[Samba] SYSVOL ACLs and GPOs

Alex Matthews qoole.samba at lillimoth.com
Fri Oct 26 03:44:29 MDT 2012


On 26/10/2012 02:37, Andrew Bartlett wrote:
> On Fri, 2012-10-26 at 00:34 +0100, Alex Matthews wrote:
>> On 25/10/2012 23:27, Andrew Bartlett wrote:
>>> On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote:
>>>> On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
>>>>> On 25/10/2012 11:30, Andrew Bartlett wrote:
>>>>>> On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
>>>>>>
>>>>>>> samba-tool ntacl sysvolcheck shows:
>>>>>>>
>>>>>>> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>>>>>>> ProvisioningError: VFS ACL on GPO directory
>>>>>>> /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>>>> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
>>>>>>> does not match expected value
>>>>>>> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>>>>> from GPO object
>>>>>>>       File
>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>>>>>> line 175, in _run
>>>>>>>         return self.run(*args, **kwargs)
>>>>>>>       File
>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>>>>>>> line 245, in run
>>>>>>>         lp)
>>>>>>>       File
>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>>>> line 1574, in checksysvolacl
>>>>>>>         direct_db_access)
>>>>>>>       File
>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>>>> line 1526, in check_gpos_acl
>>>>>>>         domainsid, direct_db_access)
>>>>>>>       File
>>>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>>>> line 1476, in check_dir_acl
>>>>>>>         raise ProvisioningError('%s ACL on GPO directory %s %s does not
>>>>>>> match expected value %s from GPO object' % (acl_type(direct_db_access),
>>>>>>> path, fsacl_sddl, acl))
>>>>>> Drat.
>>>>>>
>>>>>> So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed
>>>>>> the issue we have had for a while.  I had (incorrectly in your case)
>>>>>> assumed the issue was that IDMAP mappings imported from classic domains
>>>>>> were breaking it.  That's why I worked on my patches, which improve the
>>>>>> situation by handling some details at a lower level.
>>>>>>
>>>>>> On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' and
>>>>>> then, if you don't mind, getting me the level 10 debug log would be very
>>>>>> helpful.  Set 'log level = 10' in your smb.conf, then re-run and send me
>>>>>> (personally) the result compressed with xz.
>>>>>>
>>>>>> Andrew Bartlett
>>>>>>
>>>>> Just to be clear, those last two logs were taken from a samba compiled
>>>>> with your fix-acls2 branch.
>>>>> It is also a completely blank provisioned domain I have not migrated
>>>>> anything.
>>>>>
>>>>> What do you want the logs of? Starting samba + logging in from XP +
>>>>> starting gpmc.msc + altering permissions manually?
>>>> Yeah, I was incredibly unclear:  I need level 10 logs of just the
>>>> 'samba-tool ntacl sysvolcheck' command, as that shows the issue
>>>> in a very nice, self-contained way.
>>> So, the issue is that this host doesn't return the ACL consistently.
>>> What I mean is this:
>>>
>>> When we store the NT ACL for the {12344...} folder, we store an xattr
>>> with:
>>>    - the NT ACL we need to return to clients
>>>    - the hash of the posix ACL we set on disk (as read back from the OS)
>>>
>>> When we do the sysvolcheck we fetch the xattr, read the hash and get the
>>> posix ACL off disk again.  On your host, these don't match!
>>>
>>> Can you give me details about what your host is?
>>>
>>> Just to be really sure we are doing this right, because I can't
>>> reproduce this here, can you run:
>>>
>>> bin/samba-tool domain provision --targetdir=/tmp/provision-root2
>>> --realm=realm.com --domain=dom
>>>
>>> Do this on master and on my fix-acls2 branch, with separate targetdir
>>> for each, with this patch on top in both cases?
>>>
>>> If that passes, can you give me the provision command you normally use,
>>> and tell me if that fails?
>>>
>>> If your normal command passes, then can you work out if there is a time
>>> period involved before sysvolcheck fails? (that is, after X seconds it
>>> fails).  For this last thing, I'm clutching at caching straws, but this
>>> is a real issue that we must get to the bottom of - beyond the AD DC,
>>> the ACL facility we use here is critical to file server users in Samba
>>> too.
>>>
>>> Thanks,
>>>
>>> Andrew Bartlett
>>>
>> I have the following directory tree:
>>
>> /root/samba_test/samba-master
>> /root/samba_test/samba-aclfix
>> /root/samba_test/build-master
>> /root/samba_test/build-aclfix
>>
>> I ran:
>> build-master/bin/samba-tool domain provision
>> --targetdir=/root/samba_test/provision_master --realm=realm.com --domain=dom
>> build-aclfix/bin/samba-tool domain provision
>> --targetdir=/root/samba_test/provision_aclfix --realm=realm.com --domain=dom
>>
>> however when I run:
>> build-{master|aclfix}/bin/samba-tool ntacl sysvolcheck
>> I get the following error:
>>
>> ERROR(runtime): uncaught exception - samdb_domain_sid failed
>>     File
>> "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 175, in _run
>>       return self.run(*args, **kwargs)
>>     File
>> "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>> line 240, in run
>>       domain_sid = security.dom_sid(samdb.domain_sid)
>>     File
>> "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/samdb.py",
>> line 549, in get_domain_sid
>>       return dsdb._samdb_get_domain_sid(self)
>>
>> I assume this is due to the targetdir supplied in the provision step?
> Yes.  Use:
>
> build_master/bin/samba-tool ntacl sysvolcheck
> -s /root/samba_test/provision_master/etc/smb.conf
>
> Thanks!
>
> Andrew Bartlett
>
I'm assuming that, because of the way I laid my directory tree out, I could 
also just provision as normal and run the tests? It just makes it difficult 
to "un-provision".

I did a bit of testing last night and sysvolcheck returns no errors 
until the point that I run gpmc.msc on the XP domain member and click 
OK to "fix" the inconsistent ACLs. At that point it returns the same 
error. Running sysvolreset does not fix it either.
This is true, at least, for the master branch; I haven't tested the 
aclfix branch yet.

Thanks,
Alex

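Added example, not from this thread and not Samba's own code: a small Python helper that parses the two SDDL strings quoted in the sysvolcheck error above (the VFS ACL read back from the GPO directory and the expected value taken from the GPO object) and reports which ACEs account for the mismatch. It treats each ACL as a set of ACEs, so ACE order and duplicates are ignored; that is a simplification, since sysvolcheck reports a mismatch of the whole descriptor string. The rights-alias table covers only the common SDDL access-mask codes (hex masks are accepted as well), and the two descriptor strings are copied verbatim from the error output quoted in the thread.

```python
"""Diff two SDDL security descriptors, such as the on-disk and expected
strings printed by 'samba-tool ntacl sysvolcheck'. Example helper only."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Common SDDL access-mask aliases (subset). Hex masks like 0x001f01ff are
# also accepted by parse_mask().
RIGHTS_ALIASES = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00100116, "FX": 0x001200A0,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
}

# Both strings are copied from the sysvolcheck error quoted in the thread.
ON_DISK_SDDL = (
    "O:DAG:DUD:"
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)"
    "(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)"
    "(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)"
)
EXPECTED_SDDL = (
    "O:DAG:DUD:P"
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
    "(A;OICI;0x001200a9;;;ED)"
    "S:AI"
    "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

SECTION_RE = re.compile(r"(?=[OGDS]:)")   # split at O:, G:, D:, S: sections
ACE_RE = re.compile(r"\(([^)]*)\)")        # one parenthesised ACE


def parse_mask(rights: str) -> int:
    """Turn '0x001f01ff' or a run of two-letter aliases like 'GRGW' into an int."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    if len(rights) % 2:
        raise ValueError(f"malformed rights string: {rights!r}")
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS_ALIASES[rights[i:i + 2]]  # KeyError on an unknown alias
    return mask


@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: str
    mask: int
    object_type: str
    inherited_object_type: str
    trustee: str

    def __str__(self) -> str:
        return (f"({self.ace_type};{self.flags};0x{self.mask:08x};"
                f"{self.object_type};{self.inherited_object_type};{self.trustee})")


@dataclass
class Acl:
    flags: str              # ACL control flags, e.g. 'P', 'AI', 'AR'
    aces: Tuple[Ace, ...]


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: Optional[Acl]
    sacl: Optional[Acl]


def parse_ace(text: str) -> Ace:
    fields = text.split(";")
    if len(fields) < 6:
        raise ValueError(f"malformed ACE: ({text})")
    ace_type, flags, rights, obj, iobj, trustee = fields[:6]
    return Ace(ace_type, flags, parse_mask(rights), obj, iobj, trustee)


def parse_acl(body: str) -> Acl:
    # Everything before the first '(' is the ACL's control-flag string.
    paren = body.find("(")
    if paren < 0:
        return Acl(body, ())
    return Acl(body[:paren], tuple(parse_ace(m) for m in ACE_RE.findall(body[paren:])))


def parse_sddl(sddl: str) -> SecurityDescriptor:
    owner = group = ""
    dacl = sacl = None
    for part in SECTION_RE.split(sddl):
        if not part:
            continue
        key, body = part[0], part[2:]
        if key == "O":
            owner = body
        elif key == "G":
            group = body
        elif key == "D":
            dacl = parse_acl(body)
        elif key == "S":
            sacl = parse_acl(body)
    return SecurityDescriptor(owner, group, dacl, sacl)


def diff_descriptors(on_disk: SecurityDescriptor, expected: SecurityDescriptor) -> Dict[str, object]:
    """Set-wise comparison: which ACEs exist on only one side, plus flag differences."""
    def aces(acl: Optional[Acl]) -> set:
        return set(acl.aces) if acl else set()

    def flags(acl: Optional[Acl]) -> Optional[str]:
        return acl.flags if acl else None

    return {
        "owner_matches": on_disk.owner == expected.owner,
        "group_matches": on_disk.group == expected.group,
        "dacl_flags": (flags(on_disk.dacl), flags(expected.dacl)),
        "dacl_only_on_disk": sorted(aces(on_disk.dacl) - aces(expected.dacl), key=str),
        "dacl_only_expected": sorted(aces(expected.dacl) - aces(on_disk.dacl), key=str),
        "sacl_flags": (flags(on_disk.sacl), flags(expected.sacl)),
        "sacl_only_on_disk": sorted(aces(on_disk.sacl) - aces(expected.sacl), key=str),
        "sacl_only_expected": sorted(aces(expected.sacl) - aces(on_disk.sacl), key=str),
    }


if __name__ == "__main__":
    report = diff_descriptors(parse_sddl(ON_DISK_SDDL), parse_sddl(EXPECTED_SDDL))
    for key, value in report.items():
        if isinstance(value, list):
            print(key + ":")
            for ace in value:
                print("   ", ace)
        else:
            print(f"{key}: {value}")
```

Run as a script it lists the ACEs present only in the on-disk descriptor (the non-inherit-only read ACEs for DA, EA and SY, the WRITE_OWNER ACE for CG, and the inherit-only full-control ACEs for EA and SY), the two OICI full-control ACEs for EA and SY that appear only in the expected descriptor, the missing P flag on the on-disk DACL, and the SACL that is present only on the expected side. That gives a concrete list to reason about when comparing what a Windows client wrote via gpmc.msc with what Samba expected.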
