Bug 13288 - sysvolcheck fails with "Domain Admins" mapped to rfc2307 gidNumber
sysvolcheck fails with "Domain Admins" mapped to rfc2307 gidNumber
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
4.7.4
x64 Linux
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-02-20 18:49 UTC by direx
Modified: 2018-02-20 18:50 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description direx 2018-02-20 18:49:52 UTC
Mapping the "Domain Admins" group to a gidNumber in a rfc2307-provisioned domain breaks the `samba-tool ntacl sysvolcheck` command.

Steps to reproduce:

1. Provision a new domain with "--use-rfc2307"

2. Map "Administrator" to uidNumber 10000 (ldbedit -H /var/lib/samba/private/sam.ldb)

3. Map "Domain Admis" to any gidNumber (such as 10000)

3. net cache flush

4. systemctl restart samba-ad-dc

5. "samba-tool ntacl sysvolcheck" fails:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory /var/lib/samba/sysvol/lab.lan/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9} O:LAG:DAD:P(A;OICI;0x001f01f
f;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x0
01f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
 File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
   return self.run(*args, **kwargs)
 File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
   lp)
 File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1723, in checksysvolacl
   direct_db_access)
 File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1674, in check_gpos_acl
   domainsid, direct_db_access)
 File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1621, in check_dir_acl
   raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))


-> sysvolreset remains functional and the "sysvol" is working as expected. This is the ACL after a sysvolreset:


# file: var/lib/samba/sysvol/
# owner: 10000
# group: 3000000
user::rwx
user:10000:rwx
user:3000000:rwx
user:3000001:r-x
user:3000002:rwx
user:3000003:r-x
group::rwx
group:3000000:rwx
group:3000001:r-x
group:3000002:rwx
group:3000003:r-x
mask::rwx
other::---
default:user::rwx
default:user:10000:rwx
default:user:3000000:rwx
default:user:3000001:r-x
default:user:3000002:rwx
default:user:3000003:r-x
default:group::---
default:group:3000000:rwx
default:group:3000001:r-x
default:group:3000002:rwx
default:group:3000003:r-x
default:mask::rwx
default:other::---

And FYI, this is the smb.conf (default):

[global]
       netbios name = DC1
       realm = LAB.LAN
       server role = active directory domain controller
       workgroup = LAB
       idmap_ldb:use rfc2307 = yes

[netlogon]
       path = /var/lib/samba/sysvol/lab.lan/scripts
       read only = No

[sysvol]
       path = /var/lib/samba/sysvol
       read only = No

This is with Samba 4.7.4 on Debian Buster.