samba-tool ntacl sysvolreset --use-s3fs failure on samba4.0.0rc1

Andrew Bartlett abartlet at samba.org
Tue Oct 9 06:02:55 MDT 2012


On Tue, 2012-10-09 at 14:01 +0200, Daniele Dario wrote:
> Hi Andrew,
> 
> On Tue, 2012-10-09 at 22:35 +1100, Andrew Bartlett wrote:
> > On Tue, 2012-10-09 at 09:50 +0200, Daniele Dario wrote:
> > > Hi samba team,
> > > yesterday I was trying to understand why my DC account created during
> > > provisioning (for the primary DC) and during join (for secondary DC) do
> > > not have any permission on the sysvol folder.
> > 
> > > 
> > > Did I break something "posixifying" the AD default groups?
> > 
> > You did.  
> > 
> > Like installations that are upgraded from Samba3 and have GID allocated
> > for domain admins, there is the issue that because 'domain admins'
> > actually owns files in the sysvol directory, it needs to also map as a
> > UID.
> > 
> > The IDMAP_BOTH tag in idmap.ldb indicates this.
> > 
> > However, there is not (yet) a way to indicate this in the AD directory.
> > My thoughts are to add an optional extra schema that can be imported,
> > and that administrators wishing to set a SID -> UID and GID mapping can
> > add:
> > 
> > idmapUidAndGid: TRUE
> > 
> > to the user and group objects, and have it regard a uidNumber as also
> > being a gidNumber and vice versa.  
> > 
> > This would allow a per-object selection that the administrator has
> > confirmed that the uid and gid spaces do not conflict in this specific
> > case. 
> > 
> > The other approach is to try and ignore the problem, and this attached
> > patch tries to simply avoid doing the chown, instead changing the file
> > to be owned by either administrator or root, but then lying about the
> > ownership later. 
> > 
> > I need feedback to confirm that this all works properly for GPO
> > manipulation, so if you can test that it would be most helpful. 
> > 
> > Andrew Bartlett
> > 
> 
> I'm currently using samba4.0.0rc1 built from the released tarball and
> patch -p1 < 000... failed with
> 
> [root at kdc01:~/samba4/samba-4.0.0rc1]# patch -p1 <
> 0001-samba-tool-skip-chown-in-sysvolreset-when-it-would-f.patch 
> patching file source4/scripting/python/samba/ntacls.py
> patching file source4/scripting/python/samba/provision/__init__.py
> Hunk #1 FAILED at 1365.
> Hunk #2 FAILED at 1391.
> Hunk #3 succeeded at 1398 with fuzz 1 (offset -4 lines).
> Hunk #4 succeeded at 1415 with fuzz 1 (offset -4 lines).
> Hunk #5 succeeded at 1449 (offset -6 lines).
> 2 out of 5 hunks FAILED -- saving rejects to file
> source4/scripting/python/samba/provision/__init__.py.rej
> 
> Please find attached reject file.
> 
> May I use the patch to manually patch __init__.py or can you create the
> patch starting from the file released with the rc1?
> 
> Another way could be to download the latest git (master?) and build from
> scratch then apply the patch you previously sent?

The patch is for master.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org



