Bug 10206 - "Access Denied" prevents GPOs from being applied.
Summary: "Access Denied" prevents GPOs from being applied.
Status: RESOLVED INVALID
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-15 12:30 UTC by Alex Matthews
Modified: 2013-10-15 15:18 UTC (History)
0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Matthews 2013-10-15 12:30:35 UTC 
Hi,

I have two ADDCs providing an AD Domain (internal.stmaryscollege.co.uk (short-name 'SMC')). Servers are called 'ad-01' and 'tainan'. ad-01 is 'Version 4.0.10' and tainan is 'Version 4.1.0' (the latest version in the package repos of the respective OSs (arch and gentoo))

I have created a simple script that synchronises the two sysvol shares (using rsync) that I run manually when I make a change to a GPO.

However, I have found that even after running `samba-tool ntacl sysvolreset` I still get 'Access Denied' or the more long winded: 'Configuration information could not be read from the domain controller, either because the machine is unavailable or access has been denied.' when accessing some 'gpt.ini' files.


This is the level 10 log for the shorter 'access denied' message:


[2013/10/10 16:31:15.371698, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../lib/util/util.c:512(dump_data)
  [0000] 00 00 00 EC 03 00 00 00   00 5C 00 69 00 6E 00 74 ...ì.... .\.i.n.t
  [0010] 00 65 00 72 00 6E 00 61   00 6C 00 2E 00 73 00 74 .e.r.n.a .l...s.t
  [0020] 00 6D 00 61 00 72 00 79   00 73 00 63 00 6F 00 6C .m.a.r.y .s.c.o.l
  [0030] 00 6C 00 65 00 67 00 65   00 2E 00 63 00 6F 00 2E .l.e.g.e ...c.o..
  [0040] 00 75 00 6B 00 5C 00 50   00 6F 00 6C 00 69 00 63 .u.k.\.P .o.l.i.c
  [0050] 00 69 00 65 00 73 00 5C   00 7B 00 46 00 33 00 44 .i.e.s.\ .{.F.3.D
  [0060] 00 46 00 30 00 42 00 43   00 33 00 2D 00 41 00 44 .F.0.B.C .3.-.A.D
  [0070] 00 30 00 46 00 2D 00 34   00 38 00 36 00 32 00 2D .0.F.-.4 .8.6.2.-
  [0080] 00 42 00 32 00 43 00 42   00 2D 00 37 00 41 00 33 .B.2.C.B .-.7.A.3
  [0090] 00 33 00 32 00 45 00 30   00 44 00 42 00 30 00 43 .3.2.E.0 .D.B.0.C
  [00A0] 00 45 00 7D 00 5C 00 67   00 70 00 74 00 2E 00 69 .E.}.\.g .p.t...i
  [00B0] 00 6E 00 69 00 00 00                              .n.i...
[2013/10/10 16:31:15.372061,  3, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/process.c:1398(switch_message)
  switch message SMBtrans2 (pid 2507) conn 0x7f20cd1affc0
[2013/10/10 16:31:15.372099,  4, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/uid.c:384(change_to_user)
  Skipping user change - already user
[2013/10/10 16:31:15.372141,  3, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/trans2.c:5337(call_trans2qfilepathinfo)
  call_trans2qfilepathinfo: TRANSACT2_QPATHINFO: level = 1004
[2013/10/10 16:31:15.372187,  5, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/filename.c:258(unix_convert)
  unix_convert called on file "internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini"
[2013/10/10 16:31:15.372237, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/statcache.c:244(stat_cache_lookup)
  stat_cache_lookup: lookup failed for name [INTERNAL.STMARYSCOLLEGE.CO.UK/POLICIES/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/GPT.INI]
[2013/10/10 16:31:15.372278, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/statcache.c:244(stat_cache_lookup)
  stat_cache_lookup: lookup failed for name [INTERNAL.STMARYSCOLLEGE.CO.UK/POLICIES/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}]
[2013/10/10 16:31:15.372315, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/statcache.c:244(stat_cache_lookup)
  stat_cache_lookup: lookup failed for name [INTERNAL.STMARYSCOLLEGE.CO.UK/POLICIES]
[2013/10/10 16:31:15.372351, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/statcache.c:244(stat_cache_lookup)
  stat_cache_lookup: lookup failed for name [INTERNAL.STMARYSCOLLEGE.CO.UK]
[2013/10/10 16:31:15.372390,  5, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/filename.c:421(unix_convert)
  unix_convert begin: name = internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini, dirpath = , start = internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini
[2013/10/10 16:31:15.372445, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled)
  is_mangled internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini ?
[2013/10/10 16:31:15.372483, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
  is_mangled_component internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini (len 29) ?
[2013/10/10 16:31:15.372520, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
  is_mangled_component Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini (len 8) ?
[2013/10/10 16:31:15.372555, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
  is_mangled_component {F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini (len 38) ?
[2013/10/10 16:31:15.372591, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
  is_mangled_component gpt.ini (len 7) ?
[2013/10/10 16:31:15.372638,  5, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/statcache.c:143(stat_cache_add)
  stat_cache_add: Added entry (7f20cd6d0000:size 1d) INTERNAL.STMARYSCOLLEGE.CO.UK -> internal.stmaryscollege.co.uk
[2013/10/10 16:31:15.372685,  5, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/statcache.c:143(stat_cache_add)
  stat_cache_add: Added entry (7f20cd6d0080:size 26) INTERNAL.STMARYSCOLLEGE.CO.UK/POLICIES -> internal.stmaryscollege.co.uk/Policies
[2013/10/10 16:31:15.372732,  5, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/statcache.c:143(stat_cache_add)
  stat_cache_add: Added entry (7f20cd6d0110:size 4d) INTERNAL.STMARYSCOLLEGE.CO.UK/POLICIES/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE} -> internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}
[2013/10/10 16:31:15.372782, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/mangle_hash2.c:418(is_mangled)
  is_mangled gpt.ini ?
[2013/10/10 16:31:15.372817, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/mangle_hash2.c:357(is_mangled_component)
  is_mangled_component gpt.ini (len 7) ?
[2013/10/10 16:31:15.372870,  5, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/dir.c:1485(OpenDir)
  OpenDir: Can't open internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}. Permission denied
[2013/10/10 16:31:15.372922,  3, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/filename.c:1150(get_real_filename_full_scan)
  scan dir didn't open dir [internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}]
[2013/10/10 16:31:15.372959, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/filename.c:993(unix_convert)
  dirpath = [internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}] start = [gpt.ini]
[2013/10/10 16:31:15.372999, 10, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/filename.c:1385(filename_convert_internal)
  filename_convert_internal: unix_convert failed for name internal.stmaryscollege.co.uk/Policies/{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/gpt.ini with NT_STATUS_ACCESS_DENIED
[2013/10/10 16:31:15.373043,  3, pid=2507, effective(3000447, 515), real(3000447, 0)] ../source3/smbd/error.c:82(error_packet_set)
  NT error packet at ../source3/smbd/trans2.c(5373) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED 

