samba-tool ntacl sysvolreset --use-s3fs failure on samba4.0.0rc1

Andrew Bartlett abartlet at samba.org
Tue Oct 9 05:35:23 MDT 2012


On Tue, 2012-10-09 at 09:50 +0200, Daniele Dario wrote:
> Hi samba team,
> yesterday I was trying to understand why my DC account created during
> provisioning (for the primary DC) and during join (for secondary DC) do
> not have any permission on the sysvol folder.

> 
> Did I break something "posixifying" the AD default groups?

You did.  

Like installations that are upgraded from Samba3 and have GID allocated
for domain admins, there is the issue that because 'domain admins'
actually owns files in the sysvol directory, it needs to also map as a
UID.

The IDMAP_BOTH tag in idmap.ldb indicates this.

However, there is not (yet) a way to indicate this in the AD directory.
My thoughts are to add an optional extra schema that can be imported,
and that administrators wishing to set a SID -> UID and GID mapping can
add:

idmapUidAndGid: TRUE

to the user and group objects, and have it regard a uidNumber as also
being a gidNumber and vice versa.  

This would allow a per-object selection that the administrator has
confirmed that the uid and gid spaces do not conflict in this specific
case. 

The other approach is to try and ignore the problem, and this attached
patch tries to simply avoid doing the chown, instead changing the file
to be owned by either administrator or root, but then lying about the
ownership later. 

I need feedback to confirm that this all works properly for GPO
manipulation, so if you can test that it would be most helpful. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-samba-tool-skip-chown-in-sysvolreset-when-it-would-f.patch
Type: text/x-patch
Size: 8303 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121009/02208b75/attachment.bin>
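The mapping problem described in the message (a group SID that owns files in sysvol must be expressible as a uid as well as a gid, which idmap.ldb records as `type: ID_TYPE_BOTH`, the value the message calls the IDMAP_BOTH tag) can be checked offline. The following is an added example, not Samba code and not the attached patch: it parses a constructed `ldbsearch`-style LDIF dump of idmap.ldb, reads the owner and group SIDs out of constructed SDDL strings for a few sysvol entries, and reports every entry that `chown` could not express. It then models the "posixifying" case as an overlay of uidNumber/gidNumber from AD objects, and the proposed `idmapUidAndGid: TRUE` attribute as turning such an object into an ID_TYPE_BOTH mapping; that attribute is the proposal in the message, not shipped schema, and the precedence of AD attributes over idmap.ldb allocations is a simplification assumed here. All SIDs, xidNumbers and paths are made up.

```python
import re

# Constructed LDIF in the shape of an `ldbsearch -H idmap.ldb` dump.
# SIDs and xidNumbers are invented for this example.
IDMAP_LDIF = """\
dn: CN=S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_BOTH
xidNumber: 3000000

dn: CN=S-1-5-21-111-222-333-500
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-500
type: ID_TYPE_UID
xidNumber: 3000001

dn: CN=S-1-5-21-111-222-333-512
objectClass: sidMap
objectSid: S-1-5-21-111-222-333-512
type: ID_TYPE_BOTH
xidNumber: 3000002
"""

# Constructed sysvol entries with the owner/group part of their NT security
# descriptor in SDDL form.  Explicit SIDs only; SDDL aliases such as DA or BA
# are not resolved here.
SYSVOL_ENTRIES = [
    ("sysvol/example.com/Policies",
     "O:S-1-5-21-111-222-333-512G:S-1-5-21-111-222-333-512"),
    ("sysvol/example.com/scripts",
     "O:S-1-5-32-544G:S-1-5-21-111-222-333-512"),
    ("sysvol/example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}",
     "O:S-1-5-21-111-222-333-500G:S-1-5-21-111-222-333-512"),
]

# Constructed AD object for Domain Admins after an admin added a gidNumber
# ("posixifying" the group) without any uidNumber.
AD_OBJECTS = [
    {"objectSid": "S-1-5-21-111-222-333-512",
     "sAMAccountName": "Domain Admins",
     "gidNumber": "10512"},
]

SDDL_OWNER_GROUP = re.compile(r"^O:(S-[0-9-]+)G:(S-[0-9-]+)")


def parse_idmap(ldif):
    """Return {sid: (type, xid)} from an LDIF dump of idmap.ldb records."""
    mapping = {}
    for record in re.split(r"\n\s*\n", ldif.strip()):
        attrs = dict(line.split(": ", 1)
                     for line in record.splitlines() if ": " in line)
        if "objectSid" in attrs:
            mapping[attrs["objectSid"]] = (attrs.get("type"),
                                           int(attrs["xidNumber"]))
    return mapping


def usable_as(mapping, sid, want):
    """want is 'uid' or 'gid'.  ID_TYPE_BOTH serves either namespace;
    a single-typed mapping serves only its own."""
    entry = mapping.get(sid)
    if entry is None:
        return False
    single = {"uid": "ID_TYPE_UID", "gid": "ID_TYPE_GID"}[want]
    return entry[0] in ("ID_TYPE_BOTH", single)


def chown_problems(entries, mapping):
    """Return [(path, reason)] for every entry whose owner SID has no uid
    mapping or whose group SID has no gid mapping; chown would fail there."""
    problems = []
    for path, sddl in entries:
        m = SDDL_OWNER_GROUP.match(sddl)
        if not m:
            problems.append((path, "unparsed SDDL owner/group: %s" % sddl))
            continue
        owner, group = m.groups()
        if not usable_as(mapping, owner, "uid"):
            problems.append((path, "owner %s has no uid mapping (type %s)"
                             % (owner, mapping.get(owner, (None,))[0])))
        if not usable_as(mapping, group, "gid"):
            problems.append((path, "group %s has no gid mapping (type %s)"
                             % (group, mapping.get(group, (None,))[0])))
    return problems


def overlay_ad_objects(mapping, ad_objects):
    """Copy of mapping with entries derived from AD objects carrying
    uidNumber/gidNumber.  Assumption: those attributes take precedence over
    the idmap.ldb allocation.  idmapUidAndGid is the attribute proposed in
    the message, not existing schema: when TRUE the object maps as
    ID_TYPE_BOTH, so one number serves as both uid and gid."""
    result = dict(mapping)
    for obj in ad_objects:
        sid = obj["objectSid"]
        uid, gid = obj.get("uidNumber"), obj.get("gidNumber")
        both = obj.get("idmapUidAndGid", "").upper() == "TRUE"
        if both and (uid is not None or gid is not None):
            result[sid] = ("ID_TYPE_BOTH", int(uid if uid is not None else gid))
        elif uid is not None:
            result[sid] = ("ID_TYPE_UID", int(uid))
        elif gid is not None:
            result[sid] = ("ID_TYPE_GID", int(gid))
    return result


if __name__ == "__main__":
    base = parse_idmap(IDMAP_LDIF)
    print("provisioned:", chown_problems(SYSVOL_ENTRIES, base))
    print("posixified: ", chown_problems(SYSVOL_ENTRIES,
                                         overlay_ad_objects(base, AD_OBJECTS)))
    flagged = [dict(o, idmapUidAndGid="TRUE") for o in AD_OBJECTS]
    print("with flag:  ", chown_problems(SYSVOL_ENTRIES,
                                         overlay_ad_objects(base, flagged)))
```

Run against a real DC by replacing `IDMAP_LDIF` with the output of `ldbsearch -H /path/to/private/idmap.ldb` and the SDDL strings with the owner/group prefix of `samba-tool ntacl get` output for the sysvol tree; the check reports the same entries that `sysvolreset` would have to skip or fake ownership for.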

