Mapping groups to a uid conflicts with rfc2307 (was Re: Samba4 RC1 error: sysvolreset)

Andrew Bartlett abartlet at samba.org
Fri Sep 14 05:46:49 MDT 2012


On Thu, 2012-09-13 at 13:01 +0200, steve wrote:
> Hi
> I followed the release announcements for Version 4.1.0pre1-GIT-9158423
> 
> samba-tool dbcheck --cross-ncs --fix
> Checking 3442 objects
> Checked 3442 objects (0 errors)
> 
> and:
> 
> samba-tool ntacl sysvolreset
> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
> ERROR(runtime): uncaught exception - (-1073741734, 
> 'NT_STATUS_INVALID_OWNER')
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 168, in _run
>      return self.run(*args, **kwargs)
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
> line 214, in run
>      lp, use_ntvfs=use_ntvfs)
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1462, in setsysvolacl
>      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
> use_ntvfs)
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1401, in set_gpos_acl
>      str(domainsid), use_ntvfs)
>    File 
> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1368, in set_dir_acl
>      setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
>    File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", 
> line 108, in setntacl
>      smbd.set_nt_acl(file, security.SECINFO_OWNER | 
> security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)
> 
> Can anyone tell me whether this is safe to proceed?

It's no less safe than it was before you ran the command.  However,
without running that we can't offer editing of GPOs as non-administrator
(another member of the domain admins group). 

The issue for upgrading sites such as yours is that you have set a gid
for 'Domain Admins' in LDAP using rfc2307.  One of the key issues with
the rfc2307 schema that you requested is that there is no standard way
to indicate which uid to use when a group such as 'domain admins' needs
to own a file in unix terms.  (Our idmap.ldb default is to store
mappings marked with IDMAP_BOTH). 

So far my thinking is to add an additional objectClass to the LDAP
schema and an additional attribute to indicate that this gidNumber is in
fact also valid and unique as a uidNumber, or to additionally permit a
uidNumber on the record in addition to such a marker. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
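
The conflict described in this message, as an added example that is not part of the original e-mail or of Samba: a check over constructed directory entries that reports which groups carry only an rfc2307 gidNumber, and whether that number is already taken as some user's uidNumber (so it could not be marked as also valid and unique as a uid). The entries, the function name and the status labels are assumptions made for illustration.

```python
# Added example: constructed entries, not taken from a real directory.
# Attribute names follow rfc2307 (uidNumber, gidNumber) and AD (sAMAccountName).
ENTRIES = [
    {"sAMAccountName": "Domain Admins", "objectClass": "group", "gidNumber": 512},
    {"sAMAccountName": "Staff", "objectClass": "group", "gidNumber": 1001},
    {"sAMAccountName": "Domain Users", "objectClass": "group"},
    {"sAMAccountName": "alice", "objectClass": "user", "uidNumber": 1001, "gidNumber": 513},
    {"sAMAccountName": "bob", "objectClass": "user", "uidNumber": 1002, "gidNumber": 513},
]


def audit_group_owners(entries):
    """Return {group: (status, users_holding_that_number_as_uid)}.

    Status labels are hypothetical names for this example:
      idmap_default - no rfc2307 gidNumber on the group record
      gid_only      - gidNumber set, number unused as a uidNumber, so it
                      could be marked as also valid and unique as a uid
      gid_collides  - gidNumber set, but a user already has it as uidNumber
    """
    # Index every uidNumber in use, so group gids can be checked against it.
    users_by_uid = {}
    for e in entries:
        if e["objectClass"] == "user" and "uidNumber" in e:
            users_by_uid.setdefault(e["uidNumber"], []).append(e["sAMAccountName"])

    report = {}
    for e in entries:
        if e["objectClass"] != "group":
            continue
        gid = e.get("gidNumber")
        if gid is None:
            report[e["sAMAccountName"]] = ("idmap_default", [])
        elif gid in users_by_uid:
            report[e["sAMAccountName"]] = ("gid_collides", sorted(users_by_uid[gid]))
        else:
            report[e["sAMAccountName"]] = ("gid_only", [])
    return report


if __name__ == "__main__":
    for group, (status, users) in sorted(audit_group_owners(ENTRIES).items()):
        print(f"{group:15} {status:13} {', '.join(users)}")
```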
