samba-tool ntacl sysvolreset --use-s3fs failure on samba4.0.0rc1

Daniele Dario d.dario76 at gmail.com
Tue Oct 9 06:58:22 MDT 2012


Hi Andrew,

On Tue, 2012-10-09 at 23:02 +1100, Andrew Bartlett wrote:
> On Tue, 2012-10-09 at 14:01 +0200, Daniele Dario wrote:
> > Hi Andrew,
> > 
> > On Tue, 2012-10-09 at 22:35 +1100, Andrew Bartlett wrote:
> > > On Tue, 2012-10-09 at 09:50 +0200, Daniele Dario wrote:
> > > > Hi samba team,
> > > > yesterday I was trying to understand why my DC account created during
> > > > provisioning (for the primary DC) and during join (for secondary DC) do
> > > > not have any permission on the sysvol folder.
> > > 
> > > > 
> > > > Did I break something "posixifying" the AD default groups?
> > > 
> > > You did.
> > > 
> > > Like installations that are upgraded from Samba3 and have GID allocated
> > > for domain admins, there is the issue that because 'domain admins'
> > > actually owns files in the sysvol directory, it needs to also map as a
> > > UID.
> > > 
> > > The IDMAP_BOTH tag in idmap.ldb indicates this.
> > > 
> > > However, there is not (yet) a way to indicate this in the AD directory.
> > > My thoughts are to add an optional extra schema that can be imported,
> > > and that administrators wishing to set a SID -> UID and GID mapping can
> > > add:
> > > 
> > > idmapUidAndGid: TRUE
> > > 
> > > to the user and group objects, and have it regard a uidNumber as also
> > > being a gidNumber and vice versa.
> > > 
> > > This would allow a per-object selection that the administrator has
> > > confirmed that the uid and gid spaces do not conflict in this specific
> > > case.
> > > 
> > > The other approach is to try and ignore the problem, and this attached
> > > patch tries to simply avoid doing the chown, instead changing the file
> > > to be owned by either administrator or root, but then lying about the
> > > ownership later.
> > > 
> > > I need feedback to confirm that this all works properly for GPO
> > > manipulation, so if you can test that it would be most helpful.
> > > 
> > > Andrew Bartlett
> > > 
> > 
> > I'm currently using samba4.0.0rc1 built from the released tarball and
> > patch -p1 < 000... failed with
> > 
> > [root at kdc01:~/samba4/samba-4.0.0rc1]# patch -p1 <
> > 0001-samba-tool-skip-chown-in-sysvolreset-when-it-would-f.patch 
> > patching file source4/scripting/python/samba/ntacls.py
> > patching file source4/scripting/python/samba/provision/__init__.py
> > Hunk #1 FAILED at 1365.
> > Hunk #2 FAILED at 1391.
> > Hunk #3 succeeded at 1398 with fuzz 1 (offset -4 lines).
> > Hunk #4 succeeded at 1415 with fuzz 1 (offset -4 lines).
> > Hunk #5 succeeded at 1449 (offset -6 lines).
> > 2 out of 5 hunks FAILED -- saving rejects to file
> > source4/scripting/python/samba/provision/__init__.py.rej
> > 
> > Please find attached reject file.
> > 
> > May I use the patch to manually patch __init__.py or can you create the
> > patch starting from the file released with the rc1?
> > 
> > Another way could be to download the latest git (master?) and build from
> > scratch, then apply the patch you previously sent?
> 
> The patch is for master.
> 
> Andrew Bartlett
> 

I made a git pull (from master) and applied the patch.
Built fine and installed.

Now samba-tool ntacl sysvolreset --use-s3fs works fine.

Questions:
1. is it correct now to leave the default ad groups posixified?
2. why do I still see that sysvol (and its subfolders and files)
getfacl are group:3000007:r-- when 3000007 is not a valid group?
3. would it be possible to add rwx permissions also for the Domain
Controllers group to allow rsync from the DCs' account to work?

Thanks for your patience,
Daniele.
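A check for the second question above, added here as an example and not code from the thread or from Samba: it parses `getfacl -R` output for a sysvol tree and reports the owner lines and named ACL entries whose numeric uid/gid does not resolve through NSS (pwd/grp), which is exactly the "group:3000007" symptom. The sample getfacl output and the domain name example.lan are constructed.

```python
import grp
import pwd
import re
import sys

# Constructed sample of `getfacl -R` output for a sysvol tree after
# sysvolreset; gid 3000007 has no NSS mapping, as described in the thread.
SAMPLE_GETFACL = """\
# file: sysvol
# owner: root
# group: 3000000
user::rwx
user:3000000:rwx
group::rwx
group:3000007:r--
mask::rwx
other::---

# file: sysvol/example.lan/Policies
# owner: root
# group: 3000000
group::rwx
group:3000007:r--
default:group:3000007:r--
other::---
"""

def nss_resolver(kind, ident):
    """Return True if the numeric uid ('user') or gid ('group') is known to NSS."""
    try:
        (pwd.getpwuid if kind == "user" else grp.getgrgid)(int(ident))
        return True
    except (KeyError, ValueError):
        return False

def find_unmapped_entries(getfacl_text, resolver=nss_resolver):
    """Return (path, line) pairs whose numeric uid/gid does not resolve.
    Named ACL entries, default entries and the '# owner:'/'# group:' header
    lines are checked; entries printed by name are already resolved."""
    unmapped, path = [], None
    for line in getfacl_text.splitlines():
        if line.startswith("# file: "):
            path = line[len("# file: "):]
            continue
        m = (re.match(r"^# (owner|group): (\d+)$", line)
             or re.match(r"^(?:default:)?(user|group):(\d+):", line))
        if m and not resolver("user" if m.group(1) == "owner" else m.group(1), m.group(2)):
            unmapped.append((path, line))
    return unmapped

if __name__ == "__main__":
    # Pipe real output in with: getfacl -R /path/to/sysvol | python3 this.py
    text = SAMPLE_GETFACL if sys.stdin.isatty() else sys.stdin.read()
    for path, line in find_unmapped_entries(text):
        print(f"{path}: {line}")
```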
