[Samba] SYSVOL ACLs and GPOs

Andrew Bartlett abartlet at samba.org
Mon Oct 29 04:22:31 MDT 2012


I'm wondering if I can get your assistance on this one?

In short, both Alex and Luiz have an issue where vfs_acl_xattr does not
return the NT ACL that has been set.  The details are in this thread, but
we have the particularly odd situation where running 'samba-tool ntacl
sysvolreset' doesn't seem to fix it.  This isn't the case of the tools
expecting the wrong value - the 'got' ACL is clearly one mapped back
from POSIX.  Running the Group Policy tools on a domain member seems to
be a particular trigger - but it shouldn't be able to make a
modification that doesn't go via vfs_acl_xattr.

For Alex, before running the Group Policy tools on WinXP, he gets (at
level 10 on samba-tool ntacl sysvolcheck):

get_nt_acl_internal: blob hash matches for
file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}

then after, he gets:

get_nt_acl_internal: blob hash does not match for
file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.

This is on unmodified master, but my ACL patches don't seem to help.

On Mon, 2012-10-29 at 01:03 -0200, Luiz Gustavo dos S. Costa wrote:

> Thanks Andrew,
> I did exactly as you suggested .. apparently the problem has evolved.
> I put everything in tinypaste.
> http://tny.cz/0ec346e9
> In resume, this is the error:
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
> - ProvisioningError: VFS ACL on GPO directory
> /usr/local/samba/var/locks/sysvol/ad.mundounix.com.br/Policies/{F8562CF5-518A-4E06-9BAA-8B2135F8624C}
> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)(A;;0x00120089;;;ED)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY)
> does not match expected value
> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> from GPO object
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> line 245, in run
>     lp)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1574, in checksysvolacl
>     direct_db_access)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1526, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> line 1476, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not
> match expected value %s from GPO object' %
> (acl_type(direct_db_access), path, fsacl_sddl, acl))


This essentially brings us back to the issue that Alex has.  We are
still trying to pin this down.  Can you reproduce this issue on a fresh
provision without using any Windows admin tools, or do you also only see
this after running the Windows Group Policy Admin tools?


Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
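As an added example, not from this thread or from Samba's own code: a small Python parser that splits the two SDDL strings quoted above into owner, group, DACL and SACL and reports which ACEs differ, so a sysvolcheck mismatch can be read at a glance rather than by eye. It handles only the SDDL subset seen here (O:/G:/D:/S: sections, plain ACEs, no conditional ACEs); the input strings are copied from Luiz's message.

```python
import re
from collections import Counter, namedtuple

# Constructed input: the 'got' and 'expected' descriptors quoted in the sysvolcheck error above.
GOT = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;DA)"
       "(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)(A;;0x00120089;;;ED)"
       "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)"
       "(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)S:AI"
            "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

# A section is a letter O/G/D/S plus ':' followed by either whole '(...)' ACEs or characters
# that do not start another section; this keeps 'DA' in 'O:DAG:' from being split at the 'D'.
SECTION_RE = re.compile(r"([OGDS]):((?:\([^)]*\)|(?![OGDS]:)[^(])*)")
ACE_RE = re.compile(r"\(([^)]*)\)")
Acl = namedtuple("Acl", "flags aces")  # flags such as "P" or "AI", then the ACE strings

def parse_acl(text):
    """'P(A;OICI;...)(...)' -> Acl('P', ['A;OICI;...', ...]); empty Acl for a missing section."""
    if not text:
        return Acl("", [])
    return Acl(text.split("(", 1)[0], ACE_RE.findall(text))

def parse_sddl(sddl):
    """Return {'O': owner, 'G': group, 'D': Acl, 'S': Acl} for the parts present in the string."""
    parts = dict(SECTION_RE.findall(sddl))
    return {k: (parse_acl(v) if k in "DS" else v) for k, v in parts.items()}

def compare_sddl(got, expected):
    """Describe how the descriptor vfs_acl_xattr returned differs from the GPO object's expectation."""
    g, e = parse_sddl(got), parse_sddl(expected)
    gd, ed = g.get("D", Acl("", [])), e.get("D", Acl("", []))
    got_aces, exp_aces = Counter(gd.aces), Counter(ed.aces)
    return {
        "owner_ok": g.get("O") == e.get("O"),
        "group_ok": g.get("G") == e.get("G"),
        "dacl_flags": (gd.flags, ed.flags),  # no "P" in 'got' means inheritance is no longer blocked
        "missing": sorted((exp_aces - got_aces).elements()),  # multiset difference keeps duplicate counts honest
        "extra": sorted((got_aces - exp_aces).elements()),
        "sacl_dropped": bool(e.get("S", Acl("", [])).aces) and not g.get("S", Acl("", [])).aces,
    }

if __name__ == "__main__":
    r = compare_sddl(GOT, EXPECTED)
    print("DACL flags got=%r expected=%r; %d ACE(s) missing, %d extra; SACL dropped: %s"
          % (r["dacl_flags"] + (len(r["missing"]), len(r["extra"]), r["sacl_dropped"])))
```

For the two strings above the 'got' side has no P flag, no SACL, and ten extra ACEs carrying POSIX-style rights, which is what a descriptor mapped back from the file system mode bits looks like rather than the blob that was stored.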
