Re: [Samba] sysvolreset doesn't reset all ACLs

On Thu, 24 Aug 2017 12:03:42 +0200
Sven Schwedas via samba <samba@xxxxxxxxxxxxxxx> wrote:

> > root@graz-dc-1b:~# samba --version
> > Version 4.5.8-Debian
> > root@graz-dc-1b:~# samba-tool ntacl sysvolreset && echo "no error"
> > no error
> > root@graz-dc-1b:~# samba-tool ntacl sysvolcheck 
> > ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/ad.tao.at/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
> > O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > does not match expected value
> > O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> > from GPO object
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
> >     lp)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
> >     direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
> >     domainsid, direct_db_access)
> >   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
> >     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
> 
> Where does the error come from, and why doesn't sysvolreset fix it?
> 

Mainly because (from my testing) sysvolcheck/sysvolreset is broken. I
do not write 'C' code and the problem seems to be in set_nt_acl from
source3/smbd/posix_acls.c.
It doesn't set the correct ACL.

I have opened a bug for this:

https://bugzilla.samba.org/show_bug.cgi?id=12924

Even when this gets fixed, the python code will need work, because it
doesn't do what windows does. Also, anybody who has set a gidNumber on
Domain Admins will need to remove it: the group needs to own things in
sysvol and with a gidNumber it cannot.

The recommendation at the moment is to not use either sysvolreset or
sysvolcheck. Do everything from windows.

Rowland

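As an added illustration (not code from this thread or from Samba), a small Python check that parses the two SDDL strings from the sysvolcheck error quoted above and reports exactly which component differs, so an admin can see that the only mismatch is the owner (LA on disk versus DA expected). The ON_DISK and EXPECTED constants are constructed from the quoted values; SACL (S:) parts are parsed but ignored.

```python
import re
from collections import Counter

# Constructed sample: the on-disk SDDL and the expected SDDL from the
# sysvolcheck error above. They differ only in the owner: LA (local
# Administrator alias) on disk versus DA (Domain Admins) expected.
ON_DISK = ("O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
EXPECTED = "O:DA" + ON_DISK[len("O:LA"):]

# O:<owner>G:<group>D:<dacl>[S:<sacl>]; owner/group are two-letter aliases
# or S-1-... SIDs, so match lazily up to the next "G:" / "D:" marker.
_SDDL = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<dacl>.*?)(?:S:(?P<sacl>.*))?$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples."""
    m = _SDDL.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    dacl = m.group("dacl")
    first = dacl.find("(")
    flags = dacl if first < 0 else dacl[:first]   # e.g. "P" = protected, no inheritance
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl):
        # ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: %r" % body)
        aces.append((fields[0], fields[1], fields[2], fields[5]))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": flags, "aces": aces}

def diff_sddl(on_disk, expected):
    """Return human-readable differences; an empty list means the ACLs match."""
    a, e = parse_sddl(on_disk), parse_sddl(expected)
    out = []
    for key in ("owner", "group", "dacl_flags"):
        if a[key] != e[key]:
            out.append("%s: on disk %s, expected %s" % (key, a[key], e[key]))
    have, want = Counter(a["aces"]), Counter(e["aces"])  # multiset: duplicate DA ACE counts twice
    for ace in (want - have):
        out.append("missing ACE: %s" % ";".join(ace))
    for ace in (have - want):
        out.append("unexpected ACE: %s" % ";".join(ace))
    return out

if __name__ == "__main__":
    for line in diff_sddl(ON_DISK, EXPECTED) or ["ACLs match"]:
        print(line)
```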
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba