Created attachment 8308 [details] PCAP format capture of the failed dcpromo. wintest shows that joining Samba as an RODC fails due to ACL issues. Setting acl:search=false fixes this.
Created attachment 8309 [details] Keytab for pcap of failure
Created attachment 8310 [details] TRUNCATED pcap of success case (truncated at the start of DsReplicaSync). This trace is truncated at the start of the successful DRS replication due to size (otherwise > 20MB).
Created attachment 8311 [details] Keytab for pcap of success
I don't think this should be a blocker for a 4.0.0 release because of:
- https://bugzilla.samba.org/show_bug.cgi?id=9089
- it only happens with windows servers (which most likely wouldn't work because they can't replicate the SYSVOL share)
(In reply to comment #4)
> I don't think this should be a blocker for a 4.0.0 release because of:
> - https://bugzilla.samba.org/show_bug.cgi?id=9089
> - it only happens with windows servers (which most likely wouldn't work
> because they can't replicate the SYSVOL share)
- Because the default functional level on provision is < 2008 and doesn't support RODCs
- It's easy to document that "acl:search=no" is a workaround
What worries me more is not that RODC case specifically, but that we didn't expect this to break, and it breaks pretty early in the join process, so I fear something more fundamental may still be broken.
Specifically, when connected as the new RODC, it cannot read this entry:

[abartlet@obed git]$ sudo ../prefix/bin/ldbsearch -H ../prefix/private/sam.ldb -s base -b cn=partitions,cn=configuration,dc=s4,dc=howto,dc=abartlet,dc=net
# record 1
dn: CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net
objectClass: top
objectClass: crossRefContainer
cn: Partitions
instanceType: 4
whenCreated: 20121210015718.0Z
uSNCreated: 1937
showInAdvancedViewOnly: TRUE
name: Partitions
objectGUID: b624aa42-a6dd-4f3c-a383-c960a4cedb5d
systemFlags: -2147483648
objectCategory: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net
msDS-Behavior-Version: 3
fSMORoleOwner: CN=NTDS Settings,CN=OBED,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net
whenChanged: 20121210015722.0Z
uSNChanged: 3593
distinguishedName: CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net

Over LDAP, the trace shows in wintest-fail-3.pcap that msDS-Behavior-Version is not returned to the client.
Created attachment 8316 [details] Keytab for pcap of failure
Created attachment 8317 [details] PCAP format capture of the failed dcpromo The key packet is #1722. This is where the traces diverge.
Reproduced with local tools:

[abartlet@obed git]$ sudo ../prefix/bin/ldbsearch -H ldap://192.168.122.3 -s base -b CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net --machine-pass
# record 1
dn: CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net

# returned 1 records
# 1 entries
# 0 referrals

This account (the DC!) surely should be able to read the entry! The packet capture shows the (empty) returned entry. This shows this is a more serious issue than 'just' RODC support.
Compare Samba vs Windows:

[abartlet@obed git]$ sudo ../prefix/bin/ldbsearch -H ../prefix/private/sam.ldb -s base -b cn=partitions,cn=configuration,dc=s4,dc=howto,dc=abartlet,dc=net ntsecuritydescriptor
# record 1
dn: CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net
nTSecurityDescriptor: O:EAG:EAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)

# returned 1 records
# 1 entries
# 0 referrals

[abartlet@obed git]$ sudo ../prefix/bin/ldbsearch -H ../prefix/private/sam.ldb -s base -b cn=partitions,cn=configuration,dc=s4,dc=howto,dc=abartlet,dc=net ntsecuritydescriptor --show-binary
# record 1
dn: CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net
nTSecurityDescriptor: NDR: struct security_descriptor
    revision  : SECURITY_DESCRIPTOR_REVISION_1 (1)
    type      : 0x8407 (33799)
        1: SEC_DESC_OWNER_DEFAULTED
        1: SEC_DESC_GROUP_DEFAULTED
        1: SEC_DESC_DACL_PRESENT
        0: SEC_DESC_DACL_DEFAULTED
        0: SEC_DESC_SACL_PRESENT
        0: SEC_DESC_SACL_DEFAULTED
        0: SEC_DESC_DACL_TRUSTED
        0: SEC_DESC_SERVER_SECURITY
        0: SEC_DESC_DACL_AUTO_INHERIT_REQ
        0: SEC_DESC_SACL_AUTO_INHERIT_REQ
        1: SEC_DESC_DACL_AUTO_INHERITED
        0: SEC_DESC_SACL_AUTO_INHERITED
        0: SEC_DESC_DACL_PROTECTED
        0: SEC_DESC_SACL_PROTECTED
        0: SEC_DESC_RM_CONTROL_VALID
        1: SEC_DESC_SELF_RELATIVE
    owner_sid : *
        owner_sid : S-1-5-21-1224390137-1145867798-1928467562-519
    group_sid : *
        group_sid : S-1-5-21-1224390137-1145867798-1928467562-519
    sacl      : NULL
    dacl      : *
        dacl: struct security_acl
            revision : SECURITY_ACL_REVISION_ADS (4)
            size     : 0x0064 (100)
            num_aces : 0x00000003 (3)
            aces: ARRAY(3)
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                    flags       : 0x00 (0)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        0: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0014 (20)
                    access_mask : 0x000f01ff (983551)
                    object      : union security_ace_object_ctr(case 0)
                    trustee     : S-1-5-18
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                    flags       : 0x12 (18)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        1: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        1: SEC_ACE_FLAG_INHERITED_ACE
                        0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0024 (36)
                    access_mask : 0x000f01ff (983551)
                    object      : union security_ace_object_ctr(case 0)
                    trustee     : S-1-5-21-1224390137-1145867798-1928467562-519
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                    flags       : 0x12 (18)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        1: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        1: SEC_ACE_FLAG_INHERITED_ACE
                        0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0024 (36)
                    access_mask : 0x000f01bd (983485)
                    object      : union security_ace_object_ctr(case 0)
                    trustee     : S-1-5-21-1224390137-1145867798-1928467562-512

# returned 1 records
# 1 entries
# 0 referrals

[abartlet@jesse samba]$ bin/ldbsearch -H ldap://192.168.122.24 -Uadministrator%penguin12# -s base -b cn=partitions,CN=Configuration,DC=2008R2,DC=HOWTO,DC=ABARTLET,DC=NET ntsecuritydescriptor
# record 1
dn: cn=partitions,CN=Configuration,DC=2008R2,DC=HOWTO,DC=ABARTLET,DC=NET
nTSecurityDescriptor: O:EAG:EAD:AI(A;;LCLORC;;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)(A;;RPWPCRCCLCLORCWOWDSW;;;EA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;ED)(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)S:AI(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)

# returned 1 records
# 1 entries
# 0 referrals

[abartlet@jesse samba]$ bin/ldbsearch -H ldap://192.168.122.24 -Uadministrator%penguin12# -s base -b cn=partitions,CN=Configuration,DC=2008R2,DC=HOWTO,DC=ABARTLET,DC=NET ntsecuritydescriptor --show-binary
# record 1
dn: cn=partitions,CN=Configuration,DC=2008R2,DC=HOWTO,DC=ABARTLET,DC=NET
nTSecurityDescriptor: NDR: struct security_descriptor
    revision  : SECURITY_DESCRIPTOR_REVISION_1 (1)
    type      : 0x8c14 (35860)
        0: SEC_DESC_OWNER_DEFAULTED
        0: SEC_DESC_GROUP_DEFAULTED
        1: SEC_DESC_DACL_PRESENT
        0: SEC_DESC_DACL_DEFAULTED
        1: SEC_DESC_SACL_PRESENT
        0: SEC_DESC_SACL_DEFAULTED
        0: SEC_DESC_DACL_TRUSTED
        0: SEC_DESC_SERVER_SECURITY
        0: SEC_DESC_DACL_AUTO_INHERIT_REQ
        0: SEC_DESC_SACL_AUTO_INHERIT_REQ
        1: SEC_DESC_DACL_AUTO_INHERITED
        1: SEC_DESC_SACL_AUTO_INHERITED
        0: SEC_DESC_DACL_PROTECTED
        0: SEC_DESC_SACL_PROTECTED
        0: SEC_DESC_RM_CONTROL_VALID
        1: SEC_DESC_SELF_RELATIVE
    owner_sid : *
        owner_sid : S-1-5-21-3666733363-4032383065-1918016110-519
    group_sid : *
        group_sid : S-1-5-21-3666733363-4032383065-1918016110-519
    sacl      : *
        sacl: struct security_acl
            revision : SECURITY_ACL_REVISION_ADS (4)
            size     : 0x001c (28)
            num_aces : 0x00000001 (1)
            aces: ARRAY(1)
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_SYSTEM_AUDIT (2)
                    flags       : 0x42 (66)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        1: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
                        1: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0014 (20)
                    access_mask : 0x000d0163 (852323)
                    object      : union security_ace_object_ctr(case 2)
                    trustee     : S-1-1-0
    dacl      : *
        dacl: struct security_acl
            revision : SECURITY_ACL_REVISION_ADS (4)
            size     : 0x01dc (476)
            num_aces : 0x0000000d (13)
            aces: ARRAY(13)
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                    flags       : 0x00 (0)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        0: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0014 (20)
                    access_mask : 0x00020084 (131204)
                    object      : union security_ace_object_ctr(case 0)
                    trustee     : S-1-5-11
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                    flags       : 0x00 (0)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        0: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0028 (40)
                    access_mask : 0x00000010 (16)
                    object      : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags : 0x00000001 (1)
                                1: SEC_ACE_OBJECT_TYPE_PRESENT
                                0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type  : union security_ace_object_type(case 1)
                                type : e48d0154-bcf8-11d1-8702-00c04fb96050
                            inherited_type : union security_ace_object_inherited_type(case 0)
                    trustee     : S-1-5-11
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                    flags       : 0x00 (0)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        0: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0028 (40)
                    access_mask : 0x00000010 (16)
                    object      : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags : 0x00000001 (1)
                                1: SEC_ACE_OBJECT_TYPE_PRESENT
                                0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type  : union security_ace_object_type(case 1)
                                type : d31a8757-2447-4545-8081-3bb610cacbf2
                            inherited_type : union security_ace_object_inherited_type(case 0)
                    trustee     : S-1-5-11
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                    flags       : 0x00 (0)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        0: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0028 (40)
                    access_mask : 0x00000010 (16)
                    object      : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags : 0x00000001 (1)
                                1: SEC_ACE_OBJECT_TYPE_PRESENT
                                0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type  : union security_ace_object_type(case 1)
                                type : 66171887-8f3c-11d0-afda-00c04fd930c9
                            inherited_type : union security_ace_object_inherited_type(case 0)
