[Samba] SYSVOL ACLs and GPOs

Andrew Bartlett abartlet at samba.org
Thu Oct 25 16:27:24 MDT 2012


On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote:
> On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
> > On 25/10/2012 11:30, Andrew Bartlett wrote:
> > > On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
> > >
> > >> samba-tool ntacl sysvolcheck shows:
> > >>
> > >> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
> > >> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> > >> ProvisioningError: VFS ACL on GPO directory
> > >> /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> > >> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
> > >> does not match expected value
> > >> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> > >> from GPO object
> > >>     File
> > >> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > >> line 175, in _run
> > >>       return self.run(*args, **kwargs)
> > >>     File
> > >> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> > >> line 245, in run
> > >>       lp)
> > >>     File
> > >> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> > >> line 1574, in checksysvolacl
> > >>       direct_db_access)
> > >>     File
> > >> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> > >> line 1526, in check_gpos_acl
> > >>       domainsid, direct_db_access)
> > >>     File
> > >> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> > >> line 1476, in check_dir_acl
> > >>       raise ProvisioningError('%s ACL on GPO directory %s %s does not
> > >> match expected value %s from GPO object' % (acl_type(direct_db_access),
> > >> path, fsacl_sddl, acl))
> > > Drat.
> > >
> > > So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed
> > > the issue we have had for a while.  I had (incorrectly in your case)
> > > assumed the issue was that IDMAP mappings imported from classic domains
> > > were breaking it.  That's why I worked on my patches, which improve the
> > > situation by handling some details at a lower level.
> > >
> > > On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' and
> > > then, if you don't mind, getting me the level 10 debug log would be very
> > > helpful.  Set 'log level = 10' in your smb.conf, then re-run and send me
> > > (personally) the result compressed with xz.
> > >
> > > Andrew Bartlett
> > >
> > Just to be clear, those last two logs were taken from a samba compiled 
> > with your fix-acls2 branch.
> > It is also a completely blank provisioned domain I have not migrated 
> > anything.
> > 
> > What do you want the logs of? Starting samba + logging in from XP + 
> > starting gpmc.msc + altering permissions manually?
> 
> Yeah, I was incredibly unclear:  I need level 10 logs of just the
> command 'samba-tool ntacl sysvolcheck' command, as that shows the issue
> in a very nice, self-contained way. 

So, the issue is that this host doesn't return the ACL consistently.
What I mean is this:

When we store the NT ACL for the {12344...} folder, we store an xattr
with:
 - the NT ACL we need to return to clients
 - the hash of the posix ACL we set on disk (as read back from the OS)

When we do the sysvolcheck we fetch the xattr, read the hash and get the
posix ACL off disk again.  On your host, these don't match!

Can you give me details about what your host is?

Just to be really sure we are doing this right, because I can't
reproduce this here, can you run:

bin/samba-tool domain provision --targetdir=/tmp/provision-root2 --realm=realm.com --domain=dom

Do this on master and on my fix-acls2 branch, with separate targetdir
for each, with this patch on top in both cases?

If that passes, can you give me the provision command you normally use,
and tell me if that fails?

If your normal command passes, then can you work out if there is a time
period involved before sysvolcheck fails? (that is, after X seconds it
fails).  For this last thing, I'm clutching at caching straws, but this
is a real issue that we must get to the bottom of - beyond the AD DC,
the ACL facility we use here is critical to file server users in Samba
too.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-provision-Always-check-the-sysvol-ACLs-worked-after-.patch
Type: text/x-patch
Size: 2566 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121026/9cda2a38/attachment.bin>
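As an added illustration of the check Andrew describes (this is example code written for this page, not part of the thread or of Samba's own implementation): a stand-in for the per-file xattr keeps the NT ACL beside a hash of the POSIX ACL that was set on disk, the stored NT ACL is only returned while the POSIX ACL read back still hashes to the saved value, and a sysvolcheck-style comparison lists which ACEs differ between the two SDDL strings quoted above. The in-memory xattr store, the choice of SHA-256, the path names and the getfacl-style POSIX ACL text are assumptions made for the example.

```python
import hashlib
import re

# All values below are constructed for this example; the two SDDL strings are the
# "expected" and "on disk" ACLs quoted in the thread.
EXPECTED_SDDL = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
ON_DISK_SDDL = "O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)"
POSIX_ACL = "user::rwx\ngroup::r-x\ngroup:3000000:rwx\nmask::rwx\nother::---\n"

XATTR_STORE = {}  # hypothetical stand-in for the per-file NT ACL xattr: path -> (sddl, hash)

def posix_acl_hash(posix_acl_text):
    # SHA-256 is an assumption for the example, not Samba's actual hash choice
    return hashlib.sha256(posix_acl_text.encode()).hexdigest()

def store_nt_acl(path, sddl, posix_acl_text):
    """Write side: keep the NT ACL together with the hash of the POSIX ACL set on disk."""
    XATTR_STORE[path] = (sddl, posix_acl_hash(posix_acl_text))

def read_nt_acl(path, posix_acl_now):
    """Read side: the stored NT ACL is trusted only while the POSIX ACL read back
    from the OS still hashes to the saved value; otherwise return None."""
    sddl, saved_hash = XATTR_STORE[path]
    return sddl if posix_acl_hash(posix_acl_now) == saved_hash else None

def dacl_aces(sddl):
    """Return the DACL flags (e.g. 'P') and the list of ACE strings of an SDDL string."""
    m = re.search(r"D:([^(]*)((?:\([^)]*\))*)", sddl)
    return m.group(1), re.findall(r"\(([^)]*)\)", m.group(2))

def compare_dacl(expected_sddl, actual_sddl):
    """Show which ACEs the on-disk ACL lacks or adds relative to the GPO object's ACL."""
    exp_flags, exp = dacl_aces(expected_sddl)
    act_flags, act = dacl_aces(actual_sddl)
    return {"flags_match": exp_flags == act_flags,
            "missing": sorted(set(exp) - set(act)),
            "extra": sorted(set(act) - set(exp))}

def sysvolcheck(path, posix_acl_now, expected_sddl):
    """The two-step check the thread describes: hash first, then SDDL comparison."""
    stored = read_nt_acl(path, posix_acl_now)
    if stored is None:
        return {"status": "posix-acl-hash-mismatch"}
    status = "ok" if stored == expected_sddl else "sddl-mismatch"
    return {"status": status, **compare_dacl(expected_sddl, stored)}
```

Running `compare_dacl(EXPECTED_SDDL, ON_DISK_SDDL)` on the two strings from the thread reports the missing `P` flag, two ACEs absent from disk and six extra ones, which is the detail the bare "does not match expected value" error hides.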
