[PATCH] SYSVOL ACL fixes Re: [PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat
Rowland Penny
repenny at f2s.com
Tue Nov 13 05:35:12 MST 2012
On 13/11/12 06:00, Andrew Bartlett wrote:
> On Tue, 2012-11-13 at 09:26 +1100, Andrew Bartlett wrote:
>> On Mon, 2012-11-12 at 17:19 +1100, Andrew Bartlett wrote:
>>> This patch should fix the issues where an ACL set on sysvol by
>>> samba-tool ntacl sysvolreset cannot be read back, and so sysvolcheck
>>> fails.
>>>
>>> The root cause here appears to be not setting fsp->is_directory
>>> correctly.
>>>
>>> This patch unifies the get and set code by simply using the same
>>> boilerplate, however another approach would be to call
>>> SMB_VFS_GET_NT_ACL() instead, which only needs a file path.
>>>
>>> I'm posting this so as to mark the fact that I've reproduced and fixed
>>> one small part of this SYSVOL issue locally, and am continuing to work
>>> on it.
>>>
>>> I have a second patch here, which I feel makes this code more robust -
>>> it removes the NT4 compatibility layer in the posix ACL code. This will
>>> mean that the ACL written by 'samba-tool ntacl sysvolreset' is read by a
>>> windows client. Currently samba-tool appears as RA_UNKNOWN, and so gets
>>> NT4 compatible ACLs, which can break the hash when a windows client
>>> accesses the server.
>>>
>>> I need to test more to prove this is strictly required, but I do feel it
>>> is a worthwhile change in any case, given how long dead NT4 clients
>>> changing ACLs with the windows GUI are.
>> Jelmer,
>>
>> Attached are the patches I'm currently working on, for review. Please
>> ack the ones you are comfortable with (perhaps just the test patches).
>>
>> At https://bugzilla.samba.org/show_bug.cgi?id=9383#c1 has already
>> indicated he is happy to be rid of the "acl compatibility" code.
> The ACL patches here, on master, appear to be the key changes required
> to have GPOs work. At least, they work for me with a Windows 7 client
> setting and applying GPOs. (The patches already posted are unchanged
> from the previous mail).
>
> If I could please have *everyone* who is having trouble with sysvol ACLs
> and is willing to run master try these patches. You will have to run
> 'samba-tool ntacl sysvolreset' to get the correct ACLs.
>
> They are also in my gpo-acl-fix branch at
> git://git.samba.org/abartlet/samba.git
>
> There are fixes for both the ntvfs and smbd file servers. The tests
> included with them show that we now correctly store the GPO ACLs in both
> cases.
>
> If we confirm this indeed fixes ACLs, then we have finally solved a
> major blocker for the 4.0 release.
>
> Andrew Bartlett
>
Hello Andrew,
Version 4.1.0pre1-GIT-c5f53ed with the six patches applied, compiles ok
on Ubuntu 12.04 and 'samba-tool ntacl sysvolreset' now runs without errors.
Roaming profiles/folder redirection work ok, but when I run the Group
Policy Management Console on a windows 7 pc and click on a Domain
Policy, I still receive the following message:
The permissions for this GPO in the SYSVOL folder are inconsistent
with those in Active Directory. It is recommended that these permissions
be consistent. To change the permissions in SYSVOL to those in Active
Directory, click OK
It also gives a link to a microsoft website:
http://go.microsoft.com/fwlink/?LinkId=20066
When I go to the microsoft website, the cause given is that the access
control list (ACL) on the Sysvol portion of the Group Policy object is
set to inherit permissions from the parent folder.
If I click OK to the message I get on the W7 pc, it doesn't seem to do
anything, getfacl /usr/local/samba/var/locks/sysvol returns the same
ACLs before and after I open the Group Policy.
getfacl: Removing leading '/' from absolute path names
# file: usr/local/samba/var/locks/sysvol/
# owner: root
# group: adm
user::rwx
user:root:rwx
group::rwx
group:adm:rwx
group:3000000:r-x
group:3000001:rwx
group:3000002:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:adm:rwx
default:group:3000000:r-x
default:group:3000001:rwx
default:group:3000002:r-x
default:mask::rwx
default:other::---
Rowland
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the samba-technical
mailing list