Re: [Samba] SYSVOL ACLs and GPOs
On 25/10/2012 02:31, Andrew Bartlett wrote:
> On Wed, 2012-10-24 at 18:36 +0100, Alex Matthews wrote:
>> On 24/10/2012 17:25, Alex Matthews wrote:
>>> On 24/10/2012 12:09, Andrew Bartlett wrote:
>>>> On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
>>>>> Hi,
>>>>>
>>>>> I have installed a virtual testing network consisting of one samba4 PDC (latest git master) and one Windows XP Pro SP3 (fully updated) machine. I have successfully provisioned an AD Domain and joined the XP machine to it.
>>>>>
>>>>> When I run the gpmc on the XP Pro machine and select:
>>>>> Forest: domain name - Domains - domain name - Group Policy Objects - Default Domain [Controller | Policy]
>>>>> I get the following error:
>>>>>
>>>>> The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.
>>>>>
>>>>> Hitting ok I get no error but as soon as I reselect THE SAME entry I get the same error, it doesn't seem to be able to fix the ACL.
>>>>>
>>>>> I have found one post about this on the list (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was fixed a long time ago. Seeing as I'm using the latest version I would assume this is a different issue.
>>>>>
>>>>> If I try to change any of the ACLs on either of the folders in \\pdc\sysvol\domain name\Policies\ by hand I get no errors however the change doesn't stick.
>>>>>
>>>>> Looking at the samba log files:
>>>>> I get this when I start gpmc and click ok: http://pastebin.com/7rBKyU1B
>>>>> I get this when I start gpmc and don't click ok: http://pastebin.com/B3DMSE1T
>>>>> I get this when I alter the ACLs manually (after line 479 is when I actually alter the ACLs): http://pastebin.com/2mEvWX6K
>>>>>
>>>>> My smb.conf is stock. No alterations.
>>>>> The server OS is Ubuntu 12.04.
>>>>> The filesystem is ext4 mounted with the following options: errors=remount-ro,acl,user_xattr,barrier=1.
>>>>> I have all acl packages installed that I have seen referenced by samba or in posts of a similar nature.
>>>>
>>>> If you are in the mood for some testing, can you try my acl-fixes2 branch?
>>>>
>>>> git remote add abartlet git://git.samba.org/abartlet/samba.git
>>>> git fetch abartlet
>>>> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
>>>>
>>>> I'm trying to get these changes into master, but I'm not quite finished. You should only put these on a test server, as I may change data formats etc.
>>>>
>>>> I would be very curious to know if this fixes the issue. Otherwise or in addition, if you can show me the contents of your idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as what is going wrong here, and fix it.
>>>>
>>>> Thanks,
>>>> Andrew Bartlett
>>>
>>> I assume
>>> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
>>> should be:
>>> git checkout abartlet/fix-acls2 -b abartlet-fix-acls2
>>>
>>> I'm rebuilding now, will keep you posted!
>>>
>>> Thanks,
>>> Alex
>>
>> I have tried your branch. Rebuilt and the XP machine still throws the same issue. Do I need to reprovision?
>
> You need to at least run 'samba-tool ntacl sysvolreset' to get the new ACLs on disk.
>
> Andrew Bartlett

Hiya,

No luck I'm afraid, still the same issue!

Thanks,
Alex

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] SYSVOL ACLs and GPOs
On Thu, 2012-10-25 at 10:01 +0100, Alex Matthews wrote:
> Hiya,
>
> No luck I'm afraid, still the same issue!

Drat. OK, we will need to dig in further.

Can you show me your idmap.ldb? What does 'samba-tool ntacl sysvolcheck' show?

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Re: [Samba] SYSVOL ACLs and GPOs
On 25/10/2012 10:20, Andrew Bartlett wrote:
> Drat. OK, we will need to dig in further.
>
> Can you show me your idmap.ldb? What does 'samba-tool ntacl sysvolcheck' show?
>
> Andrew Bartlett

samba-tool ntacl sysvolcheck shows:

sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
[sudo] password for qoole:
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file /usr/local/samba/etc/smb.conf
Processing section [global]
Processing section [netlogon]
Processing section [sysvol]
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Module 'acl_xattr' loaded
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) does
Re: [Samba] Compiling samba4 hangs at [1815/3978] Compiling librpc/ndr/ndr_basic.c
Strange, as I used centos 6.3 32 bit but do not have this problem. I did several times recompile and it was ok. Have you done make clean before recompiling maybe?

From: Andrew Bartlett abart...@samba.org
To: Mario Codeniera mario.codeni...@gmail.com
Cc: samba@lists.samba.org
Sent: Thursday 25 October 2012 5:40
Subject: Re: [Samba] Compiling samba4 hangs at [1815/3978] Compiling librpc/ndr/ndr_basic.c

On Thu, 2012-10-25 at 14:31 +1300, Mario Codeniera wrote:
> Hi,
>
> It was the same thing that I encountered it will stop on that librpc/ndr/ndr_basic.c in which I posted before. But using a 64bit CentOS 6.3, no problems encountered as I tried it as I curious with the problems, but in 32 bit it will hang up in which the server currently running and can't upgrade to 64bit as of the moment.
>
> Another observation when RC3 was released, it compiled smoothly without any problems encountered. After which you can't recompile it, unless if you reinstall the CentOS (which I did, just to test it). That's why I didn't delete my compiled samba4.
>
> My assumptions there is an incompatibility issues (not sure with it), but why it works when RC3 was released? I also bit confused of this unusual problem.

Without wiping the OS, does the problem happen if you build in a new tree? Does removing the ccache package help?

Andrew Bartlett
Re: [Samba] Compiling samba4 hangs at [1815/3978] Compiling librpc/ndr/ndr_basic.c
On Thu, 2012-10-25 at 10:40 +0100, Innocent Yevide wrote:
> Strange, as I used centos 6.3 32 bit but do not have this problem. I did several times recompile and it was ok. Have you done make clean before recompiling maybe?

I would urge anyone who can reproduce this *not* to just blow things away with a make clean. Somewhere here is either something very odd in a file being written out by Samba, or a gcc bug, or (perhaps) a ccache bug (if that's in use).

We still want to pin down exactly what is going wrong where, if at all possible, so we can report it to the right upstream, or correct our code.

Andrew Bartlett
Re: [Samba] Compiling samba4 hangs at [1815/3978] Compiling librpc/ndr/ndr_basic.c
Hi,

Sorry I have been so quiet but has been difficult for me to get some time to look into it.

Basically this is what has happened for me so far (I am running virtual machines on KVM for this):

I setup centos 6.3 x86_64 with all latest updates. I ran the yum install which is recommended in the OS Requirements documentation. Grabbed a copy of the samba-master and compiled and made it successfully. I provisioned a domain and everything seemed fine, until I could not add a windows 7 machine to the domain. It kept coming back with an error message on the windows machine whenever I tried to add it to the domain. I tried to debug this and I think it came down to the internal dns server not being able to update itself as there was no dns.keytab file or something like that. Anyway I decided that I would make uninstall and make clean and start again with a fresh compilation, so I started back at the ./configure.developer stage and never got past hanging at compiling ndr_basic.c.

In the end I thought I would scratch that setup and try on a fresh rebuild. So I started again, installed Centos 6.3 x86_64, installed all updates, ran the yum from the OS requirements and grabbed samba-master. This time it hung straight away at compiling ndr_basic.c. So I tried a packaged version which I think was RC4, same result.

To answer a few things that have so far been asked, yes kernel-devel is installed and it doesn't make a difference. I have tried the gcc command from the bin folder, no change. A make clean doesn't make any difference it just starts from the beginning again.

I will try and debug more (trying the strace) but I don't know how quickly I can do it.

Thanks
Ned

On 25 October 2012 11:01, Andrew Bartlett abart...@samba.org wrote:
> On Thu, 2012-10-25 at 10:40 +0100, Innocent Yevide wrote:
>> Strange, as I used centos 6.3 32 bit but do not have this problem. I did several times recompile and it was ok. Have you done make clean before recompiling maybe?
>
> I would urge anyone who can reproduce this *not* to just blow things away with a make clean. Somewhere here is either something very odd in a file being written out by Samba, or a gcc bug, or (perhaps) a ccache bug (if that's in use).
>
> We still want to pin down exactly what is going wrong where, if at all possible, so we can report it to the right upstream, or correct our code.
>
> Andrew Bartlett

Edward Ashley
Developer
e. n...@redmonkeysoftware.com
u. www.redmonkeysoftware.com
t. 0845 867 3849
f. 0845 867 4127
Red Monkey Software | Superior Software Solutions
Red Monkey Software Ltd, 24 The Layne, Elmer Sands, Bognor Regis, West Sussex. PO22 6JL
Registered in England and Wales no 5923420
Registered Office: 20 Springfield Road, Crawley, West Sussex, RH11 8AD
Re: [Samba] SYSVOL ACLs and GPOs
On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
> samba-tool ntacl sysvolcheck shows:
>
> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
> ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object
>   File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
>     return self.run(*args, **kwargs)
>   File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py, line 245, in run
>     lp)
>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1574, in checksysvolacl
>     direct_db_access)
>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1526, in check_gpos_acl
>     domainsid, direct_db_access)
>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1476, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Drat. So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed the issue we have had for a while. I had (incorrectly in your case) assumed the issue was that IDMAP mappings imported from classic domains were breaking it. That's why I worked on my patches, which improve the situation by handling some details at a lower level.

On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' then, if you don't mind, getting me the level 10 debug log would be very helpful. Set 'log level = 10' in your smb.conf, then re-run and send me (personally) the result compressed with xz.

Andrew Bartlett
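Added example (not part of the thread and not Samba code): the two SDDL strings in the sysvolcheck error above are hard to compare by eye, so this Python example parses both and reports which control flags and ACEs differ. The parser and its function names are assumptions made for this illustration, and it handles only the plain six-field ACE form that appears in this output.

```python
import re
from collections import Counter
from typing import NamedTuple

# Both strings are copied from the sysvolcheck error quoted in this thread.
ON_DISK = (
    "O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
    "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)"
)
EXPECTED = (
    "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

# A SID is either a two-letter alias (DA, SY, ...) or an S-1-... string.
_SID = r"(?:[A-Z]{2}|S-[0-9-]+)"
_SD_RE = re.compile(
    r"^(?:O:(?P<owner>" + _SID + r"))?(?:G:(?P<group>" + _SID + r"))?"
    r"(?:D:(?P<dacl_flags>[A-Z]*)(?P<dacl>(?:\([^)]*\))*))?"
    r"(?:S:(?P<sacl_flags>[A-Z]*)(?P<sacl>(?:\([^)]*\))*))?$"
)
_ACE_RE = re.compile(r"\(([^)]*)\)")
_ACL_FLAG_RE = re.compile(r"AR|AI|P")          # ACL control flags
_ACE_FLAG_ORDER = ["OI", "CI", "NP", "IO", "ID", "SA", "FA"]


class Ace(NamedTuple):
    kind: str
    flags: tuple        # two-letter tokens in a fixed order, so OICI == CIOI
    rights: str
    object_guid: str
    inherit_guid: str
    trustee: str

    def sddl(self):
        return "(%s)" % ";".join([self.kind, "".join(self.flags), self.rights,
                                  self.object_guid, self.inherit_guid,
                                  self.trustee])


def _flag_key(token):
    known = token in _ACE_FLAG_ORDER
    return (_ACE_FLAG_ORDER.index(token) if known else len(_ACE_FLAG_ORDER), token)


def parse_ace(body):
    """Parse the text between one pair of parentheses into a normalised Ace."""
    fields = body.split(";")
    if len(fields) != 6 or len(fields[1]) % 2:
        raise ValueError("unsupported ACE: (%s)" % body)
    kind, flags, rights, obj, inh, trustee = fields
    tokens = {flags[i:i + 2] for i in range(0, len(flags), 2)}
    if rights.lower().startswith("0x"):
        rights = "0x%08x" % int(rights, 16)   # same mask, one spelling
    # Symbolic rights such as WO or WP are compared as text, not expanded.
    return Ace(kind, tuple(sorted(tokens, key=_flag_key)), rights,
               obj.lower(), inh.lower(), trustee)


def parse_sddl(text):
    m = _SD_RE.match(text.strip())
    if m is None:
        raise ValueError("not a recognised SDDL string")
    sd = {"owner": m.group("owner"), "group": m.group("group")}
    for acl in ("dacl", "sacl"):
        sd[acl + "_flags"] = tuple(_ACL_FLAG_RE.findall(m.group(acl + "_flags") or ""))
        sd[acl] = [parse_ace(b) for b in _ACE_RE.findall(m.group(acl) or "")]
    return sd


def diff_sddl(on_disk, expected):
    """Return only the parts that differ; ACEs are compared as multisets."""
    have, want = parse_sddl(on_disk), parse_sddl(expected)
    report = {}
    for field in ("owner", "group", "dacl_flags", "sacl_flags"):
        if have[field] != want[field]:
            report[field] = (have[field], want[field])
    for acl in ("dacl", "sacl"):
        a, b = Counter(have[acl]), Counter(want[acl])
        extra = sorted((a - b).elements())
        missing = sorted((b - a).elements())
        if extra:
            report[acl + "_only_on_disk"] = [ace.sddl() for ace in extra]
        if missing:
            report[acl + "_only_expected"] = [ace.sddl() for ace in missing]
    return report


if __name__ == "__main__":
    for key, value in diff_sddl(ON_DISK, EXPECTED).items():
        print(key, value)
```

On these two strings the report shows that the on-disk DACL lacks the P (protected) flag, that the SACL with its two audit ACEs is absent, and that EA and SY hold full control only through inherit-only ACEs while having 0x001200a9 (read and execute) on the directory itself.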
Re: [Samba] Compiling samba4 hangs at [1815/3978] Compiling librpc/ndr/ndr_basic.c
On Thu, 2012-10-25 at 11:24 +0100, Edward Ashley wrote:
> Hi,
>
> Sorry I have been so quiet but has been difficult for me to get some time to look into it.
>
> Basically this is what has happened for me so far (I am running virtual machines on KVM for this):
>
> I setup centos 6.3 x86_64 with all latest updates. I ran the yum install which is recommended in the OS Requirements documentation. Grabbed a copy of the samba-master and compiled and made it successfully. I provisioned a domain and everything seemed fine, until I could not add a windows 7 machine to the domain. It kept coming back with an error message on the windows machine whenever I tried to add it to the domain. I tried to debug this and I think it came down to the internal dns server not being able to update itself as there was no dns.keytab file or something like that. Anyway I decided that I would make uninstall and make clean and start again with a fresh compilation, so I started back at the ./configure.developer stage and never got past hanging at compiling ndr_basic.c.
>
> In the end I thought I would scratch that setup and try on a fresh rebuild. So I started again, installed Centos 6.3 x86_64, installed all updates, ran the yum from the OS requirements and grabbed samba-master. This time it hung straight away at compiling ndr_basic.c. So I tried a packaged version which I think was RC4, same result.
>
> To answer a few things that have so far been asked, yes kernel-devel is installed and it doesn't make a difference. I have tried the gcc command from the bin folder, no change. A make clean doesn't make any difference it just starts from the beginning again.

Is ccache installed? Does a 'ccache -C' help?

Certainly let's work from the gcc command run from the bin folder, as that avoids all the waf lines.

An interesting idea would be to see if a copy of this exact tree, run on a different (currently successful) host succeeds or fails.

> I will try and debug more (trying the strace) but I don't know how quickly I can do it.
>
> Thanks
> Ned

Please do the strace of the gcc command.

Thanks,
Andrew Bartlett
Re: [Samba] SYSVOL ACLs and GPOs
On 25/10/2012 11:30, Andrew Bartlett wrote:
> Drat. So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed the issue we have had for a while. I had (incorrectly in your case) assumed the issue was that IDMAP mappings imported from classic domains were breaking it. That's why I worked on my patches, which improve the situation by handling some details at a lower level.
>
> On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' then, if you don't mind, getting me the level 10 debug log would be very helpful. Set 'log level = 10' in your smb.conf, then re-run and send me (personally) the result compressed with xz.
>
> Andrew Bartlett

Just to be clear, those last two logs were taken from a samba compiled with your fix-acls2 branch. It is also a completely blank provisioned domain; I have not migrated anything.

What do you want the logs of? Starting samba + logging in from XP + starting gpmc.msc + altering permissions manually?

Thanks,
Alex
Re: [Samba] new Win7 security setting broke Samba
On Wed, 2012-10-24 at 08:48 -0500, Snyder, Gabrielle S. (LARC-D322)[HP ES] wrote:
> Good day all!
>
> I administer two Samba servers (RHEL 4.5) which, up to recently, had been working well. Our security officials changed the LAN Manager group policy for the new Win7 systems from 'Send NTLMv2 response only; Refuse LM' to 'Send NTLMv2 response only; Refuse LM NTLM'.
>
> We were running samba 3.0.33. I have upgraded to 3.6.8-44. I have tried a variety of different smb.conf file options to get the new version to work with the mandated security policy.
>
> We only use Samba to map Linux shares onto Win7 clients. The Win7 clients are part of a domain but the Linux servers are not.
>
> Any help with how to setup Samba to work in this environment would be greatly appreciated.

Can you send in your smb.conf?

Samba has, since 3.0, accepted NTLMv2 passwords, so something else is going wrong here. Perhaps they also set a smb signing policy, and you didn't enable smb signing, or you are running 'security=server', which is incompatible with NTLMv2?

Andrew Bartlett
Re: [Samba] SYSVOL ACLs and GPOs
On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
> Just to be clear, those last two logs were taken from a samba compiled with your fix-acls2 branch. It is also a completely blank provisioned domain; I have not migrated anything.
>
> What do you want the logs of? Starting samba + logging in from XP + starting gpmc.msc + altering permissions manually?

Yeah, I was incredibly unclear: I need level 10 logs of just the 'samba-tool ntacl sysvolcheck' command, as that shows the issue in a very nice, self-contained way.

Andrew Bartlett
[Samba] Compiling Samba4 RC3 on AIX 6.1 with IBM vac
Sorry - the first post got sent as a response to an unrelated thread :-( ...

Hi, I'm trying to get a samba4 build on AIX 6.1, and run into a couple of problems:
1. The entire Kerberos Heimdal #includes need to be explicitly included (with path)
2. In order to get the ldap definitions (ldap.h etc) I've installed openldap 2.4.28.
3. Learning to hate '//' line comments :-)
4. I get the following error and the make stops

[2358/3381] Compiling source3/passdb/pdb_ldap_util.c
/usr/include/stdio.h, line 528.12: 1506-343 (S) Redeclaration of fgetpos64 differs from previous declaration on line 323 of /usr/include/stdio.h.
/usr/include/stdio.h, line 528.12: 1506-377 (I) The type long long* of parameter 2 differs from the previous type long*.
/usr/include/stdio.h, line 531.12: 1506-343 (S) Redeclaration of fseeko64 differs from previous declaration on line 471 of /usr/include/stdio.h.
/usr/include/stdio.h, line 531.12: 1506-377 (I) The type long long of parameter 2 differs from the previous type long.
/usr/include/stdio.h, line 532.12: 1506-343 (S) Redeclaration of fsetpos64 differs from previous declaration on line 325 of /usr/include/stdio.h.
/usr/include/stdio.h, line 532.12: 1506-377 (I) The type const long long* of parameter 2 differs from the previous type const long*.
/usr/include/stdio.h, line 533.16: 1506-343 (S) Redeclaration of ftello64 differs from previous declaration on line 472 of /usr/include/stdio.h.
/usr/include/stdio.h, line 533.16: 1506-050 (I) Return type long long in redeclaration is not compatible with the previous return type long.
/usr/include/unistd.h, line 171.17: 1506-343 (S) Redeclaration of lseek64 differs from previous declaration on line 169 of /usr/include/unistd.h.
/usr/include/unistd.h, line 171.17: 1506-050 (I) Return type long long in redeclaration is not compatible with the previous return type long.
/usr/include/unistd.h, line 171.17: 1506-377 (I) The type long long of parameter 2 differs from the previous type long.
/usr/include/sys/lockf.h, line 64.20: 1506-343 (S) Redeclaration of lockf64 differs from previous declaration on line 62 of /usr/include/sys/lockf.h.
/usr/include/sys/lockf.h, line 64.20: 1506-377 (I) The type long long of parameter 3 differs from the previous type long.
/usr/include/unistd.h, line 809.33: 1506-343 (S) Redeclaration of ftruncate64 differs from previous declaration on line 807 of /usr/include/unistd.h.
/usr/include/unistd.h, line 809.33: 1506-377 (I) The type long long of parameter 2 differs from the previous type long.
/usr/include/unistd.h, line 845.33: 1506-343 (S) Redeclaration of truncate64 differs from previous declaration on line 843 of /usr/include/unistd.h.
/usr/include/unistd.h, line 845.33: 1506-377 (I) The type long long of parameter 2 differs from the previous type long.
/usr/include/unistd.h, line 862.33: 1506-343 (S) Redeclaration of pread64 differs from previous declaration on line 859 of /usr/include/unistd.h.
/usr/include/unistd.h, line 862.33: 1506-377 (I) The type long long of parameter 4 differs from the previous type long.
/usr/include/unistd.h, line 863.33: 1506-343 (S) Redeclaration of pwrite64 differs from previous declaration on line 860 of /usr/include/unistd.h.
/usr/include/unistd.h, line 863.33: 1506-377 (I) The type long long of parameter 4 differs from the previous type long.
/usr/include/unistd.h, line 942.25: 1506-343 (S) Redeclaration of fclear64 differs from previous declaration on line 939 of /usr/include/unistd.h.
/usr/include/unistd.h, line 942.25: 1506-050 (I) Return type long long in redeclaration is not compatible with the previous return type long.
/usr/include/unistd.h, line 942.25: 1506-377 (I) The type long long of parameter 2 differs from the previous type long.
/usr/include/unistd.h, line 943.25: 1506-343 (S) Redeclaration of fsync_range64 differs from previous declaration on line 940 of /usr/include/unistd.h.
/usr/include/unistd.h, line 943.25: 1506-377 (I) The type long long of parameter 3 differs from the previous type long.
Waf: Leaving directory `/app/RpmBuild/Work/samba-4.0.0rc3/bin'
Build failed: - task failed (err #1): {task: cc pdb_ldap_util.c - pdb_ldap_util_17.o}
gmake: *** [all] Error 1

If I start make again it seems to go to the next few files, but then fails again.

My Environment
CC=cc
CXX=xlC
F77=xlf
LDFLAGS=-L/opt/freeware/lib -Wl,-bmaxdata:0x8000
FFLAGS=-qmaxmem=16384 -O -I/opt/freeware/include
CFLAGS=-qmaxmem=-1 -DSYSV -D_AIX -D_AIX32 -D_AIX41 -D_AIX43 -D_AIX51 -D_AIX52 -D_AIX53 -D_AIX61 -D_AIX71 -D_ALL_SOURCE -O -I/opt/pware/openldap/2.4.28/include -L/opt/pware/openldap/2.4.28/lib -I/opt/freeware/include -L/opt/freeware/lib

Thanks Howard
Re: [Samba] new Win7 security setting broke Samba
It must have been the smb signing. I hadn't looked at that because I wasn't aware that policy had changed in our environment. I added 'client signing = required' and 'server signing = required' to my smb.conf and was able to map a drive from the server to my Win7 PC. Thank you!!!

-Original Message- From: Andrew Bartlett [mailto:abart...@samba.org] Sent: Thursday, October 25, 2012 6:47 AM To: Snyder, Gabrielle S. (LARC-D322)[HP ES] Cc: samba@lists.samba.org Subject: Re: [Samba] new Win7 security setting broke Samba

On Wed, 2012-10-24 at 08:48 -0500, Snyder, Gabrielle S. (LARC-D322)[HP ES] wrote:
Good day all! I administer two Samba servers (RHEL 4.5) which, up to recently, had been working well. Our security officials changed the LAN Manager group policy for the new Win7 systems from 'Send NTLMv2 response only; Refuse LM' to 'Send NTLMv2 response only; Refuse LM NTLM'. We were running samba 3.0.33. I have upgraded to 3.6.8-44. I have tried a variety of different smb.conf file options to get the new version to work with the mandated security policy. We only use Samba to map Linux shares onto Win7 clients. The Win7 clients are part of a domain but the Linux servers are not. Any help with how to setup Samba to work in this environment would be greatly appreciated.

Can you send in your smb.conf? Samba has, since 3.0, accepted NTLMv2 passwords, so something else is going wrong here. Perhaps they also set a smb signing policy, and you didn't enable smb signing, or you are running 'security=server', which is incompatible with NTLMv2?

Andrew Bartlett
-- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
Re: [Samba] Compiling samba4 hangs at [1815/3978] Compiling librpc/ndr/ndr_basic.c
Hi, ccache is not installed. I have run the strace like this: #strace /usr/bin/gcc -DDEVELOPER -DDEBUG_PASSWORD -fPIC -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -g -Wshadow -Werror=strict-prototypes -Wstrict-prototypes -Werror=pointer-arith -Wpointer-arith -Wcast-align -Werror=write-strings -Wwrite-strings -Werror-implicit-function-declaration -Wformat=2 -Wno-format-y2k -Wmissing-prototypes -fno-common -Werror=address -Wcast-qual -Werror=format -DSTATIC_ndr_MODULES=NULL -DSTATIC_ndr_MODULES_PROTO -MD -Idefault/librpc -I../librpc -Idefault/include/public -I../include/public -Idefault/source4 -I../source4 -Idefault/lib -I../lib -Idefault/source4/lib -I../source4/lib -Idefault/source4/include -I../source4/include -Idefault/include -I../include -Idefault/lib/replace -I../lib/replace -Idefault -I.. -Idefault/lib/socket_wrapper -I../lib/socket_wrapper -Idefault/lib/talloc -I../lib/talloc -Idefault/lib/util/charset -I../lib/util/charset -Idefault/lib/crypto -I../lib/crypto -Idefault/libcli/util -I../libcli/util -Idefault/lib/nss_wrapper -I../lib/nss_wrapper -Idefault/lib/uid_wrapper -I../lib/uid_wrapper -Idefault/dynconfig -I../dynconfig -I/ -I/usr/local/include -D_SAMBA_BUILD_=4 -DHAVE_CONFIG_H=1 -D_GNU_SOURCE=1 -D_XOPEN_SOURCE_EXTENDED=1 ../librpc/ndr/ndr_basic.c -c -o default/librpc/ndr/ndr_basic_156.o execve(/usr/bin/gcc, [/usr/bin/gcc, -DDEVELOPER, -DDEBUG_PASSWORD, -fPIC, -D_REENTRANT, -D_POSIX_PTHREAD_SEMANTICS, -Wall, -g, -Wshadow, -Werror=strict-prototypes, -Wstrict-prototypes, -Werror=pointer-arith, -Wpointer-arith, -Wcast-align, -Werror=write-strings, -Wwrite-strings, ...], [/* 29 vars */]) = 0 brk(0) = 0xd2e000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9489257000 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file or directory) open(/etc/ld.so.cache, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=60481, ...}) = 0 mmap(NULL, 60481, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f9489248000 close(3)= 0 
open(/lib64/libc.so.6, O_RDONLY) = 3 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\360\355a\2332\0\0\0..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1922112, ...}) = 0 mmap(0x329b60, 3745960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x329b60 mprotect(0x329b789000, 2097152, PROT_NONE) = 0 mmap(0x329b989000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x189000) = 0x329b989000 mmap(0x329b98e000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x329b98e000 close(3)= 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9489247000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9489246000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9489245000 arch_prctl(ARCH_SET_FS, 0x7f9489246700) = 0 mprotect(0x329b989000, 16384, PROT_READ) = 0 mprotect(0x329b01f000, 4096, PROT_READ) = 0 munmap(0x7f9489248000, 60481) = 0 brk(0) = 0xd2e000 brk(0xd4f000) = 0xd4f000 open(/usr/lib/locale/locale-archive, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=99158576, ...}) = 0 mmap(NULL, 99158576, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f94833b4000 close(3)= 0 open(/usr/share/locale/locale.alias, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2512, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9489256000 read(3, # Locale name alias data base.\n#..., 4096) = 2512 read(3, , 4096) = 0 close(3)= 0 munmap(0x7f9489256000, 4096)= 0 open(/usr/share/locale/en_US.UTF-8/LC_MESSAGES/gcc.mo, O_RDONLY) = -1 ENOENT (No such file or directory) open(/usr/share/locale/en_US.utf8/LC_MESSAGES/gcc.mo, O_RDONLY) = -1 ENOENT (No such file or directory) open(/usr/share/locale/en_US/LC_MESSAGES/gcc.mo, O_RDONLY) = -1 ENOENT (No such file or directory) open(/usr/share/locale/en.UTF-8/LC_MESSAGES/gcc.mo, O_RDONLY) = -1 ENOENT (No such file or directory) 
open(/usr/share/locale/en.utf8/LC_MESSAGES/gcc.mo, O_RDONLY) = -1 ENOENT (No such file or directory) open(/usr/share/locale/en/LC_MESSAGES/gcc.mo, O_RDONLY) = -1 ENOENT (No such file or directory) rt_sigaction(SIGINT, {SIG_IGN, [INT], SA_RESTORER|SA_RESTART, 0x329b632920}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGINT, {0x403017, [INT], SA_RESTORER|SA_RESTART, 0x329b632920}, {SIG_IGN, [INT], SA_RESTORER|SA_RESTART, 0x329b632920}, 8) = 0 rt_sigaction(SIGHUP, {SIG_IGN, [HUP], SA_RESTORER|SA_RESTART, 0x329b632920}, {SIG_DFL, [], 0}, 8) = 0 rt_sigaction(SIGHUP, {0x403017, [HUP], SA_RESTORER|SA_RESTART, 0x329b632920}, {SIG_IGN, [HUP], SA_RESTORER|SA_RESTART, 0x329b632920}, 8) = 0 rt_sigaction(SIGTERM, {SIG_IGN, [TERM], SA_RESTORER|SA_RESTART, 0x329b632920}, {SIG_DFL, [],
[Samba] Logon hours problem
Hi there. I had a problem with logon hours after the daylight saving time update. The users can't log in to the network until 8 o'clock, but the time is set to permit login from 7 o'clock. Before the time update, the logon hours worked fine. I use samba 3.6.6 with ldap.
-- Natália Vaz Silva, Network administrator
[Samba] Restricting DC Roles?
I have a small AD forest of two Windows 2008 R2 domain controllers. I would like to add a Samba 4 DC to this forest. After running into some problems with group policies, I realized that Samba 4 does not currently implement file replication. I would like to have the Samba 4 domain controller replicate user/computer schema with the Windows machines, but I would like for DNS and group policy administration to happen strictly on the Windows Machines. Is this possible? If I don't do any manual replication to the Samba 4 machine, will client machines occasionally pick the S4 box when logging in and attempt to mount the SYSVOL share from it? Because that would come up empty and fail. Is it possible to restrict logins to only certain DC's? Thanks!
Re: [Samba] Compiling samba4 hangs at [1815/3978] Compiling librpc/ndr/ndr_basic.c
Hi

On 25 October 2012 15:29, Edward Ashley n...@redmonkeysoftware.com wrote:
Hi, ccache is not installed. I have run the strace like this: [...]
stat(/usr/libexec/gcc/x86_64-redhat-linux/4.4.6/cc1, {st_mode=S_IFREG|0755, st_size=9326392, ...}) = 0
access(/usr/libexec/gcc/x86_64-redhat-linux/4.4.6/cc1, X_OK) = 0
vfork() = 12573
wait4(12573, 0xd36a70, 0, NULL) = ? ERESTARTSYS (To be restarted)
--- SIGWINCH (Window changed) @ 0 (0) ---
wait4(12573,

It's waiting for the process with PID 12573 to finish. I suppose cc1?

HTH, if I need to use a different strace command or switch please let me know. Thanks Ned

It might help to use strace -f to trace the child processes too.

-- Michael Wood esiot...@gmail.com
Re: [Samba] Compiling samba4 hangs at [1815/3978] Compiling librpc/ndr/ndr_basic.c
Hi, Thanks for that, the latest output is quite long but ends up with this: [pid 22991] open(/usr/include/netinet/ip.h, O_RDONLY|O_NOCTTY) = 4 [pid 22991] fstat(4, {st_mode=S_IFREG|0644, st_size=9522, ...}) = 0 [pid 22991] read(4, /* Copyright (C) 1991,92,93,95,9..., 9522) = 9522 [pid 22991] close(4)= 0 [pid 22991] open(default/librpc/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../librpc/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/include/public/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../include/public/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/source4/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../source4/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/source4/lib/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../source4/lib/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/source4/include/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../source4/include/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/include/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../include/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/replace/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/replace/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT 
(No such file or directory) [pid 22991] open(../net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/socket_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/socket_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/talloc/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/talloc/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/util/charset/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/util/charset/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/crypto/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/crypto/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/libcli/util/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../libcli/util/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/nss_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/nss_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/uid_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/uid_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/dynconfig/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../dynconfig/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(/net/if.h, O_RDONLY|O_NOCTTY Would you like me to copy more in or is this enough? 
Thanks Ned

On 25 October 2012 17:01, Michael Wood esiot...@gmail.com wrote:
Hi

On 25 October 2012 15:29, Edward Ashley n...@redmonkeysoftware.com wrote:
Hi, ccache is not installed. I have run the strace like this: [...]
stat(/usr/libexec/gcc/x86_64-redhat-linux/4.4.6/cc1, {st_mode=S_IFREG|0755, st_size=9326392, ...}) = 0
access(/usr/libexec/gcc/x86_64-redhat-linux/4.4.6/cc1, X_OK) = 0
vfork() = 12573
wait4(12573, 0xd36a70, 0, NULL) = ? ERESTARTSYS (To be restarted)
--- SIGWINCH (Window changed) @ 0 (0) ---
wait4(12573,

It's waiting for the process with PID 12573 to finish. I suppose cc1?

HTH, if I need to use a different strace command or switch please let me know. Thanks Ned

It might help to use strace -f to trace the child processes too.

-- Michael Wood esiot...@gmail.com

Edward Ashley Developer
[Samba] Login blocked due to daylight saving time
Good afternoon everyone. I have a problem on the network due to the daylight saving time change. The logon-hour permissions and blocks worked correctly until last weekend; since the clocks were moved forward by one hour, the system only allows login one hour after the permitted time. For example, all users may log on to the network after 7am (this is what is defined), but samba only allows login from 8am. The workstations' clocks are synchronized with the server's. The message returned in the log is:

[2012/10/25 07:56:57.013090, 1] auth/check_samsec.c:159(logon_hours_ok) logon_hours_ok: Account for user *not allowed to logon at this time (Thu Oct 25 07:56:57 2012 ).

Does anyone have an idea of what can be done?
Re: [Samba] Compiling samba4 hangs at [1815/3978] Compiling librpc/ndr/ndr_basic.c
On Thu, 2012-10-25 at 17:45 +0100, Edward Ashley wrote: Hi, Thanks for that, the latest output is quite long but ends up with this: [pid 22991] open(/usr/include/netinet/ip.h, O_RDONLY|O_NOCTTY) = 4 [pid 22991] fstat(4, {st_mode=S_IFREG|0644, st_size=9522, ...}) = 0 [pid 22991] read(4, /* Copyright (C) 1991,92,93,95,9..., 9522) = 9522 [pid 22991] close(4)= 0 [pid 22991] open(default/librpc/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../librpc/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/include/public/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../include/public/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/source4/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../source4/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/source4/lib/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../source4/lib/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/source4/include/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../source4/include/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/include/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../include/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/replace/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/replace/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 
22991] open(default/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/socket_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/socket_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/talloc/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/talloc/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/util/charset/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/util/charset/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/crypto/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/crypto/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/libcli/util/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../libcli/util/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/nss_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/nss_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/lib/uid_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../lib/uid_wrapper/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(default/dynconfig/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(../dynconfig/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory) [pid 22991] open(/net/if.h, O_RDONLY|O_NOCTTY THIS is the critical clue. 
The problem is caused by two things: automount and -I/

We need to work out how -I/ got into the gcc command line (ie, what dependency declared -I/). Now I know what I'm looking for, I'll go hunting.

Andrew Bartlett
-- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
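An added sketch (not from the thread or from Samba) of the triage described above: find the open() that never returned in the strace tail, recover the header being searched for, and map the hung path back to the -I flag that produced it. The trace lines and include flags are excerpts of those quoted in the thread; the function names are hypothetical, and that /net is an automount point on the build host is an assumption, since the thread only says "automount".

```python
import re

# Excerpt of the strace tail quoted in the thread, one call per line; the
# final open() has no return value because the compiler was stuck in it.
TRACE = """\
[pid 22991] open(/usr/include/netinet/ip.h, O_RDONLY|O_NOCTTY) = 4
[pid 22991] open(default/librpc/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
[pid 22991] open(../librpc/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
[pid 22991] open(default/dynconfig/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
[pid 22991] open(../dynconfig/net/if.h, O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
[pid 22991] open(/net/if.h, O_RDONLY|O_NOCTTY
"""
# Excerpt of the include flags from the gcc command quoted earlier in the thread.
GCC_ARGS = "-Idefault/dynconfig -I../dynconfig -I/ -I/usr/local/include".split()

# The path may or may not be quoted (the list archive stripped the quotes).
OPEN_RE = re.compile(r'open\("?([^",]+)"?,\s*[A-Z_|]+(.*)$')


def parse_opens(trace):
    """Return [(path, returned)] for every open() line in strace output."""
    calls = []
    for line in trace.splitlines():
        m = OPEN_RE.search(line)
        if m:
            calls.append((m.group(1), re.match(r"\)\s*=\s*-?\d+", m.group(2)) is not None))
    return calls


def common_suffix(paths):
    """Longest run of trailing path components shared by all paths."""
    suffix = []
    for column in zip(*(reversed(p.split("/")) for p in paths)):
        if len(set(column)) != 1:
            break
        suffix.append(column[0])
    return "/".join(reversed(suffix))


def diagnose(trace, gcc_args):
    """Map the open() that never returned back to the -I flag that caused it."""
    calls = parse_opens(trace)
    hung = [path for path, returned in calls if not returned]
    if not hung:
        return None
    path = hung[-1]
    base = path.rsplit("/", 1)[-1]
    # Every probe for the same header shares its trailing components.
    header = common_suffix([p for p, _ in calls if p.rsplit("/", 1)[-1] == base])
    prefix = path[:len(path) - len(header)]
    include_dir = "/" if prefix == "/" else (prefix.rstrip("/") or ".")
    flag = "-I" + include_dir
    return {"hung_path": path, "header": header, "include_dir": include_dir,
            "flag": flag, "flag_on_command_line": flag in gcc_args}


if __name__ == "__main__":
    print(diagnose(TRACE, GCC_ARGS))
```

On this excerpt the hung path /net/if.h resolves to header net/if.h under include directory /, which matches the -I/ on the quoted command line.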
[Samba] Old FBSD 4.x Samba 2.2 can't serve Apple OS X 10.8
At OS X 10.7 there was a sysctl allowing PreXP-Samba servers. Apple didn't like it so now I can no longer edit content on the FBSD file structure with Samba from the Mac.

Q1. What is the oldest Samba playing nice with Apple OS X Mountain Lion 10.8?
Q2. Any other ideas? Like trying to use NFS.

Goal is using MacVim (visual vi, like emacs) to edit content on the BSD web server. NO I can't bring the BSD box forward.
-- R/ Everett Batey / Skype: wa6cre-10 / efba...@gmail.com
Re: [Samba] Restricting DC Roles?
On Thu, 2012-10-25 at 07:19 -0700, zbethel wrote:
I have a small AD forest of two Windows 2008 R2 domain controllers. I would like to add a Samba 4 DC to this forest. After running into some problems with group policies, I realized that Samba 4 does not currently implement file replication. I would like to have the Samba 4 domain controller replicate user/computer schema with the Windows machines, but I would like for DNS and group policy administration to happen strictly on the Windows Machines. Is this possible? If I don't do any manual replication to the Samba 4 machine, will client machines occasionally pick the S4 box when logging in and attempt to mount the SYSVOL share from it? Because that would come up empty and fail. Is it possible to restrict logins to only certain DC's?

No, it's not possible to do this. We know this is a major limitation, and our only suggestion is to manually replicate the sysvol share. Sadly we don't have a tool for that either. We know this is not a great situation, but it just hasn't been possible to handle yet.

Andrew Bartlett
-- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
Re: [Samba] SYSVOL ACLs and GPOs
On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote: On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote: On 25/10/2012 11:30, Andrew Bartlett wrote: On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:

samba-tool ntacl sysvolcheck shows:

sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py, line 245, in run
    lp)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1574, in checksysvolacl
    direct_db_access)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1526, in check_gpos_acl
    domainsid, direct_db_access)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1476, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Drat.
So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed the issue we have had for a while. I had (incorrectly in your case) assumed the issue was that IDMAP mappings imported from classic domains were breaking it. That's why I worked on my patches, which improve the situation by handling some details at a lower level. On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' then, if you don't mind, getting me the level 10 debug log would be very helpful. Set 'log level = 10' in your smb.conf, then re-run and send me (personally) the result compressed with xz. Andrew Bartlett

Just to be clear, those last two logs were taken from a samba compiled with your fix-acls2 branch. It is also a completely blank provisioned domain; I have not migrated anything. What do you want the logs of? Starting samba + logging in from XP + starting gpmc.msc + altering permissions manually?

Yeah, I was incredibly unclear: I need level 10 logs of just the 'samba-tool ntacl sysvolcheck' command, as that shows the issue in a very nice, self-contained way.

So, the issue is that this host doesn't return the ACL consistently. What I mean is this: When we store the NT ACL for the {12344...} folder, we store an xattr with:
- the NT ACL we need to return to clients
- the hash of the posix ACL we set on disk (as read back from the OS)

When we do the sysvolcheck we fetch the xattr, read the hash and get the posix ACL off disk again. On your host, these don't match! Can you give me details about what your host is?

Just to be really sure we are doing this right, because I can't reproduce this here, can you run:

bin/samba-tool domain provision --targetdir=/tmp/provision-root2 --realm=realm.com --domain=dom

Do this on master and on my fix-acls2 branch, with separate targetdir for each, with this patch on top in both cases? If that passes, can you give me the provision command you normally use, and tell me if that fails?
If your normal command passes, then can you work out if there is a time period involved before sysvolcheck fails? (that is, after X seconds it fails). For this last thing, I'm clutching at caching straws, but this is a real issue that we must get to the bottom of - beyond the AD DC, the ACL facility we use here is critical to file server users in Samba too. Thanks, Andrew Bartlett -- Andrew Bartletthttp://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org From 85aeb4bdbf7838a3d6402844e33faf7790eab8ec Mon Sep 17 00:00:00 2001 From: Andrew Bartlett abart...@samba.org Date: Fri, 26 Oct 2012 09:14:05 +1100 Subject: [PATCH] provision: Always check the sysvol ACLs worked after provision This avoids creating domains on hosts where we can not for some reason correctly store
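The consistency check described in the message above, modelled as an added Python example (not Samba's code and not part of the thread): the NT ACL is stored together with a hash of the POSIX ACL as read back from the host, and is trusted later only while the on-disk ACL still hashes to the same value. The in-memory Host class, the xattr name, the JSON record layout, the use of SHA-256 and the sample ACLs are assumptions made for the example; the unstable read-back is a constructed fault, not the cause diagnosed in the thread.

```python
import hashlib
import hmac
import json

XATTR_NAME = "user.example.ntacl"  # hypothetical xattr name for this sketch

# Constructed sample data (not taken from a real host).
GPO_DIR = "/sysvol/example.test/Policies/{GPO-GUID-PLACEHOLDER}"
NT_ACL = "O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU)"
POSIX_ACL = [("user_obj", "", "rwx"), ("group", "3000000", "rwx"),
             ("mask", "", "rwx"), ("other", "", "r-x")]


class Host:
    """In-memory stand-in for a filesystem holding POSIX ACLs and xattrs."""

    def __init__(self, stable_readback=True):
        self.acls = {}      # path -> list of (tag, qualifier, perms)
        self.xattrs = {}    # (path, xattr name) -> bytes
        self.stable_readback = stable_readback
        self.reads = 0

    def set_posix_acl(self, path, entries):
        self.acls[path] = list(entries)

    def get_posix_acl(self, path):
        entries = list(self.acls[path])
        self.reads += 1
        if not self.stable_readback and self.reads % 2 == 0:
            # Constructed fault: same entries, different order on even reads.
            entries = entries[1:] + entries[:1]
        return entries


def posix_acl_hash(entries):
    """SHA-256 over the ACL exactly as the host returned it."""
    data = "\n".join(":".join(e) for e in entries).encode()
    return hashlib.sha256(data).hexdigest()


def store_nt_acl(host, path, sddl, posix_entries):
    """Set the POSIX ACL, read it back, and bind its hash to the NT ACL."""
    host.set_posix_acl(path, posix_entries)
    readback = host.get_posix_acl(path)
    record = {"version": 4, "sd": sddl,
              "posix_acl_hash": posix_acl_hash(readback)}
    host.xattrs[(path, XATTR_NAME)] = json.dumps(record).encode()


def load_nt_acl(host, path):
    """Return (status, sddl); the stored NT ACL is only trusted while the
    POSIX ACL on disk still hashes to the value recorded with it."""
    blob = host.xattrs.get((path, XATTR_NAME))
    if blob is None:
        return "missing", None
    record = json.loads(blob)
    current = posix_acl_hash(host.get_posix_acl(path))
    if hmac.compare_digest(current, record["posix_acl_hash"]):
        return "valid", record["sd"]
    return "stale", None


def sysvol_check(host, path, expected_sddl):
    """List the problems found for one GPO directory (empty list = OK)."""
    status, sddl = load_nt_acl(host, path)
    if status != "valid":
        return ["%s: stored NT ACL is %s" % (path, status)]
    if sddl != expected_sddl:
        return ["%s: ACL %s does not match expected value %s"
                % (path, sddl, expected_sddl)]
    return []


def run_scenarios():
    results = {}

    # 1. Host returns the same ACL on every read: the check passes.
    good = Host()
    store_nt_acl(good, GPO_DIR, NT_ACL, POSIX_ACL)
    results["consistent"] = sysvol_check(good, GPO_DIR, NT_ACL)

    # 2. POSIX ACL changed behind the store's back (chmod/setfacl style).
    changed = Host()
    store_nt_acl(changed, GPO_DIR, NT_ACL, POSIX_ACL)
    changed.set_posix_acl(GPO_DIR, POSIX_ACL[:-1] + [("other", "", "rwx")])
    results["changed_out_of_band"] = sysvol_check(changed, GPO_DIR, NT_ACL)

    # 3. Nothing changed, but the host does not return the ACL consistently.
    flaky = Host(stable_readback=False)
    store_nt_acl(flaky, GPO_DIR, NT_ACL, POSIX_ACL)
    results["unstable_readback"] = sysvol_check(flaky, GPO_DIR, NT_ACL)
    return results


if __name__ == "__main__":
    for name, problems in run_scenarios().items():
        print(name, "->", problems or "OK")
```

Scenarios 2 and 3 are indistinguishable to the check itself: both surface as a stale stored ACL, which is why the thread asks for host details and a fresh provision to tell them apart.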
Re: [Samba] SYSVOL ACLs and GPOs
On 25/10/2012 23:27, Andrew Bartlett wrote:
If your normal command passes, then can you work out if there is a time period involved before sysvolcheck fails? (that is, after X seconds it fails).

For this last thing, I'm clutching at caching straws, but this is a real issue that we must get to the bottom of - beyond the AD DC, the ACL facility we use here is critical to file server users in Samba too.

Thanks,

Andrew Bartlett

My host is a VirtualBox VM running Ubuntu 12.04 LTS Server.
Kernel = 3.2.0-32-generic

I have followed all posts I could find about ext4 filesystems+samba4.

/ is mounted with the options: acl,user_xattr,barrier=1; this is where all the samba stuff is located.

What else would you like to know?

I am downloading/building now.

Thanks,

Alex
Re: [Samba] SYSVOL ACLs and GPOs
On 25/10/2012 23:27, Andrew Bartlett wrote:
If your normal command passes, then can you work out if there is a time period involved before sysvolcheck fails? (that is, after X seconds it fails).

For this last thing, I'm clutching at caching straws, but this is a real issue that we must get to the bottom of - beyond the AD DC, the ACL facility we use here is critical to file server users in Samba too.

Thanks,

Andrew Bartlett

I have the following directory tree:

/root/samba_test/samba-master
/root/samba_test/samba-aclfix
/root/samba_test/build-master
/root/samba_test/build-aclfix

I ran:

build-master/bin/samba-tool domain provision --targetdir=/root/samba_test/provision_master --realm=realm.com --domain=dom
build-aclfix/bin/samba-tool domain provision --targetdir=/root/samba_test/provision_aclfix --realm=realm.com --domain=dom

however when I run:

build-{master|aclfix}/bin/samba-tool ntacl sysvolcheck

I get the following error:

ERROR(runtime): uncaught exception -
[SCM] CTDB repository - branch master updated - ctdb-1.13-333-g9be3b23
The branch, master has been updated via 9be3b23adbfc844b71bf1d4ddf0fbc3b269f15fa (commit) from e2213db479129ce9c2b2fb88ec8c53cbd33d54b3 (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=master - Log - commit 9be3b23adbfc844b71bf1d4ddf0fbc3b269f15fa Author: Volker Lendecke v...@samba.org Date: Tue Oct 23 21:49:34 2012 +0200 Add a \n to an error message --- Summary of changes: server/ctdb_ltdb_server.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) Changeset truncated at 500 lines: diff --git a/server/ctdb_ltdb_server.c b/server/ctdb_ltdb_server.c index e012067..0432e49 100644 --- a/server/ctdb_ltdb_server.c +++ b/server/ctdb_ltdb_server.c @@ -1117,7 +1117,7 @@ int32_t ctdb_control_db_attach(struct ctdb_context *ctdb, TDB_DATA indata, if (db) { if (db-persistent != persistent) { DEBUG(DEBUG_ERR, (ERROR: DB Attach %spersistent to %spersistent - database %s, persistent ? : non-, + database %s\n, persistent ? : non-, db- persistent ? : non-, db_name)); return -1; } -- CTDB repository
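Review bot: the DEBUG(DEBUG_ERR, ...) text in ctdb_control_db_attach() still does not say which side is the request and which is the existing database. The first %spersistent is filled from the persistent argument and the second from the db's own persistent flag, so a reader has to know the argument order to interpret the log line. While the string is being touched for the newline, consider wording it along the lines of "attach requested as X but database %s is Y".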
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via e9b6b23 selftest: Add many more tests for our posix ACL handling via 3cdd888 pysmbd: Fix pysmbd octal mode handling from 9dbb645 dsdb-cracknames: Return DRSUAPI_DS_NAME_STATUS_NO_MAPPING when there is no SID http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit e9b6b23fbdafff700ceb788dbff2ba69584ff833 Author: Andrew Bartlett abart...@samba.org Date: Thu Oct 25 16:27:19 2012 +1100 selftest: Add many more tests for our posix ACL handling This tests the mapping of posix ACLs to NT ACLs, the invalidation of NT ACLs stored as an xattr and ensures this security-critical code continues to work in the long term. Andrew Bartlett Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Thu Oct 25 10:05:16 CEST 2012 on sn-devel-104 commit 3cdd888093e57a8cfc29d82ea47c8887a50e73a4 Author: Andrew Bartlett abart...@samba.org Date: Thu Oct 25 16:25:22 2012 +1100 pysmbd: Fix pysmbd octal mode handling It is clearly too long since Computer Science 101... ;-) Andrew Bartlett --- Summary of changes: source3/smbd/pysmbd.c|4 +- source4/scripting/python/samba/tests/posixacl.py | 237 +- 2 files changed, 238 insertions(+), 3 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c index 66aba21..5e2daa1 100644 --- a/source3/smbd/pysmbd.c +++ b/source3/smbd/pysmbd.c @@ -158,8 +158,8 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode) mode_t mode = SMB_ACL_READ|SMB_ACL_WRITE; - mode_t mode_user = (chmod_mode 0700) 16; - mode_t mode_group = (chmod_mode 070) 8; + mode_t mode_user = (chmod_mode 0700) 6; + mode_t mode_group = (chmod_mode 070) 3; mode_t mode_other = chmod_mode 07; SMB_ACL_ENTRY_T entry; SMB_ACL_T acl = sys_acl_init(frame); diff --git a/source4/scripting/python/samba/tests/posixacl.py b/source4/scripting/python/samba/tests/posixacl.py index 78a07f7..449a87c 100644 --- a/source4/scripting/python/samba/tests/posixacl.py 
+++ b/source4/scripting/python/samba/tests/posixacl.py @@ -18,7 +18,7 @@ Tests for the Samba3 NT - posix ACL layer -from samba.ntacls import setntacl, getntacl +from samba.ntacls import setntacl, getntacl, checkset_backend from samba.dcerpc import xattr, security, smb_acl, idmap from samba.param import LoadParm from samba.tests import TestCase 
@@ -61,6 +61,70 @@ class PosixAclMappingTests(TestCase): self.assertEquals(facl.as_sddl(anysid),acl) os.unlink(tempf) +def test_setntacl_smbd_setposixacl_getntacl(self): +random.seed() +lp = LoadParm() +path = None +path = os.environ['SELFTEST_PREFIX'] +acl = O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512) +tempf = os.path.join(path,pytests+str(int(10*random.random( +open(tempf, 'w').write(empty) +setntacl(lp,tempf,acl,S-1-5-21-2212615479-2695158682-2101375467, use_ntvfs=True) + +# This will invalidate the ACL, as we have a hook! +smbd.set_simple_acl(tempf, 0640) + +# However, this only asks the xattr +try: +facl = getntacl(lp,tempf, direct_db_access=True) +self.assertTrue(False) +except TypeError: +pass +os.unlink(tempf) + +def test_setntacl_smbd_chmod_getntacl(self): +random.seed() +lp = LoadParm() +path = None +path = os.environ['SELFTEST_PREFIX'] +acl = O:S-1-5-21-2212615479-2695158682-2101375467-512G:S-1-5-21-2212615479-2695158682-2101375467-513D:(A;OICI;0x001f01ff;;;S-1-5-21-2212615479-2695158682-2101375467-512) +tempf = os.path.join(path,pytests+str(int(10*random.random( +open(tempf, 'w').write(empty) +setntacl(lp,tempf,acl,S-1-5-21-2212615479-2695158682-2101375467, use_ntvfs=True) + +# This should invalidate the ACL, as we include the posix ACL in the hash +(backend_obj, dbname) = checkset_backend(lp, None, None) +backend_obj.wrap_setxattr(dbname, + tempf, system.fake_access_acl, ) + +#however, as this is direct DB access, we do not notice it +facl = getntacl(lp,tempf, direct_db_access=True) +anysid = security.dom_sid(security.SID_NT_SELF) +self.assertEquals(acl, facl.as_sddl(anysid)) +os.unlink(tempf) + +def test_setntacl_smbd_chmod_getntacl_smbd(self): +random.seed() +lp = LoadParm() +path = None +path = os.environ['SELFTEST_PREFIX'] +acl =
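Review bot: in make_simple_acl() (source3/smbd/pysmbd.c) the corrected shifts, 6 for the 0700 bits and 3 for the 070 bits, are still bare numbers, and the commit message does not say what was wrong. With the old values of 16 and 8 both mode_user and mode_group always came out as 0, which is worth stating in the message because this helper sets permissions. A one-line comment next to the three mode_* assignments, or deriving all three rwx triplets in one place, would keep the mask and shift from drifting apart again.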
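Review bot: in test_setntacl_smbd_setposixacl_getntacl (posixacl.py) the expected failure is written as try / self.assertTrue(False) / except TypeError: pass, with os.unlink(tempf) after it, so if getntacl() unexpectedly succeeds the assertion aborts the test and the temp file is left behind in SELFTEST_PREFIX. Use self.assertRaises(TypeError, ...) for the expected error and move the unlink into a finally block or tearDown. The same cleanup concern applies to the other tests added in this hunk, which also assign path = None immediately before overwriting it and never close the file opened with open(tempf, 'w').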
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via a2d5326 python-ntacls: Cope with ACL revision 4 via f8e6bb4 dbwrap: use talloc_stackframe() in db_tdb_log_key() via 1008f6f selftest: Always unlink the tempf in posixacl test via 117d5f4 selftest: Cover the important non-Samba invalidation of the NT ACL via 53244c9 selftest: Cover one more NT ACL invalidation case and improve comments from e9b6b23 selftest: Add many more tests for our posix ACL handling http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit a2d53262e835b0c74282d389b1dd6dad2395f0f1 Author: Andrew Bartlett abart...@samba.org Date: Wed Oct 24 18:24:12 2012 +1100 python-ntacls: Cope with ACL revision 4 This is the new revision with the hash of the posix or system ACL. Andrew Bartlett Autobuild-User(master): Andrew Bartlett abart...@samba.org Autobuild-Date(master): Thu Oct 25 15:04:39 CEST 2012 on sn-devel-104 commit f8e6bb46c005e82d5a8646e691de9282828005cc Author: Andrew Bartlett abart...@samba.org Date: Wed Oct 24 18:23:04 2012 +1100 dbwrap: use talloc_stackframe() in db_tdb_log_key() We can not be sure that there is already a talloc_stackframe() in place so we must create one. Andrew Bartlett commit 1008f6fbf49d5b797c7d968ea7ffdcb29d623644 Author: Andrew Bartlett abart...@samba.org Date: Thu Oct 25 20:18:28 2012 +1100 selftest: Always unlink the tempf in posixacl test commit 117d5f4c372c02d69106df45e12ac69d1c047f50 Author: Andrew Bartlett abart...@samba.org Date: Thu Oct 25 20:17:55 2012 +1100 selftest: Cover the important non-Samba invalidation of the NT ACL This covers the case where we have a valid hash of the posix ACL (or the NT ACL from the POSIX ACL) and we notice it no longer matches. 
Andrew Bartlett commit 53244c915113cef87692756e9ad545ff75074df0 Author: Andrew Bartlett abart...@samba.org Date: Thu Oct 25 19:58:15 2012 +1100 selftest: Cover one more NT ACL invalidation case and improve comments This tries to show the difference between the cases where we trap the POSIX ACL change and where we actually detect an OS-level change. Andrew Bartlett --- Summary of changes: lib/dbwrap/dbwrap_tdb.c |7 ++-- source4/scripting/python/samba/ntacls.py |2 + source4/scripting/python/samba/tests/posixacl.py | 41 + 3 files changed, 39 insertions(+), 11 deletions(-) Changeset truncated at 500 lines: diff --git a/lib/dbwrap/dbwrap_tdb.c b/lib/dbwrap/dbwrap_tdb.c index 80d41b4..a3a6c87 100644 --- a/lib/dbwrap/dbwrap_tdb.c +++ b/lib/dbwrap/dbwrap_tdb.c @@ -42,10 +42,11 @@ static void db_tdb_log_key(const char *prefix, TDB_DATA key) { size_t len; char *keystr; - + TALLOC_CTX *frame; if (DEBUGLEVEL 10) { return; } + frame = talloc_stackframe(); len = key.dsize; if (DEBUGLEVEL == 10) { /* @@ -53,10 +54,10 @@ static void db_tdb_log_key(const char *prefix, TDB_DATA key) */ len = MIN(10, key.dsize); } - keystr = hex_encode_talloc(talloc_tos(), (unsigned char *)(key.dptr), + keystr = hex_encode_talloc(frame, (unsigned char *)(key.dptr), len); DEBUG(10, (%s key %s\n, prefix, keystr)); - TALLOC_FREE(keystr); + TALLOC_FREE(frame); } static int db_tdb_record_destr(struct db_record* data) diff --git a/source4/scripting/python/samba/ntacls.py b/source4/scripting/python/samba/ntacls.py index 44cbbe9..f304047 100644 --- a/source4/scripting/python/samba/ntacls.py +++ b/source4/scripting/python/samba/ntacls.py @@ -78,6 +78,8 @@ def getntacl(lp, file, backend=None, eadbfile=None, direct_db_access=True): return ntacl.info.sd elif ntacl.version == 3: return ntacl.info.sd +elif ntacl.version == 4: +return ntacl.info.sd else: return smbd.get_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL) 
diff --git a/source4/scripting/python/samba/tests/posixacl.py b/source4/scripting/python/samba/tests/posixacl.py index 449a87c..482b48b 100644 --- a/source4/scripting/python/samba/tests/posixacl.py +++ b/source4/scripting/python/samba/tests/posixacl.py @@ -82,7 +82,7 @@ class PosixAclMappingTests(TestCase): pass os.unlink(tempf) -def test_setntacl_smbd_chmod_getntacl(self): +def test_setntacl_invalidate_getntacl(self): random.seed() lp = LoadParm() path = None @@ -103,25 +103,47 @@ class PosixAclMappingTests(TestCase): self.assertEquals(acl, facl.as_sddl(anysid)) os.unlink(tempf) -
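Review bot: in db_tdb_log_key() (lib/dbwrap/dbwrap_tdb.c) the result of hex_encode_talloc() is passed straight to DEBUG(10, ...) as a %s argument with no NULL check, so an allocation failure hands NULL to the format string. Since the block is being reworked to use its own stackframe anyway, guard the DEBUG with a check on keystr or log a fixed placeholder when it is NULL.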
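Review bot: the new elif ntacl.version == 4 branch in getntacl() (samba/ntacls.py) returns ntacl.info.sd exactly as the version 3 branch does, yet the commit message says revision 4 is the one that carries the hash of the posix or system ACL, and nothing in this hunk compares that hash with the ACL on disk. If returning the stored descriptor unchecked is intentional on this path, say so in a comment, because a caller reading the function cannot tell that a descriptor invalidated by an on-disk change may still be returned. The two identical branches could also be folded into a single test on the version.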
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 52ace67 s3:smbd:durable: factor stat checks out into vfs_default_durable_reconnect_check_stat() from a2d5326 python-ntacls: Cope with ACL revision 4 http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 52ace6767fddb389e3393c4b19685e59782c6a90 Author: Michael Adam ob...@samba.org Date: Tue Oct 23 13:00:02 2012 +0200 s3:smbd:durable: factor stat checks out into vfs_default_durable_reconnect_check_stat() This makes vfs_default_durable_reconnect() simpler to read and it reduces code duplication in the failure case handling. Signed-off-by: Michael Adam ob...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Thu Oct 25 23:03:13 CEST 2012 on sn-devel-104 --- Summary of changes: source3/smbd/durable.c | 653 +++- 1 files changed, 261 insertions(+), 392 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/smbd/durable.c b/source3/smbd/durable.c index 4c6ff67..5d276f3 100644 --- a/source3/smbd/durable.c +++ b/source3/smbd/durable.c 
@@ -298,6 +298,263 @@ NTSTATUS vfs_default_durable_disconnect(struct files_struct *fsp, return NT_STATUS_OK; } + +/** + * Check whether a cookie-stored struct info is the same + * as a given SMB_STRUCT_STAT, as coming with the fsp. + */ +static bool vfs_default_durable_reconnect_check_stat( + struct vfs_default_durable_stat *cookie_st, + SMB_STRUCT_STAT *fsp_st, + const char *name) +{ + int ret; + + if (cookie_st-st_ex_dev != fsp_st-st_ex_dev) { + DEBUG(1, (vfs_default_durable_reconnect (%s): + stat_ex.%s differs: + cookie:%llu != stat:%llu, + denying durable reconnect\n, + name, + st_ex_dev, + (unsigned long long)cookie_st-st_ex_dev, + (unsigned long long)fsp_st-st_ex_dev)); + return false; + } + + if (cookie_st-st_ex_ino != fsp_st-st_ex_ino) { + DEBUG(1, (vfs_default_durable_reconnect (%s): + stat_ex.%s differs: + cookie:%llu != stat:%llu, + denying durable reconnect\n, + name, + st_ex_ino, + (unsigned long long)cookie_st-st_ex_ino, + (unsigned long long)fsp_st-st_ex_ino)); + return false; + } + + if (cookie_st-st_ex_mode != fsp_st-st_ex_mode) { + DEBUG(1, (vfs_default_durable_reconnect (%s): + stat_ex.%s differs: + cookie:%llu != stat:%llu, + denying durable reconnect\n, + name, + st_ex_mode, + (unsigned long long)cookie_st-st_ex_mode, + (unsigned long long)fsp_st-st_ex_mode)); + return false; + } + + if (cookie_st-st_ex_nlink != fsp_st-st_ex_nlink) { + DEBUG(1, (vfs_default_durable_reconnect (%s): + stat_ex.%s differs: + cookie:%llu != stat:%llu, + denying durable reconnect\n, + name, + st_ex_nlink, + (unsigned long long)cookie_st-st_ex_nlink, + (unsigned long long)fsp_st-st_ex_nlink)); + return false; + } + + if (cookie_st-st_ex_uid != fsp_st-st_ex_uid) { + DEBUG(1, (vfs_default_durable_reconnect (%s): + stat_ex.%s differs: + cookie:%llu != stat:%llu, + denying durable reconnect\n, + name, + st_ex_uid, + (unsigned long long)cookie_st-st_ex_uid, + (unsigned long long)fsp_st-st_ex_uid)); + return false; + } + + if (cookie_st-st_ex_gid != fsp_st-st_ex_gid) { + 
DEBUG(1, (vfs_default_durable_reconnect (%s): + stat_ex.%s differs: + cookie:%llu != stat:%llu, + denying durable reconnect\n, + name, + st_ex_gid, + (unsigned long long)cookie_st-st_ex_gid, + (unsigned long long)fsp_st-st_ex_gid)); + return
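Review bot: the field comparisons in vfs_default_durable_reconnect_check_stat() (st_ex_dev, st_ex_ino, st_ex_mode, st_ex_nlink, st_ex_uid and st_ex_gid in the part shown) are six copies of the same compare, DEBUG and return false block in which only the field name changes. Since the commit sets out to reduce duplication, a small local macro that takes the field name once would keep the compared member, the logged name and the two cast values from drifting apart in a later edit; a copy-paste slip here would silently weaken the identity check that decides whether a durable handle may be reconnected. Two smaller points: int ret; is declared at the top but none of the visible comparisons use it, so drop it if the truncated remainder does not need it, and st_ex_mode is logged with %llu, where octal would be easier to read when someone has to work out why a reconnect was denied.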
autobuild: intermittent test failure detected
The autobuild test system has detected an intermittent failing test in the current master tree. The autobuild log of the failure is available here: http://git.samba.org/autobuild.flakey/2012-10-26-0627/flakey.log The samba3 build logs are available here: http://git.samba.org/autobuild.flakey/2012-10-26-0627/samba3.stderr http://git.samba.org/autobuild.flakey/2012-10-26-0627/samba3.stdout The source4 build logs are available here: http://git.samba.org/autobuild.flakey/2012-10-26-0627/samba.stderr http://git.samba.org/autobuild.flakey/2012-10-26-0627/samba.stdout The top commit at the time of the failure was: commit 52ace6767fddb389e3393c4b19685e59782c6a90 Author: Michael Adam ob...@samba.org Date: Tue Oct 23 13:00:02 2012 +0200 s3:smbd:durable: factor stat checks out into vfs_default_durable_reconnect_check_stat() This makes vfs_default_durable_reconnect() simpler to read and it reduces code duplication in the failure case handling. Signed-off-by: Michael Adam ob...@samba.org Reviewed-by: Stefan Metzmacher me...@samba.org Reviewed-by: Jeremy Allison j...@samba.org Autobuild-User(master): Jeremy Allison j...@samba.org Autobuild-Date(master): Thu Oct 25 23:03:13 CEST 2012 on sn-devel-104
[SCM] CTDB repository - branch 1.2.40 updated - ctdb-1.2.52-2-g046f879
The branch, 1.2.40 has been updated via 046f8799361794997cedae3d4ff812216661e04e (commit) via f1f2a3b74674120993bf7a51ecb1437095eb9318 (commit) from 39196986c69f3a7751f2b3a69f242263d6864514 (commit) http://gitweb.samba.org/?p=ctdb.git;a=shortlog;h=1.2.40 - Log - commit 046f8799361794997cedae3d4ff812216661e04e Author: Amitay Isaacs ami...@gmail.com Date: Fri Oct 26 16:19:35 2012 +1100 New version 1.2.53 Signed-off-by: Amitay Isaacs ami...@gmail.com commit f1f2a3b74674120993bf7a51ecb1437095eb9318 Author: Martin Schwenke mar...@meltin.net Date: Wed Mar 28 14:50:36 2012 +1100 Initscript - add backup of corrupt non-persistent databases Corrupt non-persistent databases never get analysed because ctdbd zeroes them at startup. Modify the initscript so that corrupt non-persistent databases are moved aside to a backup. If the number of backups for a particular database exceeds $CTDB_MAX_CORRUPT_DB_BACKUPS (default 10) then the oldest excess backups are garbage collected. Abstracts from and cleans up the code for checking persistent databases. Logging of related messages is done to syslog or a log file as specified. Signed-off-by: Martin Schwenke mar...@meltin.net Cherry-picked-from: 00cd75595685dae829758abf1a4cb644af7ed50e Conflicts: config/ctdb.init --- Summary of changes: config/ctdb.init | 156 ++-- packaging/RPM/ctdb.spec.in |4 +- 2 files changed, 96 insertions(+), 64 deletions(-) Changeset truncated at 500 lines: diff --git a/config/ctdb.init b/config/ctdb.init index 68850c0..7c75726 100755 --- a/config/ctdb.init +++ b/config/ctdb.init 
@@ -111,85 +111,112 @@ build_ctdb_options () { maybe_set --max-persistent-check-errors $CTDB_MAX_PERSISTENT_CHECK_ERRORS } -check_tdb () { - local PDBASE=$1 - - test x$TDBTOOL_HAS_CHECK = x1 { - # - # Note tdbtool always exits with 0 - # - local OK=`/usr/bin/tdbtool $PDBASE check | grep Database integrity is OK | wc -l` - test x$OK = x1 || { - return 1; - } - - return 0; - } - - /usr/bin/tdbdump $PDBASE /dev/null 2/dev/null || { - return $?; - } - - return 0; -} - -check_persistent_databases () { -PERSISTENT_DB_DIR=${CTDB_DBDIR:-/var/ctdb}/persistent -mkdir -p $PERSISTENT_DB_DIR 2/dev/null -local ERRCOUNT=$CTDB_MAX_PERSISTENT_CHECK_ERRORS +# Log given message or stdin to either syslog or a CTDB log file +do_log () +{ +if [ $CTDB_SYSLOG = yes -o \ + ${CTDB_OPTIONS#*--syslog} != $CTDB_OPTIONS ] ; then -test -z $ERRCOUNT { - ERRCOUNT=0 -} -test x$ERRCOUNT != x0 { - return 0; -} - -if test -x /usr/bin/tdbtool ; then -HAVE_TDBTOOL=1 + logger -t ctdb.init $@ else -HAVE_TDBTOOL=0 + _l=${CTDB_LOGFILE:-/var/log/log.ctdb} + { + date + if [ -n $* ] ; then + echo $* + else + cat + fi + } $_l fi +} -if test x$HAVE_TDBTOOL = x1 ; then -TDBTOOL_HAS_CHECK=`echo help | /usr/bin/tdbtool | grep check | wc -l` +select_tdb_checker () +{ +# Find the best TDB consistency check available. +use_tdb_tool_check=false +if [ -x /usr/bin/tdbtool ] \ + echo help | /usr/bin/tdbtool | grep -q check ; then + + use_tdb_tool_check=true +elif [ -x /usr/bin/tdbtool -a -x /usr/bin/tdbdump ] ; then + do_log EOF +WARNING: The installed 'tdbtool' does not offer the 'check' subcommand. + Using 'tdbdump' for database checks. + Consider updating 'tdbtool' for better checks! +EOF +elif [ -x /usr/bin/tdbdump ] ; then + do_log EOF +WARNING: 'tdbtool' is not available. + Using 'tdbdump' to check the databases. + Consider installing a recent 'tdbtool' for better checks! +EOF else -TDBTOOL_HAS_CHECK=0 + do_log EOF +WARNING: Cannot check databases since neither + 'tdbdump' nor 'tdbtool check' is available. 
+ Consider installing tdbtool or at least tdbdump! +EOF +return 1 fi +} + +check_tdb () +{ +_db=$1 -if test -x /usr/bin/tdbdump ; then -HAVE_TDBDUMP=1 +if $use_tdb_tool_check ; then + # tdbtool always exits with 0 :-( + if tdbtool $_db check 2/dev/null | + grep -q Database integrity is OK ; then + return 0 + else + return 1 + fi else -HAVE_TDBDUMP=0 + tdbdump $_db /dev/null 2/dev/null + return $? fi +} -if test x$HAVE_TDBDUMP = x0 -a x$TDBTOOL_HAS_CHECK = x0 ; then -echo WARNING: Cannot check persistent databases since -echo
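Review bot: the new check_tdb() runs tdbtool and tdbdump through PATH, while select_tdb_checker() probes /usr/bin/tdbtool and /usr/bin/tdbdump by absolute path, and the removed check_tdb() also called /usr/bin/tdbtool directly. In an init script the binary that was probed for the check subcommand should be the one that is executed, so either call the same absolute paths in check_tdb() or have select_tdb_checker() record the path it found and reuse it. Separately, check_tdb() depends on the global use_tdb_tool_check and tests it with if $use_tdb_tool_check, which executes the variable's value as a command; if check_tdb() is ever reached without select_tdb_checker() having run, the variable is empty, the empty command succeeds and the tdbtool branch is taken. Comparing it as a string (= true) or initialising it at file scope would make that case fail safe.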
[SCM] CTDB repository - annotated tag ctdb-1.2.53 created - ctdb-1.2.53
The annotated tag, ctdb-1.2.53 has been created at bb30317d1e132a7cce2664b1225340902554cc2a (tag) tagging 046f8799361794997cedae3d4ff812216661e04e (commit) replaces ctdb-1.2.52 tagged by Amitay Isaacs on Fri Oct 26 16:19:53 2012 +1100 - Log - new version 1.2.53 Amitay Isaacs (1): New version 1.2.53 Martin Schwenke (1): Initscript - add backup of corrupt non-persistent databases --- -- CTDB repository
[SCM] CTDB repository - annotated tag ctdb-2.0.0 created - ctdb-2.0.0
The annotated tag, ctdb-2.0.0 has been created at e29f936515e60dd057627d3fc72ae67b3075305b (tag) tagging e2213db479129ce9c2b2fb88ec8c53cbd33d54b3 (commit) replaces ctdb-1.13 tagged by Amitay Isaacs on Wed Oct 24 19:04:42 2012 +1100 - Log - CTDB version 2.0.0 Amitay Isaacs (82): build: Add rules to create ctags/etags packaging: Setup directories for rpmbuild build: Remove re-definition of same variable build: Display correct LIB_FLAGS while building build: Use system talloc library if available build: Use system tevent library if available build: Use system tdb library if available recovery: Add prototypes for tdb internal functions build: Substitute POPT macros once and reuse variables tests/tool: Fix the nodestatus test tests/tool: New nodestatus test tests: exportfs always outputs with options in brackets tests: Add a script to run cluster tests and make target test_cluster tests: Add regular expression parsing for hop_count_buckets tests: Fix the error messages in test event script ctdbd: Fix the error message string tests: Check for assigned IP addresses only if we are on real cluster tests: Check assigned IPs from ctdb output tests: Set the debug level = 3 when running local tests tests: Use CTDB_TEST_REAL_CLUSTER to decide if tests use local daemons recoverd: Fix spurious warnings when running with --nopublicipcheck ctdbd: Fix spurious warnings when running with --nopublicipcheck includes: Move special tevent defines from tevent.h to includes.h Remove explicit include of lib/tevent/tevent.h. 
ctdb_test: Remove faked wrappers for tevent functions in stub testing lib/tevent: Remove local modifications to tevent lib/tevent: Remove the files required to build tevent as a library lib/tevent: Sync tevent from samba git tree lib/talloc: Remove the files required to build talloc as a library lib/talloc: Sync talloc from samba git tree lib/tdb: Remove the files required to build tdb as a library lib/tdb: Sync tdb from samba git tree tests/tool: Fix the nodestatus test tests/tool: New nodestatus test tests: Fix wrapper scripts tests: CTDB_TEST_WRAPPER has to be an absolute path on a real cluster tests: test_wrap needs to set TEST_SCRIPTS_DIR tests/simple: Fix typo in the test message server: locking: Provide a common API for non-blocking locking of TDBs Revert server: locking: Provide a common API for non-blocking locking of TDBs tests: Use per node log files when running tests with local daemons packaging: make ctdb-tests package depend on nc server: Replace BOOL datatype with bool, True/False with true/false tests: Fix flakey behavior of ctdb_fetch test tests: Fix ctdb_fetch test (parse extra lines of output) tests: Increment RSN always in ctdb_update_record_persistent test Fix compiler warnings. util: Do not try to lockdown memory when running in local daemons mode ctdbd: Return explicit boolean values for function returning bool Remove tevent_loop_allow_nesting() web: Add my name to the developer list. 
util: Do not lock down memory when running with local daemons doc: Fix path string of /etc/sysconfig/ctdb file Revert when creating/adding a public ip, set the initial interface to be the first interface specified doc: Fix the hyperlink for Testing CTDB page scripts: Remove duplicate code from init script to set tunables doc: Fix documentation for setup event doc: Add info about execute permissions on event scripts header: Added DB statistics update macros common: Add routines to get process and lock information ctdbd: locking: Provide non-blocking API for locking of TDB record/db/alldb tools/ctdb: Display the locking statistics tests: Fix statistics test for new output lines from locking API ctdbd_test: Include ctdb_lock.c code for test stubs ctdb_freeze: Replace locking functions with locking API ctdb_recover: Replace static locking functions with locking API ctdbd: Replace lockwait with locking API and remove ctdb_lockwait.c locking: Schedule a new lock request everytime a lock is released locking: Add database priority handling for older versions of samba locking: Do not use ctdb_kill() to kill smbd processes build: Set CTDB_PATH to /tmp/ctdb.socket if SOCKPATH is not defined web: Remove reference to non-existent config files web: Add the links to ftp/http ctdb download area web: Add posix locking information to prerequisites doc: README - add information about CTDB, license and website build: Extract building of manpages in a separate Makefile packaging:
[SCM] CTDB repository - annotated tag ctdb-2.0.0 deleted - ctdb-1.13-332-ge2213db
The annotated tag, ctdb-2.0.0 has been deleted was e29f936515e60dd057627d3fc72ae67b3075305b --- tag ctdb-2.0.0 CTDB version 2.0.0 e2213db479129ce9c2b2fb88ec8c53cbd33d54b3 Avoid a bashism in 60.ganesha --- -- CTDB repository