Assert on correct Domain Admins GID IDMAP in 'samba-tool ntacl sysvolreset'

Andrew Bartlett abartlet at samba.org
Thu Oct 4 17:43:21 MDT 2012


On Thu, 2012-10-04 at 13:49 +1000, Andrew Bartlett wrote:
> Ricky (and others)
> 
> The WHATSNEW has this known issue:
> 
> - 'samba-tool domain classicupgrade' will fail when setting ACLs on
>   the GPO folders with NT_STATUS_INVALID_OWNER in the default
>   configuration.  This happens if, as is typical, a 'domain admins'
>   group (-512) is mapped in the passdb backend being upgraded.  This
>   is because the group mapping to a GID only prevents Samba from
>   allocating a uid for that group.  The uid is needed so the 'domain
>   admins' group can own the GPO file objects.
> 
>   To work around this issue, remove the 'domain admins' group before
>   upgrade, as it will be re-created automatically.  You will
>   of course need to fill in the group membership again.  A future release
>   will make this automatic, or find some other workaround.
> 
> The attached patch makes it automatic.  Can you test it and check it
> works?
> 
> I hope to propose something better (a way to select a value for a
> combined (IDMAP_BOTH) uid and gid for domain admins) and a way to store
> it in the AD directory, but for now this might help.

Thinking about this some more, one other thing I can do is make the
error much clearer.  If you could test the attached patch and ensure
that on a system with a GID (only) for domain admins it fails, it
would be most helpful.

The next step from here will be to have a mode where the chown to
'domain admins' is ignored, and we go back to the ntvfs behaviour of
lying about the ACL (but set a mostly-correct posix ACL underneath). 

We do need a way to solve this in a generic manner, but this close to
the release I'm also looking at ways to paper over the cracks. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-samba-tool-Assert-that-domain-admins-is-IDMAP_BOTH.patch
Type: text/x-patch
Size: 1885 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121005/b5953b7c/attachment.bin>
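As an added example (not code from this post or from the attached patch) of the check the patch title describes, the script below reads an idmap.ldb dump in the text form that ldbsearch prints and reports whether the Domain Admins (-512) entry is ID_TYPE_BOTH, the only mapping type that gives the group a uid as well as a gid. The sample records, the domain SID and the helper names are constructed for this example; the attribute names (objectSid, type, xidNumber) are the ones idmap.ldb uses.

```python
# Added example, not code from the mailing-list post or the attached patch:
# checks whether the Domain Admins entry in an idmap.ldb dump is ID_TYPE_BOTH.
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout `ldbsearch -H idmap.ldb` prints (attribute
# names objectSid/type/xidNumber as in idmap.ldb; SIDs and numbers are invented).
# The -512 (Domain Admins) entry is GID-only, the broken case from the WHATSNEW.
SAMPLE_IDMAP = """\
dn: CN=S-1-5-21-1111-2222-3333-512
cn: S-1-5-21-1111-2222-3333-512
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-512
type: ID_TYPE_GID
xidNumber: 3000000

dn: CN=S-1-5-21-1111-2222-3333-500
cn: S-1-5-21-1111-2222-3333-500
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-500
type: ID_TYPE_BOTH
xidNumber: 3000001
"""

# The same dump after the -512 mapping has been changed to ID_TYPE_BOTH.
SAMPLE_IDMAP_FIXED = SAMPLE_IDMAP.replace("type: ID_TYPE_GID", "type: ID_TYPE_BOTH")

DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # invented domain SID for the sample
DOMAIN_ADMINS_RID = 512                   # well-known RID of Domain Admins

Record = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Record]:
    """Minimal LDIF reader: records separated by blank lines, 'attr: value'
    lines, comment lines skipped.  Base64 ('::') and folded lines are not
    handled; idmap.ldb dumps do not need them for these attributes."""
    records: List[Record] = []
    current: Record = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        records.append(current)
    return records


def find_mapping(records: List[Record], sid: str) -> Optional[Record]:
    """Return the idmap record whose objectSid equals `sid`, or None."""
    for rec in records:
        if sid in rec.get("objectSid", []):
            return rec
    return None


def check_domain_admins(ldif_text: str, domain_sid: str) -> Tuple[bool, str]:
    """Decide whether a chown of SYSVOL objects to Domain Admins can succeed.

    Only an ID_TYPE_BOTH mapping gives the group a uid as well as a gid.
    A GID-only (or UID-only) entry is the case the post describes, where
    'samba-tool ntacl sysvolreset' fails with NT_STATUS_INVALID_OWNER.
    No entry at all is not the broken case: the WHATSNEW workaround is
    precisely to have no pre-existing mapping for the group.
    """
    sid = f"{domain_sid}-{DOMAIN_ADMINS_RID}"
    rec = find_mapping(parse_ldif(ldif_text), sid)
    if rec is None:
        return True, f"{sid}: no mapping present (not the GID-only case)"
    idtype = rec.get("type", ["(none)"])[0]
    xid = rec.get("xidNumber", ["?"])[0]
    if idtype == "ID_TYPE_BOTH":
        return True, f"{sid}: ID_TYPE_BOTH, xid {xid} usable as uid and gid"
    return False, (f"{sid}: {idtype}, xid {xid} has no uid side; "
                   "chown to Domain Admins would fail (NT_STATUS_INVALID_OWNER)")


if __name__ == "__main__":
    for label, dump in (("gid-only", SAMPLE_IDMAP), ("both", SAMPLE_IDMAP_FIXED)):
        ok, why = check_domain_admins(dump, DOMAIN_SID)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {why}")
```

On a real DC the input would come from `ldbsearch -H /path/to/private/idmap.ldb` and the domain SID from the domain itself; the script deliberately stops at reporting, since changing an existing mapping's type is exactly the policy question the post leaves open.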

