[PATCH] SYSVOL ACL fixes Re: [PATCH] Fix 'samba-tool ntacl sysvolcheck' failures and remove NT4 compat

Tadas retrry at gmail.com
Wed Nov 14 01:40:22 MST 2012


Could you make those patches for rc5 or should they apply cleanly? Then I
could test them on my main deployment and not on the testing deployment with
only a few machines.

I really want to see GPOs fixed :)

Tadas Barzdžius



On 14 November 2012 01:52, Ricky Nance <ricky.nance at weaubleau.k12.mo.us> wrote:

> Rowland, make sure you are grabbing his fix-gpo-acl branch, the patches are
> not yet in master, so you will need his repo.
>
> Ricky
>
> On Tue, Nov 13, 2012 at 4:15 PM, Rowland Penny <repenny at f2s.com> wrote:
>
> > On 13/11/12 20:51, Andrew Bartlett wrote:
> >
> >> On Tue, 2012-11-13 at 20:05 +0000, Alex Matthews wrote:
> >>
> >>> On 13/11/2012 06:00, Andrew Bartlett wrote:
> >>>
> >>>> On Tue, 2012-11-13 at 09:26 +1100, Andrew Bartlett wrote:
> >>>>
> >>>>> On Mon, 2012-11-12 at 17:19 +1100, Andrew Bartlett wrote:
> >>>>>
> >>>>>> This patch should fix the issues where an ACL set on sysvol by
> >>>>>> samba-tool ntacl sysvolreset cannot be read back, and so sysvolcheck
> >>>>>> fails.
> >>>>>>
> >>>>>> The root cause here appears to be not setting fsp->is_directory
> >>>>>> correctly.
> >>>>>>
> >>>>>> This patch unifies the get and set code by simply using the same
> >>>>>> boilerplate, however another approach would be to call
> >>>>>> SMB_VFS_GET_NT_ACL() instead, which only needs a file path.
> >>>>>>
> >>>>>> I'm posting this so as to mark the fact that I've reproduced and fixed
> >>>>>> one small part of this SYSVOL issue locally, and am continuing to work
> >>>>>> on it.
> >>>>>>
> >>>>>> I have a second patch here, which I feel makes this code more robust -
> >>>>>> it removes the NT4 compatibility layer in the posix ACL code.  This will
> >>>>>> mean that the ACL written by 'samba-tool ntacl sysvolreset' is read by a
> >>>>>> windows client.  Currently samba-tool appears as RA_UNKNOWN, and so gets
> >>>>>> NT4 compatible ACLs, which can break the hash when a windows client
> >>>>>> accesses the server.
> >>>>>>
> >>>>>> I need to test more to prove this is strictly required, but I do feel it
> >>>>>> is a worthwhile change in any case, given how long dead NT4 clients
> >>>>>> changing ACLs with the windows GUI are.
> >>>>>>
> >>>>> Jelmer,
> >>>>>
> >>>>> Attached are the patches I'm currently working on, for review.  Please
> >>>>> ack the ones you are comfortable with (perhaps just the test patches).
> >>>>>
> >>>>> At https://bugzilla.samba.org/show_bug.cgi?id=9383#c1 has already
> >>>>> indicated he is happy to be rid of the "acl compatibility" code.
> >>>>>
> >>>> The ACL patches here, on master, appear to be the key changes required
> >>>> to have GPOs work.  At least, they work for me with a Windows 7 client
> >>>> setting and applying GPOs.  (The patches already posted are unchanged
> >>>> from the previous mail).
> >>>>
> >>>> If I could please have *everyone* who is having trouble with sysvol ACLs
> >>>> and is willing to run master try these patches.  You will have to run
> >>>> 'samba-tool ntacl sysvolreset' to get the correct ACLs.
> >>>>
> >>>> They are also in my gpo-acl-fix branch at
> >>>> git://git.samba.org/abartlet/samba.git <http://git.samba.org/abartlet/samba.git>
> >>>>
> >>>> There are fixes for both the ntvfs and smbd file servers.  The tests
> >>>> included with them show that we now correctly store the GPO ACLs in both
> >>>> cases.
> >>>>
> >>>> If we confirm this indeed fixes ACLs, then we have finally solved a
> >>>> major blocker for the 4.0 release.
> >>>>
> >>>> Andrew Bartlett
> >>>>
> >>> Hiya,
> >>>
> >>> Just checked out your patch branch and compiled a test platform.
> >>>
> >>> GPMC Still comes up with the same message about inconsistent ACLs.
> >>> Clicking ok does not 'fix' the issue and reselecting the GPO comes up
> >>> with the same message.
> >>> *_However_* after clicking OK sysvolcheck still passes. It does NOT fail
> >>> like it did previously!
> >>>
> >> Does this only happen on an upgraded domain, or also on a fresh domain?
> >>
> >> If this was an upgrade domain, did you run 'samba-tool ntacl
> >> sysvolreset' first?
> >>
> >> Otherwise, I'll have to expand my testing - I've only tried out Windows
> >> 7, so I'll have to try WinXP too and see if I can get this to show up.
> >>
> >> Andrew Bartlett
> >>
> > Hello Andrew,
> > in my case, I upgraded from RC4 to 4.1.0pre1-GIT-c5f53ed.
> > I carried out the upgrade, then ran 'samba-tool ntacl sysvolreset', this
> > ran without error, I then restarted samba4.
> > I then logged in as administrator on a W7 client and ran gpmc and got the
> > error.
> >
> > Before the upgrade, if I ran 'samba-tool ntacl sysvolreset' it errored out
> >
> >
> > Rowland
> >


More information about the samba-technical mailing list