[PATCH] SYSVOL ACL fixes Re: [PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat

Ricky Nance ricky.nance at weaubleau.k12.mo.us
Tue Nov 13 14:33:33 MST 2012


With your branch, I can replicate this behavior on both Windows 7 and
Windows XP (haven't looked at Samba logs yet, but will do that this
evening). Open Group Policy Editor, then click on the Group Policy Objects
container, then click on one of your GPOs and it will prompt you.

On a brighter note, this fixed all of my GPO issues that gpupdate was
complaining about, so good work, it saved me a bit of a headache today, so
thanks for that! I will hop on IRC in a few hours and maybe we can work it
out.

Ricky

On Tue, Nov 13, 2012 at 2:51 PM, Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2012-11-13 at 20:05 +0000, Alex Matthews wrote:
> > On 13/11/2012 06:00, Andrew Bartlett wrote:
> > > On Tue, 2012-11-13 at 09:26 +1100, Andrew Bartlett wrote:
> > >> On Mon, 2012-11-12 at 17:19 +1100, Andrew Bartlett wrote:
> > >>> This patch should fix the issues where an ACL set on sysvol by
> > >>> samba-tool ntacl sysvolreset cannot be read back, and so sysvolcheck
> > >>> fails.
> > >>>
> > >>> The root cause here appears to be not setting fsp->is_directory
> > >>> correctly.
> > >>>
> > >>> This patch unifies the get and set code by simply using the same
> > >>> boilerplate, however another approach would be to call
> > >>> SMB_VFS_GET_NT_ACL() instead, which only needs a file path.
> > >>>
> > >>> I'm posting this so as to mark the fact that I've reproduced and fixed
> > >>> one small part of this SYSVOL issue locally, and am continuing to work
> > >>> on it.
> > >>>
> > >>> I have a second patch here, which I feel makes this code more robust -
> > >>> it removes the NT4 compatibility layer in the posix ACL code.  This will
> > >>> mean that the ACL written by 'samba-tool ntacl sysvolreset' is read by a
> > >>> windows client.  Currently samba-tool appears as RA_UNKNOWN, and so gets
> > >>> NT4 compatible ACLs, which can break the hash when a windows client
> > >>> accesses the server.
> > >>>
> > >>> I need to test more to prove this is strictly required, but I do feel it
> > >>> is a worthwhile change in any case, given how long dead NT4 clients
> > >>> changing ACLs with the windows GUI are.
> > >> Jelmer,
> > >>
> > >> Attached are the patches I'm currently working on, for review.  Please
> > >> ack the ones you are comfortable with (perhaps just the test patches).
> > >>
> > >> At https://bugzilla.samba.org/show_bug.cgi?id=9383#c1 has already
> > >> indicated he is happy to be rid of the "acl compatibility" code.
> > > The ACL patches here, on master, appear to be the key changes required
> > > to have GPOs work.  At least, they work for me with a Windows 7 client
> > > setting and applying GPOs.  (The patches already posted are unchanged
> > > from the previous mail).
> > >
> > > If I could please have *everyone* who is having trouble with sysvol ACLs
> > > and is willing to run master try these patches.  You will have to run
> > > 'samba-tool ntacl sysvolreset' to get the correct ACLs.
> > >
> > > They are also in my gpo-acl-fix branch at
> > > git://git.samba.org/abartlet/samba.git
> > >
> > > There are fixes for both the ntvfs and smbd file servers.  The tests
> > > included with them show that we now correctly store the GPO ACLs in both
> > > cases.
> > >
> > > If we confirm this indeed fixes ACLs, then we have finally solved a
> > > major blocker for the 4.0 release.
> > >
> > > Andrew Bartlett
> > >
> > Hiya,
> >
> > Just checked out your patch branch and compiled a test platform.
> >
> > GPMC Still comes up with the same message about inconsistent ACLs.
> > Clicking ok does not 'fix' the issue and reselecting the GPO comes up
> > with the same message.
> > *_However_* after clicking OK sysvolcheck still passes. It does NOT fail
> > like it did previously!
>
> Does this only happen on an upgraded domain, or also on a fresh domain?
>
> If this was an upgrade domain, did you run 'samba-tool ntacl
> sysvolreset' first?
>
> Otherwise, I'll have to expand my testing - I've only tried out Windows
> 7, so I'll have to try WinXP too and see if I can get this to show up.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>
>
>
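Added example for testers following the request above; this is not code from the thread or from Samba itself. It runs the reset and check Andrew asks for, then reads every GPO directory's ACL back as SDDL so that a directory whose ACL cannot be read back (the symptom of the unset fsp->is_directory) is reported by name. It assumes it is run as root on the DC, that samba-tool is on PATH, that SYSVOL lives at /var/lib/samba/sysvol (overridable by the first argument) and that the usual <domain>/Policies/{GUID} layout sits underneath it; none of those paths come from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread or of Samba itself.
# Reset SYSVOL ACLs, run sysvolcheck, then read every GPO's ACL back as SDDL
# so a directory whose ACL cannot be read back shows up by name.
#
# Assumptions: run as root on the DC, samba-tool on PATH, SYSVOL at
# /var/lib/samba/sysvol (override with the first argument) and the usual
# <domain>/Policies/{GUID} layout underneath it.
#
# Return codes: 0 = reset, check and every read-back succeeded
#               1 = sysvolcheck failed or a GPO ACL could not be read back
#               2 = samba-tool is not installed (nothing was touched)

sysvol_roundtrip() {
    sysvol=${1:-/var/lib/samba/sysvol}

    command -v samba-tool >/dev/null 2>&1 || return 2

    # Step 1: rewrite the canonical ACLs.  Required on an upgraded domain,
    # harmless on a fresh one.
    samba-tool ntacl sysvolreset || return 1

    # Step 2: the check that failed before the fix.
    samba-tool ntacl sysvolcheck || return 1

    # Step 3: read each GPO directory's ACL back.  A valid SDDL string starts
    # with the owner component "O:"; anything else means the stored ACL did
    # not survive the round trip through the file server.
    for gpo in "$sysvol"/*/Policies/*; do
        [ -d "$gpo" ] || continue
        sddl=$(samba-tool ntacl get --as-sddl "$gpo") || return 1
        case $sddl in
            O:*) echo "ok   $gpo" ;;
            *)   echo "BAD  $gpo: $sddl"; return 1 ;;
        esac
    done
    return 0
}

# Usage: sysvol_roundtrip [/path/to/sysvol]
```

Run it once before and once after applying the gpo-acl-fix branch on the same domain; on a machine without samba-tool it exits with status 2 and changes nothing, so it is safe to keep in a test harness.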

