On 25/10/2012 10:20, Andrew Bartlett wrote:
On Thu, 2012-10-25 at 10:01 +0100, Alex Matthews wrote:
On 25/10/2012 02:31, Andrew Bartlett wrote:
On Wed, 2012-10-24 at 18:36 +0100, Alex Matthews wrote:
On 24/10/2012 17:25, Alex Matthews wrote:
On 24/10/2012 12:09, Andrew Bartlett wrote:
On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
Hi,

I have installed a virtual testing network consisting of one samba4 PDC
(latest git master) and one Windows XP Pro SP3 (fully updated) machine.

I have successfully provisioned an AD Domain and joined the XP machine
to it.
When I run the gpmc on the XP Pro machine and select:
Forest: <domain name> -> Domains -> <domain name> -> Group Policy
Objects -> Default Domain [Controller | Policy]
I get the following error:

"The permissions for this GPO in the SYSVOL folder are inconsistent with
those in Active Directory.
It is recommended that these permissions be consistent.
To change the SYSVOL permissions to those in Active Directory, click OK."

Hitting ok I get no error but as soon as I reselect THE SAME entry I get
the same error, it doesn't seem to be able to fix the ACL.

I have found one post about this on the list
(https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was
"fixed" a long time ago.
Seeing as I'm using the latest version I would assume this is a
different issue.

If I try to change any of the ACLs on either of the folders in
\\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors however
the change doesn't stick.


Looking at the samba log files:

I get this when I start gpmc and click ok:
http://pastebin.com/7rBKyU1B

I get this when I start gpmc and don't click ok:
http://pastebin.com/B3DMSE1T

I get this when I alter the ACLs manually (after line 479 is when I
actually alter the ACLs):
http://pastebin.com/2mEvWX6K

My smb.conf is stock. No alterations.
The server OS is Ubuntu 12.04.
The filesystem is ext4 mounted with the following options:
"errors=remount-ro,acl,user_xattr,barrier=1".
I have all acl packages installed that I have seen referenced by samba
or in posts of a similar nature.

If you are in the mood for some testing, can you try my acl-fixes2
branch?

git remote add abartlet git://git.samba.org/abartlet/samba.git
git fetch abartlet
git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2

I'm trying to get these changes into master, but I'm not quite finished.
You should only put these on a test server, as I may change data formats
etc.

I would be very curious to know if this fixes the issue.

Otherwise or in addition, if you can show me the contents of your
idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as what is
going wrong here, and fix it.

Thanks,

Andrew Bartlett

I assume

git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2

should be:

git checkout abartlet/fix-acls2 -b abartlet-fix-acls2

I'm rebuilding now, will keep you posted!

Thanks,

Alex

I have tried your branch. Rebuilt and the XP machine still throws the
same issue.

Do I need to reprovision?

You need to at least run 'samba-tool ntacl sysvolreset' to get the new
ACLs on disk.

Andrew Bartlett

Hiya,

No luck I'm afraid, still the same issue!

Drat.  OK, we will need to dig in further.  Can you show me your
idmap.ldb?

What does 'samba-tool ntacl sysvolcheck' show?

Andrew Bartlett

samba-tool ntacl sysvolcheck shows:

sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
[sudo] password for qoole:
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Module 'acl_xattr' loaded
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 245, in run
    lp)
File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1574, in checksysvolacl
    direct_db_access)
File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1526, in check_gpos_acl
    domainsid, direct_db_access)
File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1476, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))




idmap.ldb contains:


# ldbsearch -H idmap.ldb
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid:: AQEAAAAAAAEAAAAA
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-1-0

# record 2
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000018
distinguishedName: CN=CONFIG

# record 3
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid:: AQEAAAAAAAULAAAA
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11

# record 4
dn: CN=S-1-5-9
cn: S-1-5-9
objectClass: sidMap
objectSid:: AQEAAAAAAAUJAAAA
type: ID_TYPE_BOTH
xidNumber: 3000010
distinguishedName: CN=S-1-5-9

# record 5
dn: CN=S-1-5-7
cn: S-1-5-7
objectClass: sidMap
objectSid:: AQEAAAAAAAUHAAAA
type: ID_TYPE_UID
xidNumber: 65534
distinguishedName: CN=S-1-5-7

# record 6
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-572
cn: S-1-5-21-3528014533-2888711523-1744986056-572
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoPAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000005
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-572

# record 7
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-520
cn: S-1-5-21-3528014533-2888711523-1744986056-520
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoCAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000004
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-520

# record 8
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-515
cn: S-1-5-21-3528014533-2888711523-1744986056-515
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAwIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000017
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-515

# record 9
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-514
cn: S-1-5-21-3528014533-2888711523-1744986056-514
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAgIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000012
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-514

# record 10
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-513
cn: S-1-5-21-3528014533-2888711523-1744986056-513
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAQIAAA==
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-513

# record 11
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-512
cn: S-1-5-21-3528014533-2888711523-1744986056-512
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-512

# record 12
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-501
cn: S-1-5-21-3528014533-2888711523-1744986056-501
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJo9QEAAA==
type: ID_TYPE_BOTH
xidNumber: 3000011
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-501

# record 13
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-500
cn: S-1-5-21-3528014533-2888711523-1744986056-500
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJo9AEAAA==
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-500

# record 14
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-1103
cn: S-1-5-21-3528014533-2888711523-1744986056-1103
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoTwQAAA==
type: ID_TYPE_BOTH
xidNumber: 3000016
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-1103

# record 15
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAIQIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-5-32-545

# record 16
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAIAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544

# record 17
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-519
cn: S-1-5-21-3528014533-2888711523-1744986056-519
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoBwIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000006
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-519

# record 18
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-518
cn: S-1-5-21-3528014533-2888711523-1744986056-518
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoBgIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000007
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-518

# record 19
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAJQIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549

# record 20
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid:: AQEAAAAAAAUSAAAA
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18

# record 21
dn: CN=S-1-5-2
cn: S-1-5-2
objectClass: sidMap
objectSid:: AQEAAAAAAAUCAAAA
type: ID_TYPE_BOTH
xidNumber: 3000014
distinguishedName: CN=S-1-5-2

# record 22
dn: CN=S-1-5-32-546
cn: S-1-5-32-546
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAIgIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000015
distinguishedName: CN=S-1-5-32-546

# returned 22 records
# 22 entries
# 0 referrals



Thanks,

Alex
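
The two security descriptors in the sysvolcheck error above are hard to compare by eye. This added example (not part of the original thread and not Samba's own code) parses both SDDL strings and lists what differs; `parse_sddl` and `diff_sd` are hypothetical helper names, and the parser assumes no conditional ACEs.

```python
import re
from pprint import pprint

# Both SDDL strings are copied from the sysvolcheck error quoted in the thread.
ON_DISK = (
    "O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
    "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)"
)
EXPECTED = (
    "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI"
    "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)
NO_ACL = {"flags": None, "aces": []}

def parse_sddl(sddl):
    """Split SDDL into owner (O), group (G) and DACL/SACL flags plus ACE lists.
    Assumption: no conditional ACEs, so ':' and ')' never occur inside an ACE."""
    sd = dict.fromkeys("OGDS")
    tokens = re.split(r"([OGDS]):", sddl)[1:]   # [tag, body, tag, body, ...]
    for tag, body in zip(tokens[0::2], tokens[1::2]):
        if tag in ("O", "G"):
            sd[tag] = body
        else:   # ACL flags (e.g. P, AI) precede the first parenthesised ACE
            sd[tag] = {"flags": body.split("(", 1)[0],
                       "aces": re.findall(r"\(([^)]*)\)", body)}
    return sd

def diff_sd(on_disk, expected):
    """Order-insensitive comparison that returns only the parts that differ."""
    have, want = parse_sddl(on_disk), parse_sddl(expected)
    report = {t: (have[t], want[t]) for t in "OG" if have[t] != want[t]}
    for tag in "DS":
        h, w = have[tag] or NO_ACL, want[tag] or NO_ACL
        missing = sorted(set(w["aces"]) - set(h["aces"]))
        extra = sorted(set(h["aces"]) - set(w["aces"]))
        if h["flags"] != w["flags"] or missing or extra:
            report[tag] = {"flags": (h["flags"], w["flags"]),
                           "missing_on_disk": missing, "extra_on_disk": extra}
    return report

if __name__ == "__main__":
    pprint(diff_sd(ON_DISK, EXPECTED))
```

For these strings the report shows the on-disk DACL without the `P` (protected) flag, no SACL on disk, and full control for `EA` and `SY` present only as inherit-only (`IO`) ACEs.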