[Samba] SYSVOL ACLs and GPOs
Alex Matthews
I have installed a virtual testing network consisting of one samba4 PDC
(latest git master) and one Windows XP Pro SP3 (fully updated)machine.
I have successfully provisioned an AD Domain and joined the XP machine
to it.
When I run the gpmc on the XP Pro machine and select:
Forest: <domain name> -> Domains -> <domain name> -> Group Policy
Objects -> Default Domain [Controller | Policy]
I get the following error:
"The permissions for this GPO in the SYSVOL folder are inconsistent with
those in Active Directory.
It is recommended that these permissions be consistent.
To change the SYSVOL permissions to those in Active Directory, click OK."
Hitting ok I get no error but as soon as I reselect THE SAME entry I get
the same error, it doesn't seem to be able to fix the ACL.
I have found one post about this on the list
(https://bugzilla.samba.org/show_bug.cgi?id=5483)but apparently it was
"fixed" a long time ago.
Seeing as I'm using the latest version I would assume this is a
different issue.
If I try to change any of the ACLs on either of the folders in
\\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors however
the change doesn't stick.
Looking at the samba log files:
I get this when I start gpmc and click ok:
http://pastebin.com/7rBKyU1B
I get this when I start gpmc and don't click ok:
http://pastebin.com/B3DMSE1T
I get this when I alter the ACLs manually (after line 479 is when I
actually alter the ACLs):
http://pastebin.com/2mEvWX6K
My smb.conf is stock. No alterations.
The server OS is Ubuntu 12.04.
The filesystem is ext4 mounted with the following options:
"errors=remount-ro,acl,user_xattr,barrier=1".
I have all acl packages installed that I have seen referenced by samba
or in posts of a similar nature.
Thanks,
Alex
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
branch?
git remote add abartlet git://git.samba.org/abartlet/samba.git
git fetch abartlet
git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
I'm trying to get these changes into master, but I'm not quite finished.
You should only put these on a test server, as I may change data formats
etc.
I would be very curious to know if this fixes the issue.
Otherwise or in addition, if you can show me the contents of your
idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as what is
going wrong here, and fix it.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Alex Matthews
git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2
git checkout abartlet/fix-acls2 -b abartlet-fix-acls2
I'm rebuilding now, will keep you posted!
Thanks,
Alex
Alex Matthews
same issue.
Do I need to reprovision?
Andrew Bartlett
ACLs on disk.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Alex Matthews
No luck I'm afraid, still the same issue!
Thanks,
Alex
Andrew Bartlett
idmap.ldb?
What does 'samba-tool ntacl sysvolcheck' show?
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Alex Matthews
sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
[sudo] password for qoole:
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file
"/usr/local/samba/etc/smb.conf"
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
ldb_wrap open of idmap.ldb
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Module 'acl_xattr' loaded
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: VFS ACL on GPO directory
/usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
does not match expected value
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
from GPO object
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
line 245, in run
lp)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1574, in checksysvolacl
direct_db_access)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1526, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1476, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' % (acl_type(direct_db_access),
path, fsacl_sddl, acl))
idmap.ldb contains:
# ldbsearch -H idmap.ldb
# record 1
dn: CN=S-1-1-0
cn: S-1-1-0
objectClass: sidMap
objectSid:: AQEAAAAAAAEAAAAA
type: ID_TYPE_BOTH
xidNumber: 3000013
distinguishedName: CN=S-1-1-0
# record 2
dn: CN=CONFIG
cn: CONFIG
lowerBound: 3000000
upperBound: 4000000
xidNumber: 3000018
distinguishedName: CN=CONFIG
# record 3
dn: CN=S-1-5-11
cn: S-1-5-11
objectClass: sidMap
objectSid:: AQEAAAAAAAULAAAA
type: ID_TYPE_BOTH
xidNumber: 3000003
distinguishedName: CN=S-1-5-11
# record 4
dn: CN=S-1-5-9
cn: S-1-5-9
objectClass: sidMap
objectSid:: AQEAAAAAAAUJAAAA
type: ID_TYPE_BOTH
xidNumber: 3000010
distinguishedName: CN=S-1-5-9
# record 5
dn: CN=S-1-5-7
cn: S-1-5-7
objectClass: sidMap
objectSid:: AQEAAAAAAAUHAAAA
type: ID_TYPE_UID
xidNumber: 65534
distinguishedName: CN=S-1-5-7
# record 6
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-572
cn: S-1-5-21-3528014533-2888711523-1744986056-572
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoPAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000005
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-572
# record 7
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-520
cn: S-1-5-21-3528014533-2888711523-1744986056-520
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoCAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000004
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-520
# record 8
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-515
cn: S-1-5-21-3528014533-2888711523-1744986056-515
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAwIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000017
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-515
# record 9
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-514
cn: S-1-5-21-3528014533-2888711523-1744986056-514
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAgIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000012
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-514
# record 10
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-513
cn: S-1-5-21-3528014533-2888711523-1744986056-513
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAQIAAA==
type: ID_TYPE_GID
xidNumber: 100
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-513
# record 11
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-512
cn: S-1-5-21-3528014533-2888711523-1744986056-512
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoAAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000008
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-512
# record 12
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-501
cn: S-1-5-21-3528014533-2888711523-1744986056-501
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJo9QEAAA==
type: ID_TYPE_BOTH
xidNumber: 3000011
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-501
# record 13
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-500
cn: S-1-5-21-3528014533-2888711523-1744986056-500
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJo9AEAAA==
type: ID_TYPE_UID
xidNumber: 0
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-500
# record 14
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-1103
cn: S-1-5-21-3528014533-2888711523-1744986056-1103
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoTwQAAA==
type: ID_TYPE_BOTH
xidNumber: 3000016
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-1103
# record 15
dn: CN=S-1-5-32-545
cn: S-1-5-32-545
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAIQIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000009
distinguishedName: CN=S-1-5-32-545
# record 16
dn: CN=S-1-5-32-544
cn: S-1-5-32-544
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAIAIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000000
distinguishedName: CN=S-1-5-32-544
# record 17
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-519
cn: S-1-5-21-3528014533-2888711523-1744986056-519
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoBwIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000006
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-519
# record 18
dn: CN=S-1-5-21-3528014533-2888711523-1744986056-518
cn: S-1-5-21-3528014533-2888711523-1744986056-518
objectClass: sidMap
objectSid:: AQUAAAAAAAUVAAAAxTpJ0mM9LqzIXwJoBgIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000007
distinguishedName: CN=S-1-5-21-3528014533-2888711523-1744986056-518
# record 19
dn: CN=S-1-5-32-549
cn: S-1-5-32-549
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAJQIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000001
distinguishedName: CN=S-1-5-32-549
# record 20
dn: CN=S-1-5-18
cn: S-1-5-18
objectClass: sidMap
objectSid:: AQEAAAAAAAUSAAAA
type: ID_TYPE_BOTH
xidNumber: 3000002
distinguishedName: CN=S-1-5-18
# record 21
dn: CN=S-1-5-2
cn: S-1-5-2
objectClass: sidMap
objectSid:: AQEAAAAAAAUCAAAA
type: ID_TYPE_BOTH
xidNumber: 3000014
distinguishedName: CN=S-1-5-2
# record 22
dn: CN=S-1-5-32-546
cn: S-1-5-32-546
objectClass: sidMap
objectSid:: AQIAAAAAAAUgAAAAIgIAAA==
type: ID_TYPE_BOTH
xidNumber: 3000015
distinguishedName: CN=S-1-5-32-546
# returned 22 records
# 22 entries
# 0 referrals
Thanks,
Alex
Andrew Bartlett
> samba-tool ntacl sysvolcheck shows:
>
> sudo /usr/local/samba/bin/samba-tool ntacl sysvolcheck
So, assuming you have run 'samba-tool ntacl sysvolreset', this is indeed
the issue we have had for a while. I had (incorrectly in your case)
assumed the issue was that IDMAP mappings imported from classic domains
were breaking it. That's why I worked on my patches, which improve the
situation by handling some details at a lower level.
On my fix-acls2 branch, please run 'samba-tool ntacl sysvolreset' then
then, if you don't mind, getting me the level 10 debug log would be very
helpful. Set 'log level = 10' in your smb.conf, then re-run and send me
(personally) the result compressed with xz.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Andrew Bartlett
> with your fix-acls2 branch.
> It is also a completely blank provisioned domain I have not migrated
> anything.
>
> What do you want the logs of? Starting samba + logging in from XP +
> starting gpmc.msc + altering permissions manually?
Yeah, I was incredibly unclear: I need level 10 logs of just the
command 'samba-tool ntacl sysvolcheck' command, as that shows the issue
in a very nice, self-contained way.
Alex Matthews
with your fix-acls2 branch.
It is also a completely blank provisioned domain I have not migrated
anything.
What do you want the logs of? Starting samba + logging in from XP +
starting gpmc.msc + altering permissions manually?
Alex
Andrew Bartlett
What I mean is this:
When we store the NT ACL for the {12344...} folder, we store an xattr
with:
- the NT ACL we need to return to clients
- the hash of the posix ACL we set on disk (as read back from the OS)
When we do the sysvolcheck we fetch the xattr, read the hash and get the
posix ACL off disk again. On your host, these don't match!
Can you give me details about what your host is?
Just to be really sure we are doing this right, because I can't
reproduce this here, can you run:
bin/samba-tool domain provision --targetdir=/tmp/provision-root2
--realm=realm.com --domain=dom
Do this on master and on my fix-acls2 branch, with separate targetdir
for each, with this patch on top in both cases?