It looks like it's being denied access as the machine account (3000447 is the machine account's UID afaict). 

the getfacl on the gpt.ini and parent folder is as follows:

# getfacl \{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE\}/
# file: {F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/
# owner: 512
# group: SMC\134Domain\040Admins
user::rwx
user:root:rwx
group::rwx
group:SMC\134Domain\040Admins:rwx
group:SMC\134Domain\040Admins:r-x
group:SMC\134Enterprise\040Admins:rwx
group:3000016:rwx
group:3000018:r-x
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:SMC\134Domain\040Admins:rwx
default:group:SMC\134Domain\040Admins:r-x
default:group:SMC\134Enterprise\040Admins:rwx
default:group:3000016:rwx
default:group:3000018:r-x
default:mask::rwx
default:other::---



# getfacl \{F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE\}/GPT.INI
# file: {F3DF0BC3-AD0F-4862-B2CB-7A332E0DB0CE}/GPT.INI
# owner: 512
# group: SMC\134Domain\040Admins
user::rwx
user:root:rwx
group::rwx
group:SMC\134Domain\040Admins:rwx
group:SMC\134Domain\040Admins:r-x
group:SMC\134Enterprise\040Admins:rwx
group:3000016:rwx
group:3000018:r-x
mask::rwx
other::--- 


Does anyone have a suggestion as to what I should try next?

Thanks,

Alex
Comment 1 Björn Baumbach 2013-10-15 13:03:46 UTC 
Hi Alex,

please make sure that users have access to all parent directories of the sysvol share.

Björn
Comment 2 Alex Matthews 2013-10-15 13:08:20 UTC 
Is that not taken care of by sysvolreset?
Comment 3 Björn Baumbach 2013-10-15 13:17:41 UTC 
(In reply to comment #2)
> Is that not taken care of by sysvolreset?

I assume that the sysvolreset sets the permissions of the sysvol folder and its subfolders.
Comment 4 Alex Matthews 2013-10-15 13:52:09 UTC 
<sigh> That does indeed appear to have resolved the issue.

This is quite a sneaky issue because even as a non-privileged user I could access the files but it appears that it was because the machine account couldn't. I should have realised that it was a parent permission issue...

It might be worth making a note of this issue somewhere. Oh look, this bug report will do!
Comment 5 Björn Baumbach 2013-10-15 14:18:47 UTC 
I'm glad to hear that it's working now.
But please report such issues to the Samba mailing lists in the future :-)
Comment 6 Alex Matthews 2013-10-15 15:18:30 UTC 
It was posted there first, I misinterpreted Andrew about filing a bug report. He was talking just about the other issue I mentioned in my mailing list post.

Got fixed a heck of a lot quicker here than on the mailing list. I posted there a week ago and got no replies about this particular issue.