Re: [Samba] GPO Permissions _AGAIN_
On 09/10/2013 16:41, Alex Matthews wrote:
> Hi all,
>
> I'm afraid I'm back to my old issue of GPO permissions.
>
> I have two ADDCs providing an AD Domain (internal.stmaryscollege.co.uk (short-name 'SMC')). Servers are called 'ad-01' and 'tainan'. ad-01 is 'Version 4.0.10' and tainan is 'Version 4.1.0rc4' (the latest version in the package repos of the respective OSs (arch and gentoo)).
>
> I have set up a script that synchronises the two sysvol shares (using rsync) that I run manually when I make a change to a GPO. However I have found that even after running `samba-tool ntacl sysvolreset` I still get 'Access Denied' or the more long-winded: 'Configuration information could not be read from the domain controller, either because the machine is unavailable or access has been denied.' when accessing some 'gpt.ini' files.
>
> For reference here is the getfacl output for the GPT.INI file in question from the two servers:
>
> TAINAN:
> getfacl GPT.INI
> # file: GPT.INI
> # owner: SMC\134administrator
> # group: SMC\134Domain\040Admins
> user::rwx
> user:SMC\134administrator:rwx
> group::rwx
> group:SMC\134Domain\040Admins:rwx
> group:302:rwx
> group:303:r-x
> group:SMC\134Enterprise\040Admins:rwx
> group:311:r-x
> mask::rwx
> other::---
>
> AD-01:
> getfacl GPT.INI
> # file: GPT.INI
> # owner: SMC\134administrator
> # group: SMC\134Domain\040Admins
> user::rwx
> user:SMC\134administrator:rwx
> group::rwx
> group:SMC\134Domain\040Admins:rwx
> group:SMC\134Enterprise\040Admins:rwx
> group:308:r-x
> group:316:rwx
> group:318:r-x
> mask::rwx
> other::---
>
> I would assume the inconsistency is due to idmap being different, I'm not sure.
>
> The output of `samba-tool ntacl sysvolcheck` from the two servers is as follows:
>
> tainan:
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /vol/samba/shares/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
>     lp)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1593, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> ad-01:
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /srv/samba/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 245, in run
>     lp)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1685, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1636, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1586, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>
> Would it also be possible, as an update to sysvolcheck, to not throw an uncaught exception but more gracefully give the errors and continue after the first one?
>
> Thanks,
> Alex

Hi all,

Just a quick follow up. I found a GPO entitled 'sysvol share compatibility' which has the following blurb:

This setting controls whether or not the Sysvol share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled
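The two SDDL strings in the sysvolcheck error above differ only in their first four characters (O:LA versus O:DA), which is easy to miss in a one-line dump. As an added example (not Samba's code and not from the post), the script below parses both descriptors into owner, group, DACL flags and ACEs and reports every difference by component; the only values it uses are the two strings quoted above.

```python
"""Field-by-field comparison of two SDDL security descriptors.

Added example, not Samba code. samba-tool ntacl sysvolcheck raises a
ProvisioningError at the first GPO directory whose on-disk descriptor is not
identical to the one stored on the GPO object, printing both as one long SDDL
string each. Parsing them shows which part actually differs (here: the owner).
"""
import re
from collections import Counter

# Both descriptors copied from the sysvolcheck output quoted in the thread.
FS_SDDL = (
    "O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
)
GPO_SDDL = (
    "O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
)

# SDDL two-letter trustee aliases used in the descriptors above.
WELL_KNOWN = {
    "LA": "Local Administrator account",
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

_COMPONENT_RE = re.compile(r"([OGDS]):")   # O:wner, G:roup, D:ACL, S:ACL
_ACE_RE = re.compile(r"\(([^)]*)\)")        # one parenthesised ACE


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACEs."""
    marks = list(_COMPONENT_RE.finditer(sddl))
    if not marks or marks[0].start() != 0:
        raise ValueError("not an SDDL string: %r" % sddl[:20])
    comp = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        comp[m.group(1)] = sddl[m.end():end]
    dacl = comp.get("D", "")
    aces = []
    for body in _ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE (%s)" % body)
        ace_type, ace_flags, rights, _obj, _inherit_obj, trustee = fields[:6]
        # Rights are hex here; SDDL also allows letter codes (e.g. FA), kept as-is.
        rights = int(rights, 16) if rights.startswith("0x") else rights
        aces.append((ace_type, ace_flags, rights, trustee))
    return {
        "owner": comp.get("O"),
        "group": comp.get("G"),
        "dacl_flags": dacl.split("(", 1)[0],   # "PAR": protected + auto-inherit requested
        "aces": aces,
    }


def describe(alias):
    return "%s (%s)" % (alias, WELL_KNOWN.get(alias, "unknown alias or raw SID"))


def format_ace(ace):
    ace_type, ace_flags, rights, trustee = ace
    rights_s = "0x%08x" % rights if isinstance(rights, int) else rights
    return "(%s;%s;%s;;;%s)" % (ace_type, ace_flags, rights_s, trustee)


def sddl_diff(on_disk, expected):
    """List every difference between two descriptors as readable strings.

    ACEs are compared as a multiset: the GPO descriptor in the thread carries
    the same Domain Admins ACE twice, which a set comparison would collapse.
    """
    a, e = parse_sddl(on_disk), parse_sddl(expected)
    diffs = []
    for field in ("owner", "group"):
        if a[field] != e[field]:
            diffs.append("%s: on disk %s, expected %s"
                         % (field, describe(a[field]), describe(e[field])))
    if a["dacl_flags"] != e["dacl_flags"]:
        diffs.append("dacl flags: on disk %r, expected %r"
                     % (a["dacl_flags"], e["dacl_flags"]))
    have, want = Counter(a["aces"]), Counter(e["aces"])
    for ace in sorted((have - want).elements(), key=format_ace):
        diffs.append("extra ACE on disk: %s" % format_ace(ace))
    for ace in sorted((want - have).elements(), key=format_ace):
        diffs.append("ACE missing on disk: %s" % format_ace(ace))
    return diffs


if __name__ == "__main__":
    for line in sddl_diff(FS_SDDL, GPO_SDDL) or ["descriptors match"]:
        print(line)
```

The owner result (LA, the built-in Administrator account) is consistent with the "# owner: SMC\134administrator" line in the getfacl listings above, whereas the GPO object expects Domain Admins to own the directory.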
[Samba] GPO Permissions _AGAIN_
Hi all,

I'm afraid I'm back to my old issue of GPO permissions.

I have two ADDCs providing an AD Domain (internal.stmaryscollege.co.uk (short-name 'SMC')). Servers are called 'ad-01' and 'tainan'. ad-01 is 'Version 4.0.10' and tainan is 'Version 4.1.0rc4' (the latest version in the package repos of the respective OSs (arch and gentoo)).

I have set up a script that synchronises the two sysvol shares (using rsync) that I run manually when I make a change to a GPO. However I have found that even after running `samba-tool ntacl sysvolreset` I still get 'Access Denied' or the more long-winded: 'Configuration information could not be read from the domain controller, either because the machine is unavailable or access has been denied.' when accessing some 'gpt.ini' files.

For reference here is the getfacl output for the GPT.INI file in question from the two servers:

TAINAN:
getfacl GPT.INI
# file: GPT.INI
# owner: SMC\134administrator
# group: SMC\134Domain\040Admins
user::rwx
user:SMC\134administrator:rwx
group::rwx
group:SMC\134Domain\040Admins:rwx
group:302:rwx
group:303:r-x
group:SMC\134Enterprise\040Admins:rwx
group:311:r-x
mask::rwx
other::---

AD-01:
getfacl GPT.INI
# file: GPT.INI
# owner: SMC\134administrator
# group: SMC\134Domain\040Admins
user::rwx
user:SMC\134administrator:rwx
group::rwx
group:SMC\134Domain\040Admins:rwx
group:SMC\134Enterprise\040Admins:rwx
group:308:r-x
group:316:rwx
group:318:r-x
mask::rwx
other::---

I would assume the inconsistency is due to idmap being different, I'm not sure.

The output of `samba-tool ntacl sysvolcheck` from the two servers is as follows:

tainan:
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /vol/samba/shares/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1695, in checksysvolacl
    direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1646, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1593, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

ad-01:
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /srv/samba/sysvol/internal.stmaryscollege.co.uk/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 245, in run
    lp)
  File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1685, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1636, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1586, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Would it also be possible, as an update to sysvolcheck, to not throw an uncaught exception but more gracefully give the errors and continue after the first one?

Thanks,
Alex

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
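To put the idmap guess in the post on a firmer footing, here is an added example (not Samba's code and not from the original post) that parses the two getfacl listings quoted above, compares the entries that resolved to a name, and isolates the bare numeric gids that each host's own NSS could not map. The listings are copied from the post; nothing else is assumed.

```python
"""Compare getfacl listings from two DCs and isolate numeric (unresolved) IDs.

Added example, not Samba code. rsync copies POSIX ACL entries by numeric
uid/gid, but each DC allocates those numbers from its own idmap, so the same
number need not mean the same SID on the other DC. A bare number in getfacl
output also means the host's NSS (nss_winbind) could not map it to a name.
"""
import re

# getfacl output copied from the thread; getfacl prints '\' as \134 and
# space as \040 inside names.
TAINAN = """\
# file: GPT.INI
# owner: SMC\\134administrator
# group: SMC\\134Domain\\040Admins
user::rwx
user:SMC\\134administrator:rwx
group::rwx
group:SMC\\134Domain\\040Admins:rwx
group:302:rwx
group:303:r-x
group:SMC\\134Enterprise\\040Admins:rwx
group:311:r-x
mask::rwx
other::---
"""
AD01 = """\
# file: GPT.INI
# owner: SMC\\134administrator
# group: SMC\\134Domain\\040Admins
user::rwx
user:SMC\\134administrator:rwx
group::rwx
group:SMC\\134Domain\\040Admins:rwx
group:SMC\\134Enterprise\\040Admins:rwx
group:308:r-x
group:316:rwx
group:318:r-x
mask::rwx
other::---
"""

_OCTAL_RE = re.compile(r"\\([0-7]{3})")


def unescape(name):
    """Undo getfacl's octal escapes (\\134 -> backslash, \\040 -> space)."""
    return _OCTAL_RE.sub(lambda m: chr(int(m.group(1), 8)), name)


def parse_getfacl(text):
    """Return owner, group and the ACL split into name-resolved and numeric entries."""
    acl = {"owner": None, "group": None, "named": {}, "numeric": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            if key.strip() in ("owner", "group"):
                acl[key.strip()] = unescape(value.strip())
            continue
        tag, qualifier, perms = line.split(":", 2)
        if qualifier.isdigit():
            acl["numeric"][(tag, int(qualifier))] = perms
        else:
            acl["named"][(tag, unescape(qualifier))] = perms
    return acl


def compare(acl_a, acl_b):
    """Differences between two parsed listings.

    Named entries are compared directly. Numeric entries are only listed per
    host: gid 302 on one DC and 316 on the other cannot be equated without
    resolving each to a SID on its own host, so any numeric entry at all
    makes the pair "not consistent".
    """
    named_a, named_b = acl_a["named"], acl_b["named"]
    shared = set(named_a) & set(named_b)
    report = {
        "owner_differs": acl_a["owner"] != acl_b["owner"],
        "group_differs": acl_a["group"] != acl_b["group"],
        "only_in_a": sorted(set(named_a) - set(named_b)),
        "only_in_b": sorted(set(named_b) - set(named_a)),
        "perm_mismatch": sorted(k for k in shared if named_a[k] != named_b[k]),
        "numeric_a": dict(acl_a["numeric"]),
        "numeric_b": dict(acl_b["numeric"]),
    }
    report["consistent"] = not any(report[k] for k in report)
    return report


if __name__ == "__main__":
    for key, value in compare(parse_getfacl(TAINAN), parse_getfacl(AD01)).items():
        print("%-14s %s" % (key, value))
```

On the thread's listings every name-resolved entry agrees, and all of the drift sits in the three numeric group entries per host; resolving those gids on the host that holds them (for example with wbinfo --gid-to-sid) is the way to tell whether they refer to the same SIDs.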
[Samba] 'Administrator' account (UID 0) on Samba member of a Samba4 AD DC
Hi all,

I have a samba server as member of an AD DC. In said AD DC there is the 'administrator' user which has the default UID of 0 (the same as root).

From the ADDC:

# id administrator
uid=0(root) gid=513(SMC\Domain Users) groups=0(root),513(SMC\Domain Users),305(SMC\Group Policy Creator Owners),309(SMC\Enterprise Admins),512(SMC\Domain Admins),307(SMC\Schema Admins)

From the member server:

# id administrator
id: administrator: no such user

It also does not appear in wbinfo -u or getent passwd.

The issue is that if I log on to a windows machine as the administrator user I cannot access a share on the member server as it does not authenticate.

My smb.conf is pretty simple:

[global]
workgroup = SMC
realm = internal.stmaryscollege.co.uk
netbios name = PVE-ARCH-S3-02
security = ADS
encrypt passwords = yes
server role = MEMBER SERVER
idmap config *:backend = tdb
idmap config *:range = 70001-8
idmap config SMC:backend = ad
idmap config SMC:schema_mode = rfc2307
idmap config SMC:range = 0-4
winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

(Note: I changed the idmap config SMC:range to include '0' as I thought this might encourage samba to idmap the root user... but no dice...)

Thanks,
Alex
Re: [Samba] Is nss_winbind required?
On 09/05/2013 04:00, Andrew Bartlett wrote:
> On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote:
>> Hi all,
>>
>> Is it a necessity to use the winbind nss module? I have run a few tests and having it enabled creates a massive bottleneck. It's not nss_winbind itself that is the bottleneck but something in the background (I'm guessing uid/rid-username code).
>>
>> If I disable winbind in nsswitch.conf what impact will it have? Will the system continue to work?
>>
>> Please note this last test shows that it is not the nss_winbind module that is slow, it is something 'behind the scenes'. Also note that this is not just applicable to the sysvolreset (it was just a convenient method of testing). Copying a directory consisting of many small files (eg a windows roaming profile) can be excruciatingly slow! 50s+ for a 50mb folder! I am sure that it is not a network or drive limitation, copying the folder locally and via NFS happens very quickly and copying the same folder from a standalone S3 install on the same hardware is 'fast' also.
>
> The issue is that the winbind in the Samba 4.0 AD DC is incredibly inefficient. It is required for the [homes] share to work, but we try to avoid needing it for other things.
>
> I understand this is incredibly frustrating, but what this highlights is that we really, really need to start on the project to replace it with running the winbindd code from source3. The challenge is that this is a lot of work, which will cause disruption in other parts of the system as we generalise stuff and add the plugins we need to hook into the AD DC. I'm increasingly of the view that this will need to be a priority soon, but it's still hard to get stuck into this stuff.
>
> Andrew Bartlett

I see, I had figured it would be something along those lines. I for one, would love to see this pushed up the todo list! It seems like quite a large issue!

So, are you saying that I can split the system into one AD DC serving home directories (with nss_winbind enabled) and all other files being served from a different AD DC with nss_winbind disabled? I appreciate this makes seeing permissions on linux that bit more tricky, but seeing as there aren't any real tools for manipulating them yet it's only a nicety. Would it make much of a difference?

Thanks,
Alex
Re: [Samba] Is nss_winbind required?
On 09/05/2013 09:56, Andrew Bartlett wrote:
> On Thu, 2013-05-09 at 09:48 +0100, Alex Matthews wrote:
>> On 09/05/2013 04:00, Andrew Bartlett wrote:
>>> On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote:
>>>> Hi all,
>>>>
>>>> Is it a necessity to use the winbind nss module? I have run a few tests and having it enabled creates a massive bottleneck. It's not nss_winbind itself that is the bottleneck but something in the background (I'm guessing uid/rid-username code).
>>>>
>>>> If I disable winbind in nsswitch.conf what impact will it have? Will the system continue to work?
>>>>
>>>> Please note this last test shows that it is not the nss_winbind module that is slow, it is something 'behind the scenes'. Also note that this is not just applicable to the sysvolreset (it was just a convenient method of testing). Copying a directory consisting of many small files (eg a windows roaming profile) can be excruciatingly slow! 50s+ for a 50mb folder! I am sure that it is not a network or drive limitation, copying the folder locally and via NFS happens very quickly and copying the same folder from a standalone S3 install on the same hardware is 'fast' also.
>>>
>>> The issue is that the winbind in the Samba 4.0 AD DC is incredibly inefficient. It is required for the [homes] share to work, but we try to avoid needing it for other things.
>>>
>>> I understand this is incredibly frustrating, but what this highlights is that we really, really need to start on the project to replace it with running the winbindd code from source3. The challenge is that this is a lot of work, which will cause disruption in other parts of the system as we generalise stuff and add the plugins we need to hook into the AD DC. I'm increasingly of the view that this will need to be a priority soon, but it's still hard to get stuck into this stuff.
>>>
>>> Andrew Bartlett
>>
>> I see, I had figured it would be something along those lines. I for one, would love to see this pushed up the todo list! It seems like quite a large issue!
>>
>> So, are you saying that I can split the system into one AD DC serving home directories (with nss_winbind enabled) and all other files being served from a different AD DC with nss_winbind disabled? I appreciate this makes seeing permissions on linux that bit more tricky, but seeing as there aren't any real tools for manipulating them yet it's only a nicety. Would it make much of a difference?
>
> Making it a member server and a DC would be the better combination.
>
> Andrew Bartlett

Sorry, could you elaborate slightly?

Thanks,
Alex
Re: [Samba] Is nss_winbind required?
On 09/05/2013 09:56, Andrew Bartlett wrote:
> On Thu, 2013-05-09 at 09:48 +0100, Alex Matthews wrote:
>> On 09/05/2013 04:00, Andrew Bartlett wrote:
>>> On Wed, 2013-05-08 at 15:23 +0100, Alex Matthews wrote:
>>>> Hi all,
>>>>
>>>> Is it a necessity to use the winbind nss module? I have run a few tests and having it enabled creates a massive bottleneck. It's not nss_winbind itself that is the bottleneck but something in the background (I'm guessing uid/rid-username code).
>>>>
>>>> If I disable winbind in nsswitch.conf what impact will it have? Will the system continue to work?
>>>>
>>>> Please note this last test shows that it is not the nss_winbind module that is slow, it is something 'behind the scenes'. Also note that this is not just applicable to the sysvolreset (it was just a convenient method of testing). Copying a directory consisting of many small files (eg a windows roaming profile) can be excruciatingly slow! 50s+ for a 50mb folder! I am sure that it is not a network or drive limitation, copying the folder locally and via NFS happens very quickly and copying the same folder from a standalone S3 install on the same hardware is 'fast' also.
>>>
>>> The issue is that the winbind in the Samba 4.0 AD DC is incredibly inefficient. It is required for the [homes] share to work, but we try to avoid needing it for other things.
>>>
>>> I understand this is incredibly frustrating, but what this highlights is that we really, really need to start on the project to replace it with running the winbindd code from source3. The challenge is that this is a lot of work, which will cause disruption in other parts of the system as we generalise stuff and add the plugins we need to hook into the AD DC. I'm increasingly of the view that this will need to be a priority soon, but it's still hard to get stuck into this stuff.
>>>
>>> Andrew Bartlett
>>
>> I see, I had figured it would be something along those lines. I for one, would love to see this pushed up the todo list! It seems like quite a large issue!
>>
>> So, are you saying that I can split the system into one AD DC serving home directories (with nss_winbind enabled) and all other files being served from a different AD DC with nss_winbind disabled? I appreciate this makes seeing permissions on linux that bit more tricky, but seeing as there aren't any real tools for manipulating them yet it's only a nicety. Would it make much of a difference?
>
> Making it a member server and a DC would be the better combination.
>
> Andrew Bartlett

Hiya,

Having re-read your message. Is your suggestion to have an AD DC serving home directories and member servers (as described here: https://wiki.samba.org/index.php/Samba4/Domain_Member, but skipping the enabling nss_winbind step?) serving everything else?

Thanks,
Alex
[Samba] Weird issue when accessing a samba4 domain member by IP vs hostname
Hi all,

I seem to be posting a lot recently.

I have just set up an S4 member server to a S4 AD DC. When trying to access from a windows XP client via \\xen-arch-s3-01 I get a username+password box which doesn't accept my credentials. If I try to access via \\192.168.0.111 I get straight on, no questions asked.

Doing a loglevel 10 I see the following differences:

\\xen-arch-s3-01 =
log.smbd: Got user=[qoole] domain=[XEN-ARCH-S3-01] workstation=[R2-02] len1=24 len2=24
log.smbd: check_ntlm_password: Checking password for unmapped user [XEN-ARCH-S3-01]\[qoole]@[R2-02] with the new password interface
log.smbd: check_ntlm_password: mapped user is: [XEN-ARCH-S3-01]\[qoole]@[R2-02]
log.smbd: check_sam_security: Couldn't find user 'qoole' in passdb.
log.smbd: check_ntlm_password: sam authentication for user [qoole] FAILED with error NT_STATUS_NO_SUCH_USER

\\192.168.0.111 =
log.smbd: Got user=[qoole] domain=[SMC] workstation=[R2-02] len1=24 len2=24
log.smbd: check_ntlm_password: Checking password for unmapped user [SMC]\[qoole]@[R2-02] with the new password interface
log.smbd: check_ntlm_password: mapped user is: [SMC]\[qoole]@[R2-02]
log.smbd: check_ntlm_password: winbind authentication for user [qoole] succeeded
log.smbd: check_ntlm_password: PAM Account for user [SMC\qoole] succeeded
log.smbd: check_ntlm_password: authentication for user [qoole] - [qoole] - [SMC\qoole] succeeded

So, why does it think the domain is the hostname when connecting via said hostname?

Thanks,
Alex
Re: [Samba] many smbd processes when sync'ing sysvol
On 08/05/2013 00:43, Michael Mol wrote:
> On May 7, 2013 4:56 PM, Alex Matthews <qoole.sa...@lillimoth.com> wrote:
>> Hi there,
>>
>> I have three S4 servers running as AD DCs. In order to keep the sysvol share in sync I'm using crontab to run the following command:
>>
>> /usr/bin/rsync -PavAX --delete root@masterPDC:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/
>>
>> However every time this command is run a couple of extra smbd processes are started on the masterPDC (between 2 and 5 processes) which never exit and just sit there taking up resources. So, quite quickly I had a system with over 500 smbd processes and no free memory which very abruptly fell over and stopped serving genuine clients.
>>
>> Has anyone else come across this issue/know what is causing it?
>>
>> I have taken some level 10 logs of the smbd processes that get formed. However I don't have access to them from my current location. I will email them in tomorrow from work.
>>
>> Thanks,
>> Alex
>
> Are you sure those are separate processes, and not simply threads?
>
> (Apologies for brief response; sending from phone.)

Hi Michael!

They show up in `ps aux` as separate smbd processes. They also generate their own log files when I set the log file output names based on PIDs.

Thanks,
Alex
Re: [Samba] many smbd processes when sync'ing sysvol
For reference, my smb.conf is as follows:

# Global parameters
[global]
workgroup = SMC
realm = internal.stmaryscollege.co.uk
netbios name = XEN-ARCH-AD-01
server role = active directory domain controller
printcap name = /etc/printcap
load printers = no
dns forwarder = 192.168.0.30
#DNS handled by BIND
server services = -dns
log level = 1
max log size = 10240
log file = /var/log/samba/samba.log.%d
debug uid = yes
debug timestamp = yes
allow dns updates = secure
nsupdate command = /usr/bin/nsupdate -g
spn update command = /usr/sbin/samba_spnupdate
idmap_ldb:use rfc2307 = yes
winbind nss info = rfc2307
#Small file tuning
read raw = no
level2 oplocks = true

On 08/05/2013 10:10, Andrew Bartlett wrote:
> On Tue, 2013-05-07 at 21:55 +0100, Alex Matthews wrote:
>> Hi there,
>>
>> I have three S4 servers running as AD DCs. In order to keep the sysvol share in sync I'm using crontab to run the following command:
>>
>> /usr/bin/rsync -PavAX --delete root@masterPDC:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/
>>
>> However every time this command is run a couple of extra smbd processes are started on the masterPDC (between 2 and 5 processes) which never exit and just sit there taking up resources. So, quite quickly I had a system with over 500 smbd processes and no free memory which very abruptly fell over and stopped serving genuine clients.
>>
>> Has anyone else come across this issue/know what is causing it?
>>
>> I have taken some level 10 logs of the smbd processes that get formed. However I don't have access to them from my current location. I will email them in tomorrow from work.
>
> My best guess is that the winbind part of samba's AD DC is making a connection, but never closing it.
>
> Andrew Bartlett
[Samba] Is nss_winbind required?
Hi all,

Is it a necessity to use the winbind nss module? I have run a few tests and having it enabled creates a massive bottleneck. It's not nss_winbind itself that is the bottleneck but something in the background (I'm guessing uid/rid-username code).

If I disable winbind in nsswitch.conf what impact will it have? Will the system continue to work?

eg:

#nss_winbind enabled on group and passwd
time samba-tool ntacl sysvolreset
real    3m58.240s
user    2m54.760s
sys     0m27.030s

#nss_winbind disabled
time samba-tool ntacl sysvolreset
real    0m46.940s
user    0m35.057s
sys     0m6.350s

#nss_winbind enabled on only group
time samba-tool ntacl sysvolreset
real    0m46.668s
user    0m34.790s
sys     0m6.263s

#nss_winbind enabled on only passwd
time samba-tool ntacl sysvolreset
real    4m7.639s
user    2m56.987s
sys     0m26.923s

#nss_winbind enabled on group and passwd with enum groups and users disabled
time samba-tool ntacl sysvolreset
real    4m1.464s
user    2m55.350s
sys     0m26.660s

#nss_winbind disabled and *nss-pam-ldap* enabled on passwd, shadow and group
time samba-tool ntacl sysvolreset
real    3m57.029s
user    3m0.913s
sys     0m30.570s

Please note this last test shows that it is not the nss_winbind module that is slow, it is something 'behind the scenes'. Also note that this is not just applicable to the sysvolreset (it was just a convenient method of testing). Copying a directory consisting of many small files (eg a windows roaming profile) can be excruciatingly slow! 50s+ for a 50mb folder! I am sure that it is not a network or drive limitation, copying the folder locally and via NFS happens very quickly and copying the same folder from a standalone S3 install on the same hardware is 'fast' also.

Thanks,
Alex
[Samba] many smbd processes when sync'ing sysvol
Hi there,

I have three S4 servers running as AD DCs. In order to keep the sysvol share in sync I'm using crontab to run the following command:

/usr/bin/rsync -PavAX --delete root@masterPDC:/var/lib/samba/sysvol/ /var/lib/samba/sysvol/

However every time this command is run a couple of extra smbd processes are started on the masterPDC (between 2 and 5 processes) which never exit and just sit there taking up resources. So, quite quickly I had a system with over 500 smbd processes and no free memory which very abruptly fell over and stopped serving genuine clients.

Has anyone else come across this issue/know what is causing it?

I have taken some level 10 logs of the smbd processes that get formed. However I don't have access to them from my current location. I will email them in tomorrow from work.

Thanks,
Alex
Re: [Samba] dns entries look weird in remote administration dns tool
Hiya,

My Windows based DNS utility always looks like this: http://i.imgur.com/hhGmm0w.png

Is that similar to what you're referring to Chantal? I've not noticed it cause a problem. Although I'm sure it shouldn't be like it!

Thanks,
Alex

On 02/05/2013 08:13, Chantal Rosmuller wrote:
> Hi,
>
> On our samba 4 testserver we inserted the dns records from our dns server using samba-tool. Everything seems to work ok but when I look at the dns entries with the windows dns remote administration tool it all looks very weird. Here's an example:
>
> This is the insert command:
>
> samba-tool dns add samba4.example.com example.com www1 A 192.168.0.120 -U administrator
>
> When I query the dns with samba-tool I get this (looks fine to me);
>
> [root@samba4 ~]# samba-tool dns query localhost example.com www1 A -U administrator
> Password for [EXAMPLE\administrator]:
>   Name=, Records=1, Children=0
>     A: 192.168.0.120 (flags=f0, serial=280, ttl=900)
>
> In the windows dns tools however the record for www1 shows up twice, one looks normal, the other doesn't have any values for type data and timestamp. Can anyone explain this, we would like to be sure everything is ok before we start using the server in our production environment.
>
> our OS: CentOS release 6.3 (Final)
> samba version: samba 4.0.3
>
> Thanks!
[Samba] Removing and recreating DNS from scratch.
Hi all!

I want to recreate my DNS records from scratch and I am unable to find a way to do so.

I have tried removing the DC=FORESTDNSZONES and DC=DOMAINDNSZONES ldb files and recreating them with samba_upgradedns but I get the following error:

Creating DNS partitions
Traceback (most recent call last):
  File /usr/sbin/samba_upgradedns, line 356, in module
    dnsadmins_sid)
  File /usr/lib/python2.7/site-packages/samba/provision/sambadns.py, line 947, in create_dns_partitions
    names.configdn, names.serverdn)
  File /usr/lib/python2.7/site-packages/samba/provision/sambadns.py, line 239, in setup_dns_partitions
    SECDESC : b64encode(descriptor)
  File /usr/lib/python2.7/site-packages/samba/provision/common.py, line 50, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File /usr/lib/python2.7/site-packages/samba/__init__.py, line 224, in add_ldif
    self.add(msg, controls)
_ldb.LdbError: (68, 'ldb_wait: Entry already exists (68)')

I have tried with both SAMBA_INTERNAL and BIND9_DLZ both give me the same error.

Is there any known method to achieve this?

Thanks,
Alex
Re: [Samba] Request to an old post - Having problem with Samba Internal DNS
Hiya,

I am also having problems with this. When samba starts I get tsig verify failures:

[2013/02/20 10:49:05, 0] ../source4/smbd/server.c:369(binary_smbd_main)
  samba version 4.0.3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/02/20 10:49:06, 0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure

log level 3 = http://pastebin.com/ZJQR6hiJ

Running dnsupdate shows it fails on the same records as above and dnsupdate --all-names fails on _ALL_ records.

Is this correct behaviour? (I can't see that being the case) If not can someone suggest a way forward?

Thanks!
Alex

On 18/01/2013 10:40, Christof König wrote:

Hello all,

I have installed Samba on a Cent OS 6.3. I followed the Samba4/HOW-TO. I'm using the samba internal dns. I can join the domain with a Win 7 Client but I have problems with the internal dns.

I tried to test/debug the dynamic dns update by the help of the Samba4/HOW-TO. The summary of the error-message:

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 21 entries

In the archive of the mailing list I found the same error. Unfortunately there is no solution for the problem but the user solved the Problem https://lists.samba.org/archive/samba/2012-October/169446.html

Thanks beforehand,
Christof
Re: [Samba] Request to an old post - Having problem with Samba Internal DNS
On 20/02/2013 10:58, Andrew Bartlett wrote:

On Wed, 2013-02-20 at 10:53 +, Alex Matthews wrote:

Hiya,

I am also having problems with this. When samba starts I get tsig verify failures:

[2013/02/20 10:49:05, 0] ../source4/smbd/server.c:369(binary_smbd_main)
  samba version 4.0.3 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/02/20 10:49:06, 0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2013/02/20 10:49:07, 0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure

log level 3 = http://pastebin.com/ZJQR6hiJ

Running dnsupdate shows it fails on the same records as above and dnsupdate --all-names fails on _ALL_ records.

Is this correct behaviour? (I can't see that being the case) If not can someone suggest a way forward?

This is a known issue, that produces this cosmetic error. We have a patch to fix it, but want to add tests to ensure it does not regress again in the future.

Thanks,
Andrew Bartlett

Hiya,

Thanks for the response. So there are no known issues caused by this? It is 100% cosmetic as you put it?

I hope this clears things up for other people too!

Thanks,
Alex
Re: [Samba] Slow winbind lookups
Hiya,

Having done horrific things (you don't want to know... believe me) I managed to remove the 'dead' server from my domain. No trace of it anywhere that I can find.

The slowdown still remains. Can anyone point me in another direction I can pursue?

Thanks,
Alex

On 14/01/2013 11:18, Alex Matthews wrote:

Hiya,

I _might_ actually know what is causing this slow down. As I posted a while ago, my domain contains a 'dead' server that I am unable to remove. (post here: https://lists.samba.org/archive/samba/2012-December/170331.html)

I think winbind is trying to connect to this dead server and timing out, thus giving the delay.

Is there any way to blacklist this server seeing as I am unable to remove it? Or would someone (Andrew??) be willing to talk me through a way of manually removing it from my domain?

Thanks,
Alex

On 10/01/2013 14:51, Alex Matthews wrote:

On 10/01/2013 13:51, Hleb Valoshka wrote:

On 1/10/13, Alex Matthews qoole.sa...@lillimoth.com wrote:

wbinfo -u takes a long time to return a list of users

I guess that if you attach output of strace wbinfo -u or may be even strace -f wbinfo -u you'll find assistance faster :)

# strace -ftT wbinfo -u
14:09:01 execve(/usr/bin/wbinfo, [wbinfo, -u], [/* 37 vars */]) = 0 0.000259 14:09:01 brk(0) = 0xd9f000 0.31 14:09:01 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f81143e4000 0.44 14:09:01 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file or directory) 0.30 14:09:01 open(/usr/lib64/tls/x86_64/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.30 14:09:01 stat(/usr/lib64/tls/x86_64, 0x7fffdba49910) = -1 ENOENT (No such file or directory) 0.22 14:09:01 open(/usr/lib64/tls/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.23 14:09:01 stat(/usr/lib64/tls, 0x7fffdba49910) = -1 ENOENT (No such file or directory) 0.42 14:09:01 open(/usr/lib64/x86_64/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or 
directory) 0.29 14:09:01 stat(/usr/lib64/x86_64, 0x7fffdba49910) = -1 ENOENT (No such file or directory) 0.22 14:09:01 open(/usr/lib64/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = 3 0.28 14:09:01 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\240\347\0\0\0\0\0\0..., 832) = 832 0.29 14:09:01 fstat(3, {st_mode=S_IFREG|0755, st_size=214200, ...}) = 0 0.22 14:09:01 mmap(NULL, 2310096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8113f9 0.24 14:09:01 mprotect(0x7f8113fc3000, 2093056, PROT_NONE) = 0 0.35 14:09:01 mmap(0x7f81141c2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x32000) = 0x7f81141c2000 0.29 14:09:01 close(3) = 0 0.21 14:09:01 open(/usr/lib64/libwbclient.so.0, O_RDONLY|O_CLOEXEC) = 3 0.34 14:09:01 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0P#\0\0\0\0\0\0..., 832) = 832 0.23 14:09:01 fstat(3, {st_mode=S_IFREG|0755, st_size=43160, ...}) = 0 0.22 14:09:01 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f81143e3000 0.23 14:09:01 mmap(NULL, 2145544, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8113d84000 0.30 14:09:01 mprotect(0x7f8113d8e000, 2093056, PROT_NONE) = 0 0.33 14:09:01 mmap(0x7f8113f8d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7f8113f8d000 0.26 14:09:01 mmap(0x7f8113f8f000, 3336, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8113f8f000 0.24 14:09:01 close(3) = 0 0.26 14:09:01 open(/usr/lib64/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.29 14:09:01 open(/usr/lib64/samba/tls/x86_64/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.28 14:09:01 stat(/usr/lib64/samba/tls/x86_64, 0x7fffdba498b0) = -1 ENOENT (No such file or directory) 0.22 14:09:01 open(/usr/lib64/samba/tls/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.28 14:09:01 stat(/usr/lib64/samba/tls, 0x7fffdba498b0) = -1 ENOENT (No such file or 
directory) 0.28 14:09:01 open(/usr/lib64/samba/x86_64/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.22 14:09:01 stat(/usr/lib64/samba/x86_64, 0x7fffdba498b0) = -1 ENOENT (No such file or directory) 0.27 14:09:01 open(/usr/lib64/samba/libreplace.so, O_RDONLY|O_CLOEXEC) = 3 0.29 14:09:01 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\220\16\0\0\0\0\0\0..., 832) = 832 0.22 14:09:01 fstat(3, {st_mode=S_IFREG|0755, st_size=10240, ...}) = 0 0.27 14:09:01 mmap(NULL, 2105896, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8113b81000 0.30 14:09:01 mprotect(0x7f8113b83000, 2093056, PROT_NONE) = 0 0.45 14:09:01 mmap(0x7f8113d82000, 8192, PROT_READ|PROT_WRITE
Re: [Samba] Slow winbind lookups
Hiya,

I _might_ actually know what is causing this slow down. As I posted a while ago, my domain contains a 'dead' server that I am unable to remove. (post here: https://lists.samba.org/archive/samba/2012-December/170331.html)

I think winbind is trying to connect to this dead server and timing out, thus giving the delay.

Is there any way to blacklist this server seeing as I am unable to remove it? Or would someone (Andrew??) be willing to talk me through a way of manually removing it from my domain?

Thanks,
Alex

On 10/01/2013 14:51, Alex Matthews wrote:

On 10/01/2013 13:51, Hleb Valoshka wrote:

On 1/10/13, Alex Matthews qoole.sa...@lillimoth.com wrote:

wbinfo -u takes a long time to return a list of users

I guess that if you attach output of strace wbinfo -u or may be even strace -f wbinfo -u you'll find assistance faster :)

# strace -ftT wbinfo -u
14:09:01 execve(/usr/bin/wbinfo, [wbinfo, -u], [/* 37 vars */]) = 0 0.000259 14:09:01 brk(0) = 0xd9f000 0.31 14:09:01 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f81143e4000 0.44 14:09:01 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file or directory) 0.30 14:09:01 open(/usr/lib64/tls/x86_64/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.30 14:09:01 stat(/usr/lib64/tls/x86_64, 0x7fffdba49910) = -1 ENOENT (No such file or directory) 0.22 14:09:01 open(/usr/lib64/tls/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.23 14:09:01 stat(/usr/lib64/tls, 0x7fffdba49910) = -1 ENOENT (No such file or directory) 0.42 14:09:01 open(/usr/lib64/x86_64/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.29 14:09:01 stat(/usr/lib64/x86_64, 0x7fffdba49910) = -1 ENOENT (No such file or directory) 0.22 14:09:01 open(/usr/lib64/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = 3 0.28 14:09:01 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\240\347\0\0\0\0\0\0..., 832) = 832 0.29 14:09:01 fstat(3, 
{st_mode=S_IFREG|0755, st_size=214200, ...}) = 0 0.22 14:09:01 mmap(NULL, 2310096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8113f9 0.24 14:09:01 mprotect(0x7f8113fc3000, 2093056, PROT_NONE) = 0 0.35 14:09:01 mmap(0x7f81141c2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x32000) = 0x7f81141c2000 0.29 14:09:01 close(3) = 0 0.21 14:09:01 open(/usr/lib64/libwbclient.so.0, O_RDONLY|O_CLOEXEC) = 3 0.34 14:09:01 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0P#\0\0\0\0\0\0..., 832) = 832 0.23 14:09:01 fstat(3, {st_mode=S_IFREG|0755, st_size=43160, ...}) = 0 0.22 14:09:01 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f81143e3000 0.23 14:09:01 mmap(NULL, 2145544, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8113d84000 0.30 14:09:01 mprotect(0x7f8113d8e000, 2093056, PROT_NONE) = 0 0.33 14:09:01 mmap(0x7f8113f8d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7f8113f8d000 0.26 14:09:01 mmap(0x7f8113f8f000, 3336, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8113f8f000 0.24 14:09:01 close(3) = 0 0.26 14:09:01 open(/usr/lib64/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.29 14:09:01 open(/usr/lib64/samba/tls/x86_64/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.28 14:09:01 stat(/usr/lib64/samba/tls/x86_64, 0x7fffdba498b0) = -1 ENOENT (No such file or directory) 0.22 14:09:01 open(/usr/lib64/samba/tls/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.28 14:09:01 stat(/usr/lib64/samba/tls, 0x7fffdba498b0) = -1 ENOENT (No such file or directory) 0.28 14:09:01 open(/usr/lib64/samba/x86_64/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.22 14:09:01 stat(/usr/lib64/samba/x86_64, 0x7fffdba498b0) = -1 ENOENT (No such file or directory) 0.27 14:09:01 open(/usr/lib64/samba/libreplace.so, O_RDONLY|O_CLOEXEC) = 3 
0.29 14:09:01 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\220\16\0\0\0\0\0\0..., 832) = 832 0.22 14:09:01 fstat(3, {st_mode=S_IFREG|0755, st_size=10240, ...}) = 0 0.27 14:09:01 mmap(NULL, 2105896, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8113b81000 0.30 14:09:01 mprotect(0x7f8113b83000, 2093056, PROT_NONE) = 0 0.45 14:09:01 mmap(0x7f8113d82000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f8113d82000 0.26 14:09:01 close(3) = 0 0.26 14:09:01 open(/usr/lib64/libsamba-hostconfig.so.0, O_RDONLY|O_CLOEXEC) = 3 0.44 14:09:01 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\\347\0\0\0\0\0\0..., 832) = 832
[Samba] Slow winbind lookups
Hi all,

I have a Samba 4.0.0 domain running on a Gentoo box with a 3.7.0 kernel.

I have added 'winbind' to the passwd and group lines in /etc/nsswitch.conf

wbinfo -t returns immediately saying trust checking succeeded.
wbinfo -g returns immediately with a list of groups
wbinfo -u takes a long time to return a list of users

# time wbinfo -u | wc -l
336
real    0m4.211s
user    0m0.000s
sys     0m0.000s

4s might not seem like a great deal but this delay seems to occur whenever anything looks up data from winbind. getent passwd also has a similar delay. It returns local users immediately but winbind users are delayed.

Whilst gathering data for this post I have noticed that the results also seem to be sporadic. The following 3 commands were run in quick succession:

# date time getent passwd | wc -l
Thu Jan 10 09:41:22 GMT 2013
376
real    0m5.677s
user    0m0.010s
sys     0m0.000s

# date time getent passwd | wc -l
Thu Jan 10 09:41:29 GMT 2013
220
real    0m2.633s
user    0m0.000s
sys     0m0.000s

# date time getent passwd | wc -l
Thu Jan 10 09:41:32 GMT 2013
235
real    0m4.014s
user    0m0.000s
sys     0m0.010s

Another example would be samba-tool sysvolreset:

# time samba-tool ntacl sysvolreset
real    5m26.076s
user    3m7.500s
sys     0m13.480s

and if I disable winbind in nsswitch.conf

# time samba-tool ntacl sysvolreset
real    1m13.851s
user    0m46.500s
sys     0m3.140s

(1m still seems to be a long time for this process to complete but I'll save that for my other post)

Is this correct speed? Is there anything I can do to improve performance?

Thanks,
Alex
[Samba] ACL on GPO directory does not match expected value from GPO object. AGAIN.
Hi all,

Some (then all) of our workstations were complaining about incorrect ACLs on GPOs and were unable to read the gpt.ini to apply the GPOs. So I did a sysvolcheck and sure enough I'd lost the ACLs when I moved our sysvol share to a new location on the server (whoops, mea culpa).

I ran a sysvolreset which took a long time to return (some 5 minutes, please see my post on slow winbind lookups). Just to make sure everything went as planned I re-ran the sysvolcheck and I get the following error:

ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: DB ACL on GPO directory /vol/samba/shares/sysvol/internal.stmaryscollege.co.uk/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File /usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/lib64/python2.7/site-packages/samba/netcmd/ntacl.py, line 245, in run
    lp)
  File /usr/lib64/python2.7/site-packages/samba/provision/__init__.py, line 1599, in checksysvolacl
    direct_db_access)
  File /usr/lib64/python2.7/site-packages/samba/provision/__init__.py, line 1550, in check_gpos_acl
    domainsid, direct_db_access)
  File /usr/lib64/python2.7/site-packages/samba/provision/__init__.py, line 1500, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Comparing the two ACLs:

O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

The only difference I can see is the 'DAG' vs 'LAG' at the beginning (Directory ACL vs File ACL?)

Thanks,
Alex
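As an added example (my own code, not Samba's), the following Python parses the two SDDL strings from the post above and lists exactly where they differ. In SDDL the "O:" field is the owner SID, "LA" is the local Administrator account and "DA" is Domain Admins, so the mismatch sysvolcheck reports here is the owner of the GPO directory, not a directory-versus-file distinction. The SID and access-right alias tables are the standard Windows SDDL abbreviations; normalize_rights() rewrites aliases such as FA (FILE_ALL_ACCESS, 0x001f01ff) into hex masks, which is the alias the "Unknown flag - FA" error in the SYSVOL ACL thread later on this page stumbles over. The two sample descriptors are the ones quoted in the post; nothing else is assumed.

```python
"""Parse Windows SDDL descriptors and report how two of them differ (added example)."""
import re
from collections import namedtuple

# Well-known SID aliases that appear in this thread (standard SDDL abbreviations).
SIDS = {"DA": "Domain Admins", "LA": "Local Administrator account", "DU": "Domain Users",
        "EA": "Enterprise Admins", "CO": "Creator Owner", "CG": "Creator Group",
        "SY": "Local System", "AU": "Authenticated Users", "WD": "Everyone",
        "ED": "Enterprise Domain Controllers", "BA": "Builtin Administrators",
        "SO": "Server Operators"}
# Access-right aliases -> mask bits: generic, file (FA = FILE_ALL_ACCESS) and DS rights.
RIGHTS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
          "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
          "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
          "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100}
ACE_RE = re.compile(r"\(([^()]*)\)")                     # one (...) ACE
SECTION_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")   # O: G: D: S: sections

# ACE fields in SDDL order: type;flags;rights;object_guid;inherit_object_guid;sid
Ace = namedtuple("Ace", "ace_type flags mask object_guid inherit_guid sid")
Descriptor = namedtuple("Descriptor", "owner group dacl_flags dacl sacl_flags sacl")


def parse_rights(text):
    """'0x001f01ff', 'FA', 'GXGR' or '' -> numeric access mask."""
    if not text:
        return 0
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):       # aliases are two-letter tokens run together
        tok = text[i:i + 2]
        if tok not in RIGHTS:
            raise ValueError(f"unknown access right {tok!r} in {text!r}")
        mask |= RIGHTS[tok]
    return mask


def parse_acl(text):
    """'P(ace)(ace)...' -> (acl flags such as P/AI, [Ace, ...])."""
    aces = []
    for body in ACE_RE.findall(text):
        parts = body.split(";")
        if len(parts) < 6:
            raise ValueError(f"malformed ACE {body!r}")
        t, f, rights, obj, inh, sid = parts[:6]
        aces.append(Ace(t, f, parse_rights(rights), obj, inh, sid))
    return text.split("(", 1)[0], aces


def parse_sddl(sddl):
    """'O:..G:..D:..S:..' -> Descriptor; absent sections become empty."""
    s = dict(SECTION_RE.findall(sddl))
    df, dacl = parse_acl(s.get("D", ""))
    sf, sacl = parse_acl(s.get("S", ""))
    return Descriptor(s.get("O", ""), s.get("G", ""), df, dacl, sf, sacl)


def describe_sid(sid):
    return f"{sid} ({SIDS[sid]})" if sid in SIDS else sid


def format_ace(ace):
    return (f"{ace.ace_type};{ace.flags};0x{ace.mask:08x};{ace.object_guid};"
            f"{ace.inherit_guid};{describe_sid(ace.sid)}")


def diff_descriptors(actual, expected):
    """Every way `actual` differs from `expected`; an empty list means they match."""
    out = []
    if actual.owner != expected.owner:
        out.append(f"owner: {describe_sid(actual.owner)} != {describe_sid(expected.owner)}")
    if actual.group != expected.group:
        out.append(f"group: {describe_sid(actual.group)} != {describe_sid(expected.group)}")
    for label, a_flags, e_flags, a, e in (
            ("DACL", actual.dacl_flags, expected.dacl_flags, actual.dacl, expected.dacl),
            ("SACL", actual.sacl_flags, expected.sacl_flags, actual.sacl, expected.sacl)):
        if a_flags != e_flags:
            out.append(f"{label} flags: {a_flags!r} != {e_flags!r}")
        # ACE order matters when access is evaluated; for a mismatch report the set difference is what matters.
        for ace in sorted(set(e) - set(a), key=format_ace):
            out.append(f"{label} missing ACE: {format_ace(ace)}")
        for ace in sorted(set(a) - set(e), key=format_ace):
            out.append(f"{label} extra ACE: {format_ace(ace)}")
    return out


def normalize_rights(sddl):
    """Rewrite each ACE's rights field as a hex mask ('FA' -> '0x001f01ff')."""
    def fix(m):
        parts = m.group(1).split(";")
        if len(parts) > 2:
            parts[2] = f"0x{parse_rights(parts[2]):08x}"
        return "(" + ";".join(parts) + ")"
    return ACE_RE.sub(fix, sddl)


# The two descriptors from the sysvolcheck error quoted in this thread.
ACTUAL = ("O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
          "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

if __name__ == "__main__":
    for line in diff_descriptors(parse_sddl(ACTUAL), parse_sddl(EXPECTED)):
        print(line)
```

Run stand-alone it prints a single line, "owner: LA (Local Administrator account) != DA (Domain Admins)". The same diff on the GPMC pair from the SYSVOL thread further down this page reports the missing "P" (protected) DACL flag, the ACEs the GPMC added and removed, and the SACL that only the expected descriptor carries, which is a more useful starting point than eyeballing two 200-character strings.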
Re: [Samba] Slow winbind lookups
On 10/01/2013 13:51, Hleb Valoshka wrote: On 1/10/13, Alex Matthews qoole.sa...@lillimoth.com wrote: wbinfo -u takes a long time to return a list of users I guess that if you attach output of strace wbinfo -u or may be even strace -f wbinfo -u you'll find assistance faster :) # strace -ftT wbinfo -u 14:09:01 execve(/usr/bin/wbinfo, [wbinfo, -u], [/* 37 vars */]) = 0 0.000259 14:09:01 brk(0) = 0xd9f000 0.31 14:09:01 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f81143e4000 0.44 14:09:01 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file or directory) 0.30 14:09:01 open(/usr/lib64/tls/x86_64/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.30 14:09:01 stat(/usr/lib64/tls/x86_64, 0x7fffdba49910) = -1 ENOENT (No such file or directory) 0.22 14:09:01 open(/usr/lib64/tls/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.23 14:09:01 stat(/usr/lib64/tls, 0x7fffdba49910) = -1 ENOENT (No such file or directory) 0.42 14:09:01 open(/usr/lib64/x86_64/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.29 14:09:01 stat(/usr/lib64/x86_64, 0x7fffdba49910) = -1 ENOENT (No such file or directory) 0.22 14:09:01 open(/usr/lib64/libsamba-util.so.0, O_RDONLY|O_CLOEXEC) = 3 0.28 14:09:01 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\240\347\0\0\0\0\0\0..., 832) = 832 0.29 14:09:01 fstat(3, {st_mode=S_IFREG|0755, st_size=214200, ...}) = 0 0.22 14:09:01 mmap(NULL, 2310096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8113f9 0.24 14:09:01 mprotect(0x7f8113fc3000, 2093056, PROT_NONE) = 0 0.35 14:09:01 mmap(0x7f81141c2000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x32000) = 0x7f81141c2000 0.29 14:09:01 close(3) = 0 0.21 14:09:01 open(/usr/lib64/libwbclient.so.0, O_RDONLY|O_CLOEXEC) = 3 0.34 14:09:01 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0P#\0\0\0\0\0\0..., 832) = 832 0.23 14:09:01 fstat(3, 
{st_mode=S_IFREG|0755, st_size=43160, ...}) = 0 0.22 14:09:01 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f81143e3000 0.23 14:09:01 mmap(NULL, 2145544, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8113d84000 0.30 14:09:01 mprotect(0x7f8113d8e000, 2093056, PROT_NONE) = 0 0.33 14:09:01 mmap(0x7f8113f8d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x9000) = 0x7f8113f8d000 0.26 14:09:01 mmap(0x7f8113f8f000, 3336, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f8113f8f000 0.24 14:09:01 close(3) = 0 0.26 14:09:01 open(/usr/lib64/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.29 14:09:01 open(/usr/lib64/samba/tls/x86_64/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.28 14:09:01 stat(/usr/lib64/samba/tls/x86_64, 0x7fffdba498b0) = -1 ENOENT (No such file or directory) 0.22 14:09:01 open(/usr/lib64/samba/tls/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.28 14:09:01 stat(/usr/lib64/samba/tls, 0x7fffdba498b0) = -1 ENOENT (No such file or directory) 0.28 14:09:01 open(/usr/lib64/samba/x86_64/libreplace.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.22 14:09:01 stat(/usr/lib64/samba/x86_64, 0x7fffdba498b0) = -1 ENOENT (No such file or directory) 0.27 14:09:01 open(/usr/lib64/samba/libreplace.so, O_RDONLY|O_CLOEXEC) = 3 0.29 14:09:01 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\220\16\0\0\0\0\0\0..., 832) = 832 0.22 14:09:01 fstat(3, {st_mode=S_IFREG|0755, st_size=10240, ...}) = 0 0.27 14:09:01 mmap(NULL, 2105896, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8113b81000 0.30 14:09:01 mprotect(0x7f8113b83000, 2093056, PROT_NONE) = 0 0.45 14:09:01 mmap(0x7f8113d82000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0x7f8113d82000 0.26 14:09:01 close(3) = 0 0.26 14:09:01 open(/usr/lib64/libsamba-hostconfig.so.0, 
O_RDONLY|O_CLOEXEC) = 3 0.44 14:09:01 read(3, \177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0\0\1\0\0\\347\0\0\0\0\0\0..., 832) = 832 0.27 14:09:01 fstat(3, {st_mode=S_IFREG|0755, st_size=237984, ...}) = 0 0.21 14:09:01 mmap(NULL, 2333224, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f8113947000 0.29 14:09:01 mprotect(0x7f8113979000, 2097152, PROT_NONE) = 0 0.34 14:09:01 mmap(0x7f8113b79000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x32000) = 0x7f8113b79000 0.30 14:09:01 close(3) = 0 0.21 14:09:01 open(/usr/lib64/libcliauth.so, O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory) 0.24 14:09:01 open(/usr/lib64
Re: [Samba] Remove dead server from domain.
Hi all,

Sorry to bump my own thread but are there any suggestions for this issue?

Thanks,
Alex

On 05/12/2012 12:53, Thomas Simmons wrote:

Just to note, I have seen the same problem deleting real Windows Server DCs with rc4 and rc5. The first time I try deleting the DC via ADUC, I get the error:

Windows cannot delete object LDAP://10.1.1.254/CN=ADC2,OU=Domain Controllers,DC=internal,DC=testdom,DC=com because: The parameter is incorrect.

On subsequent tries, the following error is displayed:

Windows cannot delete object LDAP://10.1.1.254/CN=ADC2,OU=Domain Controllers,DC=internal,DC=testdom,DC=com because: The specified module could not be found.

My testing has shown that Windows Servers often fail to demote in various circumstances, so a solution to remove them from AD would be very useful.

On Wed, Dec 5, 2012 at 7:36 AM, Alex Matthews qoole.sa...@lillimoth.com wrote:

Hiya,

I have an S4 domain running that I added another S4 machine to as an extra domain controller. That machine, unfortunately died (quite spectacularly I must say, think magic blue smoke).

I would like to remove the dead domain controller from the domain. In ADUC I can see the DC under 'Domain Controllers' but when I try to delete it (having ticked the 'permanently offline' box) I get the following error:

Windows cannot delete object LDAP://tainan.internal.stmaryscollege.co.uk/CN=PEFW01,OU=Domain Controllers,DC=internal,DC=stmaryscollege,DC=co,DC=uk because: The specified module could not be found.

Is there a command line tool that I could try (samba-tool doesn't seem to have an option to remove the machine). Any other suggestions?

Thanks,
Alex
[Samba] Remove dead server from domain.
Hiya,

I have an S4 domain running that I added another S4 machine to as an extra domain controller. That machine, unfortunately died (quite spectacularly I must say, think magic blue smoke).

I would like to remove the dead domain controller from the domain. In ADUC I can see the DC under 'Domain Controllers' but when I try to delete it (having ticked the 'permanently offline' box) I get the following error:

Windows cannot delete object LDAP://tainan.internal.stmaryscollege.co.uk/CN=PEFW01,OU=Domain Controllers,DC=internal,DC=stmaryscollege,DC=co,DC=uk because: The specified module could not be found.

Is there a command line tool that I could try (samba-tool doesn't seem to have an option to remove the machine). Any other suggestions?

Thanks,
Alex
Re: [Samba] [PATCH] Re: SYSVOL ACLs and GPOs
On 05/11/2012 02:10, Andrew Bartlett wrote:

It is certainly very helpful to have this happen with samba-tool.

Can you remind me the history of this domain, is it the upgrade I was trying to suggest you do, or a fresh provision? If you can tell me what provision command-line you run, if it was provisioned with an older version, which branch and git revision that was and what branch and git revision are you running now?

I've tried to replicate this in 'make test' but failed (the tests pass). The patch for that is attached for review.

Thanks,
Andrew Bartlett

Ok, I think we've got a bit lost in issues here, so I'll start from the very beginning (I've heard it's a very good place to start).

I have set up two domains:

home.lillimoth.com - a test domain set up on virtual machines at home. This domain has been provisioned from scratch.
internal.stmaryscollege.co.uk - a production domain at my work place. This domain was migrated from a samba 3 domain.

My issue is that when I run gpmc (the group policy management console) on a windows machine (XP or 7) and select a gpo to edit I get the message:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK. - Please see: http://support.microsoft.com/kb/828760

This occurs on both domains. Clicking 'ok' to the popup should correct the ACLs on the files/folders it believes are incorrect.

Please note that before clicking 'ok' sysvolcheck passes with no errors however after clicking it would fail with the following error:

ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
does not match expected value
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
from GPO object

This suggests that the gpmc did change the ACLs however when reselecting the same GPO it pops up with the same message again!

Both servers have the correct mount options (user_xattr,acl) and acls work when set manually.

I did some research into what the ACLs should be on the sysvol share and came up with these: http://pastebin.com/sSURWrDf which were taken from a WS2003 machine. I have not yet attempted to set these on my S4 server but will try that tonight.

The issue seems to revolve around:
Incorrect initial ACLs on the sysvol share and its subfolders.
The inability of the GPMC to correct the issue. Suggesting that there is some issue setting ACLs on the sysvol share from a windows client.

There were a couple of issues with samba-tool creating GPOs but I will run through those in an email later this evening when I have had chance to test them on my test domain.

Thanks,
Alex
Re: [Samba] [PATCH] Re: SYSVOL ACLs and GPOs
On 06/11/2012 11:43, Alex Matthews wrote:
On 05/11/2012 02:10, Andrew Bartlett wrote:
It is certainly very helpful to have this happen with samba-tool. Can you remind me the history of this domain, is it the upgrade I was trying to suggest you do, or a fresh provision? If you can tell me what provision command-line you run, if it was provisioned with an older version, which branch and git revision that was and what branch and git revision are you running now?

I've tried to replicate this in 'make test' but failed (the tests pass). The patch for that is attached for review.

Thanks,
Andrew Bartlett

Ok, I think we've got a bit lost in issues here, so I'll start from the very beginning (I've heard it's a very good place to start).

I have set up two domains:
- home.lillimoth.com - a test domain set up on virtual machines at home. This domain has been provisioned from scratch.
- internal.stmaryscollege.co.uk - a production domain at my work place. This domain was migrated from a samba 3 domain.

My issue is that when I run gpmc (the group policy management console) on a windows machine (XP or 7) and select a gpo to edit I get the message:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK. - Please see: http://support.microsoft.com/kb/828760

This occurs on both domains. Clicking 'ok' to the popup should correct the ACLs on the files/folders it believes are incorrect.

Please note that before clicking 'ok' sysvolcheck passes with no errors however after clicking it would fail with the following error:

ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object

This suggests that the gpmc did change the ACLs however when reselecting the same GPO it pops up with the same message again!

Both servers have the correct mount options (user_xattr,acl) and acls work when set manually.

I did some research into what the ACLs should be on the sysvol share and came up with these: http://pastebin.com/sSURWrDf which were taken from a WS2003 machine. I have not yet attempted to set these on my S4 server but will try that tonight.

The issue seems to revolve around:
- Incorrect initial ACLs on the sysvol share and its subfolders.
- The inability of the GPMC to correct the issue. Suggesting that there is some issue setting ACLs on the sysvol share from a windows client.

There were a couple of issues with samba-tool creating GPOs but I will run through those in an email later this evening when I have had chance to test them on my test domain.

Thanks,
Alex

I have just attempted to set the ACL on the sysvol directory using samba-tool ntacl set and got the following message:

/usr/local/samba/var/locks# ../../bin/samba-tool ntacl set D:AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO) sysvol -d 2
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section [netlogon]
Processing section [sysvol]
Unknown flag - FA in FA
Badly formatted SDDL 'AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)'
ERROR(type 'exceptions.TypeError'): uncaught exception - Unable to parse SDDL
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py, line 90, in run
    setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py, line 89, in setntacl
    sd = security.descriptor.from_sddl(sddl, sid)

FA is listed on the Microsoft ACE String page as FILE_ALL_ACCESS (http://msdn.microsoft.com/en-gb/library
Re: [Samba] SYSVOL ACLs and GPOs
On 30/10/2012 00:08, Jeremy Allison wrote:
On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
be a particular trigger - but it shouldn't be able to make a modification that doesn't go via vfs_acl_xattr.

For Alex, before running the Group Policy tools on WinXP, he gets (at level 10 on samba-tool ntacl sysvolcheck):
get_nt_acl_internal: blob hash matches for file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}

then after, he gets:
get_nt_acl_internal: blob hash does not match for file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.

Is this message from smbd, or from samba-tool ?

That's what vfs_acl_common is printing, being run from samba-tool ntacl sysvolcheck. It links to the VFS layer.

So this looks like it's running the Group Policy tools on WinXP that causes the problem ? Can we get a debug level 10 log of that activity going on against smbd ?

Jeremy.

Ok I have some additional info. Using the GPMC I cannot create new GPOs.

I get the message: This security ID may not be assigned as the owner of this object

If I use samba-tool gpo create I get the following:

# bin/samba-tool gpo create SMC Students
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - dsdb_access: Access check failed on CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk
  File /vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py, line 952, in run
    self.samdb.add(m)

If I supply administrator as username I get:

# bin/samba-tool gpo create SMC Students -U administrator
Password for [SMC\administrator]:
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
  File /vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py, line 987, in run
    conn.set_acl(sharepath, fs_sd, sio)

However this time it has successfully created the GPO. (GPMC still throws the same warnings about inconsistent ACLs).

bin/samba-tool gpo create SMC Students -d 10: http://pastebin.com/tjutA68u
bin/samba-tool gpo create SMC Students -U administrator -d 10: http://pastebin.com/8kkVEy7V

I would hazard a guess and say the GPMC error (when creating a GPO) is the same error as the samba-tool error.

Thanks,
Alex
Re: [Samba] SYSVOL ACLs and GPOs
On 24/10/2012 17:25, Alex Matthews wrote:
On 24/10/2012 12:09, Andrew Bartlett wrote:
On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
Hi,

I have installed a virtual testing network consisting of one samba4 PDC (latest git master) and one Windows XP Pro SP3 (fully updated) machine. I have successfully provisioned an AD Domain and joined the XP machine to it.

When I run the gpmc on the XP Pro machine and select: Forest: domain name - Domains - domain name - Group Policy Objects - Default Domain [Controller | Policy] I get the following error:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

Hitting ok I get no error but as soon as I reselect THE SAME entry I get the same error, it doesn't seem to be able to fix the ACL.

I have found one post about this on the list (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was fixed a long time ago. Seeing as I'm using the latest version I would assume this is a different issue.

If I try to change any of the ACLs on either of the folders in \\pdc\sysvol\domain name\Policies\ by hand I get no errors however the change doesn't stick.

Looking at the samba log files:
I get this when I start gpmc and click ok: http://pastebin.com/7rBKyU1B
I get this when I start gpmc and don't click ok: http://pastebin.com/B3DMSE1T
I get this when I alter the ACLs manually (after line 479 is when I actually alter the ACLs): http://pastebin.com/2mEvWX6K

My smb.conf is stock. No alterations. The server OS is Ubuntu 12.04. The filesystem is ext4 mounted with the following options: errors=remount-ro,acl,user_xattr,barrier=1. I have all acl packages installed that I have seen referenced by samba or in posts of a similar nature.

If you are in the mood for some testing, can you try my acl-fixes2 branch?

git remote add abartlet git://git.samba.org/abartlet/samba.git
git fetch abartlet
git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2

I'm trying to get these changes into master, but I'm not quite finished. You should only put these on a test server, as I may change data formats etc. I would be very curious to know if this fixes the issue.

Otherwise or in addition, if you can show me the contents of your idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess at what is going wrong here, and fix it.

Thanks,
Andrew Bartlett

I assume git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2 should be: git checkout abartlet/fix-acls2 -b abartlet-fix-acls2

I'm rebuilding now, will keep you posted!

Thanks,
Alex

I have tried your branch. Rebuilt and the XP machine still throws the same issue. Do I need to reprovision?

Thanks,
Alex
Re: [Samba] SYSVOL ACLs and GPOs
On 26/10/2012 02:37, Andrew Bartlett wrote:
On Fri, 2012-10-26 at 00:34 +0100, Alex Matthews wrote:
On 25/10/2012 23:27, Andrew Bartlett wrote:
On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote:
On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
On 25/10/2012 11:30, Andrew Bartlett wrote:
On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
samba-tool ntacl sysvolcheck shows:

sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py, line 245, in run
    lp)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1574, in checksysvolacl
    direct_db_access)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1526, in check_gpos_acl
    domainsid, direct_db_access)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1476, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Drat. So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed the issue we have had for a while. I had (incorrectly in your case) assumed the issue was that IDMAP mappings imported from classic domains were breaking it. That's why I worked on my patches, which improve the situation by handling some details at a lower level.

On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' then, if you don't mind, getting me the level 10 debug log would be very helpful. Set 'log level = 10' in your smb.conf, then re-run and send me (personally) the result compressed with xz.

Andrew Bartlett

Just to be clear, those last two logs were taken from a samba compiled with your fix-acls2 branch. It is also a completely blank provisioned domain, I have not migrated anything. What do you want the logs of? Starting samba + logging in from XP + starting gpmc.msc + altering permissions manually?

Yeah, I was incredibly unclear: I need level 10 logs of just the 'samba-tool ntacl sysvolcheck' command, as that shows the issue in a very nice, self-contained way.

So, the issue is that this host doesn't return the ACL consistently. What I mean is this: When we store the NT ACL for the {12344...} folder, we store an xattr with:
- the NT ACL we need to return to clients
- the hash of the posix ACL we set on disk (as read back from the OS)

When we do the sysvolcheck we fetch the xattr, read the hash and get the posix ACL off disk again. On your host, these don't match!

Can you give me details about what your host is?

Just to be really sure we are doing this right, because I can't reproduce this here, can you run:
bin/samba-tool domain provision --targetdir=/tmp/provision-root2 --realm=realm.com --domain=dom

Do this on master and on my fix-acls2 branch, with separate targetdir for each, with this patch on top in both cases?

If that passes, can you give me the provision command you normally use, and tell me if that fails? If your normal command passes, then can you work out if there is a time period involved before sysvolcheck fails? (that is, after X seconds it fails).

For this last thing, I'm clutching at caching straws, but this is a real issue that we must get to the bottom of - beyond the AD DC, the ACL facility we use here is critical to file server users in Samba too.

Thanks,
Andrew Bartlett

I have the following directory tree:
/root/samba_test/samba-master
/root/samba_test/samba-aclfix
/root/samba_test/build-master
/root/samba_test/build-aclfix

I ran:
build-master/bin/samba-tool domain provision --targetdir=/root/samba_test/provision_master --realm=realm.com --domain=dom
build-aclfix/bin/samba-tool domain provision --targetdir=/root/samba_test/provision_aclfix --realm=realm.com --domain=dom

however when I run: build-{master
Re: [Samba] SYSVOL ACLs and GPOs
On 26/10/2012 11:03, Andrew Bartlett wrote:
On Fri, 2012-10-26 at 10:44 +0100, Alex Matthews wrote:
I'm assuming because of the way I laid my directory tree out I could also just provision as normal and run the tests? Just makes it difficult to un-provision.

I did a bit of testing last night and sysvolcheck returns no errors until the point that I run the gpmc.msc on the XP domain member and click ok to fix the inconsistent ACLs. At that point it returns the same error. Running sysvolreset does not fix it either.

OK. This is more interesting. Can you show me first the output, and then the level 10 log of that sysvolcheck command? I'm particularly curious that a sysvolreset can't fix it. A network capture of what gpmc does may be instructive also.

This is true, at least, for the master branch, I haven't tested the aclfix branch yet.

OK. Given this info on the essential components involved (running gpmc.msc once seems key), I think I have the steps to reproduce this here, which I'll try tonight or tomorrow.

Thanks,
Andrew Bartlett

# bin/samba-tool ntacl sysvolcheck
ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: VFS ACL on GPO directory /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;ED)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object
  File /root/samba_test/build_master/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /root/samba_test/build_master/lib/python2.7/site-packages/samba/netcmd/ntacl.py, line 245, in run
    lp)
  File /root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py, line 1574, in checksysvolacl
    direct_db_access)
  File /root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py, line 1526, in check_gpos_acl
    domainsid, direct_db_access)
  File /root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py, line 1476, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Level 10 sysvolcheck log: http://pastebin.com/QBHTKkqL

Do you want a wireshark packet log of GPMC or a samba level 10 log?

Thanks,
Alex
Re: [Samba] SYSVOL ACLs and GPOs
On 25/10/2012 02:31, Andrew Bartlett wrote:
On Wed, 2012-10-24 at 18:36 +0100, Alex Matthews wrote:
On 24/10/2012 17:25, Alex Matthews wrote:
On 24/10/2012 12:09, Andrew Bartlett wrote:
On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
Hi,

I have installed a virtual testing network consisting of one samba4 PDC (latest git master) and one Windows XP Pro SP3 (fully updated) machine. I have successfully provisioned an AD Domain and joined the XP machine to it.

When I run the gpmc on the XP Pro machine and select: Forest: domain name - Domains - domain name - Group Policy Objects - Default Domain [Controller | Policy] I get the following error:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

Hitting ok I get no error but as soon as I reselect THE SAME entry I get the same error, it doesn't seem to be able to fix the ACL.

I have found one post about this on the list (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was fixed a long time ago. Seeing as I'm using the latest version I would assume this is a different issue.

If I try to change any of the ACLs on either of the folders in \\pdc\sysvol\domain name\Policies\ by hand I get no errors however the change doesn't stick.

Looking at the samba log files:
I get this when I start gpmc and click ok: http://pastebin.com/7rBKyU1B
I get this when I start gpmc and don't click ok: http://pastebin.com/B3DMSE1T
I get this when I alter the ACLs manually (after line 479 is when I actually alter the ACLs): http://pastebin.com/2mEvWX6K

My smb.conf is stock. No alterations. The server OS is Ubuntu 12.04. The filesystem is ext4 mounted with the following options: errors=remount-ro,acl,user_xattr,barrier=1. I have all acl packages installed that I have seen referenced by samba or in posts of a similar nature.

If you are in the mood for some testing, can you try my acl-fixes2 branch?

git remote add abartlet git://git.samba.org/abartlet/samba.git
git fetch abartlet
git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2

I'm trying to get these changes into master, but I'm not quite finished. You should only put these on a test server, as I may change data formats etc. I would be very curious to know if this fixes the issue.

Otherwise or in addition, if you can show me the contents of your idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess at what is going wrong here, and fix it.

Thanks,
Andrew Bartlett

I assume git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2 should be: git checkout abartlet/fix-acls2 -b abartlet-fix-acls2

I'm rebuilding now, will keep you posted!

Thanks,
Alex

I have tried your branch. Rebuilt and the XP machine still throws the same issue. Do I need to reprovision?

You need to at least run 'samba-tool ntacl sysvolreset' to get the new ACLs on disk.

Andrew Bartlett

Hiya,

No luck I'm afraid, still the same issue!

Thanks,
Alex
Re: [Samba] SYSVOL ACLs and GPOs
On 25/10/2012 10:20, Andrew Bartlett wrote:
On Thu, 2012-10-25 at 10:01 +0100, Alex Matthews wrote:
On 25/10/2012 02:31, Andrew Bartlett wrote:
On Wed, 2012-10-24 at 18:36 +0100, Alex Matthews wrote:
On 24/10/2012 17:25, Alex Matthews wrote:
On 24/10/2012 12:09, Andrew Bartlett wrote:
On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
Hi,

I have installed a virtual testing network consisting of one samba4 PDC (latest git master) and one Windows XP Pro SP3 (fully updated) machine. I have successfully provisioned an AD Domain and joined the XP machine to it.

When I run the gpmc on the XP Pro machine and select: Forest: domain name - Domains - domain name - Group Policy Objects - Default Domain [Controller | Policy] I get the following error:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

Hitting ok I get no error but as soon as I reselect THE SAME entry I get the same error, it doesn't seem to be able to fix the ACL.

I have found one post about this on the list (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was fixed a long time ago. Seeing as I'm using the latest version I would assume this is a different issue.

If I try to change any of the ACLs on either of the folders in \\pdc\sysvol\domain name\Policies\ by hand I get no errors however the change doesn't stick.

Looking at the samba log files:
I get this when I start gpmc and click ok: http://pastebin.com/7rBKyU1B
I get this when I start gpmc and don't click ok: http://pastebin.com/B3DMSE1T
I get this when I alter the ACLs manually (after line 479 is when I actually alter the ACLs): http://pastebin.com/2mEvWX6K

My smb.conf is stock. No alterations. The server OS is Ubuntu 12.04. The filesystem is ext4 mounted with the following options: errors=remount-ro,acl,user_xattr,barrier=1. I have all acl packages installed that I have seen referenced by samba or in posts of a similar nature.

If you are in the mood for some testing, can you try my acl-fixes2 branch?

git remote add abartlet git://git.samba.org/abartlet/samba.git
git fetch abartlet
git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2

I'm trying to get these changes into master, but I'm not quite finished. You should only put these on a test server, as I may change data formats etc. I would be very curious to know if this fixes the issue.

Otherwise or in addition, if you can show me the contents of your idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess at what is going wrong here, and fix it.

Thanks,
Andrew Bartlett

I assume git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2 should be: git checkout abartlet/fix-acls2 -b abartlet-fix-acls2

I'm rebuilding now, will keep you posted!

Thanks,
Alex

I have tried your branch. Rebuilt and the XP machine still throws the same issue. Do I need to reprovision?

You need to at least run 'samba-tool ntacl sysvolreset' to get the new ACLs on disk.

Andrew Bartlett

Hiya,

No luck I'm afraid, still the same issue!

Drat. OK, we will need to dig in further. Can you show me your idmap.ldb? What does 'samba-tool ntacl sysvolcheck' show?

Andrew Bartlett

samba-tool ntacl sysvolcheck shows:

sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
[sudo] password for qoole:
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file /usr/local/samba/etc/smb.conf
Processing section [global]
Processing section [netlogon]
Processing section [sysvol]
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Module 'acl_xattr' loaded
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) does
Re: [Samba] SYSVOL ACLs and GPOs
On 25/10/2012 11:30, Andrew Bartlett wrote:
On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
samba-tool ntacl sysvolcheck shows:

sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
ERROR(class 'samba.provision.ProvisioningError'): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
    return self.run(*args, **kwargs)
  File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py, line 245, in run
    lp)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1574, in checksysvolacl
    direct_db_access)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1526, in check_gpos_acl
    domainsid, direct_db_access)
  File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1476, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))

Drat. So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed the issue we have had for a while. I had (incorrectly in your case) assumed the issue was that IDMAP mappings imported from classic domains were breaking it. That's why I worked on my patches, which improve the situation by handling some details at a lower level.

On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' then, if you don't mind, getting me the level 10 debug log would be very helpful. Set 'log level = 10' in your smb.conf, then re-run and send me (personally) the result compressed with xz.

Andrew Bartlett

Just to be clear, those last two logs were taken from a samba compiled with your fix-acls2 branch. It is also a completely blank provisioned domain, I have not migrated anything. What do you want the logs of? Starting samba + logging in from XP + starting gpmc.msc + altering permissions manually?

Thanks,
Alex
Re: [Samba] SYSVOL ACLs and GPOs
On 25/10/2012 23:27, Andrew Bartlett wrote:
> On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote:
>> On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
>>> On 25/10/2012 11:30, Andrew Bartlett wrote:
>>>> On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
>>>>> samba-tool ntacl sysvolcheck shows:
>>>>>
>>>>> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
>>>>> does not match expected value
>>>>> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>>> from GPO object
>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
>>>>>     return self.run(*args, **kwargs)
>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py, line 245, in run
>>>>>     lp)
>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1574, in checksysvolacl
>>>>>     direct_db_access)
>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1526, in check_gpos_acl
>>>>>     domainsid, direct_db_access)
>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1476, in check_dir_acl
>>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>>>>
>>>> Drat.
>>>>
>>>> So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed the issue we have had for a while. I had (incorrectly in your case) assumed the issue was that IDMAP mappings imported from classic domains were breaking it. That's why I worked on my patches, which improve the situation by handling some details at a lower level.
>>>>
>>>> On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' then, if you don't mind, getting me the level 10 debug log would be very helpful. Set 'log level = 10' in your smb.conf, then re-run and send me (personally) the result compressed with xz.
>>>>
>>>> Andrew Bartlett
>>>
>>> Just to be clear, those last two logs were taken from a samba compiled with your fix-acls2 branch. It is also a completely blank provisioned domain; I have not migrated anything.
>>>
>>> What do you want the logs of? Starting samba + logging in from XP + starting gpmc.msc + altering permissions manually?
>>
>> Yeah, I was incredibly unclear: I need level 10 logs of just the 'samba-tool ntacl sysvolcheck' command, as that shows the issue in a very nice, self-contained way.
>>
>> So, the issue is that this host doesn't return the ACL consistently. What I mean is this:
>>
>> When we store the NT ACL for the {12344...} folder, we store an xattr with:
>>  - the NT ACL we need to return to clients
>>  - the hash of the posix ACL we set on disk (as read back from the OS)
>>
>> When we do the sysvolcheck we fetch the xattr, read the hash and get the posix ACL off disk again. On your host, these don't match!
>>
>> Can you give me details about what your host is?
>>
>> Just to be really sure we are doing this right, because I can't reproduce this here, can you run:
>>
>> bin/samba-tool domain provision --targetdir=/tmp/provision-root2 --realm=realm.com --domain=dom
>>
>> Do this on master and on my fix-acls2 branch, with separate targetdir for each, with this patch on top in both cases?
>>
>> If that passes, can you give me the provision command you normally use, and tell me if that fails?
>
> If your normal command passes, then can you work out if there is a time period involved before sysvolcheck fails? (that is, after X seconds it fails).
>
> For this last thing, I'm clutching at caching straws, but this is a real issue that we must get to the bottom of - beyond the AD DC, the ACL facility we use here is critical to file server users in Samba too.
>
> Thanks,
>
> Andrew Bartlett

My host is a VirtualBox VM running Ubuntu 12.04 LTS Server.
Kernel = 3.2.0-32-generic

I have followed all posts I could find about ext4 filesystems + samba4. / is mounted with the options: acl,user_xattr,barrier=1; this is where all the samba stuff is located.

What else would you like to know?

I am downloading/building now.

Thanks,
Alex

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
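The two descriptors in the quoted sysvolcheck output differ in more than one place, and it helps to see exactly which ACEs are involved rather than eyeballing two long SDDL strings. The following is an added example, not code from Samba or from anyone on this thread: a small SDDL parser that splits each descriptor into its O:/G:/D:/S: sections and reports the DACL control flags plus the ACEs present on only one side. The access-mask names are the standard Windows meanings (0x001f01ff is full control, 0x001200a9 is read and execute); the helper names are my own.

```python
"""Compare the on-disk and expected SDDL descriptors printed by
'samba-tool ntacl sysvolcheck', ACE by ACE.  Added illustration; the parser
and report helpers are not part of Samba."""
import re

# The two descriptors from the quoted traceback (VFS ACL on disk vs. the
# expected value computed from the GPO object).
ON_DISK = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
           "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
           "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
            "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

# Standard Windows access masks that occur in these descriptors.
RIGHTS = {"0x001f01ff": "FULL_CONTROL", "0x001200a9": "READ_EXECUTE", "WO": "WRITE_OWNER"}


def split_sddl(sddl):
    """Split a descriptor into its O:, G:, D: and S: sections.  Section markers
    are recognised only outside parentheses, so a 'D' or 'S' inside an ACE
    (the trustee abbreviations DA or SY, for instance) cannot start a section."""
    sections, current, depth, i = {}, None, 0, 0
    while i < len(sddl):
        ch = sddl[i]
        if depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            current = ch
            sections[current] = ""
            i += 2
            continue
        depth += (ch == "(") - (ch == ")")
        if current is not None:
            sections[current] += ch
        i += 1
    return sections


def parse_acl(section):
    """Return (control flags, list of ACE tuples) for the text after D: or S:."""
    if section is None:
        return None, []
    flags = section.split("(", 1)[0]
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", section)]
    return flags, aces


def describe(ace):
    """Human-readable form: type;inheritance flags;rights;trustee."""
    ace_type, flags, rights, _obj, _inh_obj, sid = ace
    return f"{ace_type};{flags or '-'};{RIGHTS.get(rights, rights)};{sid}"


def diff_dacl(on_disk, expected):
    """Compare the DACLs of two descriptors as sets of ACEs (duplicate ACEs
    collapse and order is ignored) and report control-flag differences."""
    disk_flags, disk_aces = parse_acl(split_sddl(on_disk).get("D"))
    want_flags, want_aces = parse_acl(split_sddl(expected).get("D"))
    disk, want = set(disk_aces), set(want_aces)
    return {
        "disk_flags": disk_flags,
        "expected_flags": want_flags,
        # 'P' (protected) blocks ACE inheritance from the parent directory.
        "protected_lost": "P" in (want_flags or "") and "P" not in (disk_flags or ""),
        "missing_on_disk": sorted(want - disk),
        "extra_on_disk": sorted(disk - want),
        "common": sorted(disk & want),
    }


def report(on_disk=ON_DISK, expected=EXPECTED):
    """Return the diff as printable lines."""
    d = diff_dacl(on_disk, expected)
    lines = [f"DACL flags: on disk '{d['disk_flags']}', expected '{d['expected_flags']}'"]
    for label in ("missing_on_disk", "extra_on_disk"):
        lines.append(f"{label}:")
        lines.extend("  " + describe(a) for a in d[label])
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run against the two strings above, the report shows the expected descriptor's protected flag absent on disk, the full-control entries for EA and SY missing, and in their place an object-only read/execute entry plus an inherit-only full-control entry for each, together with a CG (creator group) entry the GPO object never had. That shape, where one NT ACE becomes a pair of entries shaped like a POSIX ACL, is consistent with a descriptor synthesised from the POSIX ACL rather than the NT ACL stored in the xattr, which is the mismatch Andrew describes.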
Re: [Samba] SYSVOL ACLs and GPOs
On 25/10/2012 23:27, Andrew Bartlett wrote:
> On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote:
>> On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
>>> On 25/10/2012 11:30, Andrew Bartlett wrote:
>>>> On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
>>>>> samba-tool ntacl sysvolcheck shows:
>>>>>
>>>>> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
>>>>> does not match expected value
>>>>> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>>> from GPO object
>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
>>>>>     return self.run(*args, **kwargs)
>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py, line 245, in run
>>>>>     lp)
>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1574, in checksysvolacl
>>>>>     direct_db_access)
>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1526, in check_gpos_acl
>>>>>     domainsid, direct_db_access)
>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1476, in check_dir_acl
>>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>>>>
>>>> Drat.
>>>>
>>>> So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed the issue we have had for a while. I had (incorrectly in your case) assumed the issue was that IDMAP mappings imported from classic domains were breaking it. That's why I worked on my patches, which improve the situation by handling some details at a lower level.
>>>>
>>>> On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' then, if you don't mind, getting me the level 10 debug log would be very helpful. Set 'log level = 10' in your smb.conf, then re-run and send me (personally) the result compressed with xz.
>>>>
>>>> Andrew Bartlett
>>>
>>> Just to be clear, those last two logs were taken from a samba compiled with your fix-acls2 branch. It is also a completely blank provisioned domain; I have not migrated anything.
>>>
>>> What do you want the logs of? Starting samba + logging in from XP + starting gpmc.msc + altering permissions manually?
>>
>> Yeah, I was incredibly unclear: I need level 10 logs of just the 'samba-tool ntacl sysvolcheck' command, as that shows the issue in a very nice, self-contained way.
>>
>> So, the issue is that this host doesn't return the ACL consistently. What I mean is this:
>>
>> When we store the NT ACL for the {12344...} folder, we store an xattr with:
>>  - the NT ACL we need to return to clients
>>  - the hash of the posix ACL we set on disk (as read back from the OS)
>>
>> When we do the sysvolcheck we fetch the xattr, read the hash and get the posix ACL off disk again. On your host, these don't match!
>>
>> Can you give me details about what your host is?
>>
>> Just to be really sure we are doing this right, because I can't reproduce this here, can you run:
>>
>> bin/samba-tool domain provision --targetdir=/tmp/provision-root2 --realm=realm.com --domain=dom
>>
>> Do this on master and on my fix-acls2 branch, with separate targetdir for each, with this patch on top in both cases?
>>
>> If that passes, can you give me the provision command you normally use, and tell me if that fails?
>
> If your normal command passes, then can you work out if there is a time period involved before sysvolcheck fails? (that is, after X seconds it fails).
>
> For this last thing, I'm clutching at caching straws, but this is a real issue that we must get to the bottom of - beyond the AD DC, the ACL facility we use here is critical to file server users in Samba too.
>
> Thanks,
>
> Andrew Bartlett

I have the following directory tree:

/root/samba_test/samba-master
/root/samba_test/samba-aclfix
/root/samba_test/build-master
/root/samba_test/build-aclfix

I ran:

build-master/bin/samba-tool domain provision --targetdir=/root/samba_test/provision_master --realm=realm.com --domain=dom
build-aclfix/bin/samba-tool domain provision --targetdir=/root/samba_test/provision_aclfix --realm=realm.com --domain=dom

however when I run:

build-{master|aclfix}/bin/samba-tool ntacl sysvolcheck

I get the following error:

ERROR(runtime): uncaught exception
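The mechanism Andrew describes in the quoted text (an xattr holding the NT ACL together with a hash of the POSIX ACL as read back from the OS, re-checked by sysvolcheck) is easy to model, and the model shows why a host that returns a different POSIX ACL than the one that was hashed makes the stored NT ACL unusable. This is an added illustration written for this page, not Samba's code: the storage layout, the choice of SHA-256, the canonicalisation rule and the function names are all assumptions, and the getfacl-style listing, the GPO path and the numeric gids are constructed sample data.

```python
"""Model of the xattr consistency check described in the thread: the stored
NT ACL is trusted only while the hash of the current POSIX ACL matches the
hash recorded when the ACL was set.  Added illustration; layout, hash and
helper names are assumptions, not Samba's own implementation."""
import hashlib


def canonical_posix_acl(getfacl_text):
    """Keep only the ACL entries of a getfacl listing: drop the '# file:',
    '# owner:' and '# group:' comment lines and surrounding whitespace so
    that the hash depends on the permission entries alone."""
    entries = [ln.strip() for ln in getfacl_text.splitlines()]
    return "\n".join(e for e in entries if e and not e.startswith("#"))


def posix_acl_hash(getfacl_text):
    """SHA-256 over the canonical entries (the hash choice is an assumption)."""
    return hashlib.sha256(canonical_posix_acl(getfacl_text).encode()).hexdigest()


def store_nt_acl(xattr_store, path, nt_acl_sddl, posix_acl_as_read_back):
    """What a DC records when it sets an ACL: the NT ACL it must hand back to
    SMB clients and the hash of the POSIX ACL it read back from the OS after
    setting it.  xattr_store stands in for the per-file extended attribute."""
    xattr_store[path] = {
        "nt_acl": nt_acl_sddl,
        "posix_hash": posix_acl_hash(posix_acl_as_read_back),
    }


def check_nt_acl(xattr_store, path, posix_acl_now):
    """Re-read the POSIX ACL, re-hash it and compare with the stored hash.
    Returns (status, nt_acl); the stored NT ACL is returned only when the
    hash matches, otherwise the stored descriptor cannot be trusted."""
    blob = xattr_store.get(path)
    if blob is None:
        return "no-xattr", None
    if blob["posix_hash"] != posix_acl_hash(posix_acl_now):
        return "hash-mismatch", None
    return "ok", blob["nt_acl"]


# Constructed sample data: a getfacl-style listing for a GPT.INI as one DC
# reads it back, with a placeholder GPO GUID and a made-up numeric gid.
GPO_PATH = "sysvol/example.test/Policies/{GPO-GUID-PLACEHOLDER}/GPT.INI"
NT_ACL = "O:DAG:DAD:PAR(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU)"  # constructed
ACL_DC_A = """\
# file: GPT.INI
# owner: administrator
# group: domain admins
user::rwx
user:administrator:rwx
group::rwx
group:domain admins:rwx
group:3000001:r-x
mask::rwx
other::---
"""
# The same file as seen by a host whose idmap gives that group a different
# local gid: every entry but one is identical, yet the hash no longer matches.
ACL_DC_B = ACL_DC_A.replace("group:3000001:r-x", "group:3000009:r-x")


def demo():
    """Exercise the three outcomes and return their statuses."""
    store = {}
    store_nt_acl(store, GPO_PATH, NT_ACL, ACL_DC_A)
    same_host = check_nt_acl(store, GPO_PATH, ACL_DC_A)[0]             # ok
    other_idmap = check_nt_acl(store, GPO_PATH, ACL_DC_B)[0]           # hash-mismatch
    untracked = check_nt_acl(store, "sysvol/other/file", ACL_DC_A)[0]  # no-xattr
    return same_host, other_idmap, untracked


if __name__ == "__main__":
    print(demo())
```

The point of hashing the ACL as read back, rather than as requested, is that the filesystem may store something other than what was asked for; the check therefore detects any later drift between the two, including a host that hands back a different numeric id for the same group, a different entry order, or an ACL that was edited outside Samba.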
Re: [Samba] SYSVOL ACLs and GPOs
On 26/10/2012 00:34, Alex Matthews wrote:
> On 25/10/2012 23:27, Andrew Bartlett wrote:
>> On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote:
>>> On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
>>>> On 25/10/2012 11:30, Andrew Bartlett wrote:
>>>>> On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
>>>>>> samba-tool ntacl sysvolcheck shows:
>>>>>>
>>>>>> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>>> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
>>>>>> does not match expected value
>>>>>> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>>>> from GPO object
>>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py, line 175, in _run
>>>>>>     return self.run(*args, **kwargs)
>>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py, line 245, in run
>>>>>>     lp)
>>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1574, in checksysvolacl
>>>>>>     direct_db_access)
>>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1526, in check_gpos_acl
>>>>>>     domainsid, direct_db_access)
>>>>>>   File /usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py, line 1476, in check_dir_acl
>>>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
>>>>>
>>>>> Drat.
>>>>>
>>>>> So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed the issue we have had for a while. I had (incorrectly in your case) assumed the issue was that IDMAP mappings imported from classic domains were breaking it. That's why I worked on my patches, which improve the situation by handling some details at a lower level.
>>>>>
>>>>> On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' then, if you don't mind, getting me the level 10 debug log would be very helpful. Set 'log level = 10' in your smb.conf, then re-run and send me (personally) the result compressed with xz.
>>>>>
>>>>> Andrew Bartlett
>>>>
>>>> Just to be clear, those last two logs were taken from a samba compiled with your fix-acls2 branch. It is also a completely blank provisioned domain; I have not migrated anything.
>>>>
>>>> What do you want the logs of? Starting samba + logging in from XP + starting gpmc.msc + altering permissions manually?
>>>
>>> Yeah, I was incredibly unclear: I need level 10 logs of just the 'samba-tool ntacl sysvolcheck' command, as that shows the issue in a very nice, self-contained way.
>>>
>>> So, the issue is that this host doesn't return the ACL consistently. What I mean is this:
>>>
>>> When we store the NT ACL for the {12344...} folder, we store an xattr with:
>>>  - the NT ACL we need to return to clients
>>>  - the hash of the posix ACL we set on disk (as read back from the OS)
>>>
>>> When we do the sysvolcheck we fetch the xattr, read the hash and get the posix ACL off disk again. On your host, these don't match!
>>>
>>> Can you give me details about what your host is?
>>>
>>> Just to be really sure we are doing this right, because I can't reproduce this here, can you run:
>>>
>>> bin/samba-tool domain provision --targetdir=/tmp/provision-root2 --realm=realm.com --domain=dom
>>>
>>> Do this on master and on my fix-acls2 branch, with separate targetdir for each, with this patch on top in both cases?
>>>
>>> If that passes, can you give me the provision command you normally use, and tell me if that fails?
>>
>> If your normal command passes, then can you work out if there is a time period involved before sysvolcheck fails? (that is, after X seconds it fails).
>>
>> For this last thing, I'm clutching at caching straws, but this is a real issue that we must get to the bottom of - beyond the AD DC, the ACL facility we use here is critical to file server users in Samba too.
>>
>> Thanks,
>>
>> Andrew Bartlett
>
> I have the following directory tree:
>
> /root/samba_test/samba-master
> /root/samba_test/samba-aclfix
> /root/samba_test/build-master
> /root/samba_test/build-aclfix
>
> I ran:
>
> build-master/bin/samba-tool domain provision --targetdir=/root/samba_test/provision_master --realm=realm.com --domain=dom
> build-aclfix/bin/samba-tool domain provision --targetdir=/root/samba_test/provision_aclfix --realm=realm.com --domain=dom
>
> however when I run:
>
> build-{master|aclfix}/bin/samba-tool ntacl
[Samba] SYSVOL ACLs and GPOs
Hi,

I have installed a virtual testing network consisting of one samba4 PDC (latest git master) and one Windows XP Pro SP3 (fully updated) machine. I have successfully provisioned an AD Domain and joined the XP machine to it.

When I run the gpmc on the XP Pro machine and select:

Forest: domain name - Domains - domain name - Group Policy Objects - Default Domain [Controller | Policy]

I get the following error:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.

Hitting OK I get no error, but as soon as I reselect THE SAME entry I get the same error; it doesn't seem to be able to fix the ACL.

I have found one post about this on the list (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was fixed a long time ago. Seeing as I'm using the latest version I would assume this is a different issue.

If I try to change any of the ACLs on either of the folders in \\pdc\sysvol\domain name\Policies\ by hand I get no errors, however the change doesn't stick.

Looking at the samba log files:

I get this when I start gpmc and click ok: http://pastebin.com/7rBKyU1B
I get this when I start gpmc and don't click ok: http://pastebin.com/B3DMSE1T
I get this when I alter the ACLs manually (after line 479 is when I actually alter the ACLs): http://pastebin.com/2mEvWX6K

My smb.conf is stock. No alterations.

The server OS is Ubuntu 12.04. The filesystem is ext4 mounted with the following options: errors=remount-ro,acl,user_xattr,barrier=1.

I have all acl packages installed that I have seen referenced by samba or in posts of a similar nature.

Thanks,
Alex
Re: [Samba] SYSVOL ACLs and GPOs
On 24/10/2012 12:09, Andrew Bartlett wrote:
> On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
>> Hi,
>>
>> I have installed a virtual testing network consisting of one samba4 PDC (latest git master) and one Windows XP Pro SP3 (fully updated) machine. I have successfully provisioned an AD Domain and joined the XP machine to it.
>>
>> When I run the gpmc on the XP Pro machine and select:
>>
>> Forest: domain name - Domains - domain name - Group Policy Objects - Default Domain [Controller | Policy]
>>
>> I get the following error:
>>
>> The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.
>>
>> Hitting OK I get no error, but as soon as I reselect THE SAME entry I get the same error; it doesn't seem to be able to fix the ACL.
>>
>> I have found one post about this on the list (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was fixed a long time ago. Seeing as I'm using the latest version I would assume this is a different issue.
>>
>> If I try to change any of the ACLs on either of the folders in \\pdc\sysvol\domain name\Policies\ by hand I get no errors, however the change doesn't stick.
>>
>> Looking at the samba log files:
>>
>> I get this when I start gpmc and click ok: http://pastebin.com/7rBKyU1B
>> I get this when I start gpmc and don't click ok: http://pastebin.com/B3DMSE1T
>> I get this when I alter the ACLs manually (after line 479 is when I actually alter the ACLs): http://pastebin.com/2mEvWX6K
>>
>> My smb.conf is stock. No alterations.
>>
>> The server OS is Ubuntu 12.04. The filesystem is ext4 mounted with the following options: errors=remount-ro,acl,user_xattr,barrier=1.
>>
>> I have all acl packages installed that I have seen referenced by samba or in posts of a similar nature.
>
> If you are in the mood for some testing, can you try my acl-fixes2 branch?
>
> git remote add abartlet git://git.samba.org/abartlet/samba.git
> git fetch abartlet
> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
>
> I'm trying to get these changes into master, but I'm not quite finished. You should only put these on a test server, as I may change data formats etc.
>
> I would be very curious to know if this fixes the issue.
>
> Otherwise or in addition, if you can show me the contents of your idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as to what is going wrong here, and fix it.
>
> Thanks,
>
> Andrew Bartlett

I assume

git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2

should be:

git checkout abartlet/fix-acls2 -b abartlet-fix-acls2

I'm rebuilding now, will keep you posted!

Thanks,
Alex
Re: [Samba] SYSVOL ACLs and GPOs
On 24/10/2012 17:25, Alex Matthews wrote:
> On 24/10/2012 12:09, Andrew Bartlett wrote:
>> On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
>>> Hi,
>>>
>>> I have installed a virtual testing network consisting of one samba4 PDC (latest git master) and one Windows XP Pro SP3 (fully updated) machine. I have successfully provisioned an AD Domain and joined the XP machine to it.
>>>
>>> When I run the gpmc on the XP Pro machine and select:
>>>
>>> Forest: domain name - Domains - domain name - Group Policy Objects - Default Domain [Controller | Policy]
>>>
>>> I get the following error:
>>>
>>> The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the SYSVOL permissions to those in Active Directory, click OK.
>>>
>>> Hitting OK I get no error, but as soon as I reselect THE SAME entry I get the same error; it doesn't seem to be able to fix the ACL.
>>>
>>> I have found one post about this on the list (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was fixed a long time ago. Seeing as I'm using the latest version I would assume this is a different issue.
>>>
>>> If I try to change any of the ACLs on either of the folders in \\pdc\sysvol\domain name\Policies\ by hand I get no errors, however the change doesn't stick.
>>>
>>> Looking at the samba log files:
>>>
>>> I get this when I start gpmc and click ok: http://pastebin.com/7rBKyU1B
>>> I get this when I start gpmc and don't click ok: http://pastebin.com/B3DMSE1T
>>> I get this when I alter the ACLs manually (after line 479 is when I actually alter the ACLs): http://pastebin.com/2mEvWX6K
>>>
>>> My smb.conf is stock. No alterations.
>>>
>>> The server OS is Ubuntu 12.04. The filesystem is ext4 mounted with the following options: errors=remount-ro,acl,user_xattr,barrier=1.
>>>
>>> I have all acl packages installed that I have seen referenced by samba or in posts of a similar nature.
>>
>> If you are in the mood for some testing, can you try my acl-fixes2 branch?
>>
>> git remote add abartlet git://git.samba.org/abartlet/samba.git
>> git fetch abartlet
>> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
>>
>> I'm trying to get these changes into master, but I'm not quite finished. You should only put these on a test server, as I may change data formats etc.
>>
>> I would be very curious to know if this fixes the issue.
>>
>> Otherwise or in addition, if you can show me the contents of your idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as to what is going wrong here, and fix it.
>>
>> Thanks,
>>
>> Andrew Bartlett
>
> I assume
>
> git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
>
> should be:
>
> git checkout abartlet/fix-acls2 -b abartlet-fix-acls2
>
> I'm rebuilding now, will keep you posted!
>
> Thanks,
> Alex

I have tried your branch. Rebuilt and the XP machine still throws the same issue.

Do I need to reprovision?

Thanks,
Alex
[Samba] DNS Domain Name vs Samba4 Domain Name vs NT4 Domain Name
Hi,

I am unclear on the relationship between the hostname, DNS domain, server's FQDN, NT4 domain name, etc.

Quoting the HOWTO:

For the rest of the HOWTO we will assume that your DNS domain name is samdom.example.com, your short (also known as NT4) domain name is samdom, your Samba server's hostname is samba and the IP Address of your Samba server is 192.168.1.2.

What is the standard when it comes to these? Using the example from the howto:

Samba server's name is: samba
Samba server's FQDN is: samba.samdom.example.com
DNS Domain is: samdom.example.com
Samba4 domain is: samdom.example.com
NT4 Domain is: samdom

Therefore, for my setup:

My samba server's name is: tainan
My samba server's FQDN is: tainan.internal.stmaryscollege.co.uk
My DNS domain is: internal.stmaryscollege.co.uk
Samba4 Domain is: ??? internal.stmaryscollege.co.uk ???
My NT4 Domain is: ??? internal ???

I currently have a s3 domain set up called SMC (I am _NOT_ going to attempt to migrate it to a samba4 domain). Does my NT4 domain have to be the first part of my Samba4 domain? Can I make the NT4 domain name SMC also?

Thanks,
Alex
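For reference, the names in the HOWTO's example correspond to these smb.conf parameters. This fragment is an added illustration, not output of an actual provision: `realm`, `workgroup` and `netbios name` are the standard parameter names, and the values are the HOWTO's example values. The realm is the DNS domain name (conventionally written in upper case, since it is also the Kerberos realm), while the NetBIOS domain name is set separately and is limited to 15 characters; the `--realm` and `--domain` options that `samba-tool domain provision` takes, as in the provisioning commands quoted earlier in this thread, set these two values independently of each other.

```ini
[global]
        # DNS domain name of the AD domain, which is also the Kerberos realm
        realm = SAMDOM.EXAMPLE.COM
        # short (NT4-style / NetBIOS) domain name; set independently of the realm
        workgroup = SAMDOM
        # this DC's own NetBIOS host name; its FQDN is this name plus the realm
        netbios name = SAMBA
```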