If that passes, can you give me the provision command you normally use,
and tell me if that fails?
If your normal command passes, then can you work out if there is a time
period involved before sysvolcheck fails? (that is, after X seconds it
fails). For this last thing, I'm clutching at caching straws, but this
is a real issue that we must get to the bottom of - beyond the AD DC,
the ACL facility we use here is critical to file server users in Samba
too.
Thanks,
Alex Matthews
Kernel = 3.2.0-32-generic
I have followed all posts I could find about ext4 filesystems+samba4
/ is mounted with the options: "acl,user_xattr,barrier=1" this is where
all the samba stuff is located.
What else would you like to know?
I am downloading/building now.
Thanks,
Alex
Alex Matthews
/root/samba_test/samba-master
/root/samba_test/samba-aclfix
/root/samba_test/build-master
/root/samba_test/build-aclfix
I ran:
build-master/bin/samba-tool domain provision
--targetdir=/root/samba_test/provision_master --realm=realm.com --domain=dom
build-aclfix/bin/samba-tool domain provision
--targetdir=/root/samba_test/provision_aclfix --realm=realm.com --domain=dom
however when I run:
build-{master|aclfix}/bin/samba-tool ntacl sysvolcheck
File
"/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/netcmd/__init__.py",
return self.run(*args, **kwargs)
File
line 240, in run
domain_sid = security.dom_sid(samdb.domain_sid)
File
"/root/samba_test/build_aclfix/lib/python2.7/site-packages/samba/samdb.py",
line 549, in get_domain_sid
return dsdb._samdb_get_domain_sid(self)
I assume this is due to the targetdir supplied in the provision step?
Thanks,
Alex
Alex Matthews
trees sysvolcheck passes everytime.
I have run sysvolreset as well and sysvolcheck passes still.
Andrew Bartlett
build_master/bin/samba-tool ntacl sysvolcheck
-s /root/samba_test/provision_master/etc/smb.conf
Thanks!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Olivier BILHAUT
Pleased to see that you figured this out.
We've got exactly the same problem from a blank provisioned domain (not
a migration), with a setup with 2 gpo. (Ubuntu 12.04 - S4 rc3).
Since our instance is in a semi-production environment, we'll wait for
your fix. But if needed, we could give you more level 10 logs.
Note that when the sysvolreset is launched and that sysvolcheck returns
no errors, then the windows clients can't "gpupdate" anymore on some gpo.
Note also that when syslvolreset isn't launched at S4 update, the
sysvolcheck command return the Alex's error but the client can update
their gpo.
Cheers and good luck.
-----------------------
*** Olivier B
*** Fondation de la Miséricorde
Andrew Bartlett
You said previously that sysvolcheck failed, and now it passes. I
suspect you will find your GPO issues have been solved too.
I'm not suggesting you are stuffing me about, I really want to know what
you can find as a difference, so we can narrow this down.
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Andrew Bartlett
> Hi Andrew, Hi Alex,
>
> Pleased to see that you figured this out.
> We've got exactly the same problem from a blank provisioned domain (not
> a migration), with a setup with 2 gpo. (Ubuntu 12.04 - S4 rc3).
> Since our instance is in a semi-production environment, we'll wait for
> your fix. But if needed, we could give you more level 10 logs.
>
> Note that when the sysvolreset is launched and that sysvolcheck returns
> no errors, then the windows clients can't "gpupdate" anymore on some gpo.
> Note also that when syslvolreset isn't launched at S4 update, the
> sysvolcheck command return the Alex's error but the client can update
> their gpo.
sysvolreset with this patch applied should fix that. steve noticed that
permissions were missing from the posix ACL that was generated.
(this patch is in master)
Alex Matthews
also just provision as normal and run the tests? Just makes it difficult
to "un-provision".
I did a bit of testing last night and sysvolcheck returns no errors
until the point that run the gpmc.msc on the XP domain member and click
ok to "fix" the inconsistent ACLs. At that point it returns the same
error. Running sysvolreset does not fix it either.
This is true, atleast, for the master branch, I haven't tested the
aclfix branch yet.
Thanks,
Alex
Alex Matthews
>
>> I'm assuming because of the way I laid my directory tree out I could
>> also just provision as normal and run the tests? Just makes it difficult
>> to "un-provision".
>>
>> I did a bit of testing last night and sysvolcheck returns no errors
>> until the point that run the gpmc.msc on the XP domain member and click
>> ok to "fix" the inconsistent ACLs. At that point it returns the same
>> error. Running sysvolreset does not fix it either.
> then the level 10 log of that sysvolcheck command?
>
> I'm particularly curious that a sysvolreset can't fix it.
>
> A network capture of what gpmc does may be instructive also.
>> This is true, atleast, for the master branch, I haven't tested the
>> aclfix branch yet.
>
> Given this info on the essential components involved (running gpmc.msc
> once seems key), I think I have the steps to reproduce this here, which
> I'll try tonight or tomorrow.
>
> Thanks,
>
> Andrew Bartlett
>
# bin/samba-tool ntacl sysvolcheck
ProvisioningError: VFS ACL on GPO directory
O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;ED)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;;0x00120089;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)(A;OICIIO;0x001f01ff;;;SY)
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
from GPO object
File
return self.run(*args, **kwargs)
File
lp)
File
direct_db_access)
File
domainsid, direct_db_access)
File
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' % (acl_type(direct_db_access),
path, fsacl_sddl, acl))
Do you want a wireshark packet log of GPMC or a samba level 10 log?
Andrew Bartlett
> also just provision as normal and run the tests? Just makes it difficult
> to "un-provision".
>
> I did a bit of testing last night and sysvolcheck returns no errors
> until the point that run the gpmc.msc on the XP domain member and click
> ok to "fix" the inconsistent ACLs. At that point it returns the same
> error. Running sysvolreset does not fix it either.
then the level 10 log of that sysvolcheck command?
I'm particularly curious that a sysvolreset can't fix it.
A network capture of what gpmc does may be instructive also.
> aclfix branch yet.
Given this info on the essential components involved (running gpmc.msc
once seems key), I think I have the steps to reproduce this here, which
I'll try tonight or tomorrow.
Thanks,
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Alex Matthews
same issue.
Do I need to reprovision?
Olivier BILHAUT
I Updated our S4 instance this morning with the updated git (master). We
still have a problem with one of our 3 GPO. But if I remove one of them,
the same error is displayed with any of the remaining GPO. I need to
remove them all to completely get rid of this message. I also noticed
that it begins always with a GPO applied to the computers, not the users.
Here's the level 10 log. Sorry if you feel my message imprecise, and
don't hesitate to ask me more information if needed. We'll be pleased to
contribute at our level.
set_conn_connectpath: service (null), connectpath = /
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
vfs_find_backend_entry called for /[Default VFS]/
Successfully loaded vfs module [/[Default VFS]/] with the new modules system
Initialising custom vfs hooks from [acl_xattr]
vfs_find_backend_entry called for acl_xattr
Successfully loaded vfs module [acl_xattr] with the new modules system
Initialising custom vfs hooks from [dfs_samba4]
vfs_find_backend_entry called for dfs_samba4
Successfully loaded vfs module [dfs_samba4] with the new modules system
get_nt_acl_internal:
name=/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
posix_fget_nt_acl: called for file
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
posix_get_nt_acl: called for file
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
uid 3000012 -> sid S-1-5-21-939380553-781147246-4131372059-512
gid 100 -> sid S-1-5-21-939380553-781147246-4131372059-513
uid 3000012 -> sid S-1-5-21-939380553-781147246-4131372059-512
gid 3000003 -> sid S-1-5-11
gid 3000010 -> sid S-1-5-21-939380553-781147246-4131372059-519
gid 3000012 -> sid S-1-5-21-939380553-781147246-4131372059-512
gid 3000026 -> sid S-1-5-18
gid 3000028 -> sid S-1-5-9
canonicalise_acl: Access ace entries before arrange :
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms ---
canon_ace index 1. Type = allow SID = S-1-5-9 gid 3000028 (3000028)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 2. Type = allow SID = S-1-5-18 gid 3000026 (3000026)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 3. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 gid 3000012 (Domain Admins)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 4. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-519 gid 3000010 (Enterprise
Admins) SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 5. Type = allow SID = S-1-5-11 gid 3000003 (3000003)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 6. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-513 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
canon_ace index 7. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER ace_flags = 0x0 perms rwx
canon_ace index 8. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
print_canon_ace_list: canonicalise_acl: ace entries after arrange
canon_ace index 0. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-513 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
canon_ace index 2. Type = allow SID = S-1-5-9 gid 3000028 (3000028)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 3. Type = allow SID = S-1-5-18 gid 3000026 (3000026)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 4. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 gid 3000012 (Domain Admins)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 5. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-519 gid 3000010 (Enterprise
Admins) SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 6. Type = allow SID = S-1-5-11 gid 3000003 (3000003)
SMB_ACL_GROUP ace_flags = 0x0 perms r--
canon_ace index 7. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER ace_flags = 0x0 perms rwx
canon_ace index 8. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms ---
