Bug 14937 - samba-tool ntacl sysvolcheck and sysvolreset crash when Policies directory is missing
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Python
Version: 4.15.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
 
Reported: 2021-12-23 15:49 UTC by keesvanvloten
Modified: 2022-09-07 06:03 UTC (History)

Attachments
patch for better exceptions/messages (4.01 KB, patch)
2022-08-10 23:35 UTC, Douglas Bagnall

Description keesvanvloten 2021-12-23 15:49:01 UTC
Due to an error elsewhere (one of my scripts) the directory /var/lib/samba/sysvol/samdom.com/Policies was removed. Then (without being aware of that issue) I ran samba-tool ntacl sysvolcheck (and also tried sysvolreset). Both crash hard:


root@server:/var/lib/samba/sysvol# samba-tool ntacl sysvolreset
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
Could not find opname rename, logging all
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 412, in run
    provision.setsysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1630, in set_gpos_acl
    setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), session_info,
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 228, in setntacl
    smbd.set_nt_acl(

root@sserver:/var/lib/samba/sysvol# samba-tool ntacl sysvolcheck
ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
    provision.checksysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
    check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1811, in check_gpos_acl
    fsacl = getntacl(lp, root_policy_path, session_info,
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112, in getntacl
    attribute = samba.xattr_native.wrap_getxattr(file,


Since the errors are not very clear on what it is missing, I used strace to find the culprit, an excerpt of the output:


getxattr("/var/lib/samba/sysvol/samdom.com", "security.NTACL", NULL, 0) = 320
getxattr("/var/lib/samba/sysvol/samdom.com", "security.NTACL", "\4\0\4\0\0\0\2\0\4\0\2\0\1\0002\301T\16\323Xi\312\203H\326\227\201\300n\0310\237"..., 320) = 320
getxattr("/var/lib/samba/sysvol/samdom.com/scripts", "security.NTACL", NULL, 0) = 320
getxattr("/var/lib/samba/sysvol/samdom.com/scripts", "security.NTACL", "\4\0\4\0\0\0\2\0\4\0\2\0\1\0002\301T\16\323Xi\312\203H\326\227\201\300n\0310\237"..., 320) = 320
getxattr("/var/lib/samba/sysvol/samdom.com/Policies", "security.NTACL", NULL, 0) = -1 ENOENT (No such file or directory)
write(2, "ERROR(<class 'TypeError'>): unca"..., 82ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
) = 82
stat("/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", {st_mode=S_IFREG|0644, st_size=9885, ...}) = 0
openat(AT_FDCWD, "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", O_RDONLY|O_CLOEXEC) = 14
fstat(14, {st_mode=S_IFREG|0644, st_size=9885, ...}) = 0
ioctl(14, TCGETS, 0x7fff9ce59290)       = -1 ENOTTY (Inappropriate ioctl for device)
lseek(14, 0, SEEK_CUR)                  = 0
read(14, "# Unix SMB/CIFS implementation.\n"..., 4096) = 4096
read(14, "ROR: %s\\n\" % (message))\n        "..., 8192) = 5789
read(14, "", 8192)                      = 0
close(14)                               = 0

Would it be feasible to catch the error and produce an error message in this situation?

- Kees
Comment 1 Douglas Bagnall 2022-08-10 23:35:13 UTC
Created attachment 17467
patch for better exceptions/messages

Kees,
are you able to test this patch?
Comment 2 keesvanvloten 2022-08-11 11:17:28 UTC
I will give it a try, just give me a few days :-)
Will the patch apply to 4.16.2 installed from Louis' repo?
Comment 3 Douglas Bagnall 2022-08-11 21:38:50 UTC
(In reply to keesvanvloten from comment #2)
> Will the patch apply to 4.16.2 installed from Louis' repo?

Yes, or at least it applies to the 4.16 upstream branch.
Comment 4 keesvanvloten 2022-08-31 19:23:01 UTC
Hi Douglas,

Now that I am checking I noticed you are not only patching samba-tool / python but also C code. 
I am not compiling Samba myself so there is no easy way for me to test that part of the patch. I did apply the Python patch.



Test scenario:
1. samba --version
Output:
--------------
Version 4.16.2-Debian
--------------

2. mv /var/lib/samba/sysvol/samdom.com/Policies /var/lib/samba

3. Run "samba-tool ntacl sysvolreset" WITHOUT the patch
Output:
--------------
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 412, in run
    provision.setsysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1630, in set_gpos_acl
    setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), session_info,
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 228, in setntacl
    smbd.set_nt_acl(
--------------
Unfortunately this is different than it was in the initial bug report at 2021-12-23.

4. Apply patch to "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py"

5. Run "samba-tool ntacl sysvolreset" WITH the patch
Output:
--------------
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 413, in run
    provision.setsysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1630, in set_gpos_acl
    setntacl(lp, root_policy_path, POLICIES_ACL, str(domainsid), session_info,
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 228, in setntacl
    smbd.set_nt_acl(
--------------

This returns exactly the same output as without the patch.
I tried to move the whole "/var/lib/samba/sysvol/samdom.com" out of the way and even then I get the same output.

It looks like the newer samba version (4.16.2) behaves differently, but it still does not produce sensible output to see that it is missing the Policies directory.

But then again, perhaps the results WITH patch would be different if I would have applied the C code patch to "source4/ntvfs/posix/python/pyxattr_native.c" and recompiled Samba. So perhaps the test was not representative...

Anyway the tests that I ran, neither reproduced the original message, nor did it return a sensible error, nor did it fix the issue (with patched python only) :-(
Comment 5 Douglas Bagnall 2022-08-31 20:48:06 UTC
(In reply to keesvanvloten from comment #4)
Yes, it will need both parts.

I'll look at adding an automated test.
Comment 6 Douglas Bagnall 2022-08-31 23:49:33 UTC
(In reply to Douglas Bagnall from comment #5)
> I'll look at adding an automated test.

as of course I should have from the start.

That patch is insufficient, so don't worry about compiling it. There'll be a better one in master soon.

The result will be a message like this:

ERROR(<class 'FileNotFoundError'>): Could not access file - [Errno 2] No such file or directory: '[ ... ]/sysvol/addom.samba.example.com/Policies'
use -d3 for more details

which, while not beautiful, does indicate where the problem lies.
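
A pre-flight check along the lines discussed in this bug, as an added example that is not Samba's code and not part of any comment above: it reads the security.NTACL attribute on the three directories visible in the strace excerpt and reports every problem path by name instead of stopping at the first exception. The function names and status labels are made up for this example, and the temporary tree built in demo() is constructed sample input.

```python
import errno
import os
import tempfile

NTACL_XATTR = "security.NTACL"  # attribute name taken from the strace excerpt


def sysvol_paths(sysvol, dnsdomain):
    """Directories the traces touch: domain root, scripts, Policies."""
    root = os.path.join(sysvol, dnsdomain)
    return [root, os.path.join(root, "scripts"), os.path.join(root, "Policies")]


def classify(path):
    """Return (status, detail) for one path without raising."""
    try:
        blob = os.getxattr(path, NTACL_XATTR)  # Linux-only call
    except FileNotFoundError as e:
        # ENOENT: the case from this bug, reported with the path included.
        return "missing", f"[Errno {e.errno}] {e.strerror}: {path!r}"
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return "no-ntacl", f"{path!r} exists but has no {NTACL_XATTR}"
        return "error", f"[Errno {e.errno}] {e.strerror}: {path!r}"
    if not os.path.isdir(path):
        return "error", f"{path!r} is not a directory"
    return "ok", f"{len(blob)} bytes of {NTACL_XATTR}"


def preflight(sysvol, dnsdomain):
    """Check every expected path and keep going after a failure."""
    return {p: classify(p) for p in sysvol_paths(sysvol, dnsdomain)}


def demo():
    """Constructed tree: domain root and scripts exist, Policies does not."""
    with tempfile.TemporaryDirectory() as sysvol:
        os.makedirs(os.path.join(sysvol, "samdom.com", "scripts"))
        results = preflight(sysvol, "samdom.com")
        return {os.path.relpath(p, sysvol): r for p, r in results.items()}


if __name__ == "__main__":
    for rel, (status, detail) in demo().items():
        print(f"{status:9} {rel}: {detail}")
```

On a real domain controller, preflight("/var/lib/samba/sysvol", "samdom.com") run as root before sysvolcheck or sysvolreset lists which of the expected directories is absent.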
Comment 8 Samba QA Contact 2022-09-07 06:03:04 UTC
This bug was referenced in samba master:

dfc92d2922fb773a3e5246d91631417a9de4adaf
a5eeed52efa3656fc44ec44874f72790e82c9d91
1b4938c3b1afc8600d693ef92b6944b18e449415
dc9f29e5c35982e7ce2cb5135ce906e9960579af
5a4b050ff7b790f892c4f0edb9ecd9745184e0f4