[PATCH] SYSVOL ACL fixes Re: [PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat
Ricky Nance
ricky.nance at weaubleau.k12.mo.us
Tue Nov 13 16:52:10 MST 2012
Rowland, make sure you are grabbing his fix-gpo-acl branch, the patches are
not yet in master, so you will need his repo.
Ricky
On Tue, Nov 13, 2012 at 4:15 PM, Rowland Penny <repenny at f2s.com> wrote:
> On 13/11/12 20:51, Andrew Bartlett wrote:
>
>> On Tue, 2012-11-13 at 20:05 +0000, Alex Matthews wrote:
>>
>>> On 13/11/2012 06:00, Andrew Bartlett wrote:
>>>
>>>> On Tue, 2012-11-13 at 09:26 +1100, Andrew Bartlett wrote:
>>>>
>>>>> On Mon, 2012-11-12 at 17:19 +1100, Andrew Bartlett wrote:
>>>>>
>>>>>> This patch should fix the issues where an ACL set on sysvol by
>>>>>> samba-tool ntacl sysvolreset cannot be read back, and so sysvolcheck
>>>>>> fails.
>>>>>>
>>>>>> The root cause here appears to be not setting fsp->is_directory
>>>>>> correctly.
>>>>>>
>>>>>> This patch unifies the get and set code by simply using the same
>>>>>> boilerplate, however another approach would be to call
>>>>>> SMB_VFS_GET_NT_ACL() instead, which only needs a file path.
>>>>>>
>>>>>> I'm posting this so as to mark the fact that I've reproduced and fixed
>>>>>> one small part of this SYSVOL issue locally, and am continuing to work
>>>>>> on it.
>>>>>>
>>>>>> I have a second patch here, which I feel makes this code more robust -
>>>>>> it removes the NT4 compatibility layer in the posix ACL code. This
>>>>>> will
>>>>>> mean that the ACL written by 'samba-tool ntacl sysvolreset' is read
>>>>>> by a
>>>>>> windows client. Currently samba-tool appears as RA_UNKNOWN, and so
>>>>>> gets
>>>>>> NT4 compatible ACLs, which can break the hash when a windows client
>>>>>> accesses the server.
>>>>>>
>>>>>> I need to test more to prove this is strictly required, but I do feel
>>>>>> it
>>>>>> is a worthwhile change in any case, given how long dead NT4 clients
>>>>>> changing ACLs with the windows GUI are.
>>>>>>
>>>>> Jelmer,
>>>>>
>>>>> Attached are the patches I'm currently working on, for review. Please
>>>>> ack the ones you are comfortable with (perhaps just the test patches).
>>>>>
>>>>> At https://bugzilla.samba.org/**show_bug.cgi?id=9383#c1<https://bugzilla.samba.org/show_bug.cgi?id=9383#c1>has already
>>>>> indicated he is happy to be rid of the "acl compatibility" code.
>>>>>
>>>> The ACL patches here, on master, appear to be the key changes required
>>>> to have GPOs work. At least, they work for me with a Windows 7 client
>>>> setting and applying GPOs. (The patches already posted are unchanged
>>>> from the previous mail).
>>>>
>>>> If I could please have *everyone* who is having trouble with sysvol ACLs
>>>> and is willing to run master try these patches. You will have to run
>>>> 'samba-tool ntacl sysvolreset' to get the correct ACLs.
>>>>
>>>> They are also in my gpo-acl-fix branch at
>>>> git://git.samba.org/abartlet/**samba.git<http://git.samba.org/abartlet/samba.git>
>>>>
>>>> There are fixes for both the ntvfs and smbd file servers. The tests
>>>> included with them show that we now correctly store the GPO ACLs in both
>>>> cases.
>>>>
>>>> If we confirm this indeed fixes ACLs, then we have finally solved a
>>>> major blocker for the 4.0 release.
>>>>
>>>> Andrew Bartlett
>>>>
>>>> Hiya,
>>>
>>> Just checked out your patch branch and compiled a test platform.
>>>
>>> GPMC Still comes up with the same message about inconsistent ACLs.
>>> Clicking ok does not 'fix' the issue and reselecting the GPO comes up
>>> with the same message.
>>> *_However_* after clicking OK sysvolcheck still passes. It does NOT fail
>>> like it did previously!
>>>
>> Does this only happen on a upgraded domain, or also on a fresh domain?
>>
>> If this was an upgrade domain, did you run 'samba-tool ntacl
>> sysvolreset' first?
>>
>> Otherwise, I'll have to expand my testing - I've only tried out Windows
>> 7, so I'll have to try WinXP too and see if I can get this to show up.
>>
>> Andrew Bartlett
>>
>> Hello Andrew,
> in my case, I upgraded from RC4 to 4.1.0pre1-GIT-c5f53ed.
> I carried out the upgrade, then ran 'samba-tool ntacl sysvolreset', this
> ran without error, I then restarted samba4.
> I then logged in as administrator on a W7 client and ran gpmc and got the
> error.
>
> Before the upgrade, if I ran 'samba-tool ntacl sysvolreset' it errored out
>
>
> Rowland
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
--
More information about the samba-technical
mailing list