On 06/11/2012 11:43, Alex Matthews wrote:
On 05/11/2012 02:10, Andrew Bartlett wrote:
It is certainly very helpful to have this happen with samba-tool. Can
you remind me the history of this domain, is it the upgrade I was trying
to suggest you do, or a fresh provision?
If you can tell me what provision command-line you run, if it was
provisioned with an older version, which branch and git revision that
was, and what branch and git revision are you running now?
I've tried to replicate this in 'make test' but failed (the tests pass).
The patch for that is attached for review.
Thanks,
Andrew Bartlett
Ok, I think we've got a bit lost in issues here, so I'll start from
the very beginning (I've heard it's a very good place to start).
I have set up two domains:
home.lillimoth.com - a test domain set up on virtual machines at home.
This domain has been provisioned from scratch.
internal.stmaryscollege.co.uk - a production domain at my work place.
This domain was migrated from a samba 3 domain.
My issue is that when I run gpmc (the group policy management console)
on a Windows machine (XP or 7) and select a GPO to edit I get the
message:
"The permissions for this GPO in the SYSVOL folder are inconsistent
with those in Active Directory.
It is recommended that these permissions be consistent.
To change the SYSVOL permissions to those in Active Directory, click
OK." - Please see: http://support.microsoft.com/kb/828760
This occurs on both domains.
Clicking 'ok' to the popup should correct the ACLs on the
files/folders it believes are incorrect.
Please note that before clicking 'ok' sysvolcheck passes with no
errors; however, after clicking it would fail with the following error:
"ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception - ProvisioningError: VFS ACL on GPO directory
/usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
does not match expected value
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
from GPO object"
This suggests that the gpmc did change the ACLs however when
reselecting the same GPO it pops up with the same message again!
Both servers have the correct mount options (user_xattr,acl) and acls
work when set manually.
I did some research into what the ACLs should be on the sysvol share
and came up with these: http://pastebin.com/sSURWrDf which were taken
from a WS2003 machine.
I have not yet attempted to set these on my S4 server but will try
that tonight.
The issue seems to revolve around:
Incorrect initial ACLs on the sysvol share and its subfolders.
The inability of the GPMC to correct the issue, suggesting that
there is some issue setting ACLs on the sysvol share from a Windows
client.
There were a couple of issues with samba-tool creating GPOs but I will
run through those in an email later this evening when I have had a
chance to test them on my test domain.
Thanks,
Alex
I have just attempted to set the ACL on the sysvol directory using
samba-tool ntacl set and got the following message:
/usr/local/samba/var/locks# ../../bin/samba-tool ntacl set
"D:AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)"
sysvol -d 2
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Unknown flag - FA in FA
Badly formatted SDDL
'AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)'
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to
parse SDDL
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
line 90, in run
setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file,
use_ntvfs=use_ntvfs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
line 89, in setntacl
sd = security.descriptor.from_sddl(sddl, sid)
FA is listed on the Microsoft ACE String page as FILE_ALL_ACCESS
(http://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928(v=vs.85).aspx
<http://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928%28v=vs.85%29.aspx>)
Is it correct that the sddl parser cannot parse FA?
Thanks,
Alex
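As an added example (not Samba's code, and not something either poster sent), the following Python parser handles the SDDL forms that appear in this thread: it expands the rights aliases listed on the Microsoft ACE-string page linked above (including FA, which the samba-tool run rejected), diffs the observed and expected DACLs quoted in the sysvolcheck error earlier in the thread, and re-emits a descriptor with every rights field as a hex mask, which is the alias-free form Samba's own sysvolcheck output uses. The RIGHTS table values are taken from that Microsoft page; the three descriptor strings are copied from the messages above; the function and constant names are this example's own. It assumes a parser that rejects the FA alias accepts the hex spelling of the same mask, which is worth checking against your own build.

```python
# Added example, not Samba code: parse SDDL, expand rights aliases such as
# FA, and diff two DACLs. Alias values follow Microsoft's ACE-string page.
import re
from dataclasses import dataclass

RIGHTS = {  # rights-field aliases; the page's samba-tool rejected "FA"
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "WO": 0x00080000, "WD": 0x00040000, "RC": 0x00020000, "SD": 0x00010000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "KA": 0x000F003F, "KR": 0x00020019, "KW": 0x00020006, "KX": 0x00020019,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100}
ACE_RE = re.compile(r"\(([^)]*)\)")
PART_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")  # O: G: D: S: parts

@dataclass(frozen=True)
class Ace:
    ace_type: str
    flags: tuple        # ACE flags in written order, e.g. ("OI", "CI", "IO")
    mask: int           # access mask with aliases expanded
    object_guid: str
    inherit_guid: str
    trustee: str        # SID alias (DA, EA, ...) or literal S-1-... string

    def key(self):      # flag order and hex-vs-alias spelling do not matter
        return (self.ace_type, frozenset(self.flags), self.mask,
                self.object_guid.lower(), self.inherit_guid.lower(), self.trustee)

    def to_sddl(self):  # hex mask: the alias-free form sysvolcheck itself prints
        return "(%s;%s;0x%08x;%s;%s;%s)" % (self.ace_type, "".join(self.flags),
                self.mask, self.object_guid, self.inherit_guid, self.trustee)

def _pairs(text):       # two-letter tokens; an odd length means a typo
    if len(text) % 2:
        raise ValueError("odd-length token string: %r" % text)
    return tuple(text[i:i + 2] for i in range(0, len(text), 2))

def parse_rights(text):  # hex mask, or concatenated aliases such as GXGR
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for tok in _pairs(text):
        if tok not in RIGHTS:
            raise ValueError("unknown rights token %r in %r" % (tok, text))
        mask |= RIGHTS[tok]
    return mask

def parse_ace(text):    # six ';'-separated fields; unpacking rejects other counts
    ace_type, flags, rights, obj, inh, trustee = text.strip("()").split(";")
    # "FA" as a flag is FAILED_ACCESS_ACE_FLAG; as a right it is FILE_ALL_ACCESS
    return Ace(ace_type, _pairs(flags), parse_rights(rights), obj, inh, trustee)

def parse_acl(text):    # body of a D: or S: part -> (control flags, Aces)
    head, flags = text.split("(", 1)[0], []
    while head:         # "P" is one letter; AR and AI are two
        n = 1 if head.startswith("P") else 2
        flags.append(head[:n])
        head = head[n:]
    return frozenset(flags), tuple(parse_ace(m.group(0)) for m in ACE_RE.finditer(text))

def parse_sddl(sddl):   # O: and G: stay as text, D: and S: are parsed
    return {tag: parse_acl(body) if tag in "DS" else body
            for tag, body in PART_RE.findall(sddl)}

def compare_dacls(observed_sddl, expected_sddl):
    """ACEs and control flags that differ, ignoring duplicates and order."""
    obs_flags, obs_aces = parse_sddl(observed_sddl)["D"]
    exp_flags, exp_aces = parse_sddl(expected_sddl)["D"]
    obs, exp = {a.key(): a for a in obs_aces}, {a.key(): a for a in exp_aces}
    return {"missing": sorted(exp[k].to_sddl() for k in exp.keys() - obs.keys()),
            "extra": sorted(obs[k].to_sddl() for k in obs.keys() - exp.keys()),
            "flags_missing": sorted(exp_flags - obs_flags),
            "flags_extra": sorted(obs_flags - exp_flags)}

def rewrite_rights_as_hex(sddl):
    """Re-emit an SDDL string with every rights field as a hex mask."""
    out, parts = [], parse_sddl(sddl)
    for tag in "OG":
        if tag in parts:
            out.append(tag + ":" + parts[tag])
    for tag in "DS":
        if tag in parts:
            flags, aces = parts[tag]
            out.append(tag + ":" + "".join(sorted(flags, key=lambda f: f != "P"))
                       + "".join(a.to_sddl() for a in aces))
    return "".join(out)

# Descriptors copied from the sysvolcheck error and the ntacl set command above.
OBSERVED = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-"
            "0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")
NTACL_SET = ("D:AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)"
             "(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)"
             "(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)")
```

Running compare_dacls(OBSERVED, EXPECTED) reports two ACEs the GPMC did not write (full-control OICI entries for EA and SY), six it left behind that the expected descriptor lacks (the non-inheriting read entries for DA, EA and SY, the CG entry, and two inherit-only full-control entries), and the missing P (protected) flag on the DACL; the expected SACL with its two object-audit entries is absent from the observed descriptor entirely. Comparing on Ace.key() rather than on the raw strings is what makes duplicate ACEs, flag order and alias spelling irrelevant to the diff, which matters because the same DACL can be spelled many ways.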
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba