posix and NT ACL interactions on sysvol

Matthieu Patou mat at matws.net
Fri Jun 22 23:27:16 MDT 2012


On 06/19/2012 07:22 PM, Andrew Bartlett wrote:
> On Mon, 2012-06-18 at 23:46 +0200, denis bonnenfant wrote:
>>> On 16/06/2012 23:02, denis bonnenfant wrote:
>>> Hello,
>>>
>>> Please find the following patches, adding new commands to samba-tool
>>> for OU and GPO. I tested it against a fresh install from git master.
>>> If they look good (these are my first patches in samba !), feel free
>>> to commit them.
>>>
>>> While testing it (fresh git install, new provision), I found
>>> something strange:
>>>
>>>
>>> I tried again with administrator :
>>>
>>> # /usr/local/samba/bin/samba-tool gpo create Bidon3 -U administrator
>>> ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
>>>    File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>> line 160, in _run
>>>      return self.run(*args, **kwargs)
>>>    File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
>>> line 1043, in run
>>>      conn.set_acl(sharepath, fs_sd)
>>>
>>> But in this case, GPO is created :
>>>
>>> GPO          : {7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
>>> display name : Bidon3
>>> path         :
>>> \\diderot.org\sysvol\diderot.org\Policies\{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
>>> dn           :
>>> CN={7E077E42-6F95-456A-ABFF-4AECD2AAFD2C},CN=Policies,CN=System,DC=diderot,DC=org
>>> version      : 0
>>> flags        : NONE
>>>
>>> # getfacl
>>> /usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
>>> getfacl : suppression du premier « / » des noms de chemins absolus
>>> # file:
>>> usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
>>> # owner: root
>>> # group: users
>>> # flags: -s-
>>> user::rwx
>>> user:root:rwx
>>> group::---
>>> group:adm:rwx
>>> group:users:---
>>> group:3000003:r-x
>>> group:3000012:rwx
>>> group:3000016:r-x
>>> group:3000017:rwx
>>> mask::rwx
>>> other::---
>>> default:user::rwx
>>> default:user:root:rwx
>>> default:group::---
>>> default:group:adm:rwx
>>> default:group:users:---
>>> default:group:3000003:r-x
>>> default:group:3000012:rwx
>>> default:group:3000016:r-x
>>> default:group:3000017:rwx
>>> default:mask::rwx
>>> default:other::---
>>>
>>> This GPO can be modified from windows interface without errors.
>>>
>> These acls are inherited from the Policies dir, but unix-side there is
>> no posix acls on this dir ( from windows side they exists). Refreshing
>> it ( for example by adding a new acl to Policies dir) writes the posix
>> acls, and then everything works on windows side ( new GPO can be
>> created) . Creating it with samba-tool works too, but still raises an
>> error when setting acls ( is it necessary, as it seems to be inherited
>> from parent dir ? )
>>> Another issue: the default domain and domain controller GPO folders
>>> don't have the right acls, and can't be modified with windows tools:
>> It's the same issue : posix acls are not created during initial sysvol
>> tree creation (or tree is created before s3fs started ?). Do I need to
>> file a bug for this ?
> The theory was that the ACLs written during provision (which are written
> only as security.NTACL version 1 entries) would trump any posix
> permissions.  Later, when Samba is running we can write posix ACLs to
> match if the permissions are changed.  (The reason we don't write out
> posix ACLs during provision is that we don't have the full software
> stack running, and regardless, we have upgrading sites in a similar
> situation of having just security.NTACL version 1 entries so need to
> support it.)
>
> Can you please file a bug on this, so we can either resolve it to
> (somehow) set the posix ACL as well, or honour the security.NTACL alone?
I'm wondering if we can't write a one-time task that will run at the
startup of samba and that will get the ACL as set by provision (which is
the correct ACLs) and try to set them one more time by using the system
account; this should trigger the writing of the correct posix ACLs. With
Amitay's work on the python binding for doing CIFS requests it should be
pretty easy.

Matthieu.
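The mismatch the thread describes (a directory carrying a provision-time security.NTACL entry while the unix side shows no posix ACL at all) can be spotted before it bites. The following audit script is an added example, not Samba code and not the startup task Matthieu proposes; it assumes the NT ACL lives in the security.NTACL extended attribute named above, that posix ACLs are exposed by the Linux kernel under the system.posix_acl_access / system.posix_acl_default attribute names, and that the share uses a real xattr-backed filesystem rather than Samba's tdb-backed xattr emulation. It only compares attribute names; it decodes neither ACL format.

```python
#!/usr/bin/env python3
"""Audit a sysvol tree for directories with a Samba NT ACL but no POSIX ACL.

Added example, not Samba's own code.  Assumptions (labelled here and in the
lead-in): Samba stores the NT ACL in the security.NTACL xattr, the kernel
exposes POSIX ACLs as system.posix_acl_access / system.posix_acl_default,
and xattrs are readable on the filesystem backing the share.
"""
import os
import sys
from typing import Callable, Dict, Iterable, Iterator, List, Optional

NTACL_XATTR = "security.NTACL"                       # name as used on the page
POSIX_ACL_XATTRS = ("system.posix_acl_access",       # Linux kernel convention
                    "system.posix_acl_default")


def classify(xattrs: Iterable[str]) -> str:
    """Map a directory's xattr names to one of four consistency states.

    'ntacl-only' is the state from the thread: provision wrote the NT ACL,
    but nothing ever materialised a matching posix ACL on disk.
    """
    names = set(xattrs)
    has_nt = NTACL_XATTR in names
    has_posix = any(n in names for n in POSIX_ACL_XATTRS)
    if has_nt and has_posix:
        return "consistent"
    if has_nt:
        return "ntacl-only"
    if has_posix:
        return "posix-only"
    return "none"


def audit(paths: Iterable[str],
          listxattr: Optional[Callable[[str], List[str]]] = None) -> Dict[str, List[str]]:
    """Group paths by classify(); listxattr is injectable for testing.

    Defaults to os.listxattr, which exists only on Linux; a caller on another
    platform must pass its own callable.
    """
    if listxattr is None:
        listxattr = getattr(os, "listxattr")
    report: Dict[str, List[str]] = {
        "consistent": [], "ntacl-only": [], "posix-only": [], "none": [], "error": []}
    for path in paths:
        try:
            names = listxattr(path)
        except OSError as exc:               # unreadable or missing path
            report["error"].append(f"{path}: {exc}")
            continue
        report[classify(names)].append(path)
    return report


def walk_dirs(root: str) -> Iterator[str]:
    """Yield every directory under root, root included, depth first."""
    for dirpath, _dirnames, _files in os.walk(root):
        yield dirpath


def main(argv: List[str]) -> int:
    root = argv[1] if len(argv) > 1 else "/usr/local/samba/var/locks/sysvol"
    report = audit(walk_dirs(root))
    for path in report["ntacl-only"]:
        print(f"NTACL without posix ACL: {path}")
    for line in report["error"]:
        print(f"error: {line}", file=sys.stderr)
    # Non-zero exit lets a cron job or monitoring hook flag the drift.
    return 1 if report["ntacl-only"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root against the sysvol path (the default matches the path shown in the getfacl output above); any directory listed as "NTACL without posix ACL" is one where Windows clients will see the intended security descriptor while local unix access falls back to mode bits, which is exactly the state that made the Policies directory misbehave until its ACL was rewritten through Samba.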