uid 3000012 -> sid S-1-5-21-939380553-781147246-4131372059-512
gid 3000003 -> sid S-1-5-11
gid 3000010 -> sid S-1-5-21-939380553-781147246-4131372059-519
gid 3000012 -> sid S-1-5-21-939380553-781147246-4131372059-512
gid 3000026 -> sid S-1-5-18
gid 3000028 -> sid S-1-5-9
canonicalise_acl: Default ace entries before arrange :
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms ---
canon_ace index 1. Type = allow SID = S-1-5-9 gid 3000028 (3000028)
SMB_ACL_GROUP ace_flags = 0x0 perms r-x
canon_ace index 2. Type = allow SID = S-1-5-18 gid 3000026 (3000026)
SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 3. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 gid 3000012 (Domain Admins)
SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 4. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-519 gid 3000010 (Enterprise
Admins) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 5. Type = allow SID = S-1-5-11 gid 3000003 (3000003)
SMB_ACL_GROUP ace_flags = 0x0 perms r-x
canon_ace index 6. Type = allow SID = S-1-3-1 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
canon_ace index 7. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER ace_flags = 0x0 perms rwx
canon_ace index 8. Type = allow SID = S-1-3-0 uid 3000012 (3000012)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
print_canon_ace_list: canonicalise_acl: ace entries after arrange
canon_ace index 0. Type = allow SID = S-1-3-0 uid 3000012 (3000012)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
canon_ace index 1. Type = allow SID = S-1-3-1 gid 100 (users)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
canon_ace index 2. Type = allow SID = S-1-5-9 gid 3000028 (3000028)
SMB_ACL_GROUP ace_flags = 0x0 perms r-x
canon_ace index 3. Type = allow SID = S-1-5-18 gid 3000026 (3000026)
SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 4. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 gid 3000012 (Domain Admins)
SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 5. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-519 gid 3000010 (Enterprise
Admins) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
canon_ace index 6. Type = allow SID = S-1-5-11 gid 3000003 (3000003)
SMB_ACL_GROUP ace_flags = 0x0 perms r-x
canon_ace index 7. Type = allow SID =
S-1-5-21-939380553-781147246-4131372059-512 uid 3000012 (3000012)
SMB_ACL_USER ace_flags = 0x0 perms rwx
canon_ace index 8. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x0 perms ---
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
map_canon_ace_perms: Mapped (UNIX) 100 to (NT) 120089
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 80000
map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
map_canon_ace_perms: Mapped (UNIX) 140 to (NT) 1200a9
map_canon_ace_perms: Mapped (UNIX) 1c0 to (NT) 1f01ff
merge_default_aces: Merging ACE 11 onto ACE 0.
merge_default_aces: Merging ACE 13 onto ACE 6.
get_nt_acl_internal: blob hash does not match for file
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
- returning file system SD mapping.
get_nt_acl_internal: acl for blob hash for
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
is:
pdesc_next: struct security_descriptor
revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
type : 0x9004 (36868)
0: SEC_DESC_OWNER_DEFAULTED
0: SEC_DESC_GROUP_DEFAULTED
1: SEC_DESC_DACL_PRESENT
0: SEC_DESC_DACL_DEFAULTED
0: SEC_DESC_SACL_PRESENT
0: SEC_DESC_SACL_DEFAULTED
0: SEC_DESC_DACL_TRUSTED
0: SEC_DESC_SERVER_SECURITY
0: SEC_DESC_DACL_AUTO_INHERIT_REQ
0: SEC_DESC_SACL_AUTO_INHERIT_REQ
0: SEC_DESC_DACL_AUTO_INHERITED
0: SEC_DESC_SACL_AUTO_INHERITED
1: SEC_DESC_DACL_PROTECTED
0: SEC_DESC_SACL_PROTECTED
0: SEC_DESC_RM_CONTROL_VALID
1: SEC_DESC_SELF_RELATIVE
owner_sid : *
owner_sid :
S-1-5-21-939380553-781147246-4131372059-512
group_sid : *
group_sid :
S-1-5-21-939380553-781147246-4131372059-513
sacl : NULL
dacl : *
dacl: struct security_acl
revision : SECURITY_ACL_REVISION_NT4 (2)
size : 0x015c (348)
num_aces : 0x0000000d (13)
aces: ARRAY(13)
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-9
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-18
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-519
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-11
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-3-0
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00080000 (524288)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-3-1
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-9
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-18
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-519
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-11
get_nt_acl_internal: returning acl for
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
is:
psd: struct security_descriptor
revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
type : 0x8004 (32772)
0: SEC_DESC_OWNER_DEFAULTED
0: SEC_DESC_GROUP_DEFAULTED
1: SEC_DESC_DACL_PRESENT
0: SEC_DESC_DACL_DEFAULTED
0: SEC_DESC_SACL_PRESENT
0: SEC_DESC_SACL_DEFAULTED
0: SEC_DESC_DACL_TRUSTED
0: SEC_DESC_SERVER_SECURITY
0: SEC_DESC_DACL_AUTO_INHERIT_REQ
0: SEC_DESC_SACL_AUTO_INHERIT_REQ
0: SEC_DESC_DACL_AUTO_INHERITED
0: SEC_DESC_SACL_AUTO_INHERITED
0: SEC_DESC_DACL_PROTECTED
0: SEC_DESC_SACL_PROTECTED
0: SEC_DESC_RM_CONTROL_VALID
1: SEC_DESC_SELF_RELATIVE
owner_sid : *
