Bug 12363 - "samba-tool ntacl sysvolreset" fails to run - NT_STATUS_BUFFER_TOO_SMALL
Description Jonathan Hunter 2016-10-05 07:33:41 UTC
This has been broken for me for some time, and I haven't had any luck debugging this via the mailing list: http://www.spinics.net/lists/samba/msg137116.html

When running samba-tool ntacl sysvolreset, this fails with the following error (I'm on 4.5.0):

user@dc2:~ $ sudo /usr/local/samba/bin/samba-tool ntacl sysvolreset
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
ERROR(runtime): uncaught exception - (-1073741789, 'Buffer too small')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1606, in setsysvolacl
    passdb=s4_passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)

I'm not really sure what might be causing this. I have a '-d10' trace, and the last section before the exception is as follows:

get_nt_acl_internal: name=/usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine
ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:107)
parse_acl_blob: ndr_pull_xattr_NTACL failed: Buffer Size Error
validate_nt_acl_blob: parse_acl_blob returned NT_STATUS_BUFFER_TOO_SMALL
get_nt_acl_internal: ACL validation for [/usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine] failed
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
delete_lock_ref_count for file /usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine

I think I have followed the trail via the following items that call or refer to each other in turn:
- python samba-tool ntacl sysvolreset
- source3/smbd/pysmbd.c: SMB_VFS_FSET_NT_ACL( fsp, security_info_sent, sd);
- source3/include/vfs_macros.h:#define SMB_VFS_FSET_NT_ACL
- source3/smbd/vfs.c:NTSTATUS smb_vfs_call_fset_nt_acl [which calls
- source3/modules/vfs_acl_xattr.c: .fset_nt_acl_fn = fset_nt_acl_common
- source3/modules/vfs_acl_common.c:static NTSTATUS fset_nt_acl_common
- source3/modules/vfs_acl_common.c: parse_acl_blob() [which seems to be where the error occurs]

However it appears that I'm now trying to debug the VFS modules in Samba, which isn't quite where I thought I would end up when I started looking into this error :)

(For the above, I am presuming I'm using vfs_acl_xattr - I have nothing explicitly set in smb.conf, and I'm running on ext4 with setfacl/getfacl working fine)

If I can provide any further information, please let me know - I'm feeling the pain of my GPOs not functioning at the moment :-( 'samba-tool ntacl sysvolreset' runs for a while but after a few hundred files it hits this problem and just stops.
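An added example, not part of the original report and not Samba's own code: a read-only scan that lists every file and directory under sysvol whose security.NTACL xattr cannot be read or unpacked, which is the failure the -d10 trace above shows for a single path. It assumes root and Samba's Python bindings (samba.xattr_native, samba.dcerpc.xattr, samba.ndr); scan_tree, samba_read, samba_parse and the read/parse parameters are names made up here.

```python
import os

NTACL_XATTR = "security.NTACL"  # xattr that vfs_acl_xattr stores the descriptor in


def samba_read(path):
    """Fetch the raw blob through Samba's binding (security.* needs root)."""
    import samba.xattr_native  # imported lazily: only present on a Samba host
    return samba.xattr_native.wrap_getxattr(path, NTACL_XATTR)


def samba_parse(blob):
    """Unpack with Samba's NDR definition of xattr_NTACL; raises on a bad blob."""
    from samba.dcerpc import xattr
    from samba.ndr import ndr_unpack
    return ndr_unpack(xattr.NTACL, blob)


def scan_tree(root, read=samba_read, parse=samba_parse):
    """Return [(path, stage, error)] for each entry whose NTACL fails.

    stage is "read" (xattr missing or unreadable) or "parse" (blob present
    but rejected, the case in the trace). Nothing on disk is modified.
    """
    bad = []
    for dirpath, _dirs, files in os.walk(root):
        # os.walk visits every directory once, so checking dirpath plus its
        # files covers the whole tree without following symlinked directories.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            try:
                blob = read(path)
            except Exception as exc:
                bad.append((path, "read", str(exc)))
                continue
            try:
                parse(blob)
            except Exception as exc:
                bad.append((path, "parse", str(exc)))
    return bad


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        for path, stage, err in scan_tree(sys.argv[1]):
            print("%s\t%s\t%s" % (stage, path, err))
    else:
        print("usage: scan_ntacl.py SYSVOL_PATH")
```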
Comment 1 Jonathan Hunter 2016-12-18 02:09:58 UTC
FYI (and so I don't lose it, also!) I have been using this as a bit of a 'hack' workaround. It doesn't always work - it's hit and miss whether a client will go to the right DC - but it has worked a few times. Clearly it doesn't fix the root problem, but it gets me working if I need to get a new GPO rolled out.

$ sudo setfacl -R -m d:o:rx -m o:rx /usr/local/samba/var/locks/sysvol/mydomain.org.uk/