On Tue, 2012-10-16 at 13:17 +1100, Andrew Bartlett wrote: > On Sat, 2012-10-13 at 19:30 +1100, Andrew Bartlett wrote: > > On Sat, 2012-10-13 at 09:58 +0330, Mohammad Ebrahim Abravi wrote: > > > Solved > > > > > > Thanks a lot > > > > Thanks. > > > > The root of the issue is this automatically generated entry in your > > idmap.ldb: > > > > # record 12 > > dn: CN=S-1-5-32-544 > > cn: S-1-5-32-544 > > objectClass: sidMap > > objectSid: S-1-5-32-544 > > type: ID_TYPE_GID > > xidNumber: 10 > > distinguishedName: CN=S-1-5-32-544 > > > > > > What we need to do in your case is to remove that record, so it becomes > > regenerated as an IDMAP_BOTH. We also need to remove the generation of > > that record from provision. > > > > The issue is that as a GID, you of course can't own a file. The ntvfs > > file server papered over this issue (didn't deal with file ownership at > > a unix level), but the smbd file server needs to correctly set posix > > permissions. > > > > I hope this clarifies things. If you can please file a bug, I'll try > > not to forget this. > > The attached patch should prevent this for a new provision. Are you > able to test if this fixes things for you (on a new test domain?)
This updated version uses the primary group of root (or the --root user) rather than hoping that there will be a group by the same name. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
>From 65b53382e4e8bae4a68fb7c3835b4d5a5f108a76 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett <abart...@samba.org> Date: Tue, 16 Oct 2012 13:08:22 +1100 Subject: [PATCH] provision: No longer use the wheel group in new AD Domains The issue here is that if we set S-1-5-32-544 (administrators) to a GID only, then users cannot force a mandetory profile to be owned by administrators (which is a requirement). There is no particularly useful reason for us to enforce this matching a system group. Andrew Bartlett --- source4/scripting/python/samba/netcmd/domain.py | 5 +--- .../scripting/python/samba/provision/__init__.py | 34 +++++++++------------- 2 files changed, 15 insertions(+), 24 deletions(-) diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py index 6e3f35a..4ba305c 100644 --- a/source4/scripting/python/samba/netcmd/domain.py +++ b/source4/scripting/python/samba/netcmd/domain.py @@ -186,8 +186,6 @@ class cmd_domain_provision(Command): help="choose 'root' unix username"), Option("--nobody", type="string", metavar="USERNAME", help="choose 'nobody' user"), - Option("--wheel", type="string", metavar="GROUPNAME", - help="choose 'wheel' privileged group"), Option("--users", type="string", metavar="GROUPNAME", help="choose 'users' group"), Option("--quiet", help="Be quiet", action="store_true"), @@ -237,7 +235,6 @@ class cmd_domain_provision(Command): ldapadminpass=None, root=None, nobody=None, - wheel=None, users=None, quiet=None, blank=None, @@ -393,7 +390,7 @@ class cmd_domain_provision(Command): krbtgtpass=krbtgtpass, machinepass=machinepass, dns_backend=dns_backend, dns_forwarder=dns_forwarder, dnspass=dnspass, root=root, nobody=nobody, - wheel=wheel, users=users, + users=users, serverrole=server_role, dom_for_fun_level=dom_for_fun_level, backend_type=ldap_backend_type, ldapadminpass=ldapadminpass, ol_mmr_urls=ol_mmr_urls, 
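Review bot: Dropping the `--wheel` option outright in the first hunk turns any existing provisioning script that still passes `--wheel GROUPNAME` into an unknown-option failure, and the second and third hunks remove the keyword the same way. If compatibility matters for a release, the option can stay as accepted-but-ignored, e.g. `Option("--wheel", type="string", metavar="GROUPNAME", help="ignored; the wheel group is no longer used")`, with a warning logged when it is given and nothing forwarded to provision(). The cmd_domain_provision class these hunks cut through starts and ends outside the hunks.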
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py index d9ba90c..0cec8a9 100644 --- a/source4/scripting/python/samba/provision/__init__.py +++ b/source4/scripting/python/samba/provision/__init__.py @@ -241,12 +241,6 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf, names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","") else: names.policyid_dc = None - res9 = idmapdb.search(expression="(cn=%s)" % - (security.SID_BUILTIN_ADMINISTRATORS), - attrs=["xidNumber"]) - if len(res9) != 1: - raise ProvisioningError("Unable to find uid/gid for Domain Admins rid") - names.wheel_gid = res9[0]["xidNumber"] return names @@ -692,7 +686,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir, def setup_name_mappings(idmap, sid, root_uid, nobody_uid, - users_gid, wheel_gid): + users_gid, root_gid): """setup reasonable name mappings for sam names to unix names. :param samdb: SamDB object. @@ -702,12 +696,14 @@ def setup_name_mappings(idmap, sid, root_uid, nobody_uid, :param root_uid: uid of the UNIX root user. :param nobody_uid: uid of the UNIX nobody user. :param users_gid: gid of the UNIX users group. - :param wheel_gid: gid of the UNIX wheel group. + :param root_gid: gid of the UNIX root group. """ idmap.setup_name_mapping("S-1-5-7", idmap.TYPE_UID, nobody_uid) - idmap.setup_name_mapping("S-1-5-32-544", idmap.TYPE_GID, wheel_gid) - idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid) + if (root_gid == root_uid): + idmap.setup_name_mapping(sid + "-500", idmap.TYPE_BOTH, root_uid) + else: + idmap.setup_name_mapping(sid + "-500", idmap.TYPE_UID, root_uid) idmap.setup_name_mapping(sid + "-513", idmap.TYPE_GID, users_gid) 
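Review bot: `if (root_gid == root_uid):` in setup_name_mappings compares a uid with a gid, two unrelated id namespaces, so TYPE_BOTH is granted on numeric coincidence — the usual 0/0 for root, but a `--root` account under a user-private-group scheme may also match by accident. The intent deserves a comment and the redundant parentheses can go: `# Map the Administrator SID as TYPE_BOTH only when root's uid and primary gid share a number` followed by `if root_gid == root_uid:`. The new docstring line `:param root_gid: gid of the UNIX root group.` is also slightly off, since the provision hunk passes the root user's primary gid (`pw_gid`), which need not be a group named root; `:param root_gid: primary gid of the UNIX root (or --root) user.` reads more accurately. The explicit `S-1-5-32-544` mapping is removed here without a replacement, so the Administrators SID now depends on whatever the idmap allocates later; a one-line comment stating that this is intentional would save the next reader a search.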
@@ -1644,7 +1640,7 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths, policyguid_dc) if not skip_sysvolacl: setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid, - paths.wheel_gid, domainsid, names.dnsdomain, + paths.root_gid, domainsid, names.dnsdomain, names.domaindn, lp, use_ntvfs) else: logger.info("Setting acl on sysvol skipped") @@ -1776,7 +1772,7 @@ def provision(logger, session_info, credentials, smbconf=None, krbtgtpass=None, domainguid=None, policyguid=None, policyguid_dc=None, dns_backend=None, dns_forwarder=None, dnspass=None, invocationid=None, machinepass=None, ntdsguid=None, - root=None, nobody=None, users=None, wheel=None, backup=None, aci=None, + root=None, nobody=None, users=None, backup=None, aci=None, serverrole=None, dom_for_fun_level=None, backend_type=None, sitename=None, ol_mmr_urls=None, ol_olc=None, slapd_path="/bin/false", useeadb=False, am_rodc=False, lp=None, use_ntvfs=False, @@ -1806,10 +1802,8 @@ def provision(logger, session_info, credentials, smbconf=None, root_uid = findnss_uid([root or "root"]) nobody_uid = findnss_uid([nobody or "nobody"]) users_gid = findnss_gid([users or "users", 'users', 'other', 'staff']) - if wheel is None: - wheel_gid = findnss_gid(["wheel", "adm"]) - else: - wheel_gid = findnss_gid([wheel]) + root_gid = pwd.getpwuid(root_uid).pw_gid + try: bind_gid = findnss_gid(["bind", "named"]) except KeyError: @@ -1872,7 +1866,7 @@ def provision(logger, session_info, credentials, smbconf=None, paths.bind_gid = bind_gid paths.root_uid = root_uid; - paths.wheel_gid = wheel_gid + paths.root_gid = root_gid if hostip is None: logger.info("Looking up IPv4 addresses") 
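Review bot: `root_gid = pwd.getpwuid(root_uid).pw_gid` in the fourth hunk requires `pwd` to be imported in provision/__init__.py; the import block is outside this hunk, so confirm it is there. The lookup also goes by uid after findnss_uid resolved the account by name, so on a system where several passwd entries share uid 0 (a `toor`-style alias) the primary gid returned may belong to a different entry than the one named with `--root`; resolving by the same name, `root_gid = pwd.getpwnam(root or "root").pw_gid`, avoids that, though it depends on how findnss_uid resolves names, which is not visible here. The provision() body continues outside the hunk.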
@@ -1923,7 +1917,7 @@ def provision(logger, session_info, credentials, smbconf=None, file = tempfile.NamedTemporaryFile(dir=os.path.abspath(paths.sysvol)) try: try: - smbd.set_simple_acl(file.name, 0755, wheel_gid) + smbd.set_simple_acl(file.name, 0755, root_gid) except Exception: if not smbd.have_posix_acls(): # This clue is only strictly correct for RPM and @@ -1933,7 +1927,7 @@ def provision(logger, session_info, credentials, smbconf=None, raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.") try: - smbd.chown(file.name, root_uid, wheel_gid) + smbd.chown(file.name, root_uid, root_gid) except Exception: raise ProvisioningError("Unable to chown a file on your filesystem. You may not be running provision as root.") finally: @@ -1997,7 +1991,7 @@ def provision(logger, session_info, credentials, smbconf=None, setup_name_mappings(idmap, sid=str(domainsid), root_uid=root_uid, nobody_uid=nobody_uid, - users_gid=users_gid, wheel_gid=wheel_gid) + users_gid=users_gid, root_gid=root_gid) logger.info("Setting up SAM db") samdb = setup_samdb(paths.samdb, session_info, -- 1.7.11.7