owner_sid :
S-1-5-21-939380553-781147246-4131372059-512
group_sid : *
group_sid :
S-1-5-21-939380553-781147246-4131372059-513
sacl : NULL
dacl : *
dacl: struct security_acl
revision : SECURITY_ACL_REVISION_NT4 (2)
size : 0x015c (348)
num_aces : 0x0000000d (13)
aces: ARRAY(13)
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x03 (3)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-9
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-18
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-512
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-519
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x00 (0)
0: SEC_ACE_FLAG_OBJECT_INHERIT
0: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
0: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00120089 (1179785)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-11
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-3-0
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x00080000 (524288)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-3-1
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-9
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-18
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0024 (36)
access_mask : 0x001f01ff (2032127)
object : union
security_ace_object_ctr(case 0)
trustee :
S-1-5-21-939380553-781147246-4131372059-519
aces: struct security_ace
type :
SEC_ACE_TYPE_ACCESS_ALLOWED (0)
flags : 0x0b (11)
1: SEC_ACE_FLAG_OBJECT_INHERIT
1: SEC_ACE_FLAG_CONTAINER_INHERIT
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
1: SEC_ACE_FLAG_INHERIT_ONLY
0: SEC_ACE_FLAG_INHERITED_ACE
0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
0: SEC_ACE_FLAG_FAILED_ACCESS
size : 0x0014 (20)
access_mask : 0x001200a9 (1179817)
object : union
security_ace_object_ctr(case 0)
trustee : S-1-5-11
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
ProvisioningError: VFS ACL on GPO directory
/usr/local/samba/var/locks/sysvol/fhm.local/Policies/{55125C07-DD60-4797-B0BC-74F6CC63CFC6}
O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;DA)(A;;0x00120089;;;ED)(A;;0x00120089;;;SY)(A;;0x00120089;;;DA)(A;;0x00120089;;;EA)(A;;0x00120089;;;AU)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001200a9;;;ED)(A;OICIIO;0x001f01ff;;;SY)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001200a9;;;AU)
does not match expected value
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
from GPO object
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
line 245, in run
lp)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1575, in checksysvolacl
direct_db_access)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1526, in check_gpos_acl
domainsid, direct_db_access)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1476, in check_dir_acl
raise ProvisioningError('%s ACL on GPO directory %s %s does not
match expected value %s from GPO object' % (acl_type(direct_db_access),
path, fsacl_sddl, acl))
-----------------------
*** Olivier BILHAUT
*** Service Informatique
*** Fondation de la Miséricorde
*** Email : o.bi...@fondation-misericorde.fr
*** Tel : 02.31.38.50.50
*** Fax : 02.31.38.50.00
--
Alex Matthews
> On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
>>>> be a particular trigger - but it shouldn't be able to make a
>>>> modification that doesn't go via vfs_acl_xattr.
>>>>
>>>> For Alex, before running the Group Policy tools on WinXP, he gets (at
>>>> level 10 on samba-tool ntacl sysvolcheck):
>>>>
>>>> get_nt_acl_internal: blob hash matches for
>>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>
>>>> then after, he gets:
>>>> get_nt_acl_internal: blob hash does not match for
>>> Is this message from smbd, or from samba-tool ?
>> That's what vfs_acl_common is printing, being run from samba-tool ntacl
>> sysvolcheck. It links to the VFS layer.
> So this looks like it's running the Group Policy tools on WinXP
> that causes the problem ?
>
> Can we get a debug level 10 log of that activity going on
> against smbd ?
>
> Jeremy.
Ok I have some additional info.
Using the GPMC I cannot create new GPOs. I get the message: "This
security ID may not be assigned as the owner of this object"
If I use samba-tool gpo create I get the following:
# bin/samba-tool gpo create "SMC Students"
ERROR(ldb): uncaught exception - LDAP error 50
LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on
CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
File
"/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
return self.run(*args, **kwargs)
File
line 952, in run
self.samdb.add(m)
If I supply administrator as username I get:
# bin/samba-tool gpo create "SMC Students" -U administrator
Password for [SMC\administrator]:
ERROR(runtime): uncaught exception - (-1073741734,
'NT_STATUS_INVALID_OWNER')
File
"/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
return self.run(*args, **kwargs)
File
line 987, in run
conn.set_acl(sharepath, fs_sd, sio)
However this time it has successfully created the GPO. (GPMC still
throws the same warnings about inconsistent ACLs).
bin/samba-tool gpo create "SMC Students" -d 10: http://pastebin.com/tjutA68u
bin/samba-tool gpo create "SMC Students" -U administrator -d 10:
http://pastebin.com/8kkVEy7V
I would hazard a guess and say the GPMC error (when creating a GPO) is
the same error as the samba-tool error.
