samba-tool ntacl sysvolreset --use-s3fs failure on samba4.0.0rc1

Daniele Dario d.dario76 at gmail.com
Wed Oct 10 06:27:09 MDT 2012


Hi Andrew,

On Wed, 2012-10-10 at 21:35 +1100, Andrew Bartlett wrote:
> On Tue, 2012-10-09 at 14:58 +0200, Daniele Dario wrote:
> > Hi Andrew,
> > 
> > On Tue, 2012-10-09 at 23:02 +1100, Andrew Bartlett wrote:
> > > On Tue, 2012-10-09 at 14:01 +0200, Daniele Dario wrote:
> > > > Hi Andrew,
> > > > 
> > > > On Tue, 2012-10-09 at 22:35 +1100, Andrew Bartlett wrote:
> > > > > On Tue, 2012-10-09 at 09:50 +0200, Daniele Dario wrote:
> > > > > > Hi samba team,
> > > > > > yesterday I was trying to understand why the DC accounts created during
> > > > > > provisioning (for the primary DC) and during join (for the secondary DC) do
> > > > > > not have any permission on the sysvol folder.
> > > > > 
> > > > > > 
> > > > > > Did I break something "posixifying" the AD default groups?
> > > > > 
> > > > > You did.  
> > > > > 
> > > > > Like installations that are upgraded from Samba3 and have GID allocated
> > > > > for domain admins, there is the issue that because 'domain admins'
> > > > > actually owns files in the sysvol directory, it needs to also map as a
> > > > > UID.
> > > > > 
> > > > > The IDMAP_BOTH tag in idmap.ldb indicates this.
> > > > > 
> > > > > However, there is not (yet) a way to indicate this in the AD directory.
> > > > > My thoughts are to add an optional extra schema that can be imported,
> > > > > and that administrators wishing to set a SID -> UID and GID mapping can
> > > > > add:
> > > > > 
> > > > > idmapUidAndGid: TRUE
> > > > > 
> > > > > to the user and group objects, and have it regard a uidNumber as also
> > > > > being a gidNumber and vice versa.  
> > > > > 
> > > > > This would allow a per-object selection that the administrator has
> > > > > confirmed that the uid and gid spaces do not conflict in this specific
> > > > > case. 
> > > > > 
> > > > > The other approach is to try and ignore the problem, and this attached
> > > > > patch tries to simply avoid doing the chown, instead changing the file
> > > > > to be owned by either administrator or root, but then lying about the
> > > > > ownership later. 
> > > > > 
> > > > > I need feedback to confirm that this all works properly for GPO
> > > > > manipulation, so if you can test that it would be most helpful. 
> > > > > 
> > > > > Andrew Bartlett
> > > > > 
> > > > 
> > > > I'm currently using samba4.0.0rc1 built from the released tarball and
> > > > patch -p1 < 000... failed with
> > > > 
> > > > [root@kdc01:~/samba4/samba-4.0.0rc1]# patch -p1 < 0001-samba-tool-skip-chown-in-sysvolreset-when-it-would-f.patch
> > > > patching file source4/scripting/python/samba/ntacls.py
> > > > patching file source4/scripting/python/samba/provision/__init__.py
> > > > Hunk #1 FAILED at 1365.
> > > > Hunk #2 FAILED at 1391.
> > > > Hunk #3 succeeded at 1398 with fuzz 1 (offset -4 lines).
> > > > Hunk #4 succeeded at 1415 with fuzz 1 (offset -4 lines).
> > > > Hunk #5 succeeded at 1449 (offset -6 lines).
> > > > 2 out of 5 hunks FAILED -- saving rejects to file source4/scripting/python/samba/provision/__init__.py.rej
> > > > 
> > > > Please find attached reject file.
> > > > 
> > > > May I use the patch to manually patch __init__.py or can you create the
> > > > patch starting from the file released with the rc1?
> > > > 
> > > > Another way could be to download the latest git (master?) and build from
> > > > scratch, then apply the patch you previously sent?
> > > 
> > > The patch is for master.
> > > 
> > > Andrew Bartlett
> > > 
> > 
> > I made a git pull (from master) and applied the patch.
> > Built fine and installed.
> > 
> > Now samba-tool ntacl sysvolreset --use-s3fs works fine.
> > 
> > Questions:
> > 1. is it correct now to leave the default ad groups posixified?
> 
> It makes the situation more tolerable.  It is still not ideal, and it
> may well not allow GPOs to be modified (hence asking for testing of
> that).
> 
> > 2. why do I still see that sysvol (and its subfolders and files)
> > getfacl are group:3000007:r-- when 3000007 is not a valid group?
> 
> If you install nss_winbind you will see what group that is.  It is
> probably another group such as group policy admins. 

Currently I have:

[root@kdc01:~]# ll /lib/libnss_winbind.so*
lrwxrwxrwx 1 root root 40 2012-10-09 14:49 /lib/libnss_winbind.so -> /usr/local/samba/lib/libnss_winbind.so.2*
lrwxrwxrwx 1 root root 22 2012-10-09 14:49 /lib/libnss_winbind.so.2 -> /lib/libnss_winbind.so*

and

[root@kdc01:~]# cat /etc/nsswitch.conf
# /etc/nsswitch.conf

passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

but still

[root@kdc01:~/samba4/samba-master]# getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: adm
user::rwx
user:root:rwx
group::r--
group:adm:r--
group:Group\040Policy\040Creator\040Owners:r--
group:3000007:r--
group:Enterprise\040Admins:r--
mask::rwx
other::---

That's why I'm asking who 3000007 would be.

Also, wbinfo --gid-info says:

[root@kdc01:~/]# wbinfo --gid-info=3000007
failed to call wbcGetgrgid: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for gid 3000007

Same happens on the other DC:

[root@kdc02:~]# getfacl /usr/local/samba/var/locks/sysvol
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: adm
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:3000011:r-x
group:3000044:r-x
group:3000045:rwx
mask::rwx
other::---

Could it be that the group assignment was made before "posixifying" the
basic AD groups, and that I've now lost the association?

May I try to modify them, removing the permissions for the "unmapped" gids
and writing the right ones?

From what I can read between the two DCs, I guess that on kdc02 3000011
was "Group Policy Creator Owners" and 3000045 was "Enterprise Admins",
but I don't know who 3000007 on kdc01 and 3000044 on kdc02 could have been
before posixifying the AD groups. Does anyone know?

I also thought ntacl sysvolreset would be able to change that, but it does
not.

> 
> > 3. would it be possible to add rwx permissions also for the Domain
> > Controllers group to allow rsync from the DC accounts to work?
> 
> Probably best to rsync as root, so you can get the permissions correct.
> As rsync will use nss calls to map usernames and groups to uid/gid
> values, it should be able to cope with them having different numeric
> values on each DC (I hope!).
> 

The idea of using the DC accounts came from Matthew's sync_dc script and
seemed to be a good compromise. Would it be possible to use kinit -k
-t /etc/krb5.keytab administrator to let rsync use ssh+gss-mic?

> We know this is not an ideal situation, but it's also not easy to fix,
> it's actually a matter of choosing which non-ideal compromise to take. 
> 
> Andrew Bartlett
> 

Many thanks,
Daniele.
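An added example, not part of the thread or of Samba itself: a small POSIX sh audit for the situation shown above. getfacl prints a name whenever NSS can resolve a uid/gid, so a bare numeric qualifier such as group:3000007 means the id is unmapped on that host. The script pulls every such entry out of a getfacl dump, asks NSS (which libnss_winbind should be answering), and if that fails asks winbind directly for the SID behind the id with wbinfo --gid-to-sid / --uid-to-sid and --sid-to-name. The embedded sample is constructed from the kdc02 output in the message; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit a getfacl dump for ACL entries
# whose qualifier is a bare number, i.e. ids NSS could not resolve, which is
# exactly the group:3000007:r-- case on sysvol discussed above.

# extract_numeric_entries: read getfacl output on stdin and print "kind:id"
# for every named user/group entry whose qualifier is all digits. Works on a
# recursive `getfacl -R` dump too; entries are de-duplicated.
extract_numeric_entries() {
    grep -E '^(user|group):[0-9]+:' | cut -d: -f1,2 | sort -u
}

# resolve_id: try NSS first (getent), then fall back to asking winbind for the
# SID behind the id. Returns 0 if NSS resolves it, 1 otherwise.
resolve_id() {
    kind=$1
    id=$2
    db=passwd
    if [ "$kind" = group ]; then
        db=group
    fi
    name=$(getent "$db" "$id" 2>/dev/null | cut -d: -f1)
    if [ -n "$name" ]; then
        echo "$kind $id -> $name"
        return 0
    fi
    if command -v wbinfo >/dev/null 2>&1; then
        if [ "$kind" = group ]; then
            sid=$(wbinfo --gid-to-sid="$id" 2>/dev/null)
        else
            sid=$(wbinfo --uid-to-sid="$id" 2>/dev/null)
        fi
        if [ -n "$sid" ]; then
            # winbind has an xid for it but NSS cannot name it: idmap mismatch
            echo "$kind $id -> UNMAPPED in NSS; winbind maps it to $sid ($(wbinfo --sid-to-name="$sid" 2>/dev/null))"
            return 1
        fi
    fi
    echo "$kind $id -> UNMAPPED"
    return 1
}

# audit_acl: run resolve_id over every numeric entry of a getfacl dump on stdin.
audit_acl() {
    extract_numeric_entries | while IFS=: read -r kind id; do
        resolve_id "$kind" "$id" || :
    done
}

# Constructed sample, copied from the kdc02 getfacl output in the thread.
SAMPLE_ACL='# file: usr/local/samba/var/locks/sysvol
# owner: root
# group: adm
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:3000011:r-x
group:3000044:r-x
group:3000045:rwx
mask::rwx
other::---'

# count_numeric_in_sample: how many numeric (unresolved) entries the sample has.
count_numeric_in_sample() {
    printf '%s\n' "$SAMPLE_ACL" | extract_numeric_entries | wc -l | tr -d ' '
}

# On a live DC you would feed the real tree instead of the sample:
#   getfacl -R /usr/local/samba/var/locks/sysvol | audit_acl
printf '%s\n' "$SAMPLE_ACL" | audit_acl
```

Run it on each DC and compare: an id that winbind can turn into a SID but NSS cannot name points at the idmap.ldb-vs-gidNumber mismatch described in the thread, whereas an id that neither can explain is simply a stale allocation that an ACL rewrite as root can replace.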
