On Thu, 2012-11-01 at 14:54 +0000, Alex Matthews wrote:
> On 30/10/2012 00:08, Jeremy Allison wrote:
> > On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
> >>>> be a particular trigger - but it shouldn't be able to make a
> >>>> modification that doesn't go via vfs_acl_xattr.
> >>>>
> >>>> For Alex, before running the Group Policy tools on WinXP, he gets (at
> >>>> level 10 on samba-tool ntacl sysvolcheck):
> >>>>
> >>>> get_nt_acl_internal: blob hash matches for
> >>>> file
> >>>> /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> >>>>
> >>>> then after, he gets:
> >>>>
> >>>> get_nt_acl_internal: blob hash does not match for
> >>>> file
> >>>> /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> >>>> - returning file system SD mapping.
> >>> Is this message from smbd, or from samba-tool ?
> >> That's what vfs_acl_common is printing, being run from samba-tool ntacl
> >> sysvolcheck. It links to the VFS layer.
> > So this looks like it's running the Group Policy tools on WinXP
> > that causes the problem ?
> >
> > Can we get a debug level 10 log of that activity going on
> > against smbd ?
> >
> > Jeremy.
> Ok I have some additional info.
>
> Using the GPMC I cannot create new GPOs. I get the message: "This
> security ID may not be assigned as the owner of this object"
>
> If I use samba-tool gpo create I get the following:
>
> # bin/samba-tool gpo create "SMC Students"
> ERROR(ldb): uncaught exception - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on
> CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
> File
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py",
> line 952, in run
> self.samdb.add(m)
>
> If I supply administrator as username I get:
>
> # bin/samba-tool gpo create "SMC Students" -U administrator
> Password for [SMC\administrator]:
> ERROR(runtime): uncaught exception - (-1073741734,
> 'NT_STATUS_INVALID_OWNER')
> File
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
> return self.run(*args, **kwargs)
> File
> "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py",
> line 987, in run
> conn.set_acl(sharepath, fs_sd, sio)
>
> However this time it has successfully created the GPO. (GPMC still
> throws the same warnings about inconsistent ACLs).
>
> bin/samba-tool gpo create "SMC Students" -d 10: http://pastebin.com/tjutA68u
> bin/samba-tool gpo create "SMC Students" -U administrator -d 10:
> http://pastebin.com/8kkVEy7V
>
> I would hazard a guess and say the GPMC error (when creating a GPO) is
> the same error as the samba-tool error.
It is certainly very helpful to have this happen with samba-tool. Can
you remind me the history of this domain, is it the upgrade I was trying
to suggest you do, or a fresh provision?
Can you tell me what provision command line you ran and, if it was
provisioned with an older version, which branch and git revision that
was, and which branch and git revision you are running now?
I've tried to replicate this in 'make test' but failed (the tests pass).
The patch for that is attached for review.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
>From 34bd98e04151e48e5ae7a4e5c88ddb872528238a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <[email protected]>
Date: Mon, 5 Nov 2012 12:57:17 +1100
Subject: [PATCH] selfltest: check that samba-tool gpo works for basic
operations
---
selftest/target/Samba4.pm | 2 +-
.../scripting/python/samba/tests/samba_tool/gpo.py | 59 ++++++++++++++++++++++
source4/selftest/tests.py | 2 +
3 files changed, 62 insertions(+), 1 deletion(-)
create mode 100644 source4/scripting/python/samba/tests/samba_tool/gpo.py
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index fbc8117..20114c9 100644
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -799,7 +799,7 @@ sub provision($$$$$$$$$)
[sysvol]
path = $ctx->{statedir}/sysvol
- read only = yes
+ read only = no
[netlogon]
path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
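Review bot: The `[sysvol]` share becomes writable (`read only = no`) for every suite that runs against this target, not only the new gpo tests, and nothing in the hunk or the commit message records why. Presumably it is needed because `samba-tool gpo create` writes the policy files and their ACL over SMB (the traceback earlier in this thread ends in `conn.set_acl`), so the commit message should state that. It is also worth confirming that no existing test depended on sysvol being read-only in this target. The `provision` sub continues outside the hunk.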
diff --git a/source4/scripting/python/samba/tests/samba_tool/gpo.py b/source4/scripting/python/samba/tests/samba_tool/gpo.py
new file mode 100644
index 0000000..0cd39dc
--- /dev/null
+++ b/source4/scripting/python/samba/tests/samba_tool/gpo.py
@@ -0,0 +1,59 @@
+# Unix SMB/CIFS implementation.
+# Copyright (C) Andrew Bartlett 2012
+#
+# based on time.py:
+# Copyright (C) Sean Dague <[email protected]> 2011
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import os
+from samba.tests.samba_tool.base import SambaToolCmdTest
+
+class GpoCmdTestCase(SambaToolCmdTest):
+ """Tests for samba-tool time subcommands"""
+
+ gpo_name = "testgpo"
+
+ def test_gpo_list(self):
+ """Run gpo list against the server and make sure it looks accurate"""
+ (result, out, err) = self.runsubcmd("gpo", "listall", "-H", "ldap://%s" % os.environ["SERVER"])
+ self.assertCmdSuccess(result, "Ensuring gpo listall ran successfully")
+
+ def test_fetchfail(self):
+ """Run against a non-existent GPO, and make sure it fails (this hard-coded UUID is very unlikely to exist"""
+ (result, out, err) = self.runsubcmd("gpo", "fetch", "c25cac17-a02a-4151-835d-fae17446ee43", "-H", "ldap://%s" %
+os.environ["SERVER"])
+ self.assertEquals(result, -1, "check for result code")
+
+ def test_fetch(self):
+ """Run against a real GPO, and make sure it passes"""
+ (result, out, err) = self.runsubcmd("gpo", "fetch", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "--tmpdir", os.environ['SELFTEST_PREFIX'])
+ self.assertCmdSuccess(result, "Ensuring gpo fetched successfully")
+
+ def setUp(self):
+ """set up a tempoary GPO to work with"""
+ super(GpoCmdTestCase, self).setUp()
+ (result, out, err) = self.runsubcmd("gpo", "create", self.gpo_name, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
+ self.gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
+
+ self.assertCmdSuccess(result, "Ensuring gpo created successfully")
+
+ def tearDown(self):
+ """remote the tempoary GPO to work with"""
+ (result, out, err) = self.runsubcmd("gpo", "del", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
+ self.assertCmdSuccess(result, "Ensuring gpo deleted successfully")
+ super(GpoCmdTestCase, self).tearDown()
+
+
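Review bot: In `setUp` the GUID is parsed from `out` before the result is checked, so a failed `gpo create` is reported as an `IndexError` from `out.split("{")[1]` instead of the command's own error; call `self.assertCmdSuccess(result, "Ensuring gpo created successfully")` first and assign `self.gpo_guid` after it. In `tearDown`, a failing `assertCmdSuccess` skips `super(GpoCmdTestCase, self).tearDown()`, so the parent cleanup is better placed in a `finally`. The class docstring still reads `"""Tests for samba-tool time subcommands"""`, apparently carried over from time.py, and should name the gpo subcommands. The tests assert exit codes only; since the thread is about an ACL mismatch on the created GPO, an additional check of the resulting sysvol ACL would be needed for this suite to cover the reported failure.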
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index ca5bdd3..61540d0 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -405,6 +405,8 @@ planpythontestsuite("dc:local", "samba.tests.dcerpc.bare")
planpythontestsuite("dc:local", "samba.tests.dcerpc.unix")
planpythontestsuite("dc:local", "samba.tests.dcerpc.srvsvc")
planpythontestsuite("dc:local", "samba.tests.samba_tool.timecmd")
+planpythontestsuite("dc:local", "samba.tests.samba_tool.gpo")
+planpythontestsuite("plugin_s4_dc:local", "samba.tests.samba_tool.gpo")
planpythontestsuite("dc:local", "samba.tests.samba_tool.processes")
planpythontestsuite("dc:local", "samba.tests.samba_tool.user")
planpythontestsuite("dc:local", "samba.tests.samba_tool.group")
--
1.7.11.7