Thanks,
Alex
Andrew Bartlett
you remind me the history of this domain, is it the upgrade I was trying
to suggest you do, or a fresh provision?
If you can tell me what provision command-line you run, if it was
provisioned with an older version, which branch and git revision that
was and what branch and git revision as you running now?
I've tried to replicate this in 'make test' but failed (the tests pass).
The patch for that is attached for review.
Andrew Bartlett
> > On Thu, 2012-11-01 at 14:54 +0000, Alex Matthews wrote:
> > > On 30/10/2012 00:08, Jeremy Allison wrote:
> > > > On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
> > It is certainly very helpful to have this happen with samba-tool. Can
> > you remind me the history of this domain, is it the upgrade I was trying
> > to suggest you do, or a fresh provision?
> >
> > If you can tell me what provision command-line you run, if it was
> > provisioned with an older version, which branch and git revision that
> > was and what branch and git revision as you running now?
> >
> > I've tried to replicate this in 'make test' but failed (the tests pass).
> > The patch for that is attached for review.
I'll fix those up and push it.
> > diff --git a/source4/scripting/python/samba/tests/samba_tool/gpo.py b/source4/scripting/python/samba/tests/samba_tool/gpo.py
> > new file mode 100644
> > index 0000000..0cd39dc
> > --- /dev/null
> > +++ b/source4/scripting/python/samba/tests/samba_tool/gpo.py
> > @@ -0,0 +1,59 @@
> > +# Unix SMB/CIFS implementation.
> > +# Copyright (C) Andrew Bartlett 2012
> > +#
> > +# based on time.py:
> > +# Copyright (C) Sean Dague <sda...@linux.vnet.ibm.com> 2011
> > +#
> > +# This program is free software; you can redistribute it and/or modify
> > +# it under the terms of the GNU General Public License as published by
> > +# the Free Software Foundation; either version 3 of the License, or
> > +# (at your option) any later version.
> > +#
> > +# This program is distributed in the hope that it will be useful,
> > +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > +# GNU General Public License for more details.
> > +#
> > +# You should have received a copy of the GNU General Public License
> > +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> > +#
> > +
> > +import os
> > +from samba.tests.samba_tool.base import SambaToolCmdTest
> > +
> > +class GpoCmdTestCase(SambaToolCmdTest):
> > + """Tests for samba-tool time subcommands"""
> > +
> > + gpo_name = "testgpo"
> > +
> > + def test_gpo_list(self):
> > + """Run gpo list against the server and make sure it looks accurate"""
> > + (result, out, err) = self.runsubcmd("gpo", "listall", "-H", "ldap://%s" % os.environ["SERVER"])
> > + self.assertCmdSuccess(result, "Ensuring gpo listall ran successfully")
> > +
> > + def test_fetchfail(self):
> > + """Run against a non-existent GPO, and make sure it fails (this hard-coded UUID is very unlikely to exist"""
> > + (result, out, err) = self.runsubcmd("gpo", "fetch", "c25cac17-a02a-4151-835d-fae17446ee43", "-H", "ldap://%s" %
> > +os.environ["SERVER"])
> > + self.assertEquals(result, -1, "check for result code")
> > +
> > + def test_fetch(self):
> > + """Run against a real GPO, and make sure it passes"""
> > + (result, out, err) = self.runsubcmd("gpo", "fetch", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "--tmpdir", os.environ['SELFTEST_PREFIX'])
> > + self.assertCmdSuccess(result, "Ensuring gpo fetched successfully")
> > +
> > + def setUp(self):
> > + """set up a tempoary GPO to work with"""
> ^^^ temporary :-)
>
>
> > + super(GpoCmdTestCase, self).setUp()
> > + (result, out, err) = self.runsubcmd("gpo", "create", self.gpo_name, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
> > + self.gpo_guid = "{%s}" % out.split("{")[1].split("}")[0]
> > +
> > + self.assertCmdSuccess(result, "Ensuring gpo created successfully")
> > +
> > + def tearDown(self):
> > + """remote the tempoary GPO to work with"""
> ^^^ remove, temporary :-)
>
> > + (result, out, err) = self.runsubcmd("gpo", "del", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "-U%s%%%s" % (os.environ["USERNAME"], os.environ["PASSWORD"]))
> > + self.assertCmdSuccess(result, "Ensuring gpo deleted successfully")
> > + super(GpoCmdTestCase, self).tearDown()
> > +
> > +
> > diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
> > index ca5bdd3..61540d0 100755
> > --- a/source4/selftest/tests.py
> > +++ b/source4/selftest/tests.py
> > @@ -405,6 +405,8 @@ planpythontestsuite("dc:local", "samba.tests.dcerpc.bare")
> > planpythontestsuite("dc:local", "samba.tests.dcerpc.unix")
> > planpythontestsuite("dc:local", "samba.tests.dcerpc.srvsvc")
> > planpythontestsuite("dc:local", "samba.tests.samba_tool.timecmd")
> > +planpythontestsuite("dc:local", "samba.tests.samba_tool.gpo")
> > +planpythontestsuite("plugin_s4_dc:local", "samba.tests.samba_tool.gpo")
> Do we really need to run these tests against both environments? These
> tests ought to be testing that the samba-tool gpo subcommand works
> well, not our server side GPO support.
