On Tue, 2012-10-16 at 13:17 +1100, Andrew Bartlett wrote:
> On Sat, 2012-10-13 at 19:30 +1100, Andrew Bartlett wrote:
> > On Sat, 2012-10-13 at 09:58 +0330, Mohammad Ebrahim Abravi wrote:
> > > Solved
> > > 
> > > Thanks a lot
> > 
> > Thanks.
> > 
> > The root of the issue is this automatically generated entry in your
> > idmap.ldb:
> > 
> > # record 12
> > dn: CN=S-1-5-32-544
> > cn: S-1-5-32-544
> > objectClass: sidMap
> > objectSid: S-1-5-32-544
> > type: ID_TYPE_GID
> > xidNumber: 10
> > distinguishedName: CN=S-1-5-32-544
> > 
> > 
> > What we need to do in your case is to remove that record so that it is
> > regenerated as IDMAP_BOTH.  We also need to stop provision from
> > generating that record in the first place.
> > 
> > The issue is that as a GID, you of course can't own a file.  The ntvfs
> > file server papered over this issue (didn't deal with file ownership at
> > a unix level), but the smbd file server needs to correctly set posix
> > permissions. 
> > 
> > I hope this clarifies things.  If you can please file a bug, I'll try
> > not to forget this.
> 
> The attached patch should prevent this for a new provision.  Are you
> able to test whether this fixes things for you (on a new test domain)?

This updated version uses the primary group of root (or the --root user)
rather than hoping that there will be a group by the same name.

Andrew Bartlett 

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

>From 65b53382e4e8bae4a68fb7c3835b4d5a5f108a76 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abart...@samba.org>
Date: Tue, 16 Oct 2012 13:08:22 +1100
Subject: [PATCH] provision: No longer use the wheel group in new AD Domains

The issue here is that if we set S-1-5-32-544 (administrators) to a GID only, then
users cannot force a mandatory profile to be owned by administrators (which is a requirement).

There is no particularly useful reason for us to enforce this matching a system
group.

Andrew Bartlett
---
 source4/scripting/python/samba/netcmd/domain.py    |  5 +---
 .../scripting/python/samba/provision/__init__.py   | 34 +++++++++-------------
 2 files changed, 15 insertions(+), 24 deletions(-)

diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py
index 6e3f35a..4ba305c 100644
--- a/source4/scripting/python/samba/netcmd/domain.py
+++ b/source4/scripting/python/samba/netcmd/domain.py
@@ -186,8 +186,6 @@ class cmd_domain_provision(Command):
                 help="choose 'root' unix username"),
          Option("--nobody", type="string", metavar="USERNAME",
                 help="choose 'nobody' user"),
-         Option("--wheel", type="string", metavar="GROUPNAME",
-                help="choose 'wheel' privileged group"),
          Option("--users", type="string", metavar="GROUPNAME",
                 help="choose 'users' group"),
          Option("--quiet", help="Be quiet", action="store_true"),
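Review bot: Dropping `--wheel` outright turns every existing invocation that still passes it into an option-parsing error, and the `wheel=None` keyword removed from the `provision()` signature in the provision/__init__.py hunk at -1776 has the same effect on any script calling `provision(..., wheel=...)`. If compatibility with existing automation matters, keep the option for one release as accepted-but-ignored with a deprecation notice, e.g. `Option("--wheel", type="string", metavar="GROUPNAME", help="(deprecated, ignored) formerly chose the 'wheel' privileged group")`, and likewise keep the keyword and warn when it is not None. The other two domain.py hunks only propagate this removal and need no separate change.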
@@ -237,7 +235,6 @@ class cmd_domain_provision(Command):
             ldapadminpass=None,
             root=None,
             nobody=None,
-            wheel=None,
             users=None,
             quiet=None,
             blank=None,
@@ -393,7 +390,7 @@ class cmd_domain_provision(Command):
                   krbtgtpass=krbtgtpass, machinepass=machinepass,
                   dns_backend=dns_backend, dns_forwarder=dns_forwarder,
                   dnspass=dnspass, root=root, nobody=nobody,
-                  wheel=wheel, users=users,
+                  users=users,
                   serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
                   backend_type=ldap_backend_type,
                   ldapadminpass=ldapadminpass, ol_mmr_urls=ol_mmr_urls,
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index d9ba90c..0cec8a9 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -241,12 +241,6 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
         names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
     else:
         names.policyid_dc = None
-    res9 = idmapdb.search(expression="(cn=%s)" %
-                            (security.SID_BUILTIN_ADMINISTRATORS),
-                            attrs=["xidNumber"])
-    if len(res9) != 1:
-        raise ProvisioningError("Unable to find uid/gid for Domain Admins rid")
-    names.wheel_gid = res9[0]["xidNumber"]
     return names
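Review bot: Removing `names.wheel_gid` changes the shape of the object `find_provision_key_parameters` returns, and this hunk cannot show whether anything else in the tree (upgradeprovision, tests) still reads that attribute; a grep for `wheel_gid` before merging would confirm no consumer is left behind. Existing provisions also keep their old `S-1-5-32-544` / `ID_TYPE_GID` record, which this commit does not migrate, so a comment at the `return names` such as `# NOTE: existing idmap.ldb entries for S-1-5-32-544 are not rewritten here; see the provision change that stops generating them` would save the next reader a trip through the mailing list. The function begins before the hunk.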
 
 
@@ -692,7 +686,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir,
 
 
 def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
-                        users_gid, wheel_gid):
+                        users_gid, root_gid):
     """setup reasonable name mappings for sam names to unix names.
 
     :param samdb: SamDB object.
@@ -702,12 +696,14 @@ def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
     :param root_uid: uid of the UNIX root user.
     :param nobody_uid: uid of the UNIX nobody user.
     :param users_gid: gid of the UNIX users group.
-    :param wheel_gid: gid of the UNIX wheel group.
+    :param root_gid: gid of the UNIX root group.
     """
     idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid)
-    idmap.setup_name_mapping("S-1-5-32-544", idmap.TYPE_GID, wheel_gid)
 
-    idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
+    if (root_gid == root_uid):
+        idmap.setup_name_mapping(sid + "-500", idmap.TYPE_BOTH, root_uid)
+    else:
+        idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid)
     idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid)
 
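Review bot: The new branch at `if (root_gid == root_uid):` maps the Administrator SID as `TYPE_BOTH` only when root's primary gid happens to equal its uid, and in the else branch `root_gid` is accepted but never used, so the intent is invisible to a reader; a comment such as `# Map -500 to both uid and gid only when root's uid and primary gid coincide (0:0 on most systems); otherwise the group gets no explicit mapping here` would carry it. The same hunk silently drops the explicit `S-1-5-32-544` mapping, and the reason the cover letter gives (the allocator then creates it as ID_TYPE_BOTH so BUILTIN\Administrators can own files) belongs in the code too, e.g. `# S-1-5-32-544 is deliberately left to the idmap allocator so it is created as ID_TYPE_BOTH`. As a point of style the parentheses in `if (root_gid == root_uid):` are not idiomatic; `if root_gid == root_uid:` reads better. The docstring in the preceding hunk still says `:param samdb: SamDB object.` for a function whose first parameter is `idmap`, which this rename of `wheel_gid` to `root_gid` would have been a good moment to fix.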
 
@@ -1644,7 +1640,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
                            policyguid_dc)
         if not skip_sysvolacl:
             setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
-                         paths.wheel_gid, domainsid, names.dnsdomain,
+                         paths.root_gid, domainsid, names.dnsdomain,
                          names.domaindn, lp, use_ntvfs)
         else:
             logger.info("Setting acl on sysvol skipped")
@@ -1776,7 +1772,7 @@ def provision(logger, session_info, credentials, smbconf=None,
         krbtgtpass=None, domainguid=None, policyguid=None, policyguid_dc=None,
         dns_backend=None, dns_forwarder=None, dnspass=None,
         invocationid=None, machinepass=None, ntdsguid=None,
-        root=None, nobody=None, users=None, wheel=None, backup=None, aci=None,
+        root=None, nobody=None, users=None, backup=None, aci=None,
         serverrole=None, dom_for_fun_level=None, backend_type=None,
         sitename=None, ol_mmr_urls=None, ol_olc=None, slapd_path="/bin/false",
         useeadb=False, am_rodc=False, lp=None, use_ntvfs=False,
@@ -1806,10 +1802,8 @@ def provision(logger, session_info, credentials, smbconf=None,
     root_uid = findnss_uid([root or "root"])
     nobody_uid = findnss_uid([nobody or "nobody"])
     users_gid = findnss_gid([users or "users", 'users', 'other', 'staff'])
-    if wheel is None:
-        wheel_gid = findnss_gid(["wheel", "adm"])
-    else:
-        wheel_gid = findnss_gid([wheel])
+    root_gid = pwd.getpwuid(root_uid).pw_gid
+
     try:
         bind_gid = findnss_gid(["bind", "named"])
     except KeyError:
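Review bot: `root_gid = pwd.getpwuid(root_uid).pw_gid` needs `pwd` in scope and this hunk does not add an import, so if provision/__init__.py does not already import it the line fails with NameError at provision time; worth confirming against the module header, which is outside the hunk (as is the start of `provision()`). The lookup is also keyed on the numeric uid from `findnss_uid`, so where several passwd entries share that uid the primary group comes from whichever entry `getpwuid` returns, not necessarily the `--root` account named on the command line; `pwd.getpwnam(root or "root").pw_gid` would follow the named account instead. Either way a one-line comment such as `# The Administrator mapping now follows the primary group of the unix root account, replacing the former wheel/adm lookup` would explain why the old branch went away.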
@@ -1872,7 +1866,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 
     paths.bind_gid = bind_gid
     paths.root_uid = root_uid;
-    paths.wheel_gid = wheel_gid
+    paths.root_gid = root_gid
 
     if hostip is None:
         logger.info("Looking up IPv4 addresses")
@@ -1923,7 +1917,7 @@ def provision(logger, session_info, credentials, smbconf=None,
         file = tempfile.NamedTemporaryFile(dir=os.path.abspath(paths.sysvol))
         try:
             try:
-                smbd.set_simple_acl(file.name, 0755, wheel_gid)
+                smbd.set_simple_acl(file.name, 0755, root_gid)
             except Exception:
                 if not smbd.have_posix_acls():
                     # This clue is only strictly correct for RPM and
@@ -1933,7 +1927,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 
                 raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.")
             try:
-                smbd.chown(file.name, root_uid, wheel_gid)
+                smbd.chown(file.name, root_uid, root_gid)
             except Exception:
                 raise ProvisioningError("Unable to chown a file on your filesystem.  You may not be running provision as root.")
         finally:
@@ -1997,7 +1991,7 @@ def provision(logger, session_info, credentials, smbconf=None,
 
         setup_name_mappings(idmap, sid=str(domainsid),
                             root_uid=root_uid, nobody_uid=nobody_uid,
-                            users_gid=users_gid, wheel_gid=wheel_gid)
+                            users_gid=users_gid, root_gid=root_gid)
 
         logger.info("Setting up SAM db")
         samdb = setup_samdb(paths.samdb, session_info,
-- 
1.7.11.7
