Re: [Samba] [PATCH] Re: can not change mandatory owner to administrators

2012-10-31 Thread Andrew Bartlett
On Wed, 2012-10-31 at 13:10 +0330, Mohammad Ebrahim Abravi wrote:
> Hello
> 
> Remove this record and the problem is solved without adding "server services = +smb -s3fs"
> and "dcerpc endpoint servers = +winreg +srvsvc" to smb.conf
> 
> idmap.ldb:
> 
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_GID
> xidNumber: 10
> distinguishedName: CN=S-1-5-32-544
> 
> Note: BUG: upgrading to Samba rc4 and running samba-tool dbcheck does not fix
> this record.

Sadly we can't 'just fix' this, because it changes which unix gid files
are owned by.  We can however suggest it to administrators in release
notes, I'll try and get that set when we fix the release branch.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] [PATCH] Re: can not change mandatory owner to administrators

2012-10-31 Thread Mohammad Ebrahim Abravi
Hello

Remove this record and the problem is solved without adding "server services = +smb -s3fs"
and "dcerpc endpoint servers = +winreg +srvsvc" to smb.conf

idmap.ldb:

dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 10
distinguishedName: CN=S-1-5-32-544

Note: BUG: upgrading to Samba rc4 and running samba-tool dbcheck does not fix
this record.



On Tue, Oct 16, 2012 at 10:39 AM, Andrew Bartlett wrote:

> On Tue, 2012-10-16 at 13:17 +1100, Andrew Bartlett wrote:
> > On Sat, 2012-10-13 at 19:30 +1100, Andrew Bartlett wrote:
> > > On Sat, 2012-10-13 at 09:58 +0330, Mohammad Ebrahim Abravi wrote:
> > > > Solved
> > > >
> > > > Thanks a lot
> > >
> > > Thanks.
> > >
> > > The root of the issue is this automatically generated entry in your
> > > idmap.ldb:
> > >
> > > # record 12
> > > dn: CN=S-1-5-32-544
> > > cn: S-1-5-32-544
> > > objectClass: sidMap
> > > objectSid: S-1-5-32-544
> > > type: ID_TYPE_GID
> > > xidNumber: 10
> > > distinguishedName: CN=S-1-5-32-544
> > >
> > >
> > > What we need to do in your case is to remove that record, so it becomes
> > > regenerated as an IDMAP_BOTH.  We also need to remove the generation of
> > > that record from provision.
> > >
> > > The issue is that as a GID, you of course can't own a file.  The ntvfs
> > > file server papered over this issue (didn't deal with file ownership at
> > > a unix level), but the smbd file server needs to correctly set posix
> > > permissions.
> > >
> > > I hope this clarifies things.  If you can please file a bug, I'll try
> > > not to forget this.
> >
> > The attached patch should prevent this for a new provision.  Are you
> > able to test if this fixes things for you (on a new test domain?)
>
> This updated version uses the primary group of root (or the --root user)
> rather than hoping that there will be a group by the same name.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                        http://samba.org/~abartlet/
> Authentication Developer, Samba Team   http://samba.org
>
>
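The idmap.ldb record discussed in this thread can be checked for on a DC before anything is removed. The script below is an added example written for this page, not code from the thread or from Samba: it parses an LDIF dump of idmap.ldb of the kind quoted above, maps each sidMap record to its type and xidNumber, and reports any SID that has to be able to own files but is mapped ID_TYPE_GID (a gid-only mapping has no uid, which is the root cause Andrew describes). For each finding it also reports the gid whose file ownership will change once the record is regenerated as ID_TYPE_BOTH (the stored form of what the thread calls IDMAP_BOTH), which is the caveat Andrew raises about not "just fixing" it. Only BUILTIN\Administrators (S-1-5-32-544) comes from the thread; the sample dump, the records for BUILTIN\Users and RID 500, and the display-name table are constructed for the example.

```python
"""Audit a Samba idmap.ldb dump (LDIF) for SID mappings that cannot own files.

Added example for this page; not code from the thread or from Samba.
"""
import base64
import sys

# Constructed sample dump. Record 12 (S-1-5-32-544, ID_TYPE_GID, xidNumber 10) is
# the one quoted in the thread; the other two records are made up for the example.
SAMPLE_LDIF = """\
# record 11
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid: S-1-5-32-545
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-32-545

# record 12
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid: S-1-5-32-544
type: ID_TYPE_GID
xidNumber: 10
distinguishedName: CN=S-1-5-32-544

# record 13
dn: CN=S-1-5-21-1111-2222-3333-500
cn: S-1-5-21-1111-2222-3333-500
objectClass: sidMap
objectSid: S-1-5-21-1111-2222-3333-500
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-21-1111-2222-3333-500
"""


def _finish(record):
    """Decode 'attr:: base64' values once line folding is complete."""
    for key, values in record.items():
        record[key] = [base64.b64decode(v[1:].strip()).decode("utf-8")
                       if v.startswith(":") else v for v in values]
    return record


def parse_ldif(text):
    """Split an LDIF dump into records of the form {attribute: [values]}.

    Handles '#' comment lines, blank-line record separators, RFC 2849 line
    folding (continuation lines start with one space) and '::' base64 values.
    """
    records, current, prev_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():                      # record separator
            if current:
                records.append(_finish(current))
            current, prev_key = {}, None
            continue
        if raw.startswith(" ") and prev_key is not None:
            current[prev_key][-1] += raw[1:]     # folded continuation line
            continue
        key, _, value = raw.partition(":")
        key = key.strip()
        current.setdefault(key, []).append(value.strip())
        prev_key = key
    if current:
        records.append(_finish(current))
    return records


def sid_mappings(records):
    """Return {objectSid: (type, xidNumber)} for every sidMap record."""
    mappings = {}
    for rec in records:
        if "sidMap" not in rec.get("objectClass", []):
            continue
        mappings[rec["objectSid"][0]] = (rec["type"][0], int(rec["xidNumber"][0]))
    return mappings


# SIDs that must be able to own files. Only BUILTIN\Administrators comes from the
# thread (mandatory profiles must be owned by it); the display name is for output.
MUST_OWN_FILES = {"S-1-5-32-544": "BUILTIN\\Administrators"}


def audit(mappings, must_own=MUST_OWN_FILES):
    """Return one finding per SID in `must_own` that is mapped ID_TYPE_GID.

    A gid-only mapping has no uid, so smbd cannot make that SID a file's owner.
    Removing the record lets Samba regenerate it as ID_TYPE_BOTH, but the new
    xid will differ, so files group-owned by the old gid need reviewing first.
    """
    findings = []
    for sid, name in must_own.items():
        if sid not in mappings:
            continue                             # not allocated in this dump
        kind, xid = mappings[sid]
        if kind == "ID_TYPE_GID":
            findings.append({
                "sid": sid, "name": name, "type": kind, "xid": xid,
                "advice": ("remove CN=%s from idmap.ldb so it is regenerated as "
                           "ID_TYPE_BOTH; review files group-owned by gid %d first"
                           % (sid, xid)),
            })
    return findings


def audit_ldif(text):
    """Convenience wrapper: LDIF text in, list of findings out."""
    return audit(sid_mappings(parse_ldif(text)))


if __name__ == "__main__":
    # Pass a saved LDIF dump as the first argument, otherwise the constructed sample is used.
    ldif = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for f in audit_ldif(ldif):
        print("%s (%s) is %s with xid %d: %s"
              % (f["name"], f["sid"], f["type"], f["xid"], f["advice"]))
```

A real dump can be produced with Samba's `ldbsearch -H <path to idmap.ldb>` and saved to a file for the script to read. The audit deliberately reports rather than deletes: as Andrew notes above, regenerating the record changes which unix gid the affected files are owned by, so the old gid is printed for the administrator to check before the record is removed.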


Re: [Samba] [PATCH] Re: can not change mandatory owner to administrators

2012-10-17 Thread Andrew Bartlett
On Tue, 2012-10-16 at 18:09 +1100, Andrew Bartlett wrote:
> On Tue, 2012-10-16 at 13:17 +1100, Andrew Bartlett wrote:
> > On Sat, 2012-10-13 at 19:30 +1100, Andrew Bartlett wrote:
> > > On Sat, 2012-10-13 at 09:58 +0330, Mohammad Ebrahim Abravi wrote:
> > > > Solved
> > > > 
> > > > Thanks a lot
> > > 
> > > Thanks.
> > > 
> > > The root of the issue is this automatically generated entry in your
> > > idmap.ldb:
> > > 
> > > # record 12
> > > dn: CN=S-1-5-32-544
> > > cn: S-1-5-32-544
> > > objectClass: sidMap
> > > objectSid: S-1-5-32-544
> > > type: ID_TYPE_GID
> > > xidNumber: 10
> > > distinguishedName: CN=S-1-5-32-544
> > > 
> > > 
> > > What we need to do in your case is to remove that record, so it becomes
> > > regenerated as an IDMAP_BOTH.  We also need to remove the generation of
> > > that record from provision. 
> > > 
> > > The issue is that as a GID, you of course can't own a file.  The ntvfs
> > > file server papered over this issue (didn't deal with file ownership at
> > > a unix level), but the smbd file server needs to correctly set posix
> > > permissions. 
> > > 
> > > I hope this clarifies things.  If you can please file a bug, I'll try
> > > not to forget this.
> > 
> > The attached patch should prevent this for a new provision.  Are you
> > able to test if this fixes things for you (on a new test domain?)
> 
> This updated version uses the primary group of root (or the --root user)
> rather than hoping that there will be a group by the same name.

Fixing this and not breaking tests that subtly depend on idmap
configuration is proving tricky, but I'll get this sorted soon.

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org




Re: [Samba] [PATCH] Re: can not change mandatory owner to administrators

2012-10-16 Thread Andrew Bartlett
On Tue, 2012-10-16 at 13:17 +1100, Andrew Bartlett wrote:
> On Sat, 2012-10-13 at 19:30 +1100, Andrew Bartlett wrote:
> > On Sat, 2012-10-13 at 09:58 +0330, Mohammad Ebrahim Abravi wrote:
> > > Solved
> > > 
> > > Thanks a lot
> > 
> > Thanks.
> > 
> > The root of the issue is this automatically generated entry in your
> > idmap.ldb:
> > 
> > # record 12
> > dn: CN=S-1-5-32-544
> > cn: S-1-5-32-544
> > objectClass: sidMap
> > objectSid: S-1-5-32-544
> > type: ID_TYPE_GID
> > xidNumber: 10
> > distinguishedName: CN=S-1-5-32-544
> > 
> > 
> > What we need to do in your case is to remove that record, so it becomes
> > regenerated as an IDMAP_BOTH.  We also need to remove the generation of
> > that record from provision. 
> > 
> > The issue is that as a GID, you of course can't own a file.  The ntvfs
> > file server papered over this issue (didn't deal with file ownership at
> > a unix level), but the smbd file server needs to correctly set posix
> > permissions. 
> > 
> > I hope this clarifies things.  If you can please file a bug, I'll try
> > not to forget this.
> 
> The attached patch should prevent this for a new provision.  Are you
> able to test if this fixes things for you (on a new test domain?)

This updated version uses the primary group of root (or the --root user)
rather than hoping that there will be a group by the same name.

Andrew Bartlett 

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

From 65b53382e4e8bae4a68fb7c3835b4d5a5f108a76 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett 
Date: Tue, 16 Oct 2012 13:08:22 +1100
Subject: [PATCH] provision: No longer use the wheel group in new AD Domains

The issue here is that if we set S-1-5-32-544 (administrators) to a GID only, then
users cannot force a mandatory profile to be owned by administrators (which is a requirement).

There is no particularly useful reason for us to enforce this matching a system
group.

Andrew Bartlett
---
 source4/scripting/python/samba/netcmd/domain.py|  5 +---
 .../scripting/python/samba/provision/__init__.py   | 34 +-
 2 files changed, 15 insertions(+), 24 deletions(-)

diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py
index 6e3f35a..4ba305c 100644
--- a/source4/scripting/python/samba/netcmd/domain.py
+++ b/source4/scripting/python/samba/netcmd/domain.py
@@ -186,8 +186,6 @@ class cmd_domain_provision(Command):
 help="choose 'root' unix username"),
  Option("--nobody", type="string", metavar="USERNAME",
 help="choose 'nobody' user"),
- Option("--wheel", type="string", metavar="GROUPNAME",
-help="choose 'wheel' privileged group"),
  Option("--users", type="string", metavar="GROUPNAME",
 help="choose 'users' group"),
  Option("--quiet", help="Be quiet", action="store_true"),
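Review bot: dropping the two `Option("--wheel", ...)` lines outright turns any existing provisioning script that still passes `--wheel` into a hard failure on an unknown option. Since the commit message says the group is simply no longer needed, consider keeping the option for one release as an accepted-but-ignored argument that prints a deprecation warning, and mention the removal in the release notes.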
@@ -237,7 +235,6 @@ class cmd_domain_provision(Command):
 ldapadminpass=None,
 root=None,
 nobody=None,
-wheel=None,
 users=None,
 quiet=None,
 blank=None,
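Review bot: removing the `wheel=None` default from `run()` is consistent with dropping the option, but please check that nothing else in this file still reads `wheel`; the three hunks here cover the option, the default and the `provision()` call, and any remaining reference (a log line echoing the chosen groups, for instance) would now fail with `NameError` only when that code path runs.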
@@ -393,7 +390,7 @@ class cmd_domain_provision(Command):
   krbtgtpass=krbtgtpass, machinepass=machinepass,
   dns_backend=dns_backend, dns_forwarder=dns_forwarder,
   dnspass=dnspass, root=root, nobody=nobody,
-  wheel=wheel, users=users,
+  users=users,
   serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
   backend_type=ldap_backend_type,
   ldapadminpass=ldapadminpass, ol_mmr_urls=ol_mmr_urls,
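Review bot: the call now passes `root=root, nobody=nobody, users=users` but nothing corresponding to the `root_gid` that `setup_name_mappings` takes in the later hunk, so the gid of the root user's primary group must be derived inside `provision()`, and that part of the change is not in the visible hunks. Make sure that lookup fails with a `ProvisioningError` naming the `--root` user rather than an uncaught `KeyError` when the account does not exist, in keeping with how the removed `res9` lookup reported its failure.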
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index d9ba90c..0cec8a9 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -241,12 +241,6 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
 names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
 else:
 names.policyid_dc = None
-res9 = idmapdb.search(expression="(cn=%s)" %
-(security.SID_BUILTIN_ADMINISTRATORS),
-attrs=["xidNumber"])
-if len(res9) != 1:
-raise ProvisioningError("Unable to find uid/gid for Domain Admins rid")
-names.wheel_gid = res9[0]["xidNumber"]
 return names
 
 
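Review bot: deleting the `res9` lookup means `names.wheel_gid` is no longer set by `find_provision_key_parameters`, so any other caller of this function that reads `names.wheel_gid` will now fail with `AttributeError`; grep for `wheel_gid` before merging. Incidentally, the removed error text said "Domain Admins rid" while the search was for `security.SID_BUILTIN_ADMINISTRATORS` (S-1-5-32-544, BUILTIN\Administrators); it is gone now, but any replacement message should name the right SID.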
@@ -692,7 +686,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir,
 
 
 def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
-users_gid, wheel_gid):
+users_gid, root_gid):
 """setup reasonable name mappings for sam names to unix names.
 
 :param samdb: SamDB object.
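Review bot: renaming the last positional parameter from `wheel_gid` to `root_gid` keeps the arity of `setup_name_mappings` unchanged, so a caller that was not updated would still run and silently map BUILTIN\Administrators to whatever gid it used to pass as `wheel_gid`; making the new parameter keyword-only, or at least checking every caller, would turn that into an immediate error. While the docstring is being touched, its first line `:param samdb: SamDB object.` describes a parameter the function does not have (the first argument is `idmap`).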
@@ -702,12 +696,14 @@ def setup_name_mappings(idmap, sid, roo

[Samba] [PATCH] Re: can not change mandatory owner to administrators

2012-10-15 Thread Andrew Bartlett
On Sat, 2012-10-13 at 19:30 +1100, Andrew Bartlett wrote:
> On Sat, 2012-10-13 at 09:58 +0330, Mohammad Ebrahim Abravi wrote:
> > Solved
> > 
> > Thanks a lot
> 
> Thanks.
> 
> The root of the issue is this automatically generated entry in your
> idmap.ldb:
> 
> # record 12
> dn: CN=S-1-5-32-544
> cn: S-1-5-32-544
> objectClass: sidMap
> objectSid: S-1-5-32-544
> type: ID_TYPE_GID
> xidNumber: 10
> distinguishedName: CN=S-1-5-32-544
> 
> 
> What we need to do in your case is to remove that record, so it becomes
> regenerated as an IDMAP_BOTH.  We also need to remove the generation of
> that record from provision. 
> 
> The issue is that as a GID, you of course can't own a file.  The ntvfs
> file server papered over this issue (didn't deal with file ownership at
> a unix level), but the smbd file server needs to correctly set posix
> permissions. 
> 
> I hope this clarifies things.  If you can please file a bug, I'll try
> not to forget this.

The attached patch should prevent this for a new provision.  Are you
able to test if this fixes things for you (on a new test domain?)

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                        http://samba.org/~abartlet/
Authentication Developer, Samba Team   http://samba.org

From c5b4f82218041132210098dcfe2f269700de66bc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett 
Date: Tue, 16 Oct 2012 13:08:22 +1100
Subject: [PATCH] provision: No longer use the wheel group in new AD Domains

The issue here is that if we set S-1-5-32-544 (administrators) to a GID only, then
users cannot force a mandatory profile to be owned by administrators (which is a requirement).

There is no particularly useful reason for us to enforce this matching a system
group.

Andrew Bartlett
---
 source4/scripting/python/samba/netcmd/domain.py|  5 +---
 .../scripting/python/samba/provision/__init__.py   | 34 ++
 2 files changed, 16 insertions(+), 23 deletions(-)

diff --git a/source4/scripting/python/samba/netcmd/domain.py b/source4/scripting/python/samba/netcmd/domain.py
index 6e3f35a..4ba305c 100644
--- a/source4/scripting/python/samba/netcmd/domain.py
+++ b/source4/scripting/python/samba/netcmd/domain.py
@@ -186,8 +186,6 @@ class cmd_domain_provision(Command):
 help="choose 'root' unix username"),
  Option("--nobody", type="string", metavar="USERNAME",
 help="choose 'nobody' user"),
- Option("--wheel", type="string", metavar="GROUPNAME",
-help="choose 'wheel' privileged group"),
  Option("--users", type="string", metavar="GROUPNAME",
 help="choose 'users' group"),
  Option("--quiet", help="Be quiet", action="store_true"),
@@ -237,7 +235,6 @@ class cmd_domain_provision(Command):
 ldapadminpass=None,
 root=None,
 nobody=None,
-wheel=None,
 users=None,
 quiet=None,
 blank=None,
@@ -393,7 +390,7 @@ class cmd_domain_provision(Command):
   krbtgtpass=krbtgtpass, machinepass=machinepass,
   dns_backend=dns_backend, dns_forwarder=dns_forwarder,
   dnspass=dnspass, root=root, nobody=nobody,
-  wheel=wheel, users=users,
+  users=users,
   serverrole=server_role, dom_for_fun_level=dom_for_fun_level,
   backend_type=ldap_backend_type,
   ldapadminpass=ldapadminpass, ol_mmr_urls=ol_mmr_urls,
diff --git a/source4/scripting/python/samba/provision/__init__.py b/source4/scripting/python/samba/provision/__init__.py
index d9ba90c..ccf56962 100644
--- a/source4/scripting/python/samba/provision/__init__.py
+++ b/source4/scripting/python/samba/provision/__init__.py
@@ -241,12 +241,6 @@ def find_provision_key_parameters(samdb, secretsdb, idmapdb, paths, smbconf,
 names.policyid_dc = str(res8[0]["cn"]).replace("{","").replace("}","")
 else:
 names.policyid_dc = None
-res9 = idmapdb.search(expression="(cn=%s)" %
-(security.SID_BUILTIN_ADMINISTRATORS),
-attrs=["xidNumber"])
-if len(res9) != 1:
-raise ProvisioningError("Unable to find uid/gid for Domain Admins rid")
-names.wheel_gid = res9[0]["xidNumber"]
 return names
 
 
@@ -692,7 +686,7 @@ def make_smbconf(smbconf, hostname, domain, realm, targetdir,
 
 
 def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
-users_gid, wheel_gid):
+users_gid, root_gid):
 """setup reasonable name mappings for sam names to unix names.
 
 :param samdb: SamDB object.
@@ -702,12 +696,14 @@ def setup_name_mappings(idmap, sid, root_uid, nobody_uid,
 :param root_uid: uid of the UNIX root user.
 :param nobody_uid: uid of the UNIX nobody user.
 :param users_gid: gid of the UNIX users group.
-:param wheel_gid: gid of the UNIX wheel group.
+:param root_gid: gid of the