samba-tool ntacl sysvolreset --use-s3fs failure on samba4.0.0rc1

Andrew Bartlett abartlet at samba.org
Wed Oct 10 04:35:50 MDT 2012


On Tue, 2012-10-09 at 14:58 +0200, Daniele Dario wrote:
> Hi Andrew,
> 
> On Tue, 2012-10-09 at 23:02 +1100, Andrew Bartlett wrote:
> > On Tue, 2012-10-09 at 14:01 +0200, Daniele Dario wrote:
> > > Hi Andrew,
> > > 
> > > On Tue, 2012-10-09 at 22:35 +1100, Andrew Bartlett wrote:
> > > > On Tue, 2012-10-09 at 09:50 +0200, Daniele Dario wrote:
> > > > > Hi samba team,
> > > > > yesterday I was trying to understand why my DC account created during
> > > > > provisioning (for the primary DC) and during join (for secondary DC) do
> > > > > not have any permission on the sysvol folder.
> > > > 
> > > > > 
> > > > > Did I break something "posixifying" the AD default groups?
> > > > 
> > > > You did.  
> > > > 
> > > > Like installations that are upgraded from Samba3 and have GID allocated
> > > > for domain admins, there is the issue that because 'domain admins'
> > > > actually owns files in the sysvol directory, it needs to also map as a
> > > > UID.
> > > > 
> > > > The IDMAP_BOTH tag in idmap.ldb indicates this.
> > > > 
> > > > However, there is not (yet) a way to indicate this in the AD directory.
> > > > My thoughts are to add an optional extra schema that can be imported,
> > > > and that administrators wishing to set a SID -> UID and GID mapping can
> > > > add:
> > > > 
> > > > idmapUidAndGid: TRUE
> > > > 
> > > > to the user and group objects, and have it regard a uidNumber as also
> > > > being a gidNumber and vice versa.  
> > > > 
> > > > This would allow a per-object selection that the administrator has
> > > > confirmed that the uid and gid spaces do not conflict in this specific
> > > > case. 
> > > > 
> > > > The other approach is to try and ignore the problem, and this attached
> > > > patch tries to simply avoid doing the chown, instead changing the file
> > > > to be owned by either administrator or root, but then lying about the
> > > > ownership later. 
> > > > 
> > > > I need feedback to confirm that this all works properly for GPO
> > > > manipulation, so if you can test that it would be most helpful. 
> > > > 
> > > > Andrew Bartlett
> > > > 
> > > 
> > > I'm currently using samba4.0.0rc1 built from the released tarball and
> > > patch -p1 < 000... failed with
> > > 
> > > [root at kdc01:~/samba4/samba-4.0.0rc1]# patch -p1 <
> > > 0001-samba-tool-skip-chown-in-sysvolreset-when-it-would-f.patch 
> > > patching file source4/scripting/python/samba/ntacls.py
> > > patching file source4/scripting/python/samba/provision/__init__.py
> > > Hunk #1 FAILED at 1365.
> > > Hunk #2 FAILED at 1391.
> > > Hunk #3 succeeded at 1398 with fuzz 1 (offset -4 lines).
> > > Hunk #4 succeeded at 1415 with fuzz 1 (offset -4 lines).
> > > Hunk #5 succeeded at 1449 (offset -6 lines).
> > > 2 out of 5 hunks FAILED -- saving rejects to file
> > > source4/scripting/python/samba/provision/__init__.py.rej
> > > 
> > > Please find attached reject file.
> > > 
> > > May I use the patch to manually patch __init__.py or can you create the
> > > patch starting from the file released with the rc1?
> > > 
> > > Another way could be to download the latest git (master?) and build from
> > > scratch, then apply the patch you previously sent?
> > 
> > The patch is for master.
> > 
> > Andrew Bartlett
> > 
> 
> made a git pull (from master) and applied the patch.
> Built fine and installed.
> 
> Now samba-tool ntacl sysvolreset --use-s3fs works fine.
> 
> Questions:
> 1. is it correct now to leave the default ad groups posixified?

It makes the situation more tolerable.  It is still not ideal, and it
may well not allow GPOs to be modified (hence asking for testing of
that).

> 2. why do I still see that sysvol (and its subfolders and files)
> getfacl are group:3000007:r-- when 3000007 is not a valid group?

If you install nss_winbind you will see what group that is.  It is
probably another group such as group policy admins. 

> 3. would it be possible to add rwx permissions also for the Domain
> Controllers group to allow rsync from the DCs account work?

Probably best to rsync as root, so you can get the permissions correct.
As rsync will use nss calls to map usernames and groups to uid/gid
values, it should be able to cope with them having different numeric
values on each DC (I hope!).

We know this is not an ideal situation, but it's also not easy to fix;
it's actually a matter of choosing which non-ideal compromise to take.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
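Question 2 above (a bare numeric `group:3000007:r--` in `getfacl` output) is what you see when the ACL entry's gid has no name in NSS on the host running the check. The script below is an added example, not code from the thread or from Samba: it parses `getfacl` output and resolves every named user/group entry through NSS (the lookup that `nss_winbind` serves on a DC), listing the entries that stay numeric so an administrator can see at a glance whether winbind is wired into `nsswitch.conf` or whether the id really has no mapping. The sample `getfacl` text, including the gid `3000007`, is constructed for the example; the `sysvol` path in `main()` is an assumption.

```python
"""List sysvol ACL entries whose uid/gid cannot be resolved through NSS."""
import grp
import pwd
import re
import subprocess
import sys
from typing import List, Optional, Tuple

# Constructed sample of `getfacl -p` output; the ids are made up for the example.
SAMPLE_GETFACL = """\
# file: /var/lib/samba/sysvol
# owner: root
# group: 3000000
user::rwx
user:root:rwx
user:3000007:r-x
group::r-x
group:3000007:r--
mask::rwx
other::---
"""

# Named entries only: "user:<name-or-id>:<perms>" / "group:<name-or-id>:<perms>".
# The owner/owning-group lines ("user::", "group::") have an empty middle field.
ENTRY_RE = re.compile(r"^(user|group):([^:]+):([rwx-]{3})$")


def resolve_name(kind: str, ident: str) -> Optional[str]:
    """Return the NSS name for a numeric uid/gid, the name itself if it is
    already symbolic, or None when NSS has no mapping for the number."""
    if not ident.isdigit():
        return ident
    try:
        if kind == "user":
            return pwd.getpwuid(int(ident)).pw_name
        return grp.getgrgid(int(ident)).gr_name
    except KeyError:
        return None


def parse_getfacl(text: str) -> List[Tuple[str, str, str]]:
    """Extract (kind, identifier, perms) for every named ACL entry."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2), match.group(3)))
    return entries


def unresolved_entries(text: str) -> List[Tuple[str, str, str]]:
    """Entries whose uid/gid has no name in NSS (shown numerically by getfacl)."""
    return [(kind, ident, perms)
            for kind, ident, perms in parse_getfacl(text)
            if resolve_name(kind, ident) is None]


def main(path: str = "/var/lib/samba/sysvol") -> int:
    # Assumed sysvol location; `getfacl -R -p` walks the tree with absolute names.
    out = subprocess.run(["getfacl", "-R", "-p", path],
                         capture_output=True, text=True, check=True).stdout
    bad = unresolved_entries(out)
    for kind, ident, perms in bad:
        print(f"unresolved {kind} {ident} ({perms}) - check nsswitch.conf / winbind")
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it on a DC as root; a non-zero exit means at least one ACL entry still refers to an id that NSS cannot name. If the same id resolves once `winbind` is added to the `passwd` and `group` lines of `nsswitch.conf`, the mapping exists in `idmap.ldb` and the number was only cosmetic; if it stays unresolved everywhere, the id has no mapping on that host.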