>
> As far as I know the gpo subcommands don't have any different
> behaviour for these two environments.
It's the only test we have at the moment for our server-side support
(being able to add the GPO, with a valid acl and owner etc).
Indeed, that was why I added it, because it was suggested this tool
showed up the issues we have been having (it didn't).
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Jelmer Vernooij
> > On 30/10/2012 00:08, Jeremy Allison wrote:
> > > On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
> It is certainly very helpful to have this happen with samba-tool. Can
> you remind me the history of this domain, is it the upgrade I was trying
> to suggest you do, or a fresh provision?
>
> If you can tell me what provision command-line you run, if it was
> provisioned with an older version, which branch and git revision that
> was and what branch and git revision as you running now?
>
> I've tried to replicate this in 'make test' but failed (the tests pass).
> The patch for that is attached for review.
> planpythontestsuite("dc:local", "samba.tests.samba_tool.user")
> planpythontestsuite("dc:local", "samba.tests.samba_tool.group")
Cheers,
Jelmer
Alex Matthews
> It is certainly very helpful to have this happen with samba-tool. Can
> you remind me the history of this domain, is it the upgrade I was trying
> to suggest you do, or a fresh provision?
>
> If you can tell me what provision command-line you run, if it was
> provisioned with an older version, which branch and git revision that
> was and what branch and git revision as you running now?
>
> I've tried to replicate this in 'make test' but failed (the tests pass).
> The patch for that is attached for review.
>
> Thanks,
>
> Andrew Bartlett
>
very beginning (I've heard it's a very good place to start).
I have set up two domains:
home.lillimoth.com - a test domain set up on virtual machines at home.
This domain has been provisioned from scratch.
internal.stmaryscollege.co.uk - a production domain at my work place.
This domain was migrated from a samba 3 domain.
My issue is that when I run gpmc (the group policy management console)
on a windows machine (XP or 7) and selected a gpo to edit I get the message:
"The permissions for this GPO in the SYSVOL folder are inconsistent with
those in Active Directory.
It is recommended that these permissions be consistent.
To change the SYSVOL permissions to those in Active Directory, click
This occurs on both domains.
Clicking 'ok' to the popup should correct the ACLs on the files/folders
it believes are incorrect.
Please note that before clicking 'ok' sysvolcheck passes with no errors
however after clicking it would fail with the following error:
"ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: VFS ACL on GPO directory
O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
This suggests that the gpmc did change the ACLs however when reselecting
the same GPO it pops up with the same message again!
Both servers have the correct mount options (user_xattr,acl) and acls
work when set manually.
I did some research into what the ACLs should be on the sysvol share and
came up with these: http://pastebin.com/sSURWrDf which were taken from a
WS2003 machine.
I have not yet attempted to set these on my S4 server but will try that
tonight.
The issue seems to revolve around:
Incorrect initial ACLs on the sysvol share and its subfolders.
The inability of the GPMC to correct the issue. Suggesting that
there is some issue setting ACLs on the sysvol share from a windows client.
There we a couple of issues with samba-tool creating GPOs but I will run
through those in an email later this evening when I have had chance to
test them on my test domain.
Alex Matthews
samba-tool ntacl set and got the following message:
/usr/local/samba/var/locks# ../../bin/samba-tool ntacl set
"D:AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)"
sysvol -d 2
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Processing section "[sysvol]"
Badly formatted SDDL
'AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)'
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to
parse SDDL
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
return self.run(*args, **kwargs)
File
line 90, in run
setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file,
use_ntvfs=use_ntvfs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
line 89, in setntacl
sd = security.descriptor.from_sddl(sddl, sid)
FA is listed on the Microsoft ACE String page as FILE_ALL_ACCESS
(http://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928(v=vs.85).aspx
<http://msdn.microsoft.com/en-gb/library/windows/desktop/aa374928%28v=vs.85%29.aspx>)
Is it correct that the sddl parser cannot parse FA?
Andrew Bartlett
You said earlier in the thread that you were going to look into this.
I'll continue to try and find angles on this, but did you get anywhere
with sorting out Alex's issues?
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Olivier BILHAUT
We're really pleased to announce that in this release (S4 rc5), the
sysvolreset command works fine and returns no errors.
The clients download their GPO fine, and the sysvolcheck return no error
as well !
So our problems with SYSVOL ACL are closed for the moment.
Thanks for your efforts.
-----------------------
*** OB
*** Service Informatique
*** Fondation de la Miséricorde
--