Assert on correct Domain Admins GID IDMAP in 'samba-tool ntacl sysvolreset'
abartlet at samba.org
Thu Oct 4 17:43:21 MDT 2012
On Thu, 2012-10-04 at 13:49 +1000, Andrew Bartlett wrote:
> Ricky (and others)
> The WHATSNEW has this known issue:
> - 'samba-tool domain classicupgrade' will fail when setting ACLs on
> the GPO folders with NT_STATUS_INVALID_ONWER in the default
> configuration. This happens if, as is typical a 'domain admins'
> group (-512) is mapped in the passdb backend being upgraded. This
> is because the group mapping to a GID only prevents Samba from
> allocating a uid for that group. The uid is needed so the 'domain
> admins' group can own the GPO file objects.
> To work around this issue, remove the 'domain admins' group before
> upgrade, as it will be re-created automatically. You will
> of course need to fill in the group membership again. A future
> will make this automatic, or find some other workaround.
> The attached patch makes it automatic. Can you test it and check it
> I hope to propose something better (a way to select a value for a
> combined (IDMAP_BOTH) uid and gid for domain admins) and a way to store
> it in the AD directory, but for now this might help.
Thinking about this some more, one other thing I can do is make the
error much clearer. If you could test the attached patch and ensure
that on a system with a GID (only) for domain admins that it fails, it
would be most helpful.
The next step from here will be to have a mode where the chown to
'domain admins' is ignored, and we go back to the ntvfs behaviour of
lying about the ACL (but set a mostly-correct posix ACL underneath).
We do need a way to solve this in a generic manner, but this close to
the release I'm also looking at ways to paper over the cracks.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1885 bytes
Desc: not available
More information about the samba-technical