is having trouble with sysvol ACLs
> > and is willing to run master try these patches.  You will have to run
> > 'samba-tool ntacl sysvolreset' to get the correct ACLs.
> >
> > They are also in my gpo-acl-fix branch at
> > git://git.samba.org/abartlet/samba.git
> >
> > There are fixes for both the ntvfs and smbd file servers.  The tests
> > included with them show that we now correctly store the GPO ACLs in both
> > cases.
> >
> > If we confirm this indeed fixes ACLs, then we have finally solved a
> > major blocker for the 4.0 release.
> >
> > Andrew Bartlett
> >
> Hiya,
> 
> Just checked out your patch branch and compiled a test platform.
> 
> GPMC Still comes up with the same message about inconsistent ACLs. 
> Clicking ok does not 'fix' the issue and reselecting the GPO comes up 
> with the same message.
> *_However_* after clicking OK sysvolcheck still passes. It does NOT fail 
> like it did previously!

Does this only happen on a upgraded domain, or also on a fresh domain?

If this was an upgrade domain, did you run 'samba-tool ntacl
sysvolreset' first?

Otherwise, I'll have to expand my testing - I've only tried out Windows
7, so I'll have to try WinXP too and see if I can get this to show up.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org




More information about the samba-technical mailing list