On 26/10/2012 00:34, Alex Matthews wrote:
On 25/10/2012 23:27, Andrew Bartlett wrote:
On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote:
On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
On 25/10/2012 11:30, Andrew Bartlett wrote:
On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:

samba-tool ntacl sysvolcheck shows:

sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: VFS ACL on GPO directory
/usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
does not match expected value
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
from GPO object
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 245, in run
    lp)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1574, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1526, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1476, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
Drat.

So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed
the issue we have had for a while.  I had (incorrectly in your case)
assumed the issue was that IDMAP mappings imported from classic domains were breaking it. That's why I worked on my patches, which improve the
situation by handling some details at a lower level.

On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' and then, if you don't mind, getting me the level 10 debug log would be very helpful. Set 'log level = 10' in your smb.conf, then re-run and send me
(personally) the result compressed with xz.

Andrew Bartlett

Just to be clear, those last two logs were taken from a samba compiled
with your fix-acls2 branch.
It is also a completely blank provisioned domain I have not migrated
anything.

What do you want the logs of? Starting samba + logging in from XP +
starting gpmc.msc + altering permissions manually?

Yeah, I was incredibly unclear:  I need level 10 logs of just the
'samba-tool ntacl sysvolcheck' command, as that shows the issue
in a very nice, self-contained way.
So, the issue is that this host doesn't return the ACL consistently.
What I mean is this:

When we store the NT ACL for the {12344...} folder, we store an xattr
with:
  - the NT ACL we need to return to clients
  - the hash of the posix ACL we set on disk (as read back from the OS)

When we do the sysvolcheck we fetch the xattr, read the hash and get the
posix ACL off disk again.  On your host, these don't match!

Can you give me details about what your host is?

Just to be really sure we are doing this right, because I can't
reproduce this here, can you run:

bin/samba-tool domain provision --targetdir=/tmp/provision-root2
--realm=realm.com --domain=dom

Do this on master and on my fix-acls2 branch, with separate targetdir
for each, with this patch on top in both cases?

If that passes, can you give me the provision command you normally use,
and tell me if that fails?

If your normal command passes, then can you work out if there is a time
period involved before sysvolcheck fails? (that is, after X seconds it
fails).  For this last thing, I'm clutching at caching straws, but this
is a real issue that we must get to the bottom of - beyond the AD DC,
the ACL facility we use here is critical to file server users in Samba
too.

Thanks,

Andrew Bartlett
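To see exactly what differs between the two descriptors in the sysvolcheck error quoted earlier in this thread, here is an added example (not Samba's own code): a minimal SDDL splitter, assumed sufficient for the descriptors quoted here rather than a full SDDL parser, with a diff of owner, group, control flags and ACEs.

```python
import re
# Minimal SDDL splitter for O:owner G:group D:dacl S:sacl; an assumption that it
# covers the descriptors quoted in this thread, not every SDDL feature. D: and
# S: carry optional control flags (P, AI, ...) followed by ACEs in parentheses.
COMPONENT_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")
ACE_RE = re.compile(r"\(([^)]*)\)")
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "sid")

# The two descriptors from the sysvolcheck error earlier in this thread.
ACTUAL_SDDL = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
               "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
               "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
               "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED_SDDL = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
                 "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
                 "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-"
                 "0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

def parse_acl(text):
    """Return (control_flags, [ace dict, ...]) for a D: or S: component."""
    aces = [dict(zip(ACE_FIELDS, (m.group(1).split(";") + [""] * 6)[:6]))
            for m in ACE_RE.finditer(text)]
    return text.split("(", 1)[0], aces

def parse_sddl(sddl):
    parsed = {"owner": None, "group": None, "dacl": ("", []), "sacl": ("", [])}
    for key, body in COMPONENT_RE.findall(sddl):
        if key in ("O", "G"):
            parsed["owner" if key == "O" else "group"] = body
        else:
            parsed["dacl" if key == "D" else "sacl"] = parse_acl(body)
    return parsed

def diff_sddl(actual, expected):
    """List differences, ignoring ACE order (a repeated ACE is not itself reported)."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    report = []
    for name in ("owner", "group"):
        if a[name] != e[name]:
            report.append("%s: got %s, expected %s" % (name, a[name], e[name]))
    for name in ("dacl", "sacl"):
        (a_flags, a_aces), (e_flags, e_aces) = a[name], e[name]
        if a_flags != e_flags:
            report.append("%s flags: got %r, expected %r" % (name, a_flags, e_flags))
        a_set = {";".join(x[f] for f in ACE_FIELDS) for x in a_aces}
        e_set = {";".join(x[f] for f in ACE_FIELDS) for x in e_aces}
        report += ["%s missing ACE (%s)" % (name, x) for x in sorted(e_set - a_set)]
        report += ["%s unexpected ACE (%s)" % (name, x) for x in sorted(a_set - e_set)]
    return report
```

Running `diff_sddl(ACTUAL_SDDL, EXPECTED_SDDL)` shows the on-disk DACL lacks the P (protected) flag and the whole SACL, is missing the full-control ACEs for EA and SY, and carries read-only and inherit-only ACEs the GPO object does not have.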

I have the following directory tree:

/root/samba_test/samba-master
/root/samba_test/samba-aclfix
/root/samba_test/build-master
/root/samba_test/build-aclfix

I ran:
build-master/bin/samba-tool domain provision --targetdir=/root/samba_test/provision_master --realm=realm.com --domain=dom
build-aclfix/bin/samba-tool domain provision --targetdir=/root/samba_test/provision_aclfix --realm=realm.com --domain=dom

however when I run:
build-{master|aclfix}/bin/samba-tool ntacl sysvolcheck
I get the following error:

ERROR(runtime): uncaught exception - samdb_domain_sid failed
File "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
File "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 240, in run
    domain_sid = security.dom_sid(samdb.domain_sid)
File "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/samdb.py", line 549, in get_domain_sid
    return dsdb._samdb_get_domain_sid(self)

I assume this is due to the targetdir supplied in the provision step?

Thanks,

Alex

Instead of using targetdir I just ran the provision as is, and on both trees sysvolcheck passes every time.
I have run sysvolreset as well and sysvolcheck passes still.
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba