[PATCH] SYSVOL ACL fixes Re: [PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat

Rowland Penny repenny at f2s.com
Tue Nov 13 15:15:12 MST 2012

On 13/11/12 20:51, Andrew Bartlett wrote:
> On Tue, 2012-11-13 at 20:05 +0000, Alex Matthews wrote:
>> On 13/11/2012 06:00, Andrew Bartlett wrote:
>>> On Tue, 2012-11-13 at 09:26 +1100, Andrew Bartlett wrote:
>>>> On Mon, 2012-11-12 at 17:19 +1100, Andrew Bartlett wrote:
>>>>> This patch should fix the issues where an ACL set on sysvol by
>>>>> samba-tool ntacl sysvolreset cannot be read back, and so sysvolcheck
>>>>> fails.
>>>>> The root cause here appears to be not setting fsp->is_directory
>>>>> correctly.
>>>>> This patch unifies the get and set code by simply using the same
>>>>> boilerplate, however another approach would be to call
>>>>> SMB_VFS_GET_NT_ACL() instead, which only needs a file path.
>>>>> I'm posting this so as to mark the fact that I've reproduced and fixed
>>>>> one small part of this SYSVOL issue locally, and am continuing to work
>>>>> on it.
>>>>> I have a second patch here, which I feel makes this code more robust -
>>>>> it removes the NT4 compatibility layer in the posix ACL code.  This will
>>>>> mean that the ACL written by 'samba-tool ntacl sysvolreset' is read by a
>>>>> windows client.  Currently samba-tool appears as RA_UNKNOWN, and so gets
>>>>> NT4 compatible ACLs, which can break the hash when a windows client
>>>>> accesses the server.
>>>>> I need to test more to prove this is strictly required, but I do feel it
>>>>> is a worthwhile change in any case, given how long dead NT4 clients
>>>>> changing ACLs with the windows GUI are.
>>>> Jelmer,
>>>> Attached are the patches I'm currently working on, for review.  Please
>>>> ack the ones you are comfortable with (perhaps just the test patches).
>>>> At https://bugzilla.samba.org/show_bug.cgi?id=9383#c1 has already
>>>> indicated he is happy to be rid of the "acl compatibility" code.
>>> The ACL patches here, on master, appear to be the key changes required
>>> to have GPOs work.  At least, they work for me with a Windows 7 client
>>> setting and applying GPOs.  (The patches already posted are unchanged
>>> from the previous mail).
>>> If I could please have *everyone* who is having trouble with sysvol ACLs
>>> and is willing to run master try these patches.  You will have to run
>>> 'samba-tool ntacl sysvolreset' to get the correct ACLs.
>>> They are also in my gpo-acl-fix branch at
>>> git://git.samba.org/abartlet/samba.git
>>> There are fixes for both the ntvfs and smbd file servers.  The tests
>>> included with them show that we now correctly store the GPO ACLs in both
>>> cases.
>>> If we confirm this indeed fixes ACLs, then we have finally solved a
>>> major blocker for the 4.0 release.
>>> Andrew Bartlett
>> Hiya,
>> Just checked out your patch branch and compiled a test platform.
>> GPMC still comes up with the same message about inconsistent ACLs.
>> Clicking ok does not 'fix' the issue and reselecting the GPO comes up
>> with the same message.
>> *_However_* after clicking OK sysvolcheck still passes. It does NOT fail
>> like it did previously!
> Does this only happen on an upgraded domain, or also on a fresh domain?
> If this was an upgrade domain, did you run 'samba-tool ntacl
> sysvolreset' first?
> Otherwise, I'll have to expand my testing - I've only tried out Windows
> 7, so I'll have to try WinXP too and see if I can get this to show up.
> Andrew Bartlett
Hello Andrew,
In my case, I upgraded from RC4 to 4.1.0pre1-GIT-c5f53ed.
I carried out the upgrade, then ran 'samba-tool ntacl sysvolreset'; this
ran without error. I then restarted samba4.
I then logged in as administrator on a W7 client, ran gpmc and got
the error.

Before the upgrade, if I ran 'samba-tool ntacl sysvolreset' it errored out

