[Samba] SYSVOL ACLs and GPOs
Andrew Bartlett
abartlet at samba.org
Fri Oct 26 03:46:58 MDT 2012
On Fri, 2012-10-26 at 00:49 +0100, Alex Matthews wrote:
> On 26/10/2012 00:34, Alex Matthews wrote:
> > On 25/10/2012 23:27, Andrew Bartlett wrote:
> >> On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote:
> >>> On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
> >>>> On 25/10/2012 11:30, Andrew Bartlett wrote:
> >>>>> On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
> >>>>>
> >>>>>> samba-tool ntacl sysvolcheck shows:
> >>>>>>
> >>>>>> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
> >>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> >>>>>> exception -
> >>>>>> ProvisioningError: VFS ACL on GPO directory
> >>>>>> /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> >>>>>>
> >>>>>> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
> >>>>>>
> >>>>>> does not match expected value
> >>>>>> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> >>>>>>
> >>>>>> from GPO object
> >>>>>> File
> >>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> >>>>>>
> >>>>>> line 175, in _run
> >>>>>> return self.run(*args, **kwargs)
> >>>>>> File
> >>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> >>>>>>
> >>>>>> line 245, in run
> >>>>>> lp)
> >>>>>> File
> >>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>>>>
> >>>>>> line 1574, in checksysvolacl
> >>>>>> direct_db_access)
> >>>>>> File
> >>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>>>>
> >>>>>> line 1526, in check_gpos_acl
> >>>>>> domainsid, direct_db_access)
> >>>>>> File
> >>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>>>>
> >>>>>> line 1476, in check_dir_acl
> >>>>>> raise ProvisioningError('%s ACL on GPO directory %s %s
> >>>>>> does not
> >>>>>> match expected value %s from GPO object' %
> >>>>>> (acl_type(direct_db_access),
> >>>>>> path, fsacl_sddl, acl))
> >>>>> Drat.
> >>>>>
> >>>>> So, assuming you have run 'samba-tool ntacl sysvolreset', this is
> >>>>> indeed
> >>>>> the issue we have had for a while. I had (incorrectly in your case)
> >>>>> assumed the issue was that IDMAP mappings imported from classic
> >>>>> domains
> >>>>> were breaking it. That's why I worked on my patches, which
> >>>>> improve the
> >>>>> situation by handling some details at a lower level.
> >>>>>
> >>>>> On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset'
> >>>>> then, if you don't mind, getting me the level 10 debug log would
> >>>>> be very
> >>>>> helpful. Set 'log level = 10' in your smb.conf, then re-run and
> >>>>> send me
> >>>>> (personally) the result compressed with xz.
> >>>>>
> >>>>> Andrew Bartlett
> >>>>>
> >>>> Just to be clear, those last two logs were taken from a samba compiled
> >>>> with your fix-acls2 branch.
> >>>> It is also a completely blank provisioned domain I have not migrated
> >>>> anything.
> >>>>
> >>>> What do you want the logs of? Starting samba + logging in from XP +
> >>>> starting gpmc.msc + altering permissions manually?
> >>> Yeah, I was incredibly unclear: I need level 10 logs of just the
> >>> 'samba-tool ntacl sysvolcheck' command, as that shows the issue
> >>> in a very nice, self-contained way.
> >> So, the issue is that this host doesn't return the ACL consistently.
> >> What I mean is this:
> >>
> >> When we store the NT ACL for the {12344...} folder, we store an xattr
> >> with:
> >> - the NT ACL we need to return to clients
> >> - the hash of the posix ACL we set on disk (as read back from the OS)
> >>
> >> When we do the sysvolcheck we fetch the xattr, read the hash and get the
> >> posix ACL off disk again. On your host, these don't match!
> >>
> >> Can you give me details about what your host is?
> >>
> >> Just to be really sure we are doing this right, because I can't
> >> reproduce this here, can you run:
> >>
> >> bin/samba-tool domain provision --targetdir=/tmp/provision-root2
> >> --realm=realm.com --domain=dom
> >>
> >> Do this on master and on my fix-acls2 branch, with separate targetdir
> >> for each, with this patch on top in both cases?
> >>
> >> If that passes, can you give me the provision command you normally use,
> >> and tell me if that fails?
> >>
> >> If your normal command passes, then can you work out if there is a time
> >> period involved before sysvolcheck fails? (that is, after X seconds it
> >> fails). For this last thing, I'm clutching at caching straws, but this
> >> is a real issue that we must get to the bottom of - beyond the AD DC,
> >> the ACL facility we use here is critical to file server users in Samba
> >> too.
> >>
> >> Thanks,
> >>
> >> Andrew Bartlett
> >>
> > I have the following directory tree:
> >
> > /root/samba_test/samba-master
> > /root/samba_test/samba-aclfix
> > /root/samba_test/build-master
> > /root/samba_test/build-aclfix
> >
> > I ran:
> > build-master/bin/samba-tool domain provision
> > --targetdir=/root/samba_test/provision_master --realm=realm.com
> > --domain=dom
> > build-aclfix/bin/samba-tool domain provision
> > --targetdir=/root/samba_test/provision_aclfix --realm=realm.com
> > --domain=dom
> >
> > however when I run:
> > build-{master|aclfix}/bin/samba-tool ntacl sysvolcheck
> > I get the following error:
> >
> > ERROR(runtime): uncaught exception - samdb_domain_sid failed
> > File
> > "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 175, in _run
> > return self.run(*args, **kwargs)
> > File
> > "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> > line 240, in run
> > domain_sid = security.dom_sid(samdb.domain_sid)
> > File
> > "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/samdb.py",
> > line 549, in get_domain_sid
> > return dsdb._samdb_get_domain_sid(self)
> >
> > I assume this is due to the targetdir supplied in the provision step?
> >
> > Thanks,
> >
> > Alex
> >
> Instead of using targetdir I just ran the provision as is, and on both
> trees sysvolcheck passes every time.
> I have run sysvolreset as well and sysvolcheck passes still.
So, what changed?
You said previously that sysvolcheck failed, and now it passes. I
suspect you will find your GPO issues have been solved too.
I'm not suggesting you are stuffing me about, I really want to know what
you can find as a difference, so we can narrow this down.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
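The two SDDL strings in the sysvolcheck error above are hard to compare by eye, and the later reply explains that the check works by re-hashing the POSIX ACL on disk and comparing it with a hash stored beside the NT ACL in an xattr. The following is an added example, not Samba code and not from anyone in this thread: it parses both SDDL strings from the error (copied here as constructed input), reports which ACEs and control flags differ, and models the stored-hash check with a simple SHA-256 of a getfacl-style text. The hash algorithm, the dictionary layout of the "xattr" and the sample POSIX ACL text are assumptions of this model; the real on-disk format is not described on the page.

```python
import hashlib
import re

# Constructed input: the two SDDL strings from the sysvolcheck error on this
# page, the on-disk ACL first and the value expected from the GPO object second.
ACTUAL_SDDL = (
    "O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
    "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)"
)
EXPECTED_SDDL = (
    "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)


def parse_sddl(sddl):
    """Split an SDDL string into owner, group and the DACL/SACL components.

    Returns {"O": owner, "G": group, "D": (flags, aces), "S": (flags, aces)}
    where each ace is the tuple of its six ';'-separated fields:
    (type, flags, rights, object_guid, inherit_guid, trustee).
    """
    parts = {"O": "", "G": "", "D": ("", []), "S": ("", [])}
    # Component bodies never contain ':', so splitting on X: markers is safe.
    for key, body in re.findall(r"([OGDS]):([^:]*?)(?=[OGDS]:|$)", sddl):
        if key in ("O", "G"):
            parts[key] = body
        else:
            control = body.split("(", 1)[0]  # ACL control flags, e.g. "P" or "AI"
            aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", body)]
            parts[key] = (control, aces)
    return parts


def diff_sddl(actual_sddl, expected_sddl):
    """Report owner/group changes and, per ACL, differing control flags plus
    the ACEs missing from or extra in the actual descriptor (order ignored)."""
    actual, expected = parse_sddl(actual_sddl), parse_sddl(expected_sddl)
    report = {}
    for key in ("O", "G"):
        if actual[key] != expected[key]:
            report[key] = (actual[key], expected[key])
    for key in ("D", "S"):
        a_ctrl, a_aces = actual[key]
        e_ctrl, e_aces = expected[key]
        report[key] = {
            "control": (a_ctrl, e_ctrl) if a_ctrl != e_ctrl else None,
            "missing": sorted(set(e_aces) - set(a_aces)),
            "extra": sorted(set(a_aces) - set(e_aces)),
        }
    return report


def format_ace(ace):
    return "(" + ";".join(ace) + ")"


def _posix_hash(posix_acl_text):
    # Assumption of this model: SHA-256 over the textual POSIX ACL.
    return hashlib.sha256(posix_acl_text.encode()).hexdigest()


def store_nt_acl(sddl, posix_acl_text):
    """Model of what gets written into the security xattr: the NT ACL to hand
    back to clients plus a hash of the POSIX ACL that was set on disk."""
    return {"sddl": sddl, "posix_hash": _posix_hash(posix_acl_text)}


def check_stored_acl(stored, posix_acl_text_now):
    """Model of the read side: the stored NT ACL is only trusted if the POSIX
    ACL currently on disk still hashes to the value saved with it."""
    return stored["posix_hash"] == _posix_hash(posix_acl_text_now)


if __name__ == "__main__":
    report = diff_sddl(ACTUAL_SDDL, EXPECTED_SDDL)
    for key in ("D", "S"):
        print(key, "control:", report[key]["control"])
        for ace in report[key]["missing"]:
            print(key, "missing:", format_ace(ace))
        for ace in report[key]["extra"]:
            print(key, "extra:  ", format_ace(ace))

    # Constructed getfacl-style text standing in for the on-disk POSIX ACL.
    posix_at_set = "user::rwx\ngroup::r-x\nother::---\n"
    stored = store_nt_acl(EXPECTED_SDDL, posix_at_set)
    print("unchanged disk ACL passes:", check_stored_acl(stored, posix_at_set))
    print("modified disk ACL passes: ",
          check_stored_acl(stored, posix_at_set + "mask::rwx\n"))
```

Run it as a script to see the per-ACE breakdown of the error from the thread: the DACL on disk lacks the protected (P) flag, is missing the OICI full-control entries for EA and SY, carries six entries the GPO object does not have, and the SACL with its two inherited object ACEs is absent entirely. The second half shows why a changed POSIX ACL makes the stored NT ACL untrusted even though the xattr itself is intact.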