samba-tool ntacl sysvolreset --use-s3fs failure on samba4.0.0rc1

Andrew Bartlett abartlet at samba.org
Wed Oct 10 06:36:07 MDT 2012


On Wed, 2012-10-10 at 14:27 +0200, Daniele Dario wrote:
> Hi Andrew,
> 
> On Wed, 2012-10-10 at 21:35 +1100, Andrew Bartlett wrote:
> > On Tue, 2012-10-09 at 14:58 +0200, Daniele Dario wrote:
> > > Hi Andrew,
> > > 
> > > On Tue, 2012-10-09 at 23:02 +1100, Andrew Bartlett wrote:
> > > > On Tue, 2012-10-09 at 14:01 +0200, Daniele Dario wrote:
> > > > > Hi Andrew,
> > > > > 
> > > > > On Tue, 2012-10-09 at 22:35 +1100, Andrew Bartlett wrote:
> > > > > > On Tue, 2012-10-09 at 09:50 +0200, Daniele Dario wrote:
> > > > > > > Hi samba team,
> > > > > > > yesterday I was trying to understand why my DC account created during
> > > > > > > provisioning (for the primary DC) and during join (for secondary DC) do
> > > > > > > not have any permission on the sysvol folder.
> > > > > > 
> > > > > > > Did I break something "posixifying" the AD default groups?
> > > > > > 
> > > > > > You did.  
> > > > > > 
> > > > > > Like installations that are upgraded from Samba3 and have GID allocated
> > > > > > for domain admins, there is the issue that because 'domain admins'
> > > > > > actually owns files in the sysvol directory, it needs to also map as a
> > > > > > UID.
> > > > > > 
> > > > > > The IDMAP_BOTH tag in idmap.ldb indicates this.
> > > > > > 
> > > > > > However, there is not (yet) a way to indicate this in the AD directory.
> > > > > > My thoughts are to add an optional extra schema that can be imported,
> > > > > > and that administrators wishing to set a SID -> UID and GID mapping can
> > > > > > add:
> > > > > > 
> > > > > > idmapUidAndGid: TRUE
> > > > > > 
> > > > > > to the user and group objects, and have it regard a uidNumber as also
> > > > > > being a gidNumber and vice versa.  
> > > > > > 
> > > > > > This would allow a per-object selection that the administrator has
> > > > > > confirmed that the uid and gid spaces do not conflict in this specific
> > > > > > case. 
> > > > > > 
> > > > > > The other approach is to try and ignore the problem, and this attached
> > > > > > patch tries to simply avoid doing the chown, instead changing the file
> > > > > > to be owned by either administrator or root, but then lying about the
> > > > > > ownership later. 
> > > > > > 
> > > > > > I need feedback to confirm that this all works properly for GPO
> > > > > > manipulation, so if you can test that it would be most helpful. 
> > > > > > 
> > > > > > Andrew Bartlett
> > > > > > 
> > > > > 
> > > > > I'm currently using samba4.0.0rc1 built from the released tarball and
> > > > > patch -p1 < 000... failed with
> > > > > 
> > > > > [root at kdc01:~/samba4/samba-4.0.0rc1]# patch -p1 <
> > > > > 0001-samba-tool-skip-chown-in-sysvolreset-when-it-would-f.patch 
> > > > > patching file source4/scripting/python/samba/ntacls.py
> > > > > patching file source4/scripting/python/samba/provision/__init__.py
> > > > > Hunk #1 FAILED at 1365.
> > > > > Hunk #2 FAILED at 1391.
> > > > > Hunk #3 succeeded at 1398 with fuzz 1 (offset -4 lines).
> > > > > Hunk #4 succeeded at 1415 with fuzz 1 (offset -4 lines).
> > > > > Hunk #5 succeeded at 1449 (offset -6 lines).
> > > > > 2 out of 5 hunks FAILED -- saving rejects to file
> > > > > source4/scripting/python/samba/provision/__init__.py.rej
> > > > > 
> > > > > Please find attached reject file.
> > > > > 
> > > > > May I use the patch to manually patch __init__.py or can you create the
> > > > > patch starting from the file released with the rc1?
> > > > > 
> > > > > Another way could be to download the latest git (master?) and build from
> > > > > scratch, then apply the patch you previously sent?
> > > > 
> > > > The patch is for master.
> > > > 
> > > > Andrew Bartlett
> > > > 
> > > 
> > > made a git pull (from master) and applied the patch.
> > > Built fine and installed.
> > > 
> > > Now samba-tool ntacl sysvolreset --use-s3fs works fine.
> > > 
> > > Questions:
> > > 1. is it correct now to leave the default ad groups posixified?
> > 
> > It makes the situation more tolerable.  It is still not ideal, and it
> > may well not allow GPOs to be modified (hence asking for testing of
> > that).
> > 
> > > 2. why do I still see that sysvol (and its subfolders and files)
> > > getfacl are group:3000007:r-- when 3000007 is not a valid group?
> > 
> > If you install nss_winbind you will see what group that is.  It is
> > probably another group such as group policy admins. 
> 
> Would it be possible that the group's assignment was made before
> "posixifying" basic AD groups and now I've lost the association?

Yes. 

> May I try to modify them removing permissions to the "unmapped" gids and
> rewrite the right ones?

That should work, particularly if you didn't change idmap.ldb.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
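The cleanup Daniele asks about at the end of this thread (drop the ACL entries for gids that no longer map, then rewrite the intended ones) is easy to get wrong by hand on a sysvol tree with hundreds of files. The script below is an added example written for this page; it is not code from the thread, from Andrew's patch or from Samba. It parses getfacl output, asks a resolver whether each numeric uid/gid still has a name, and prints the setfacl/chgrp commands that would remove the stale entries and re-add replacements. The getfacl text, the KNOWN_IDS table standing in for nss_winbind, and the 3000007 -> 3000004 rewrite are all constructed for the example; on a real DC you would feed it the output of `getfacl -R` over the sysvol directory and have the resolver call `getent group`/`getent passwd` (after installing nss_winbind, as Andrew says, so that a gid that is merely unfamiliar is not mistaken for an unmapped one).

```python
"""Audit getfacl output for POSIX ACL entries whose numeric uid/gid no longer
resolves, and emit the setfacl/chgrp commands that repair them.

Added example for the samba-technical thread on sysvolreset; not Samba code.
Sample data and the id table below are constructed."""
import re
import shlex
from dataclasses import dataclass, field

# Constructed getfacl output: 3000007 is the owning group and appears in ACL
# entries, but (as in the thread) it no longer maps to any group.
SAMPLE_GETFACL = """\
# file: sysvol
# owner: root
# group: 3000007
user::rwx
user:3000001:rwx
group::rwx
group:3000007:r-x
group:3000004:rwx
mask::rwx
other::---
default:user::rwx
default:group:3000007:r-x
default:mask::rwx
default:other::---

# file: sysvol/example.lan
# owner: root
# group: 3000007
user::rwx
group::r-x
group:3000007:r-x
mask::r-x
other::---
"""

# Constructed stand-in for `getent passwd`/`getent group` via nss_winbind.
KNOWN_IDS = {("user", 3000001): "Administrator", ("group", 3000004): "Domain Admins"}

# Constructed decision by the administrator: entries for the dead gid 3000007
# are re-created for gid 3000004 with the same permission bits.
SAMPLE_REWRITE = {"3000007": "3000004"}

# One getfacl line: tag, optional qualifier, three permission bits.
ENTRY_RE = re.compile(
    r"^(?P<tag>(?:default:)?(?:user|group|mask|other)):(?P<qual>[^:]*):(?P<perm>[rwx-]{3})$")
# Abbreviations setfacl accepts in -x/-m specifications.
SHORT_TAG = {"user": "u", "group": "g", "mask": "m", "other": "o",
             "default:user": "d:u", "default:group": "d:g",
             "default:mask": "d:m", "default:other": "d:o"}


@dataclass
class FileAcl:
    path: str
    owner: str = ""
    group: str = ""
    entries: list = field(default_factory=list)  # (tag, qualifier, perms)


def parse_getfacl(text):
    """Split getfacl output into one FileAcl per '# file:' block."""
    acls, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# file:"):
            cur = FileAcl(path=line[len("# file:"):].strip())
            acls.append(cur)
        elif cur is None or not line:
            continue
        elif line.startswith("# owner:"):
            cur.owner = line[len("# owner:"):].strip()
        elif line.startswith("# group:"):
            cur.group = line[len("# group:"):].strip()
        elif not line.startswith("#"):
            m = ENTRY_RE.match(line)
            if m:
                cur.entries.append((m["tag"], m["qual"], m["perm"]))
    return acls


def is_unmapped(kind, qualifier, resolve):
    """True when the qualifier is a bare number that resolve() cannot name.
    Textual qualifiers were already resolved by getfacl itself."""
    return qualifier.isdigit() and resolve(kind, int(qualifier)) is None


def repair_commands(acl, resolve, rewrite):
    """Commands that drop unmapped ids from one file and re-add replacements.
    Ids without an entry in `rewrite` are removed only, never guessed."""
    path = shlex.quote(acl.path)
    cmds = []
    if is_unmapped("group", acl.group, resolve) and acl.group in rewrite:
        cmds.append(f"chgrp {shlex.quote(rewrite[acl.group])} {path}")
    for tag, qual, perm in acl.entries:
        if not qual:
            continue  # owner, owning group, mask and other carry no qualifier
        kind = "user" if tag.endswith("user") else "group"
        if not is_unmapped(kind, qual, resolve):
            continue
        short = SHORT_TAG[tag]
        cmds.append(f"setfacl -x {shlex.quote(f'{short}:{qual}')} {path}")
        if qual in rewrite:
            cmds.append(f"setfacl -m {shlex.quote(f'{short}:{rewrite[qual]}:{perm}')} {path}")
    return cmds


def sample_resolve(kind, xid):
    return KNOWN_IDS.get((kind, xid))


def audit(text=SAMPLE_GETFACL, resolve=sample_resolve, rewrite=SAMPLE_REWRITE):
    """Return the full repair command list for every file in the getfacl dump."""
    cmds = []
    for acl in parse_getfacl(text):
        cmds.extend(repair_commands(acl, resolve, rewrite))
    return cmds


if __name__ == "__main__":
    for cmd in audit():
        print(cmd)
```

Review the printed commands before running them: the script deliberately refuses to pick a replacement for any id that is not in the rewrite table, and a mask entry is left alone because changing it would alter the effective rights of every named entry on the file. If you changed idmap.ldb as well, note Andrew's caveat above: the cleanup is only safe when the mapping itself is stable.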