Message from discussion SYSVOL ACLs and GPOs

From: Alex Matthews <qoole.sa...@lillimoth.com>
Newsgroups: linux.samba
Subject: Re: [Samba] SYSVOL ACLs and GPOs
Date: Thu, 01 Nov 2012 16:00:01 +0100
List-ID: General questions regarding Samba <samba.lists.samba.org>
List-Archive: <http://lists.samba.org/pipermail/samba>
X-Original-Date: Thu, 01 Nov 2012 14:54:58 +0000

On 30/10/2012 00:08, Jeremy Allison wrote:
> On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
>>>> be a particular trigger - but it shouldn't be able to make a
>>>> modification that doesn't go via vfs_acl_xattr.
>>>>
>>>> For Alex, before running the Group Policy tools on WinXP, he gets (at
>>>> level 10 on samba-tool ntacl sysvolcheck):
>>>>
>>>> get_nt_acl_internal: blob hash matches for
>>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>
>>>> then after, he gets:
>>>>
>>>> get_nt_acl_internal: blob hash does not match for
>>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.
>>> Is this message from smbd, or from samba-tool ?
>> That's what vfs_acl_common is printing, being run from samba-tool ntacl
>> sysvolcheck.  It links to the VFS layer.
> So this looks like it's running the Group Policy tools on WinXP
> that causes the problem ?
>
> Can we get a debug level 10 log of that activity going on
> against smbd ?
>
> Jeremy.
Ok I have some additional info.

Using the GPMC I cannot create new GPOs. I get the message: "This 
security ID may not be assigned as the owner of this object"

If I use samba-tool gpo create I get the following:

# bin/samba-tool gpo create "SMC Students"
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS -  <dsdb_access: Access check failed on CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
    self.samdb.add(m)

If I supply administrator as username I get:

# bin/samba-tool gpo create "SMC Students" -U administrator
Password for [SMC\administrator]:
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 987, in run
    conn.set_acl(sharepath, fs_sd, sio)

However this time it has successfully created the GPO. (GPMC still 
throws the same warnings about inconsistent ACLs).

bin/samba-tool gpo create "SMC Students" -d 10: http://pastebin.com/tjutA68u
bin/samba-tool gpo create "SMC Students" -U administrator -d 10: http://pastebin.com/8kkVEy7V

I would hazard a guess and say the GPMC error (when creating a GPO) is 
the same error as the samba-tool error.

Thanks,

Alex