On Fri, 2012-10-26 at 16:56 +0000, Bethel, Zach wrote:
> Okay, I copied the files over and ran those two commands. Both of them
> returned nothing (which I assume is a good thing?) and the file permissions
> appear to have extended ACLs in the sysvol folder. So I'm assuming that
> worked.
>
> However, when my Windows client attempts to `gpupdate /force` (as the domain
> admin) from the samba machine, I get the following error message for the
> computer policy:
>
> "The processing of Group Policy failed. Windows attempted to read the file
> \\csetest.taylor.edu\sysvol\csetest.taylor.edu\Policies\{GUID}\gpt.ini from a
> domain controller and was not successful. Group Policy settings may not be
> applied until this event is resolved. This issue may be transient and could
> be caused by one or more of the following:
>
> a) Name Resolution/Network Connectivity to the current domain controller.
> b) File Replication Service Latency (a file created on another domain
> controller has not replicated to the current domain controller).
> c) The Distributed File System (DFS) client has been disabled."
>
> The user policy gets applied just fine.
> When I look in the event viewer, I get error code 5 with "Access is Denied"
> as the description. The same event has a DCName field which points at the
> samba machine, so I know that it's trying to talk to samba. I can mount the
> sysvol share manually as the domain administrator and see all the files just
> fine.
>
> Any idea what might be going on?
This fix I just put in master is almost certainly for this problem.
If it doesn't apply, then just run
"sh -c 'umask 0 && samba-tool ntacl sysvolreset'"
to remove the umask for the duration of this operation.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
>From 88df69b860c3d503846872d7624cd38f969185a7 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <[email protected]>
Date: Fri, 26 Oct 2012 14:22:07 +1100
Subject: [PATCH 2/3] pysmbd: Set umask to 0 during smbd operations
---
source3/smbd/pysmbd.c | 43 ++++++++++++++++++++++++++++++++++---------
1 file changed, 34 insertions(+), 9 deletions(-)
diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c
index 2767c11..e7bef8a 100644
--- a/source3/smbd/pysmbd.c
+++ b/source3/smbd/pysmbd.c
@@ -43,6 +43,7 @@ static NTSTATUS set_sys_acl_no_snum(const char *fname,
connection_struct *conn;
NTSTATUS status = NT_STATUS_OK;
int ret;
+ mode_t saved_umask;
conn = talloc_zero(NULL, connection_struct);
if (conn == NULL) {
@@ -56,6 +57,10 @@ static NTSTATUS set_sys_acl_no_snum(const char *fname,
return NT_STATUS_NO_MEMORY;
}
+ /* we want total control over the permissions on created files,
+ so set our umask to 0 */
+ saved_umask = umask(0);
+
conn->params->service = -1;
set_conn_connectpath(conn, "/");
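Review bot: `umask(0)` here changes the mask for the whole process, not just this call, so until the restore later in set_sys_acl_no_snum any file created elsewhere in the same process gets its requested mode with no mask applied. pysmbd is loaded into a Python interpreter, so if another thread can run during the VFS call (not visible from this hunk) that window is reachable. I would extend the comment to say so, e.g. `/* umask is process-wide: nothing else in this process may create files until it is restored below */`. The same applies to the umask(0) additions in set_nt_acl_no_snum and py_smbd_chown; the function body continues outside this hunk.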
@@ -69,6 +74,8 @@ static NTSTATUS set_sys_acl_no_snum(const char *fname,
"returned zero.\n"));
}
+ umask(saved_umask);
+
conn_free(conn);
return status;
@@ -83,9 +90,16 @@ static NTSTATUS set_nt_acl_no_snum(const char *fname,
files_struct *fsp;
struct smb_filename *smb_fname = NULL;
int flags;
+ mode_t saved_umask;
+
+ if (!posix_locking_init(false)) {
+ TALLOC_FREE(frame);
+ return NT_STATUS_NO_MEMORY;
+ }
conn = talloc_zero(frame, connection_struct);
if (conn == NULL) {
+ TALLOC_FREE(frame);
DEBUG(0, ("talloc failed\n"));
return NT_STATUS_NO_MEMORY;
}
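Review bot: The new posix_locking_init() failure path returns NT_STATUS_NO_MEMORY silently, while the talloc failure just below it logs at level 0, so a caller who sees that status cannot tell which step failed. Adding `DEBUG(0, ("posix_locking_init failed\n"));` before the return would make the two paths distinguishable. The declaration of `frame` and the rest of set_nt_acl_no_snum are outside this hunk.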
@@ -96,15 +110,6 @@ static NTSTATUS set_nt_acl_no_snum(const char *fname,
return NT_STATUS_NO_MEMORY;
}
- conn->params->service = -1;
-
- set_conn_connectpath(conn, "/");
-
- smbd_vfs_init(conn);
- if (!posix_locking_init(false)) {
- return NT_STATUS_NO_MEMORY;
- }
-
fsp = talloc_zero(frame, struct files_struct);
if (fsp == NULL) {
TALLOC_FREE(frame);
@@ -117,10 +122,21 @@ static NTSTATUS set_nt_acl_no_snum(const char *fname,
}
fsp->conn = conn;
+ /* we want total control over the permissions on created files,
+ so set our umask to 0 */
+ saved_umask = umask(0);
+
+ conn->params->service = -1;
+
+ set_conn_connectpath(conn, "/");
+
+ smbd_vfs_init(conn);
+
status = create_synthetic_smb_fname_split(fsp, fname, NULL,
&smb_fname);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(frame);
+ umask(saved_umask);
return status;
}
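Review bot: `smbd_vfs_init(conn)` is called for its side effects only, so if VFS setup fails the function still goes on to use the connection, with the umask already cleared. Assuming it reports failure through its return value (its prototype is not in this hunk), the call should be checked, and the failure path should free `frame` and restore `saved_umask` like the branch below it. Something like `if (!smbd_vfs_init(conn)) { TALLOC_FREE(frame); umask(saved_umask); return NT_STATUS_INTERNAL_ERROR; }` would do. set_nt_acl_no_snum continues past the end of this hunk.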
@@ -140,6 +156,7 @@ static NTSTATUS set_nt_acl_no_snum(const char *fname,
if (fsp->fh->fd == -1) {
printf("open: error=%d (%s)\n", errno, strerror(errno));
TALLOC_FREE(frame);
+ umask(saved_umask);
return NT_STATUS_UNSUCCESSFUL;
}
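Review bot: The umask restore is now written out by hand on each of the three exits of set_nt_acl_no_snum (here, the create_synthetic_smb_fname_split failure above, and the final return), so any early return added later leaves the process running with umask 0. Routing the exits through one cleanup label keeps the restore in a single place. These error branches also free `frame` without the `conn_free(conn)` that the success path performs; whether that is intended is not visible from the hunk. The function starts and ends outside this hunk.
```c
	if (fsp->fh->fd == -1) {
		printf("open: error=%d (%s)\n", errno, strerror(errno));
		status = NT_STATUS_UNSUCCESSFUL;
		goto out;
	}
	/* … unchanged: ACL is set on the opened file, conn_free(conn) on success … */
out:
	/* single exit: every path hands the caller's umask back */
	TALLOC_FREE(frame);
	umask(saved_umask);
	return status;
```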
@@ -153,6 +170,7 @@ static NTSTATUS set_nt_acl_no_snum(const char *fname,
conn_free(conn);
TALLOC_FREE(frame);
+ umask(saved_umask);
return status;
}
@@ -297,6 +315,7 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args)
char *fname;
int uid, gid;
TALLOC_CTX *frame;
+ mode_t saved_umask;
if (!PyArg_ParseTuple(args, "sii", &fname, &uid, &gid))
return NULL;
@@ -314,6 +333,10 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args)
return NULL;
}
+ /* we want total control over the permissions on created files,
+ so set our umask to 0 */
+ saved_umask = umask(0);
+
conn->params->service = -1;
set_conn_connectpath(conn, "/");
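Review bot: The comment added here talks about permissions on created files, but the operation in py_smbd_chown is a chown, which creates nothing in the lines shown. If the mask is cleared because VFS code reached from this function may create files, the comment should say that; otherwise it reads as a copy of the one in the ACL setters. Suggested wording, to be confirmed by the author: `/* VFS modules initialised below may create files; keep the mask at 0 as in the ACL setters */`. The function body extends beyond this hunk.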
@@ -326,6 +349,8 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args)
DEBUG(0,("chown returned failure: %s\n", strerror(errno)));
}
+ umask(saved_umask);
+
conn_free(conn);
TALLOC_FREE(frame);
--
1.7.11.7