Provisioning an ADDC with vfs_nfs4acl_xattr
Thomas
tgeppert at digitx.de
Sat Feb 20 20:44:03 UTC 2021
I got this working up to a point where some of the NT ACLs were not set properly during provisioning due to an idmapping failure.
This seems to be kind of a chicken and egg problem because the winbind service is not running before the ADDC is provisioned but it would be required for the mapping.
The general setup is summarized in this post https://lists.samba.org/archive/samba/2021-February/234326.html
and some details of the idmapping issue are discussed in this thread https://lists.samba.org/archive/samba/2021-February/234364.html
Running 'samba-tool ntacl sysvolreset' after provisioning, when the winbind service is running and configured in nsswitch.conf, did complete without errors but checking the result with 'samba-tool ntacl sysvolcheck' does throw an exception.
Further investigation seems to indicate that the problem is rooted in peculiarities of the involved ACLs and the fact that they are treated different by the standard acl_xattr vfs module and vfs_nfs4acl_xattr.
The ACL that is retrieved from the SAM database for the Group Policy folders and files is this:
O:DA G:DA D:P
(A;OICI;0x001f01ff;;;DA)
(A;OICI;0x001f01ff;;;EA)
(A;OICIIO;0x001f01ff;;;CO)
(A;OICI;0x001f01ff;;;DA)
(A;OICI;0x001f01ff;;;SY)
(A;OICI;0x001200a9;;;AU)
(A;OICI;0x001200a9;;;ED)
The ACL retrieved from the filesystem is compared against the above ACL and if it doesn't match an exception is thrown by the sysvolcheck.
The first issue is related to the fact that the first and fourth ACE in the above ACL are identical.
The nfs4acl_xattr vfs module does merge these ACEs into one ACE in its code path (smbacl4_MergeIgnoreReject() in nfs4_acls.c) when setting the ACL and would also remove a duplicate ACE when reading the ACL (check_for_duplicate_sec_ace() in nfs4_acls.c). Therefore the ACL returned for a directory in the sysvol Policy branch by vfs_nfs4acl_xattr has one ACE less than the target ACL. It looks like the acl_xattr vfs module is not doing this.
For files in the sysvol Policy branch there are additional issues. The nfs4acl_xattr vfs module removes all inheritance flags from the ACL on a file (nfs4_acl_add_sec_ace() in nfs4_acls.c).
It also removes the Creator/Owner ACE from the file ACL in the same function. Code comment: /* A non inheriting creator owner entry has no effect. */
In the context of the sysvol Policy folders and files I now have the following questions.
Is my understanding correct that for directories the following ACL is equivalent to the above ACL ?
O:DA G:DA D:P
(A;OICI;0x001f01ff;;;DA)
(A;OICI;0x001f01ff;;;EA)
(A;OICIIO;0x001f01ff;;;CO)
(A;OICI;0x001f01ff;;;SY)
(A;OICI;0x001200a9;;;AU)
(A;OICI;0x001200a9;;;ED)
And for files the following ACL is equivalent ?
O:DA G:DA D:P
(A;;0x001f01ff;;;DA)
(A;;0x001f01ff;;;EA)
(A;;0x001f01ff;;;SY)
(A;;0x001200a9;;;AU)
(A;;0x001200a9;;;ED)
After changing the samba-tool code to expect the above ACLs for Policy folders and files the sysvolcheck does complete without errors.
What tests can I run to check if this vfs_nfs4acl_xattr based ADDC installation is sane and working properly ?
----
Thanks
Thomas
More information about the samba-technical
mailing list