[Samba] [PATCH] Re: SYSVOL ACLs and GPOs

Andrew Bartlett abartlet at samba.org
Sun Nov 4 19:10:13 MST 2012


On Thu, 2012-11-01 at 14:54 +0000, Alex Matthews wrote:
> On 30/10/2012 00:08, Jeremy Allison wrote:
> > On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
> >>>> be a particular trigger - but it shouldn't be able to make a
> >>>> modification that doesn't go via vfs_acl_xattr.
> >>>>
> >>>> For Alex, before running the Group Policy tools on WinXP, he gets (at
> >>>> level 10 on samba-tool ntacl sysvolcheck):
> >>>>
> >>>> get_nt_acl_internal: blob hash matches for
> >>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> >>>>
> >>>> then after, he gets:
> >>>>
> >>>> get_nt_acl_internal: blob hash does not match for
> >>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.
> >>> Is this message from smbd, or from samba-tool ?
> >> That's what vfs_acl_common is printing, being run from samba-tool ntacl
> >> sysvolcheck.  It links to the VFS layer.
> > So this looks like it's running the Group Policy tools on WinXP
> > that causes the problem ?
> >
> > Can we get a debug level 10 log of that activity going on
> > against smbd ?
> >
> > Jeremy.
> Ok I have some additional info.
> 
> Using the GPMC I cannot create new GPOs. I get the message: "This 
> security ID may not be assigned as the owner of this object"
> 
> If I use samba-tool gpo create I get the following:
> 
> # bin/samba-tool gpo create "SMC Students"
> ERROR(ldb): uncaught exception - LDAP error 50 
> LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on 
> CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
>    File 
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File 
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", 
> line 952, in run
>      self.samdb.add(m)
> 
> If I supply administrator as username I get:
> 
> # bin/samba-tool gpo create "SMC Students" -U administrator
> Password for [SMC\administrator]:
> ERROR(runtime): uncaught exception - (-1073741734, 
> 'NT_STATUS_INVALID_OWNER')
>    File 
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>      return self.run(*args, **kwargs)
>    File 
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", 
> line 987, in run
>      conn.set_acl(sharepath, fs_sd, sio)
> 
> However this time it has successfully created the GPO. (GPMC still 
> throws the same warnings about inconsistent ACLs).
> 
> bin/samba-tool gpo create "SMC Students" -d 10: http://pastebin.com/tjutA68u
> bin/samba-tool gpo create "SMC Students" -U administrator -d 10: 
> http://pastebin.com/8kkVEy7V
> 
> I would hazard a guess and say the GPMC error (when creating a GPO) is 
> the same error as the samba-tool error.

It is certainly very helpful to have this happen with samba-tool.  Can
you remind me of the history of this domain: is it the upgrade I was trying
to suggest you do, or a fresh provision?

If you can, tell me what provision command line you ran; if it was
provisioned with an older version, which branch and git revision that
was, and what branch and git revision are you running now?

I've tried to replicate this in 'make test' but failed (the tests pass).
The patch for that is attached for review.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
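The thread hinges on the "blob hash matches" / "blob hash does not match" lines that vfs_acl_common prints when samba-tool ntacl sysvolcheck walks SYSVOL. Below is an added example, not part of this mail or of Samba, that turns that debug output into a list of files whose stored NT ACL blob is stale and the GPOs they belong to. It assumes the one-line form of the message (the mail shows it wrapped across two lines) and the sample log is constructed with placeholder paths.

```python
import re
from typing import Dict, List

# Constructed sample of "samba-tool ntacl sysvolcheck -d 10" output, modelled on the
# vfs_acl_common messages quoted in the thread. Paths and GUIDs are placeholders.
SAMPLE_LOG = """\
get_nt_acl_internal: blob hash matches for file /srv/samba/sysvol/realm.example/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
get_nt_acl_internal: blob hash matches for file /srv/samba/sysvol/realm.example/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
get_nt_acl_internal: blob hash does not match for file /srv/samba/sysvol/realm.example/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.
some unrelated debug line that the parser must ignore
get_nt_acl_internal: blob hash does not match for file /srv/samba/sysvol/realm.example/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE - returning file system SD mapping.
"""

# One vfs_acl_common line: verdict, path, and the optional trailer printed on a mismatch.
_LINE_RE = re.compile(
    r"^get_nt_acl_internal: blob hash (?P<verdict>matches|does not match) for file "
    r"(?P<path>.+?)(?: - returning file system SD mapping\.)?$"
)

# A GPO lives in a directory named after its GUID, e.g. {31B2F340-016D-11D2-945F-00C04FB984F9}.
_GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_sysvolcheck(log_text: str) -> Dict[str, bool]:
    """Map each reported path to True (stored ACL blob hash matches the on-disk
    POSIX ACL) or False (hash mismatch: the blob was bypassed by a change that did
    not go through vfs_acl_xattr, so smbd falls back to the file-system SD mapping)."""
    results: Dict[str, bool] = {}
    for line in log_text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            results[m.group("path")] = m.group("verdict") == "matches"
    return results


def mismatched_paths(log_text: str) -> List[str]:
    """Paths whose NT ACL blob is stale, sorted for stable reporting."""
    return sorted(p for p, ok in parse_sysvolcheck(log_text).items() if not ok)


def affected_gpos(log_text: str) -> List[str]:
    """Collapse stale paths to the GPO GUID directories they belong to, so an
    administrator knows which policies GPMC will report as inconsistent."""
    gpos = set()
    for path in mismatched_paths(log_text):
        m = _GUID_RE.search(path)
        if m:
            gpos.add(m.group(0))
    return sorted(gpos)


if __name__ == "__main__":
    # Stand-alone run over the constructed sample.
    for path in mismatched_paths(SAMPLE_LOG):
        print("stale NT ACL blob:", path)
    print("affected GPOs:", ", ".join(affected_gpos(SAMPLE_LOG)))
```

Feed it real output with `samba-tool ntacl sysvolcheck -d 10 2>&1 | python3 this_script.py` after replacing the sample with `sys.stdin.read()`; a non-empty list of affected GPOs is the signal that something wrote to SYSVOL outside the VFS layer, and `samba-tool ntacl sysvolreset` is the documented way to rewrite the stored ACLs once the cause is understood.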

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-selfltest-check-that-samba-tool-gpo-works-for-basic-.patch
Type: text/x-patch
Size: 4774 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba/attachments/20121105/96d8ee43/attachment.bin>
