
SYSVOL ACLs, GPOs, other "Domain Admins" and root overrides for changing ownership and groups


Andrew Bartlett

Nov 13, 2012, 6:07:43 PM
I'm making some progress on the SYSVOL issue.

I've reinstalled my domain locally, and clicking on "Default Domain
Policy" in GPMC I get the "inconsistent SYSVOL ACLs" error. I also get
"access denied" when I try and fix them.

The changes I've made in my testing have been the reinstall, but also
that I'm now testing as a member of "Domain Admins", not
"Administrator".

Part of the reason is quite clear: The ACL calls from GPMC try to set
the ACL, chown and chgrp the file. This is permitted by the NT ACL, but
not by posix, and Samba strictly honours POSIX in almost all cases.

This happens because the file is owned by a group - so nobody actually
has 'owner' rights on it.

That covers set - but we also have errors on GET that might be simpler.
The GPMC client, over SMB2, asks for the DACL, but it isn't returned
(only user/group). I'll dig into this and send in traces if I can't find
why we get this wrong. This appears to be the first issue folks have
noticed.

Jeremy,

This puts us between a rock and a very hard place at this point in the
release cycle. I'm sorry to bring this up so late: I've been so
focused on building up the testsuite from the ground up, reinforcing the
posix ACL layer etc, that I've totally missed the need for major work on
owner and group handling here.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

Jeremy Allison

Nov 13, 2012, 6:26:34 PM
On Wed, Nov 14, 2012 at 10:07:43AM +1100, Andrew Bartlett wrote:
> I'm making some progress on the SYSVOL issue.
>
> I've reinstalled my domain locally, and clicking on "Default Domain
> Policy" in GPMC I get the "inconsistent SYSVOL ACLs" error. I also get
> "access denied" when I try and fix them.
>
> The changes I've made in my testing have been the reinstall, but also
> that I'm now testing as a member of "Domain Admins", not
> "Administrator".
>
> Part of the reason is quite clear: The ACL calls from GPMC try to set
> the ACL, chown and chgrp the file. This is permitted by the NT ACL, but
> not by posix, and Samba strictly honours POSIX in almost all cases.
>
> This happens because the file is owned by a group - so nobody actually
> has 'owner' rights on it.

There are cases where we override POSIX. Check out the lp_dos_filemode()
case in try_chown() and the acl_group_override() cases in source3/smbd/posix_acls.c.

It looks like we need to expand these to cover this particular case.

There's also the lp_profile_acls() flag which may be useful here. I
have no problem with different behavior on a share marked as SYSVOL.

Jeremy.
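To make the two posts above concrete, here is an added example (not Samba code, and not from either poster) that models the ownership check Andrew describes and the kind of override Jeremy points at. The POSIX side is the standard rule set: only a privileged process may change a file's owner, and only the owner may change its group, to a group they belong to. The `dos_filemode` flag is a simplified model of the lp_dos_filemode() idea (a caller with write access on the file is allowed to change ownership as the NT DACL would permit), not a reproduction of try_chown(); all numeric ids, the SYSVOL file's mode, and the "Domain Admins" mapping are constructed for the example.

```python
"""Why GPMC's owner/group change on a SYSVOL file fails under strict POSIX
rules, and how a write-access override lets it through.

Added example, not Samba code.  POSIX rules follow chown(2): changing the
owner needs privilege (CAP_CHOWN); changing the group is allowed for the
owner, to a group the owner is a member of.  The 'dos filemode' override is
a simplified model of the option's intent.  All ids are constructed.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: frozenset            # primary plus supplementary groups
    privileged: bool = False   # root / CAP_CHOWN


@dataclass(frozen=True)
class File:
    uid: int    # owner field; on SYSVOL this holds a *group's* mapped id
    gid: int
    mode: int   # POSIX permission bits, e.g. 0o770


def has_write(p: Principal, f: File) -> bool:
    """Classic owner / group / other write check."""
    if p.privileged:
        return True
    if p.uid == f.uid:
        return bool(f.mode & 0o200)
    if f.gid in p.gids:
        return bool(f.mode & 0o020)
    return bool(f.mode & 0o002)


def posix_can_chown(p: Principal, f: File, new_uid: int) -> bool:
    """Only privilege changes the owner; the owner may 'change' it to itself."""
    return p.privileged or (p.uid == f.uid and new_uid == f.uid)


def posix_can_chgrp(p: Principal, f: File, new_gid: int) -> bool:
    """The owner may move the file to a group they belong to; nobody else may."""
    return p.privileged or (p.uid == f.uid and new_gid in p.gids)


def can_set_owner(p: Principal, f: File, new_uid: int, new_gid: int,
                  dos_filemode: bool = False) -> bool:
    """Decide an NT 'set owner and group' request against POSIX.

    Strict POSIX: both sub-operations must be permitted on their own.
    dos_filemode (simplified model): a caller who has write access to the
    file is allowed to change its ownership even where the POSIX ownership
    rules would refuse.
    """
    strict = posix_can_chown(p, f, new_uid) and posix_can_chgrp(p, f, new_gid)
    if strict:
        return True
    return dos_filemode and has_write(p, f)


# Constructed ids.  The idmap has given the "Domain Admins" group an id that
# sits in the owner field of the SYSVOL file, so no user's uid matches it.
DOMAIN_ADMINS_XID = 3000000
ADMIN_UID = 3000010          # a member of Domain Admins

sysvol_file = File(uid=DOMAIN_ADMINS_XID, gid=DOMAIN_ADMINS_XID, mode=0o770)
domain_admin = Principal(uid=ADMIN_UID, gids=frozenset({DOMAIN_ADMINS_XID}))
root = Principal(uid=0, gids=frozenset({0}), privileged=True)
outsider = Principal(uid=4000001, gids=frozenset({4000001}))


def gpmc_fix_request(p: Principal, dos_filemode: bool = False) -> bool:
    """GPMC's 'fix ACLs' rewrites owner and group to Domain Admins (the same
    values already on the file) alongside the DACL."""
    return can_set_owner(p, sysvol_file, DOMAIN_ADMINS_XID, DOMAIN_ADMINS_XID,
                         dos_filemode)


if __name__ == "__main__":
    print("Domain Admin, strict POSIX :", gpmc_fix_request(domain_admin))
    print("Domain Admin, dos filemode :", gpmc_fix_request(domain_admin, True))
    print("root                       :", gpmc_fix_request(root))
    print("outsider, dos filemode     :", gpmc_fix_request(outsider, True))
```

The strict case fails even though the request changes nothing (owner and group are already Domain Admins): the caller is not the owner, because the owner field holds a group id, so neither the chown nor the chgrp half is allowed. The same request on a file whose owner field holds the caller's own uid passes strict POSIX, which is exactly the "owned by a group, so nobody has owner rights" point. The override restores the NT outcome for anyone the DACL gave write access, and still refuses a caller with no write access at all.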

Andrew Bartlett

Nov 13, 2012, 6:32:09 PM
We probably should just do it in general, if we are using the
vfs_acl_xattr stuff for real NT emulation.

In any case, can you look into what would be required to do this?

You might need to set up an AD domain and run GPMC, but that will
probably be worthwhile to get a good grasp and second set of developer
eyes on this anyway.

Thanks,