Ignore incorrect Domain Admins GID IDMAP in 'samba-tool ntacl sysvolreset'

Andrew Bartlett abartlet at samba.org
Thu Oct 4 18:25:34 MDT 2012

On Fri, 2012-10-05 at 09:43 +1000, Andrew Bartlett wrote:
> On Thu, 2012-10-04 at 13:49 +1000, Andrew Bartlett wrote:
> > Ricky (and others)
> > 
> > The WHATSNEW has this known issue:
> > 
> > - 'samba-tool domain classicupgrade' will fail when setting ACLs on
> >   the GPO folders with NT_STATUS_INVALID_OWNER in the default
> >   configuration.  This happens if, as is typical, a 'domain admins'
> >   group (-512) is mapped in the passdb backend being upgraded.  This
> >   is because the group mapping to a GID only prevents Samba from
> >   allocating a uid for that group.  The uid is needed so the 'domain
> >   admins' group can own the GPO file objects.
> > 
> >   To work around this issue, remove the 'domain admins' group before
> >   upgrade, as it will be re-created automatically.  You will
> >   of course need to fill in the group membership again.  A future
> >   release will make this automatic, or find some other workaround.
> > 
> > The attached patch makes it automatic.  Can you test it and check it
> > works?
> > 
> > I hope to propose something better (a way to select a value for a
> > combined (IDMAP_BOTH) uid and gid for domain admins) and a way to store
> > it in the AD directory, but for now this might help.
> Thinking about this some more, one other thing I can do is make the
> error much clearer.  If you could test the attached patch and ensure
> that on a system with a GID (only) for domain admins that it fails, it
> would be most helpful.
> The next step from here will be to have a mode where the chown to
> 'domain admins' is ignored, and we go back to the ntvfs behaviour of
> lying about the ACL (but set a mostly-correct posix ACL underneath). 

This patch (apply instead of that one) demonstrates this possible
approach.  The advantage is that we will get the ACL correct as far as
windows sees it, and we will have a reasonable posix ACL on disk, but we
won't notice if the posix ACL changes (invalidating the NT ACL).

> We do need a way to solve this in a generic manner, but this close to
> the release I'm also looking at ways to paper over the cracks. 

Let me know if you think this papers over things enough.  When used with
the first patch (skipping the domain admins GID), it should only be hit
by sites that have done an upgrade already, or we could keep that GID
and use this patch more broadly.

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-samba-tool-skip-chown-in-sysvolreset-when-it-would-f.patch
Type: text/x-patch
Size: 6474 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121005/be45b18a/attachment.bin>
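An added example, not from this thread or from Samba's own code, that checks for the idmap state the thread describes before running an upgrade or sysvolreset: it assumes winbind's `wbinfo` is on PATH and that the domain SID is passed as the first argument; the RID 512 suffix is the Domain Admins RID named in the WHATSNEW text above.

```shell
#!/bin/sh
# Check whether the Domain Admins group (RID 512) of a domain resolves to a
# uid as well as a gid.  A gid-only mapping is the state that makes the chown
# in 'samba-tool ntacl sysvolreset' fail with NT_STATUS_INVALID_OWNER.
# Assumptions: 'wbinfo' (winbind) is on PATH; $1 is the domain SID.

# wbinfo exits non-zero when it cannot convert the SID, so the exit status
# alone tells us whether a mapping exists.
sid_has_uid() {
    wbinfo --sid-to-uid="$1" >/dev/null 2>&1
}

sid_has_gid() {
    wbinfo --sid-to-gid="$1" >/dev/null 2>&1
}

# Classify the mapping of <domain SID>-512: prints one of
# "both", "uid-only", "gid-only" or "none".
domain_admins_idmap_state() {
    sid="$1-512"
    if sid_has_uid "$sid"; then
        if sid_has_gid "$sid"; then echo both; else echo uid-only; fi
    elif sid_has_gid "$sid"; then
        echo gid-only
    else
        echo none
    fi
}

# Returns 1 (and warns) only for the gid-only case that breaks the chown.
check_sysvolreset_owner() {
    state=$(domain_admins_idmap_state "$1")
    case "$state" in
        gid-only)
            echo "WARNING: $1-512 (Domain Admins) has a gid but no uid;" >&2
            echo "the chown in sysvolreset will fail with NT_STATUS_INVALID_OWNER." >&2
            return 1 ;;
        *)
            echo "Domain Admins idmap state: $state"
            return 0 ;;
    esac
}

# Usage: sh check_idmap.sh S-1-5-21-...   (sourcing the file only defines the functions)
if [ $# -eq 1 ]; then
    check_sysvolreset_owner "$1"
fi
```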
