Created attachment 9525
SysVol share content that causes the exception (zipped incl. xattrs)

# samba-tool ntacl sysvolcheck
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data available')
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/provision/__init__.py", line 1686, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib64/python2.6/site-packages/samba/ntacls.py", line 73, in getntacl
    xattr.XATTR_NTACL_NAME)

If I run sysvolreset to fix the errors, then the check runs fine. SysVol share is on XFS.

Seeing a similar error, on sernet 4.1.7 and 4.1.9, on ext4:

root@dc3:~# samba-tool ntacl sysvolcheck
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data available')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1686, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 73, in getntacl
    xattr.XATTR_NTACL_NAME)
root@dc3:~#

Also here: samba-tool ntacl sysvolreset works, and after that also samba-tool ntacl sysvolcheck reports success.

Update: Samba 4.5.0rc2 still shows an exception when running the sysvolcheck:

[root@DC1 samba-4.5.0rc2]# samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /usr/local/samba/var/locks/sysvol/samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
    direct_db_access)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/local/samba/lib64/python2.7/site-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
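
The two SDDL strings in the error message above are long and differ in a single field. As an added example (not part of the original comment and not Samba's own code), the following splits each string into owner, group, DACL flags and ACEs and reports only the fields that differ; the parser is an assumption-level sketch that handles just the O:/G:/D: form seen in this report.

```python
import re

# Added example: minimal SDDL splitter for the O:/G:/D: form seen in this
# report. SACLs and conditional ACEs are deliberately not handled.
_SID = r"(?:S-1-[0-9-]+|[A-Z]{2})"          # full SID or two-letter alias
_SDDL = re.compile(
    rf"^(?:O:(?P<owner>{_SID}))?(?:G:(?P<group>{_SID}))?"
    r"(?:D:(?P<dacl_flags>[A-Z]*)(?P<dacl>(?:\([^()]*\))*))?$"
)
_ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACEs."""
    m = _SDDL.match(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group("dacl") or ""):
        parts = body.split(";")
        if len(parts) != len(_ACE_FIELDS):
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append(dict(zip(_ACE_FIELDS, parts)))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("dacl_flags") or "", "aces": aces}


def diff_sddl(actual, expected):
    """Return {field: (actual, expected)} for every field that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    return {k: (a[k], e[k]) for k in a if a[k] != e[k]}


# ACE list copied from the error message; it is identical on both sides.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
        "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
        "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
DB_ACL = "O:LAG:DAD:P" + ACES    # "DB ACL on GPO directory" in the message
GPO_ACL = "O:DAG:DAD:P" + ACES   # "expected value ... from GPO object"

if __name__ == "__main__":
    for field, (got, want) in diff_sddl(DB_ACL, GPO_ACL).items():
        print("%s: got %r, expected %r" % (field, got, want))
```

Run on the two strings from the message, the only difference reported is the owner: LA (the built-in Administrator account) on the directory versus DA (Domain Admins) on the GPO object.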

(In reply to Marc Muehlfeld from comment #2)

I'm seeing the same problem with Samba 4.5.3.

Marc, are you using `idmap_ldb:use rfc2307 = yes` in your smb.conf? If so, disable it temporarily, run `samba-tool ntacl sysvolreset`, re-enable it, and try `samba-tool ntacl sysvolcheck` again. I can solve the `sysvolcheck` error with these steps.

Is this a bug in `idmap_ldb:use rfc2307 = yes`?

(In reply to SATOH Fumiyasu from comment #3)

I also have the problem on 4.5.5-SerNet-Ubuntu-13.trusty.

The procedure with idmap_ldb:use rfc2307 did not help. Neither does samba-tool ntacl sysvolreset.

The part of the configuration that causes the error for me is

vfs objects = full_audit
full_audit:prefix = %u|%I|%S
full_audit:success = mkdir rename unlink rmdir pwrite
full_audit:failure = none
full_audit:facility = local7
full_audit:priority = NOTICE

(In reply to tim.dittler from comment #5)

We use the following logic for an addc:

        if (lp_server_role() == ROLE_ACTIVE_DIRECTORY_DC) {
                const char **vfs_objects = lp_vfs_objects(-1);
                if (!vfs_objects || !vfs_objects[0]) {
                        if (lp_parm_const_string(-1, "xattr_tdb", "file", NULL)) {
                                lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr xattr_tdb");
                        } else if (lp_parm_const_string(-1, "posix", "eadb", NULL)) {
                                lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr posix_eadb");
                        } else {
                                lp_do_parameter(-1, "vfs objects", "dfs_samba4 acl_xattr");
                        }
                }
                ...
        }

That means if you explicitly set 'vfs objects' you need to add the default ones explicitly too.

I guess

vfs objects = full_audit dfs_samba4 acl_xattr

is what you need.
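
A pre-deployment check for the situation described in the comment above, as an added example that is not part of the thread or of Samba: it parses an smb.conf, mirrors the default-selection logic quoted there, and lists every section whose explicit `vfs objects` drops the AD DC defaults. Assumptions: only the full role name "active directory domain controller" is recognised, share sections are checked as well as `[global]`, and the sample configuration and its path are constructed.

```python
# Added example: flag explicit "vfs objects" lines that drop the AD DC defaults.
def parse_smb_conf(text):
    """Return {section: {param: value}}; names lower-cased, inner spaces collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf


def missing_dc_vfs_defaults(text):
    """Return {section: [missing modules]} for an AD DC smb.conf, else {}."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    if glob.get("server role", "").lower() != "active directory domain controller":
        return {}
    # Same choice of defaults as the C logic quoted in the comment above.
    required = ["dfs_samba4", "acl_xattr"]
    if "xattr_tdb:file" in glob:
        required.append("xattr_tdb")
    elif "posix:eadb" in glob:
        required.append("posix_eadb")
    findings = {}
    for section, params in conf.items():
        loaded = params.get("vfs objects", "").replace(",", " ").split()
        if not loaded:          # unset or empty: nothing explicit to check
            continue
        missing = [m for m in required if m not in loaded]
        if missing:
            findings[section] = missing
    return findings


# Constructed sample modelled on the configuration quoted in comment 5.
BROKEN = """
[global]
    server role = active directory domain controller
    vfs objects = full_audit
    full_audit:success = mkdir rename unlink rmdir pwrite
[sysvol]
    path = /var/lib/samba/sysvol
"""
FIXED = BROKEN.replace("vfs objects = full_audit",
                       "vfs objects = full_audit dfs_samba4 acl_xattr")

if __name__ == "__main__":
    print(missing_dc_vfs_defaults(BROKEN), missing_dc_vfs_defaults(FIXED))
```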

(In reply to Stefan Metzmacher from comment #6)

Thank you very much for pointing this out.

I can reproduce a similar issue with Samba 4.11.4.

smb.conf:

```
[global]
server role = ACTIVE DIRECTORY DOMAIN CONTROLLER
...
vfs objects = full_audit dfs_samba4 acl_xattr
full_audit:success = open get_nt_acl
...
```

Reproducer command-line and log:
(I can get a similar result with `samba-tool ntacl sysvolcheck`)

```
# /opt/samba/bin/samba-tool ntacl sysvolreset
===============================================================
INTERNAL ERROR: Signal 11 in pid 9280 (4.11.4)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
PANIC (pid 9280): internal error
BACKTRACE: 58 stack frames:
 #0 /opt/samba/lib64/samba4.11/libsamba-util.so.0(log_stack_trace+0x34) [0x7f4cc5f08cf4]
 #1 /opt/samba/lib64/samba4.11/libsmbconf.so.0(smb_panic_s3+0x1c) [0x7f4cbbdfd7cc]
 #2 /opt/samba/lib64/samba4.11/libsamba-util.so.0(smb_panic+0x31) [0x7f4cc5f08df1]
 #3 /opt/samba/lib64/samba4.11/libsamba-util.so.0(+0x1d051) [0x7f4cc5f09051]
 #4 /lib64/libpthread.so.0(+0x12d80) [0x7f4cc8938d80]
 #5 /opt/samba/libexec/samba/vfs/full_audit.so(+0x6f5d) [0x7f4c9db4ef5d]
 #6 /opt/samba/libexec/samba/vfs/full_audit.so(+0xa987) [0x7f4c9db52987]
...
 #57 /usr/bin/python3(_start+0x2e) [0x560f1be37dde]
Can not dump core: corepath not set up
```

Inspection by GDB:

```
# gdb --args python3 /opt/samba/bin/samba-tool ntacl sysvolreset
...
(gdb) run
...
Program received signal SIGSEGV, Segmentation fault.
0x00007fffcc884f5d in audit_prefix (conn=0x5555560790a0, ctx=0x55555647edd0) at ../../source3/modules/vfs_full_audit.c:488
488	../../source3/modules/vfs_full_audit.c: No such file or directory.
```

Quote audit_prefix() from source3/modules/vfs_full_audit.c:

```
static char *audit_prefix(TALLOC_CTX *ctx, connection_struct *conn)
{
	...
	result = talloc_sub_full(ctx, // <- Line 488 is HERE!!!!
			lp_servicename(talloc_tos(), SNUM(conn)),
			conn->session_info->unix_info->unix_name,
			conn->connectpath,
			conn->session_info->unix_token->gid,
			conn->session_info->unix_info->sanitized_username,
			conn->session_info->info->domain_name,
			prefix);
	...
}
```

Inspection by GDB (cont.):

```
(gdb) bt full 1
#0  0x00007fffcc884f5d in audit_prefix (conn=0x5555560790a0, ctx=0x55555647edd0) at ../../source3/modules/vfs_full_audit.c:488
        prefix = 0x555556a93fe0 "%u|%I"
        result = <optimized out>
        prefix = <optimized out>
        result = <optimized out>
(More stack frames follow...)
(gdb) print conn->connectpath
$1 = 0x555556497970 "/"
(gdb) print conn->session_info
$2 = (struct auth_session_info *) 0x5555564c1620
(gdb) print conn->session_info->unix_info
$3 = (struct auth_user_info_unix *) 0x0
(gdb) print conn->session_info->unix_token
$4 = (struct security_unix_token *) 0x0
```

audit_prefix() dereferences NULL pointer because conn->session_info->unix_info and conn->session_info->unix_token are NULL!

(In reply to SATOH Fumiyasu from comment #8)

conn->session_info may be NULL too.

(In reply to SATOH Fumiyasu from comment #9)

I accidentally fixed this with the patches ee5bf29662e and below by ensuring we always pass a valid session_info from the Python bindings. Those are in master only and will start shipping with 4.12. Backports are not feasible, so you'll have to wait for 4.12.