samba-tool ntacl sysvolreset --use-s3fs failure on samba4.0.0rc1
Daniele Dario
d.dario76 at gmail.com
Wed Oct 10 06:27:09 MDT 2012
Hi Andrew,
On Wed, 2012-10-10 at 21:35 +1100, Andrew Bartlett wrote:
> On Tue, 2012-10-09 at 14:58 +0200, Daniele Dario wrote:
> > Hi Andrew,
> >
> > On Tue, 2012-10-09 at 23:02 +1100, Andrew Bartlett wrote:
> > > On Tue, 2012-10-09 at 14:01 +0200, Daniele Dario wrote:
> > > > Hi Andrew,
> > > >
> > > > On Tue, 2012-10-09 at 22:35 +1100, Andrew Bartlett wrote:
> > > > > On Tue, 2012-10-09 at 09:50 +0200, Daniele Dario wrote:
> > > > > > Hi samba team,
> > > > > > yesterday I was trying to understand why my DC accounts created during
> > > > > > provisioning (for the primary DC) and during join (for the secondary DC) do
> > > > > > not have any permission on the sysvol folder.
> > > > >
> > > > > >
> > > > > > Did I break something "posixifying" the AD default groups?
> > > > >
> > > > > You did.
> > > > >
> > > > > Like installations that are upgraded from Samba3 and have GID allocated
> > > > > for domain admins, there is the issue that because 'domain admins'
> > > > > actually owns files in the sysvol directory, it needs to also map as a
> > > > > UID.
> > > > >
> > > > > The IDMAP_BOTH tag in idmap.ldb indicates this.
> > > > >
> > > > > However, there is not (yet) a way to indicate this in the AD directory.
> > > > > My thoughts are to add an optional extra schema that can be imported,
> > > > > and that administrators wishing to set a SID -> UID and GID mapping can
> > > > > add:
> > > > >
> > > > > idmapUidAndGid: TRUE
> > > > >
> > > > > to the user and group objects, and have it regard a uidNumber as also
> > > > > being a gidNumber and vice versa.
> > > > >
> > > > > This would allow a per-object selection that the administrator has
> > > > > confirmed that the uid and gid spaces do not conflict in this specific
> > > > > case.
> > > > >
> > > > > The other approach is to try and ignore the problem, and this attached
> > > > > patch tries to simply avoid doing the chown, instead changing the file
> > > > > to be owned by either administrator or root, but then lying about the
> > > > > ownership later.
> > > > >
> > > > > I need feedback to confirm that this all works properly for GPO
> > > > > manipulation, so if you can test that it would be most helpful.
> > > > >
> > > > > Andrew Bartlett
> > > > >
> > > >
> > > > I'm currently using samba4.0.0rc1 built from the released tarball and
> > > > patch -p1 < 000... failed with
> > > >
> > > > [root at kdc01:~/samba4/samba-4.0.0rc1]# patch -p1 < 0001-samba-tool-skip-chown-in-sysvolreset-when-it-would-f.patch
> > > > patching file source4/scripting/python/samba/ntacls.py
> > > > patching file source4/scripting/python/samba/provision/__init__.py
> > > > Hunk #1 FAILED at 1365.
> > > > Hunk #2 FAILED at 1391.
> > > > Hunk #3 succeeded at 1398 with fuzz 1 (offset -4 lines).
> > > > Hunk #4 succeeded at 1415 with fuzz 1 (offset -4 lines).
> > > > Hunk #5 succeeded at 1449 (offset -6 lines).
> > > > 2 out of 5 hunks FAILED -- saving rejects to file
> > > > source4/scripting/python/samba/provision/__init__.py.rej
> > > >
> > > > Please find attached reject file.
> > > >
> > > > May I use the patch to manually patch __init__.py or can you create the
> > > > patch starting from the file released with the rc1?
> > > >
> > > > Another way could be to download the latest git (master?) and build from
> > > > scratch, then apply the patch you previously sent?
> > >
> > > The patch is for master.
> > >
> > > Andrew Bartlett
> > >
> >
> > I made a git pull (from master) and applied the patch.
> > It built fine and installed.
> >
> > Now samba-tool ntacl sysvolreset --use-s3fs works fine.
> >
> > Questions:
> > 1. is it correct now to leave the default AD groups posixified?
>
> It makes the situation more tolerable. It is still not ideal, and it
> may well not allow GPOs to be modified (hence asking for testing of
> that).
>
> > 2. why do I still see that sysvol (and its subfolders and files)
> > getfacl are group:3000007:r-- when 3000007 is not a valid group?
>
> If you install nss_winbind you will see what group that is. It is
> probably another group such as group policy admins.
Currently I have:
[root at kdc01:~]# ll /lib/libnss_winbind.so*
lrwxrwxrwx 1 root root 40 2012-10-09 14:49 /lib/libnss_winbind.so -> /usr/local/samba/lib/libnss_winbind.so.2*
lrwxrwxrwx 1 root root 22 2012-10-09 14:49 /lib/libnss_winbind.so.2 -> /lib/libnss_winbind.so*
and
[root at kdc01:~]# cat /etc/nsswitch.conf
# /etc/nsswitch.conf
passwd: compat winbind
group: compat winbind
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
but still
[root at kdc01:~/samba4/samba-master]# getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: adm
user::rwx
user:root:rwx
group::r--
group:adm:r--
group:Group\040Policy\040Creator\040Owners:r--
group:3000007:r--
group:Enterprise\040Admins:r--
mask::rwx
other::---
That's why I'm asking who 3000007 would be.
Also, wbinfo --gid-info reports:
[root at kdc01:~/]# wbinfo --gid-info=3000007
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000007
The same happens on the other DC:
[root at kdc02:~]# getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: adm
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:3000011:r-x
group:3000044:r-x
group:3000045:rwx
mask::rwx
other::---
Would it be possible that the group assignments were made before
"posixifying" the basic AD groups, and now I've lost the association?
May I try to modify them, removing the permissions for the "unmapped"
gids and rewriting the right ones?
From what I can read between the two DCs, I guess that on kdc02 3000011
was "Group Policy Creator Owners" and 3000045 was "Enterprise Admins",
but I don't know who 3000007 on kdc01 and 3000044 on kdc02 could have
been before I posixified the AD groups. Does anyone know?
I also thought ntacl sysvolreset would be able to change that, but it
does not.
>
> > 3. would it be possible to add rwx permissions also for the Domain
> > Controllers group to allow rsync from the DCs account work?
>
> Probably best to rsync as root, so you can get the permissions correct.
> As rsync will use nss calls to map usernames and groups to uid/gid
> values, it should be able to cope with them having different numeric
> values on each DC (I hope!).
>
The idea of using the DC accounts came from the sync_dc script from
Matthew and seemed to be a good compromise. Would it be possible to use
kinit -k -t /etc/krb5.keytab administrator to allow rsync to use
ssh+gss-mic?
> We know this is not an ideal situation, but it's also not easy to fix,
> it's actually a matter of choosing which non-ideal compromise to take.
>
> Andrew Bartlett
>
Many thanks,
Daniele.
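As an added example (not code from this thread or from Samba), a small Python check for the situation discussed above: it parses getfacl output and reports which named user/group entries carry a numeric id that the local NSS (passwd/group, including winbind once it is in nsswitch.conf) cannot resolve. The sample ACL is constructed from the kdc01 output quoted in this message.

```python
"""Report ACL entries whose numeric uid/gid the local NSS cannot map.

getfacl prints a name when NSS resolves the id and the bare number
otherwise, so an entry like 'group:3000007:r--' is exactly the
unmapped case. Constructed example, not Samba code.
"""
import grp
import pwd
import re
import subprocess

# Constructed sample: the kdc01 sysvol ACL quoted in the message above.
SAMPLE_ACL = """\
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: adm
user::rwx
user:root:rwx
group::r--
group:adm:r--
group:Group\\040Policy\\040Creator\\040Owners:r--
group:3000007:r--
group:Enterprise\\040Admins:r--
mask::rwx
other::---
"""

# kind:qualifier:perms; the owner/owning-group entries have an empty qualifier.
ENTRY_RE = re.compile(r"^(user|group):([^:]+):([rwx-]{3})$")


def parse_named_entries(acl_text):
    """Return (kind, qualifier, perms) tuples for the named user/group entries."""
    found = []
    for line in acl_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.append(m.groups())
    return found


def resolves(kind, qualifier):
    """True if NSS knows the qualifier; names are only printed when they resolve."""
    if not qualifier.isdigit():
        return True
    try:
        (pwd.getpwuid if kind == "user" else grp.getgrgid)(int(qualifier))
        return True
    except KeyError:
        return False


def unmapped_entries(acl_text):
    """The entries an admin has to investigate (e.g. with wbinfo --gid-info)."""
    return [e for e in parse_named_entries(acl_text) if not resolves(e[0], e[1])]


def acl_for_path(path):
    """Fetch a live ACL; needs the getfacl binary from the acl package."""
    return subprocess.run(["getfacl", path], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for kind, qual, perms in unmapped_entries(SAMPLE_ACL):
        print(f"unmapped {kind} id {qual} ({perms})")
```

Run it against `acl_for_path("/usr/local/samba/var/locks/sysvol")` on each DC to list the ids that still need a winbind mapping before touching the ACL by hand.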