I have installed a virtual testing network consisting of one samba4 PDC (latest git master) and one Windows XP Pro SP3 (fully updated) machine.
I have successfully provisioned an AD Domain and joined the XP machine to it.
When I run the gpmc on the XP Pro machine and select:
Forest: <domain name> -> Domains -> <domain name> -> Group Policy Objects -> Default Domain [Controller | Policy]
I get the following error:
"The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory.
It is recommended that these permissions be consistent.
To change the SYSVOL permissions to those in Active Directory, click OK."
Hitting OK I get no error, but as soon as I reselect THE SAME entry I get the same error; it doesn't seem to be able to fix the ACL.
I have found one post about this on the list (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was "fixed" a long time ago.
Seeing as I'm using the latest version I would assume this is a different issue.
If I try to change any of the ACLs on either of the folders in \\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors; however, the change doesn't stick.
I get this when I alter the ACLs manually (after line 479 is when I actually alter the ACLs):
http://pastebin.com/2mEvWX6K
My smb.conf is stock. No alterations.
The server OS is Ubuntu 12.04.
The filesystem is ext4 mounted with the following options: "errors=remount-ro,acl,user_xattr,barrier=1".
I have all acl packages installed that I have seen referenced by samba or in posts of a similar nature.
On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
If you are in the mood for some testing, can you try my acl-fixes2
branch?
I'm trying to get these changes into master, but I'm not quite finished.
You should only put these on a test server, as I may change data formats
etc.
I would be very curious to know if this fixes the issue.
Otherwise or in addition, if you can show me the contents of your
idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess at what is
going wrong here, and fix it.
> On Thu, 2012-10-25 at 10:01 +0100, Alex Matthews wrote:
>> On 25/10/2012 02:31, Andrew Bartlett wrote:
>>> On Wed, 2012-10-24 at 18:36 +0100, Alex Matthews wrote:
>>>> On 24/10/2012 17:25, Alex Matthews wrote:
>>>>> On 24/10/2012 12:09, Andrew Bartlett wrote:
>>>>>> On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
> samba-tool ntacl sysvolcheck shows:
> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: VFS ACL on GPO directory
> /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
> does not match expected value
> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
> from GPO object
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 245, in run
>     lp)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1574, in checksysvolacl
>     direct_db_access)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1526, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1476, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
Drat.
So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed
the issue we have had for a while. I had (incorrectly in your case)
assumed the issue was that IDMAP mappings imported from classic domains
were breaking it. That's why I worked on my patches, which improve the
situation by handling some details at a lower level.
On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset'; then,
if you don't mind, getting me the level 10 debug log would be very
helpful. Set 'log level = 10' in your smb.conf, then re-run and send me
(personally) the result compressed with xz.
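The two descriptors in the quoted error are hard to compare by eye. The following Python is an added example, not part of the thread or of samba-tool: it parses both SDDL strings (copied from the error above with the mail wrapping removed) into owner, group, DACL/SACL flags and ACE sets, and reports exactly which entries the filesystem copy has, lacks, or flags differently from the GPO object.

```python
import re
from dataclasses import dataclass, astuple

# The two descriptors from the sysvolcheck error above, with the mail
# wrapping removed. FS_ACL is what the VFS read back from the SYSVOL policy
# directory; AD_ACL is what the GPO object in Active Directory expects.
FS_ACL = (
    "O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
    "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
    "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)"
)
AD_ACL = (
    "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
    "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

# SDDL sections are introduced by O: G: D: S:; colons appear nowhere else.
SECTION_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    """One six-field ACE: type;flags;rights;object_guid;inherit_guid;trustee."""
    ace_type: str      # A = access allowed, OU = object audit, ...
    flags: str         # OI/CI/IO/ID/SA inheritance and audit flags
    rights: str        # hex access mask or short form such as WP, WO
    object_guid: str
    inherit_guid: str
    trustee: str       # two-letter well-known alias (DA, EA, SY, ...) or a SID

    def __str__(self):
        return "(" + ";".join(astuple(self)) + ")"


def parse_acl_section(text):
    """'P(A;OICI;...)(...)' -> ('P', frozenset of Ace). Order and duplicate
    ACEs are deliberately ignored: the question here is which entries differ,
    not whether the ACL is in canonical order."""
    flags = text.split("(", 1)[0]
    aces = frozenset(Ace(*m.group(1).split(";")) for m in ACE_RE.finditer(text))
    return flags, aces


def parse_sddl(sddl):
    """Split a descriptor into owner, group, DACL and SACL; absent sections
    come back empty, as with the missing S: part of FS_ACL."""
    sd = {"owner": "", "group": "", "dacl_flags": "", "dacl": frozenset(),
          "sacl_flags": "", "sacl": frozenset()}
    for m in SECTION_RE.finditer(sddl):
        tag, body = m.group(1), m.group(2)
        if tag == "O":
            sd["owner"] = body
        elif tag == "G":
            sd["group"] = body
        elif tag == "D":
            sd["dacl_flags"], sd["dacl"] = parse_acl_section(body)
        else:
            sd["sacl_flags"], sd["sacl"] = parse_acl_section(body)
    return sd


def diff_acls(fs_sddl, ad_sddl):
    """Explain a 'does not match expected value' failure entry by entry."""
    fs, ad = parse_sddl(fs_sddl), parse_sddl(ad_sddl)
    return {
        "owner": (fs["owner"], ad["owner"]),
        "group": (fs["group"], ad["group"]),
        "dacl_flags": (fs["dacl_flags"], ad["dacl_flags"]),
        "sacl_flags": (fs["sacl_flags"], ad["sacl_flags"]),
        "dacl_only_on_fs": fs["dacl"] - ad["dacl"],
        "dacl_missing_on_fs": ad["dacl"] - fs["dacl"],
        "sacl_only_on_fs": fs["sacl"] - ad["sacl"],
        "sacl_missing_on_fs": ad["sacl"] - fs["sacl"],
    }


def acl_matches(fs_sddl, ad_sddl):
    """True when nothing differs, i.e. what a clean sysvolcheck requires."""
    for value in diff_acls(fs_sddl, ad_sddl).values():
        if isinstance(value, tuple):
            if value[0] != value[1]:
                return False
        elif value:
            return False
    return True


if __name__ == "__main__":
    for key, value in diff_acls(FS_ACL, AD_ACL).items():
        if isinstance(value, tuple):
            mark = "ok  " if value[0] == value[1] else "DIFF"
            print(f"{mark} {key}: fs={value[0]!r} ad={value[1]!r}")
        else:
            for ace in sorted(value, key=str):
                print(f"DIFF {key}: {ace}")
```

Run against the thread's two strings it shows that owner and group agree, that the on-disk DACL lacks the P (protected) flag and the whole SACL, and which six ACEs exist only on disk and which two only in AD.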
On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
> Just to be clear, those last two logs were taken from a samba compiled with your fix-acls2 branch.
> It is also a completely blank provisioned domain; I have not migrated anything.
> What do you want the logs of? Starting samba + logging in from XP + starting gpmc.msc + altering permissions manually?
Yeah, I was incredibly unclear: I need level 10 logs of just the
'samba-tool ntacl sysvolcheck' command, as that shows the issue
in a very nice, self-contained way.
> Drat.
> So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed
> the issue we have had for a while. I had (incorrectly in your case)
> assumed the issue was that IDMAP mappings imported from classic domains
> were breaking it. That's why I worked on my patches, which improve the
> situation by handling some details at a lower level.
> On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset'; then,
> if you don't mind, getting me the level 10 debug log would be very
> helpful. Set 'log level = 10' in your smb.conf, then re-run and send me
> (personally) the result compressed with xz.
> Andrew Bartlett
Just to be clear, those last two logs were taken from a samba compiled with your fix-acls2 branch.
It is also a completely blank provisioned domain; I have not migrated anything.
What do you want the logs of? Starting samba + logging in from XP + starting gpmc.msc + altering permissions manually?
On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote:
> Yeah, I was incredibly unclear: I need level 10 logs of just the
> 'samba-tool ntacl sysvolcheck' command, as that shows the issue
> in a very nice, self-contained way.
So, the issue is that this host doesn't return the ACL consistently.
What I mean is this:
When we store the NT ACL for the {12344...} folder, we store an xattr
with:
- the NT ACL we need to return to clients
- the hash of the posix ACL we set on disk (as read back from the OS)
When we do the sysvolcheck we fetch the xattr, read the hash and get the
posix ACL off disk again. On your host, these don't match!
Can you give me details about what your host is?
Just to be really sure we are doing this right, because I can't
reproduce this here, can you run:
Do this on master and on my fix-acls2 branch, with separate targetdir
for each, with this patch on top in both cases?
If that passes, can you give me the provision command you normally use,
and tell me if that fails?
If your normal command passes, then can you work out if there is a time
period involved before sysvolcheck fails? (that is, after X seconds it
fails). For this last thing, I'm clutching at caching straws, but this
is a real issue that we must get to the bottom of - beyond the AD DC,
the ACL facility we use here is critical to file server users in Samba
too.
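The scheme Andrew describes, as a simplified model in Python (an added example, not Samba's own VFS code): the xattr carries the NT ACL plus a hash of the posix ACL as read back from the OS, and the check rehashes whatever the OS returns now. The getfacl-style text form, the SHA-256 hash and the sample entries are assumptions of the model; the reordered case is constructed only to show what an inconsistently returned ACL does to the comparison, not as a diagnosis of Alex's host.

```python
import hashlib

# Constructed sample: the posix ACL of a SYSVOL policy directory in the text
# form getfacl prints. Samba hashes the ACL blob it gets from the VFS; this
# text form stands in for that blob in the model.
POSIX_ACL_ON_DISK = (
    "user::rwx\n"
    "group::r-x\n"
    "group:3000000:rwx\n"
    "group:3000001:r-x\n"
    "mask::rwx\n"
    "other::---\n"
)
# Same entries, different order: what a host that "doesn't return the ACL
# consistently" might hand back on the next read (constructed case).
POSIX_ACL_REORDERED = (
    "user::rwx\n"
    "group:3000001:r-x\n"
    "group:3000000:rwx\n"
    "group::r-x\n"
    "mask::rwx\n"
    "other::---\n"
)
# A real change made behind Samba's back, e.g. chmod o+rx on the directory.
POSIX_ACL_CHANGED = POSIX_ACL_ON_DISK.replace("other::---", "other::r-x")

# The NT ACL the xattr must hand back to Windows clients (shortened from the
# Default Domain Policy descriptor quoted earlier in the thread).
NT_ACL = "O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;AU)"


def posix_hash(acl_text):
    """Hash of the posix ACL exactly as the OS returned it."""
    return hashlib.sha256(acl_text.encode()).hexdigest()


def canonical_posix_hash(acl_text):
    """Hash of the entries in sorted order, so that entry order alone can
    never invalidate the stored NT ACL (a mitigation added in this model)."""
    entries = sorted(line for line in acl_text.splitlines() if line)
    return posix_hash("\n".join(entries) + "\n")


def store_nt_acl(nt_sddl, posix_acl_text, hash_fn=posix_hash):
    """Build the xattr payload: the NT ACL for clients plus the hash of the
    posix ACL that was on disk at the moment the NT ACL was stored."""
    return {"nt_sddl": nt_sddl, "posix_hash": hash_fn(posix_acl_text)}


def read_nt_acl(xattr, posix_acl_now, hash_fn=posix_hash):
    """The sysvolcheck step: rehash the posix ACL the OS returns now and
    compare with the hash stored beside the NT ACL.

    Returns (trusted, sddl). On a mismatch the stored NT ACL is discarded;
    a server then falls back to an ACL derived from the posix bits, which is
    what surfaces as 'does not match expected value ... from GPO object'."""
    if hash_fn(posix_acl_now) == xattr["posix_hash"]:
        return True, xattr["nt_sddl"]
    return False, None


if __name__ == "__main__":
    for name, fn in (("raw hash", posix_hash), ("canonical hash", canonical_posix_hash)):
        xattr = store_nt_acl(NT_ACL, POSIX_ACL_ON_DISK, fn)
        for label, now in (("unchanged", POSIX_ACL_ON_DISK),
                           ("reordered", POSIX_ACL_REORDERED),
                           ("changed", POSIX_ACL_CHANGED)):
            trusted, _ = read_nt_acl(xattr, now, fn)
            print(f"{name:15} {label:10} -> {'NT ACL trusted' if trusted else 'MISMATCH'}")
```

With the raw hash any byte-level difference in what the OS returns, including pure reordering, throws the stored NT ACL away; the canonical variant keeps it through a reorder while still catching the genuine change.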
> On Thu, 2012-10-25 at 21:48 +1100, Andrew Bartlett wrote:
>> On Thu, 2012-10-25 at 11:41 +0100, Alex Matthews wrote:
>>> On 25/10/2012 11:30, Andrew Bartlett wrote:
>>>> On Thu, 2012-10-25 at 10:32 +0100, Alex Matthews wrote:
>>>>> samba-tool ntacl sysvolcheck shows:
>>>>> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
>>>>> ProvisioningError: VFS ACL on GPO directory
>>>>> /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
>>>>> O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
>>>>> does not match expected value
>>>>> O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
>>>>> from GPO object
>>>>> File
>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>>>> line 175, in _run
>>>>> return self.run(*args, **kwargs)
>>>>> File
>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>>>>> line 245, in run
>>>>> lp)
>>>>> File
>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>> line 1574, in checksysvolacl
>>>>> direct_db_access)
>>>>> File
>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>> line 1526, in check_gpos_acl
>>>>> domainsid, direct_db_access)
>>>>> File
>>>>> "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>> line 1476, in check_dir_acl
>>>>> raise ProvisioningError('%s ACL on GPO directory %s %s does not
>>>>> match expected value %s from GPO object' % (acl_type(direct_db_access),
>>>>> path, fsacl_sddl, acl))
>>>> Drat.
>>>> So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed
>>>> the issue we have had for a while. I had (incorrectly in your case)
>>>> assumed the issue was that IDMAP mappings imported from classic domains
>>>> were breaking it. That's why I worked on my patches, which improve the
>>>> situation by handling some details at a lower level.
>>>> On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' then
>>>> then, if you don't mind, getting me the level 10 debug log would be very
>>>> helpful. Set 'log level = 10' in your smb.conf, then re-run and send me
>>>> (personally) the result compressed with xz.
>>>> Andrew Bartlett
>>> Just to be clear, those last two logs were taken from a samba compiled
>>> with your fix-acls2 branch.
>>> It is also a completely blank provisioned domain I have not migrated
>>> anything.
>>> What do you want the logs of? Starting samba + logging in from XP +
>>> starting gpmc.msc + altering permissions manually?
>> Yeah, I was incredibly unclear: I need level 10 logs of just the
>> 'samba-tool ntacl sysvolcheck' command, as that shows the issue
>> in a very nice, self-contained way.
> So, the issue is that this host doesn't return the ACL consistently.
> What I mean is this:
> When we store the NT ACL for the {12344...} folder, we store an xattr
> with:
> - the NT ACL we need to return to clients
> - the hash of the posix ACL we set on disk (as read back from the OS)
> When we do the sysvolcheck we fetch the xattr, read the hash and get the
> posix ACL off disk again. On your host, these don't match!
> Can you give me details about what your host is?
> Just to be really sure we are doing this right, because I can't
> reproduce this here, can you run:
> Do this on master and on my fix-acls2 branch, with separate targetdir
> for each, with this patch on top in both cases?
> If that passes, can you give me the provision command you normally use,
> and tell me if that fails?
> If your normal command passes, then can you work out if there is a time
> period involved before sysvolcheck fails? (that is, after X seconds it
> fails). For this last thing, I'm clutching at caching straws, but this
> is a real issue that we must get to the bottom of - beyond the AD DC,
> the ACL facility we use here is critical to file server users in Samba
> too.
> Thanks,
> Andrew Bartlett
My host is a VirtualBox VM running Ubuntu 12.04 LTS Server.
Kernel = 3.2.0-32-generic
I have followed all posts I could find about ext4 filesystems + samba4.
/ is mounted with the options "acl,user_xattr,barrier=1"; this is where all the samba stuff is located.
> Do this on master and on my fix-acls2 branch, with separate targetdir
> for each, with this patch on top in both cases?
> If that passes, can you give me the provision command you normally use,
> and tell me if that fails?
> If your normal command passes, then can you work out if there is a time
> period involved before sysvolcheck fails? (that is, after X seconds it
> fails). For this last thing, I'm clutching at caching straws, but this
> is a real issue that we must get to the bottom of - beyond the AD DC,
> the ACL facility we use here is critical to file server users in Samba
> too.
however when I run:
build-{master|aclfix}/bin/samba-tool ntacl sysvolcheck
I get the following error:
ERROR(runtime): uncaught exception - samdb_domain_sid failed
File "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 240, in run
domain_sid = security.dom_sid(samdb.domain_sid)
File "/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/samdb.py", line 549, in get_domain_sid
return dsdb._samdb_get_domain_sid(self)
I assume this is due to the targetdir supplied in the provision step?
> On 25/10/2012 23:27, Andrew Bartlett wrote:
Instead of using targetdir I just ran the provision as is, and on both trees sysvolcheck passes every time.
I have run sysvolreset as well and sysvolcheck still passes.
-- To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
On Fri, 2012-10-26 at 00:34 +0100, Alex Matthews wrote:
Hi Andrew, Hi Alex,
Pleased to see that you figured this out.
We've got exactly the same problem on a blank provisioned domain (not a migration), with a setup of 2 GPOs (Ubuntu 12.04 - S4 rc3).
Since our instance is in a semi-production environment, we'll wait for your fix. But if needed, we could give you more level 10 logs.
Note that when sysvolreset is run and sysvolcheck returns no errors, the Windows clients can't "gpupdate" some GPOs anymore.
Note also that when sysvolreset isn't run at the S4 update, the sysvolcheck command returns Alex's error but the clients can update their GPOs.
Cheers and good luck.
-----------------------
*** Olivier B
*** Fondation de la Miséricorde
On Fri, 2012-10-26 at 00:49 +0100, Alex Matthews wrote:
> Instead of using targetdir I just ran the provision as is, and on both
> trees sysvolcheck passes every time.
> I have run sysvolreset as well and sysvolcheck still passes.
So, what changed?
You said previously that sysvolcheck failed, and now it passes. I
suspect you will find your GPO issues have been solved too.
I'm not suggesting you are stuffing me about, I really want to know what
you can find as a difference, so we can narrow this down.
On Fri, 2012-10-26 at 09:36 +0200, Olivier BILHAUT wrote:
> Hi Andrew, Hi Alex,
> Pleased to see that you figured this out.
> We've got exactly the same problem on a blank provisioned domain (not
> a migration), with a setup of 2 GPOs (Ubuntu 12.04 - S4 rc3).
> Since our instance is in a semi-production environment, we'll wait for
> your fix. But if needed, we could give you more level 10 logs.
> Note that when sysvolreset is run and sysvolcheck returns no errors,
> the Windows clients can't "gpupdate" some GPOs anymore.
> Note also that when sysvolreset isn't run at the S4 update, the
> sysvolcheck command returns Alex's error but the clients can update
> their GPOs.
This I think is the umask issue I addressed with this patch. A
sysvolreset with this patch applied should fix that. steve noticed that
permissions were missing from the posix ACL that was generated.
I'm assuming that, because of the way I laid my directory tree out, I could also just provision as normal and run the tests? It just makes it difficult to "un-provision".
I did a bit of testing last night and sysvolcheck returns no errors until the point that I run gpmc.msc on the XP domain member and click OK to "fix" the inconsistent ACLs. At that point it returns the same error. Running sysvolreset does not fix it either.
This is true, at least, for the master branch; I haven't tested the aclfix branch yet.
> On Fri, 2012-10-26 at 10:44 +0100, Alex Matthews wrote:
>> I'm assuming because of the way I laid my directory tree out I could
>> also just provision as normal and run the tests? Just makes it difficult
>> to "un-provision".
>> I did a bit of testing last night and sysvolcheck returns no errors
>> until the point that run the gpmc.msc on the XP domain member and click
>> ok to "fix" the inconsistent ACLs. At that point it returns the same
>> error. Running sysvolreset does not fix it either.
> OK. This is more interesting. Can you show me first the output, and
> then the level 10 log of that sysvolcheck command?
> I'm particularly curious that a sysvolreset can't fix it.
> A network capture of what gpmc does may be instructive also.
>> This is true, at least, for the master branch, I haven't tested the
>> aclfix branch yet.
> OK.
> Given this info on the essential components involved (running gpmc.msc
> once seems key), I think I have the steps to reproduce this here, which
> I'll try tonight or tomorrow.
> Thanks,
> Andrew Bartlett
# bin/samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: VFS ACL on GPO directory /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;ED)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object
File "/root/samba_test/build_master/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/root/samba_test/build_master/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 245, in run
lp)
File "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py", line 1574, in checksysvolacl
direct_db_access)
File "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py", line 1526, in check_gpos_acl
domainsid, direct_db_access)
File "/root/samba_test/build_master/lib/python2.7/site-packages/samba/provision/__init__.py", line 1476, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
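The two descriptors in the error above can be compared entry by entry with a small dependency-free SDDL splitter. This is an added example, not samba-tool's own check (Samba parses SDDL through its security descriptor library); the two strings are the ones from the error message with the mail wrapping removed, and the splitter only handles the subset of SDDL they use.

```python
"""Compare the on-disk and expected GPO directory descriptors from a
sysvolcheck failure, entry by entry (added example, not Samba code)."""
import re

_SECTION_RE = re.compile(r"([OGDS]):")      # O:owner G:group D:dacl S:sacl
_ACE_RE = re.compile(r"\(([^)]*)\)")        # one parenthesised ACE


def parse_sddl(sddl):
    """Split SDDL into owner, group, and (flags, [ACE strings]) for D: and S:.
    Sufficient here because SIDs, aliases and GUIDs never contain ':'."""
    parts = {}
    marks = list(_SECTION_RE.finditer(sddl))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(sddl)
        body = sddl[m.end():end]
        if m.group(1) in "OG":
            parts[m.group(1)] = body        # SID alias such as DA / DU
        else:
            # control flags ('P' = protected, 'AI' = auto-inherited) are
            # whatever is left once the parenthesised ACEs are stripped
            parts[m.group(1)] = (_ACE_RE.sub("", body), _ACE_RE.findall(body))
    return parts


def diff_descriptors(actual, expected):
    """Report how the file-system SD differs from the one built from AD."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    a_flags, a_aces = a.get("D", ("", []))
    e_flags, e_aces = e.get("D", ("", []))
    return {
        "owner_match": a.get("O") == e.get("O"),
        "group_match": a.get("G") == e.get("G"),
        "dacl_flags": (a_flags, e_flags),
        "unexpected_aces": sorted(set(a_aces) - set(e_aces)),
        "missing_aces": sorted(set(e_aces) - set(a_aces)),
        "sacl_missing": "S" in e and "S" not in a,
    }


# The two descriptors from the sysvolcheck error above (wrapping removed).
ON_DISK = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)"
           "(A;;0x00120089;;;ED)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)"
           "(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
           "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY)")
FROM_AD = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI"
           "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
           "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
           "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
           "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

if __name__ == "__main__":
    for key, value in diff_descriptors(ON_DISK, FROM_AD).items():
        print(key, value)
```

The output makes the shape of the mismatch visible: the on-disk DACL lacks the P (protected) flag and the SACL entirely, and carries the split read-only plus inherit-only entries that a POSIX ACL maps to instead of the single OICI entries AD expects.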
On Fri, 2012-10-26 at 10:44 +0100, Alex Matthews wrote:
> I'm assuming because of the way I laid my directory tree out I could
> also just provision as normal and run the tests? Just makes it difficult
> to "un-provision".
> I did a bit of testing last night and sysvolcheck returns no errors
> until the point that I run gpmc.msc on the XP domain member and click
> ok to "fix" the inconsistent ACLs. At that point it returns the same
> error. Running sysvolreset does not fix it either.
OK. This is more interesting. Can you show me first the output, and
then the level 10 log of that sysvolcheck command?
I'm particularly curious that a sysvolreset can't fix it.
A network capture of what gpmc does may be instructive also.
> This is true, at least, for the master branch, I haven't tested the
> aclfix branch yet.
OK.
Given this info on the essential components involved (running gpmc.msc
once seems key), I think I have the steps to reproduce this here, which
I'll try tonight or tomorrow.
> On 24/10/2012 12:09, Andrew Bartlett wrote:
>> On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
>>> Hi,
>>> I have installed a virtual testing network consisting of one samba4 PDC
>>> (latest git master) and one Windows XP Pro SP3 (fully updated) machine.
>>> I have successfully provisioned an AD Domain and joined the XP machine
>>> to it.
>>> When I run the gpmc on the XP Pro machine and select:
>>> Forest: <domain name> -> Domains -> <domain name> -> Group Policy
>>> Objects -> Default Domain [Controller | Policy]
>>> I get the following error:
>>> "The permissions for this GPO in the SYSVOL folder are inconsistent
>>> with those in Active Directory.
>>> It is recommended that these permissions be consistent.
>>> To change the SYSVOL permissions to those in Active Directory, click
>>> OK."
>>> Hitting ok I get no error but as soon as I reselect THE SAME entry I
>>> get the same error, it doesn't seem to be able to fix the ACL.
>>> I have found one post about this on the list
>>> (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was
>>> "fixed" a long time ago.
>>> Seeing as I'm using the latest version I would assume this is a
>>> different issue.
>>> If I try to change any of the ACLs on either of the folders in
>>> \\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors however
>>> the change doesn't stick.
>>> I get this when I alter the ACLs manually (after line 479 is when I
>>> actually alter the ACLs):
>>> http://pastebin.com/2mEvWX6K
>>> My smb.conf is stock. No alterations.
>>> The server OS is Ubuntu 12.04.
>>> The filesystem is ext4 mounted with the following options:
>>> "errors=remount-ro,acl,user_xattr,barrier=1".
>>> I have all acl packages installed that I have seen referenced by samba
>>> or in posts of a similar nature.
>> If you are in the mood for some testing, can you try my acl-fixes2
>> branch?
>> I'm trying to get these changes into master, but I'm not quite finished.
>> You should only put these on a test server, as I may change data formats
>> etc.
>> I would be very curious to know if this fixes the issue.
>> Otherwise or in addition, if you can show me the contents of your
>> idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as what is
>> going wrong here, and fix it.
I updated our S4 instance this morning with the updated git (master). We still have a problem with one of our 3 GPOs. But if I remove one of them, the same error is displayed with any of the remaining GPOs. I need to remove them all to completely get rid of this message. I also noticed that it always begins with a GPO applied to the computers, not the users.
Here's the level 10 log. Sorry if you find my message imprecise, and don't hesitate to ask me for more information if needed. We'll be pleased to contribute at our level.
...
> On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
>>>> be a particular trigger - but it shouldn't be able to make a
>>>> modification that doesn't go via vfs_acl_xattr.
>>>> For Alex, before running the Group Policy tools on WinXP, he gets (at
>>>> level 10 on samba-tool ntacl sysvolcheck):
>>>> get_nt_acl_internal: blob hash matches for
>>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>> then after, he gets:
>>>> get_nt_acl_internal: blob hash does not match for
>>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.
>>> Is this message from smbd, or from samba-tool ?
>> That's what vfs_acl_common is printing, being run from samba-tool ntacl
>> sysvolcheck. It links to the VFS layer.
> So this looks like it's running the Group Policy tools on WinXP
> that causes the problem ?
> Can we get a debug level 10 log of that activity going on
> against smbd ?
> Jeremy.
Ok I have some additional info.
Using the GPMC I cannot create new GPOs. I get the message: "This security ID may not be assigned as the owner of this object"
If I use samba-tool gpo create I get the following:
# bin/samba-tool gpo create "SMC Students"
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
self.samdb.add(m)
If I supply administrator as username I get:
# bin/samba-tool gpo create "SMC Students" -U administrator
Password for [SMC\administrator]:
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 987, in run
conn.set_acl(sharepath, fs_sd, sio)
However this time it has successfully created the GPO. (GPMC still throws the same warnings about inconsistent ACLs).