Samba-4.0-rc2 samba-tool ntacl sysvolreset
Gémes Géza
geza at kzsdabas.hu
Sat Oct 6 09:51:26 MDT 2012
Hi,
My saga with RC2 continues :-)
I have successfully joined a new RC2 install to my old beta6-GIT-4631723
domain (from classicupgrade)
The rc2 works fine this time. Except one minor (or not so) problem:
I've copied (the tar-ed version) of the sysvol folder from the old
install (deliberately chose to drop acls at the origin)
then I ran samba-tool ntacl sysvolreset on the RC2 install, which gave:
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 168, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 214, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1462, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1401, in set_gpos_acl
    str(domainsid), use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1368, in set_dir_acl
    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 108, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
At the same time samba-tool ntacl sysvolcheck fails with:
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/kzsdabas.hu/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 168, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 247, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1570, in checksysvolacl
    check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1523, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1474, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
Which suggests some bad ntacls on
sysvol/kzsdabas.hu/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} but
IMHO it shouldn't crash.
The directory in question has the following posix acl:
# file: usr/local/samba/var/locks/sysvol/kzsdabas.hu/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
# owner: root
# group: adm
# flags: -s-
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:3000005:r-x
group:3000008:r-x
group:3000009:rwx
mask::rwx
other::---
And the ntacl (--as-sddl) is:
O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)
Cheers
Geza Gemes
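
Added example (not part of the original message and not Samba's own code): a small stand-alone SDDL parser that diffs the two descriptors quoted in the sysvolcheck error, showing which owner, group and DACL entries differ between the filesystem ACL and the value expected from the GPO object. The names `parse_sddl` and `diff_sd` are made up for this illustration.

```python
import re

# Both strings are copied verbatim from the sysvolcheck error quoted above.
FS_SDDL = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)")
EXPECTED_SDDL = (
    "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

# One section: tag, then a SID or ACL flags, then zero or more "(ace)" groups.
SECTION = re.compile(r"([OGDS]):([^()]*?)((?:\([^)]*\))*)(?=[OGDS]:|$)")

def parse_sddl(sddl):
    """Return owner (O), group (G) and, for D/S, a (flags, [ace tuples]) pair."""
    sd = {"O": None, "G": None, "D": ("", []), "S": ("", [])}
    for tag, text, aces in SECTION.findall(sddl):
        if tag in "OG":
            sd[tag] = text
        else:
            # ACE fields: type;flags;rights;object_guid;inherit_guid;trustee
            sd[tag] = (text, [tuple(a.split(";"))
                              for a in re.findall(r"\(([^)]*)\)", aces)])
    return sd

def diff_sd(actual, expected):
    """Compare owner, group and DACL entries of two SDDL strings."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    a_aces, e_aces = a["D"][1], e["D"][1]
    return {
        "owner": (a["O"], e["O"]),
        "group": (a["G"], e["G"]),
        # dict.fromkeys() drops duplicate ACEs while keeping their order
        "missing": [x for x in dict.fromkeys(e_aces) if x not in a_aces],
        "extra": [x for x in dict.fromkeys(a_aces) if x not in e_aces],
    }

if __name__ == "__main__":
    d = diff_sd(FS_SDDL, EXPECTED_SDDL)
    print("owner  on disk %s, expected %s" % d["owner"])
    print("group  on disk %s, expected %s" % d["group"])
    for label in ("missing", "extra"):
        for ace in d[label]:
            print("%-7s (%s)" % (label, ";".join(ace)))
```

On the quoted strings this reports owner LA against DA and group BA against DU, DACL entries for DA, EA, CO and ED absent on disk, and BA and SO entries present on disk but not expected.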