Bug 12363 - "samba-tool ntacl sysvolreset" fails to run - NT_STATUS_BUFFER_TOO_SMALL
"samba-tool ntacl sysvolreset" fails to run - NT_STATUS_BUFFER_TOO_SMALL
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
4.5.4
All All
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-10-05 07:33 UTC by Jonathan Hunter
Modified: 2017-04-15 00:45 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Jonathan Hunter 2016-10-05 07:33:41 UTC
This has been broken for me for some time, and I haven't had any luck debugging this via the mailing list: http://www.spinics.net/lists/samba/msg137116.html

When running samba-tool ntacl sysvolreset, this fails with the following error (I'm on 4.5.0):

user@dc2:~ $ sudo /usr/local/samba/bin/samba-tool ntacl sysvolreset
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
ERROR(runtime): uncaught exception - (-1073741789, 'Buffer too small')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1606, in setsysvolacl
    passdb=s4_passdb, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)


I'm not really sure what might be causing this.. I have a '-d10' trace, and the last section before the exception is as follows:

get_nt_acl_internal: name=/usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine
ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:107)
parse_acl_blob: ndr_pull_xattr_NTACL failed: Buffer Size Error
validate_nt_acl_blob: parse_acl_blob returned NT_STATUS_BUFFER_TOO_SMALL
get_nt_acl_internal: ACL validation for [/usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine] failed
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
delete_lock_ref_count for file /usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine


I think I have followed the trail via the following items that call or
refer to each other in turn:
- python samba-tool ntacl sysvolreset
- source3/smbd/pysmbd.c: SMB_VFS_FSET_NT_ACL( fsp, security_info_sent, sd);
- source3/include/vfs_macros.h:#define SMB_VFS_FSET_NT_ACL
smb_vfs_call_fset_nt_acl
- source3/smbd/vfs.c:NTSTATUS smb_vfs_call_fset_nt_acl [which calls
fset_nt_acl_fn]
- source3/modules/vfs_acl_xattr.c: .fset_nt_acl_fn = fset_nt_acl_common
- source3/modules/vfs_acl_common.c:static NTSTATUS fset_nt_acl_common
- source3/modules/vfs_acl_common.c: parse_acl_blob() [which seems to
be where the error occurs]

However it appears that I'm now trying to debug the VFS modules in
Samba, which isn't quite where I thought I would end up when I started
looking into this error :)

(For the above, I am presuming I'm using vfs_acl_xattr - I have nothing explicitly set in smb.conf, and I'm running on ext4 with setfacl/getfacl working fine)

If I can provide any further information, please let me know - I'm feeling the pain of my GPOs not functioning at the moment :-( 'samba-tool ntacl sysvolreset' runs for a while but after a few hundred files it hits this problem and just stops.
Comment 1 Jonathan Hunter 2016-12-18 02:09:58 UTC
FYI (and so I don't lose it, also!) I have been using this as a bit of a 'hack' workaround. It doesn't always work - it's hit and miss whether a client will go to the right DC - but it has worked a few times. Clearly it doesn't fix the root problem, but it gets me working if I need to get a new GPO rolled out.

$ sudo setfacl -R -m d:o:rx -m o:rx /usr/local/samba/var/locks/sysvol/mydomain.org.uk/
Comment 2 Jonathan Hunter 2017-04-15 00:45:51 UTC
It looks like the root cause for this specific issue does not come from within 'ntacl sysvolreset' itself, but rather some file on the filesystem that the filesharing part of Samba also doesn't like.

Following LPH's suggestion of how he fixes GPO issues (see his email 20 December 2016 at 10:20; Subject: Re: [Samba] GPO Security Filtering "Access Denied") I decided to follow the same route.

However, when copying the contents of sysvol to my local Windows machine, I was prevented from copying one directory (and only one directory). The error message is shown below; the same was shown as a pop-up dialog box in Windows Explorer but it's easier to cut and paste the error from a command prompt window:


C:\> robocopy /s \\dc1\sysvol c:\tmp\sysvol
[lots of successful file copies]
[...]
2017/04/15 00:29:47 ERROR 122 (0x0000007A) Scanning Source Directory \\dc1\sysvol\mydomain.org.uk\Policies\{D4D44444-5555-6666-7777-888888888888}\Machine\Preferences\
The data area passed to a system call is too small.


I removed this directory entirely (after first backing up the files contained within), and re-created it. I have now been able to successfully run "samba-tool ntacl sysvolreset" with no errors.


I do still have issues with Windows clients not consistently being able to run gpupdate without errors, but at least I can declare progress on this issue.

Does this give any clue as to where the underlying issue might lie behind this, and how it could be detected / fixed in the future?

I guess this specific issue could be considered resolved seeing as I have worked around the issue by deleting this problem file, although I think we should be able to come up with better error handling messages. At least this bug report should give some pointers to others who encounter this again in the future..