[PATCH] SYSVOL ACL fixes Re: [PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat
Rowland Penny
repenny at f2s.com
Wed Nov 14 03:35:50 MST 2012
On 13/11/12 23:52, Ricky Nance wrote:
> Rowland, make sure you are grabbing his fix-gpo-acl branch, the
> patches are not yet in master, so you will need his repo.
>
> Ricky
>
> On Tue, Nov 13, 2012 at 4:15 PM, Rowland Penny <repenny at f2s.com> wrote:
>
> On 13/11/12 20:51, Andrew Bartlett wrote:
>
> On Tue, 2012-11-13 at 20:05 +0000, Alex Matthews wrote:
>
> On 13/11/2012 06:00, Andrew Bartlett wrote:
>
> On Tue, 2012-11-13 at 09:26 +1100, Andrew Bartlett wrote:
>
> On Mon, 2012-11-12 at 17:19 +1100, Andrew Bartlett wrote:
>
> This patch should fix the issues where an ACL set on sysvol by
> samba-tool ntacl sysvolreset cannot be read back, and so sysvolcheck
> fails.
>
> The root cause here appears to be not setting fsp->is_directory
> correctly.
>
> This patch unifies the get and set code by simply using the same
> boilerplate, however another approach would be to call
> SMB_VFS_GET_NT_ACL() instead, which only needs a file path.
>
> I'm posting this so as to mark the fact that I've reproduced and fixed
> one small part of this SYSVOL issue locally, and am continuing to work
> on it.
>
> I have a second patch here, which I feel makes this code more robust -
> it removes the NT4 compatibility layer in the posix ACL code. This will
> mean that the ACL written by 'samba-tool ntacl sysvolreset' is read by a
> windows client. Currently samba-tool appears as RA_UNKNOWN, and so gets
> NT4 compatible ACLs, which can break the hash when a windows client
> accesses the server.
>
> I need to test more to prove this is strictly required, but I do feel it
> is a worthwhile change in any case, given how long dead NT4 clients
> changing ACLs with the windows GUI are.
>
> Jelmer,
>
> Attached are the patches I'm currently working on, for review. Please
> ack the ones you are comfortable with (perhaps just the test patches).
>
> At https://bugzilla.samba.org/show_bug.cgi?id=9383#c1 has already
> indicated he is happy to be rid of the "acl compatibility" code.
>
> The ACL patches here, on master, appear to be the key changes required
> to have GPOs work. At least, they work for me with a Windows 7 client
> setting and applying GPOs. (The patches already posted are unchanged
> from the previous mail).
>
> If I could please have *everyone* who is having trouble with sysvol ACLs
> and is willing to run master try these patches. You will have to run
> 'samba-tool ntacl sysvolreset' to get the correct ACLs.
>
> They are also in my gpo-acl-fix branch at
> git://git.samba.org/abartlet/samba.git
>
> There are fixes for both the ntvfs and smbd file servers. The tests
> included with them show that we now correctly store the GPO ACLs in both
> cases.
>
> If we confirm this indeed fixes ACLs, then we have finally solved a
> major blocker for the 4.0 release.
>
> Andrew Bartlett
>
> Hiya,
>
> Just checked out your patch branch and compiled a test platform.
>
> GPMC Still comes up with the same message about inconsistent ACLs.
> Clicking ok does not 'fix' the issue and reselecting the GPO comes up
> with the same message.
> *_However_* after clicking OK sysvolcheck still passes. It does NOT fail
> like it did previously!
>
> Does this only happen on an upgraded domain, or also on a fresh domain?
>
> If this was an upgrade domain, did you run 'samba-tool ntacl
> sysvolreset' first?
>
> Otherwise, I'll have to expand my testing - I've only tried out Windows
> 7, so I'll have to try WinXP too and see if I can get this to show up.
>
> Andrew Bartlett
>
> Hello Andrew,
> in my case, I upgraded from RC4 to 4.1.0pre1-GIT-c5f53ed.
> I carried out the upgrade, then ran 'samba-tool ntacl sysvolreset',
> this ran without error, I then restarted samba4.
> I then logged in as administrator on a W7 client and ran gpmc and got
> the error.
>
> Before the upgrade, if I ran 'samba-tool ntacl sysvolreset' it errored
> out
>
>
> Rowland
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
Hi Ricky, I applied the patches that Andrew supplied, before I compiled
samba-master.
Rowland