samba-tool ntacl sysvolreset --use-s3fs failure on samba4.0.0rc1

Daniele Dario d.dario76 at gmail.com
Tue Oct 9 01:50:17 MDT 2012


Hi samba team,
yesterday I was trying to understand why my DC accounts created during
provisioning (for the primary DC) and during join (for the secondary DC) do
not have any permission on the sysvol folder.

Using ssh+GSSAPI to log in to the DCs with the DC accounts I've seen that
they seem to be part of different groups (KDC01$ logged in to the kdc02 DC was
a member of TechOffice, while logged in to the kdc01 DC it was, as expected,
a member of Domain Controllers).

I found that all the default groups (Domain Users, Domain Admins, ...)
do not map to the same GID on the two DCs even though I provisioned the
domain with the --use-rfc2307 option, so I thought that the problem could
be caused by the fact that the AD groups created by me were modified to
be rfc2307 compliant while the default ones were not.

Then I stopped samba on one DC and used this script to modify the
default groups as well:

#!/bin/bash
# Usage: posixify-group.sh "<group name>"
# Adds the posixGroup objectclass and the gidNumber currently assigned by
# winbind to one default AD group in sam.ldb (samba must be stopped).

strgid=$(wbinfo --group-info="$1")
gid=$(echo "$strgid" | cut -d ":" -f 3)
if [ -z "$gid" ]; then
    echo "no gid found for group '$1'" >&2
    exit 1
fi
echo "dn: cn=$1,cn=Users,dc=saitel,dc=loc
changetype: modify
add: objectclass
objectclass: posixGroup
-
add: gidnumber
gidnumber: $gid" > /tmp/"$1"
ldbmodify -H /usr/local/samba/private/sam.ldb -b dc=saitel,dc=loc /tmp/"$1"
rm /tmp/"$1"

and I called it for these groups:

Enterprise Read-Only Domain Controllers
Domain Admins
Domain Users
Domain Guests
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Group Policy Creator Owners
Read-Only Domain Controllers
DnsUpdateProxy

At this point I restarted samba on the other DC and found that the GIDs
were aligned between them. Only the DC accounts' UIDs were not aligned,
but I was not sure whether it was safe to posixify them.

At that point I retried to log in via SSH to the DCs, but the accounts
still did not have any permissions on sysvol.

Using getfacl on the sysvol folder I've seen this:

[root at kdc02:~]# getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: adm
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:3000011:r-x
group:3000044:r-x
group:3000045:rwx
mask::rwx
other::---

[root at kdc01:~/samba4/scripts]# getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: adm
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:Group\040Policy\040Creator\040Owners:r-x
group:3000007:rwx
group:Enterprise\040Admins:r-x
mask::rwx
other::---

so I thought I had to use samba-tool ntacl sysvolreset --use-s3fs to
reset the permissions but running it I get these messages:

[root at kdc02:~]# samba-tool ntacl sysvolreset --use-s3fs
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[scambio]"
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
Processing section "[homes]"
Processing section "[scambio]"
ldb_wrap open of idmap.ldb
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Module 'acl_xattr' loaded
Initialising custom vfs hooks from [dfs_samba4]
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
...
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
unpack_nt_owners: unable to validate owner sid for
S-1-5-21-1132727046-140625262-2935381992-512
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
ERROR(runtime): uncaught exception - (-1073741734,
'NT_STATUS_INVALID_OWNER')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 168, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
line 214, in run
    lp, use_ntvfs=use_ntvfs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1462, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1401, in set_gpos_acl
    str(domainsid), use_ntvfs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1368, in set_dir_acl
    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
line 108, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL,
sd)


[root at kdc01:~/samba4/scripts]# samba-tool ntacl sysvolreset --use-s3fs
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit
(16384)
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Module 'acl_xattr' loaded
Initialising custom vfs hooks from [dfs_samba4]
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
...
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
unpack_nt_owners: owner sid mapped to uid 0
unpack_nt_owners: group sid mapped to gid 4
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
unpack_nt_owners: unable to validate owner sid for
S-1-5-21-1132727046-140625262-2935381992-512
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
ERROR(runtime): uncaught exception - (-1073741734,
'NT_STATUS_INVALID_OWNER')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 168, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
line 214, in run
    lp, use_ntvfs=use_ntvfs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1462, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
use_ntvfs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1401, in set_gpos_acl
    str(domainsid), use_ntvfs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1368, in set_dir_acl
    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
line 108, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL,
sd)

On both DCs I've seen this:

[root at kdc01:~/samba4/scripts]# wbinfo -s
S-1-5-21-1132727046-140625262-2935381992-512
SAITEL\Domain Admins 2

Did I break something "posixifying" the AD default groups?

Thanks,
Daniele.
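As an added example (not part of Daniele's post and not Samba code), a small Python script that parses the two getfacl dumps shown above, decodes getfacl's "\040" escapes, lists the numeric group entries that winbind could not resolve to a name on each DC, and reports the ACL entries that differ between the two hosts. The sample data are copied from the post's output; the function names are my own.

```python
import re

# getfacl dumps from the two DCs, copied from the post (constructed sample
# data; "\040" is getfacl's octal escape for a space in a group name).
KDC02_ACL = r"""
# file: usr/local/samba/var/locks/sysvol
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:3000011:r-x
group:3000044:r-x
group:3000045:rwx
mask::rwx
other::---
"""
KDC01_ACL = r"""
# file: usr/local/samba/var/locks/sysvol
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:Group\040Policy\040Creator\040Owners:r-x
group:3000007:rwx
group:Enterprise\040Admins:r-x
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Map (tag, qualifier) -> perms for one getfacl dump, undoing octal escapes."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip blanks and header comments
            continue
        tag, qualifier, perms = line.split(":", 2)
        qualifier = re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), qualifier)
        entries[(tag, qualifier)] = perms
    return entries

def unresolved_ids(entries):
    """Bare numeric qualifiers: SIDs winbind could not map to a name on this host,
    the symptom of an idmap.ldb that differs between DCs."""
    return sorted(q for tag, q in entries if tag in ("user", "group") and q.isdigit())

def compare_acls(a, b):
    """Entries missing on one host or carrying different permissions."""
    return {k: (a.get(k), b.get(k)) for k in set(a) | set(b) if a.get(k) != b.get(k)}
```

Running compare_acls over dumps taken from every DC, before and after a sysvolreset, gives a quick check that the idmap and the sysvol ACLs are really consistent across the domain.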



More information about the samba-technical mailing list