[Samba] SYSVOL ACLs and GPOs

Luiz Gustavo dos S. Costa luizgustavo at mundounix.com.br
Fri Oct 26 12:32:16 MDT 2012


sysvol resolves here with ntvfs format... with s3fs I have this problem

2012/10/26 Luiz Gustavo dos S. Costa <luizgustavo at mundounix.com.br>:
> more errors with sysvol:
>
> samba4# bin/samba-tool ntacl sysvolcheck -d3
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> params.c:pm_process() - Processing configuration file
> "/usr/local/samba/etc/smb.conf"
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (11095) to minimum Windows limit (16384)
> params.c:pm_process() - Processing configuration file
> "/usr/local/samba/etc/smb.conf"
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Processing section "[engenharia]"
> Processing section "[pessoal]"
> Processing section "[financeiro]"
> Processing section "[comercial]"
> Processing section "[producao]"
> Processing section "[eletrica]"
> Processing section "[aparas]"
> Processing section "[contabilidade]"
> Processing section "[qualidade]"
> ldb_wrap open of idmap.ldb
> ERROR(<type 'exceptions.TypeError'>): uncaught exception - (34,
> 'Result too large')
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 245, in run
>     lp)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1565, in checksysvolacl
>     fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
> line 73, in getntacl
>     xattr.XATTR_NTACL_NAME)
>
> 2012/10/26 Luiz Gustavo dos S. Costa <luizgustavo at mundounix.com.br>:
>> Hi people...
>>
>> I have this same problem on FreeBSD 9.0 with Samba rc3 and the git version
>>
>> Andrew, does this patch work only in the git version?
>>
>> Other issue...
>>
>> Can I use the sysvol path in another place? For example:
>>
>> [sysvol]
>>    path = /samba/sysvol
>>    read only = No
>>
>> Obviously... with the netlogon path correct too.
>>
>> thanks
>>
>>
>> 2012/10/26 Andrew Bartlett <abartlet at samba.org>:
>>> On Fri, 2012-10-26 at 11:09 +0100, Alex Matthews wrote:
>>>> On 26/10/2012 11:03, Andrew Bartlett wrote:
>>>> > On Fri, 2012-10-26 at 10:44 +0100, Alex Matthews wrote:
>>>> >
>>>> >> I'm assuming because of the way I laid my directory tree out I could
>>>> >> also just provision as normal and run the tests? Just makes it difficult
>>>> >> to "un-provision".
>>>> >>
>>>> >> I did a bit of testing last night and sysvolcheck returns no errors
>>>> >> until the point that I run gpmc.msc on the XP domain member and click
>>>> >> ok to "fix" the inconsistent ACLs. At that point it returns the same
>>>> >> error. Running sysvolreset does not fix it either.
>>>> > OK.  This is more interesting.  Can you show me first the output, and
>>>> > then the level 10 log of that sysvolcheck command?
>>>> >
>>>> > I'm particularly curious that a sysvolreset can't fix it.
>>>> >
>>>> > A network capture of what gpmc does may be instructive also.
>>>> >
>>>> >> This is true, at least, for the master branch, I haven't tested the
>>>> >> aclfix branch yet.
>>>> > OK.
>>>> >
>>>> > Given this info on the essential components involved (running gpmc.msc
>>>> > once seems key), I think I have the steps to reproduce this here, which
>>>> > I'll try tonight or tomorrow.
>>>> >
>>>> > Thanks,
>>>> >
>>>> > Andrew Bartlett
>>>> >
>>>>
>>>> # bin/samba-tool ntacl sysvolcheck
>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>>>> ProvisioningError: VFS ACL on GPO directory
>>>> /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;ED)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY)
>>>> does not match expected value
>>>> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>> from GPO object
>>>>    File
>>>> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>>> line 175, in _run
>>>>      return self.run(*args, **kwargs)
>>>>    File
>>>> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>>>> line 245, in run
>>>>      lp)
>>>>    File
>>>> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1574, in checksysvolacl
>>>>      direct_db_access)
>>>>    File
>>>> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1526, in check_gpos_acl
>>>>      domainsid, direct_db_access)
>>>>    File
>>>> "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>> line 1476, in check_dir_acl
>>>>      raise ProvisioningError('%s ACL on GPO directory %s %s does not
>>>> match expected value %s from GPO object' % (acl_type(direct_db_access),
>>>> path, fsacl_sddl, acl))
>>>>
>>>>
>>>> Level 10 sysvolcheck log: http://pastebin.com/QBHTKkqL
>>>>
>>>> Do you want a wireshark packet log of GPMC or a samba level 10 log?
>>>
>>> Both if possible, please.
>>>
>>> Thanks,
>>>
>>> Andrew Bartlett
>>>
>>> --
>>> Andrew Bartlett                                http://samba.org/~abartlet/
>>> Authentication Developer, Samba Team           http://samba.org
>>>
>>>
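
The sysvolcheck error quoted in this thread reports only that two long SDDL strings differ. The following added example (not Samba's code and not written by anyone in the thread) splits both strings, copied from that error, into ACEs and lists what is present on one side only. The parser is an assumption that covers only the `O:`/`G:`/`D:`/`S:` layout seen here, and the names `parse_sddl` and `diff_dacl` are hypothetical.

```python
import re
from collections import Counter

# SDDL strings copied from the sysvolcheck error quoted in this thread.
ACTUAL = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)"
          "(A;;0x00120089;;;ED)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)"
          "(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
          "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;EA)"
          "(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)S:AI"
            "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

_SID = r"(?:[A-Z]{2}|S-[0-9-]+)"   # two-letter alias or literal SID
_ACES = r"(?:\([^()]*\))*"         # zero or more parenthesised ACEs
_SDDL = re.compile(
    rf"O:(?P<owner>{_SID})G:(?P<group>{_SID})"
    rf"D:(?P<dflags>[A-Z]*)(?P<dacl>{_ACES})"
    rf"(?:S:(?P<sflags>[A-Z]*)(?P<sacl>{_ACES}))?")

def _aces(block):
    """Return the text inside each (...) of an ACL block."""
    return re.findall(r"\(([^()]*)\)", block or "")

def parse_sddl(sddl):
    """Split a descriptor into owner, group, ACL flags and ACE lists."""
    m = _SDDL.fullmatch(sddl)
    if m is None:
        raise ValueError("unsupported SDDL layout: %r" % sddl[:40])
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": m["dflags"], "dacl": _aces(m["dacl"]),
            "sacl_flags": m["sflags"] or "", "sacl": _aces(m["sacl"])}

def diff_dacl(actual_sddl, expected_sddl):
    """ACEs found on one side only (duplicates counted) plus flag/SACL drift."""
    a, e = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    ca, ce = Counter(a["dacl"]), Counter(e["dacl"])
    return {"only_actual": sorted((ca - ce).elements()),
            "only_expected": sorted((ce - ca).elements()),
            "dacl_flags": (a["dacl_flags"], e["dacl_flags"]),
            "sacl_aces": (len(a["sacl"]), len(e["sacl"]))}

if __name__ == "__main__":
    for key, value in diff_dacl(ACTUAL, EXPECTED).items():
        print(key, value)
```

For these two strings the result shows that the `P` (protected) DACL flag and both SACL entries exist only on the expected side, and that the file-system ACL carries separate no-inheritance and inherit-only (`OICIIO`) entries where the GPO object has single `OICI` ACEs.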