                    trustee     : S-1-5-11
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                    flags       : 0x00 (0)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        0: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0028 (40)
                    access_mask : 0x00000010 (16)
                    object      : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags : 0x00000001 (1)
                                1: SEC_ACE_OBJECT_TYPE_PRESENT
                                0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type  : union security_ace_object_type(case 1)
                                type : 032160bf-9824-11d1-aec0-0000f80367c1
                            inherited_type : union security_ace_object_inherited_type(case 0)
                    trustee     : S-1-5-11
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                    flags       : 0x00 (0)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        0: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0028 (40)
                    access_mask : 0x00000010 (16)
                    object      : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags : 0x00000001 (1)
                                1: SEC_ACE_OBJECT_TYPE_PRESENT
                                0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type  : union security_ace_object_type(case 1)
                                type : 789ee1eb-8c8e-4e4c-8cec-79b31b7617b5
                            inherited_type : union security_ace_object_inherited_type(case 0)
                    trustee     : S-1-5-11
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                    flags       : 0x00 (0)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        0: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0028 (40)
                    access_mask : 0x00000010 (16)
                    object      : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags : 0x00000001 (1)
                                1: SEC_ACE_OBJECT_TYPE_PRESENT
                                0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type  : union security_ace_object_type(case 1)
                                type : 5706aeaf-b940-4fb2-bcfc-5268683ad9fe
                            inherited_type : union security_ace_object_inherited_type(case 0)
                    trustee     : S-1-5-11
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                    flags       : 0x00 (0)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        0: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0024 (36)
                    access_mask : 0x000e01bd (917949)
                    object      : union security_ace_object_ctr(case 0)
                    trustee     : S-1-5-21-3666733363-4032383065-1918016110-519
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                    flags       : 0x00 (0)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        0: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0014 (20)
                    access_mask : 0x000f01ff (983551)
                    object      : union security_ace_object_ctr(case 0)
                    trustee     : S-1-5-18
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                    flags       : 0x00 (0)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        0: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0014 (20)
                    access_mask : 0x00000001 (1)
                    object      : union security_ace_object_ctr(case 0)
                    trustee     : S-1-5-9
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                    flags       : 0x0a (10)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        1: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        1: SEC_ACE_FLAG_INHERIT_ONLY
                        0: SEC_ACE_FLAG_INHERITED_ACE
                        0x0a: SEC_ACE_FLAG_VALID_INHERIT (10)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x003c (60)
                    access_mask : 0x00000020 (32)
                    object      : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags : 0x00000003 (3)
                                1: SEC_ACE_OBJECT_TYPE_PRESENT
                                1: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type  : union security_ace_object_type(case 1)
                                type : 3df793df-9858-4417-a701-735a1ecebf74
                            inherited_type : union security_ace_object_inherited_type(case 2)
                                inherited_type : bf967a8d-0de6-11d0-a285-00aa003049e2
                    trustee     : S-1-5-32-544
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                    flags       : 0x12 (18)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        1: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        1: SEC_ACE_FLAG_INHERITED_ACE
                        0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0024 (36)
                    access_mask : 0x000f01ff (983551)
                    object      : union security_ace_object_ctr(case 0)
                    trustee     : S-1-5-21-3666733363-4032383065-1918016110-519
                aces: struct security_ace
                    type        : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                    flags       : 0x12 (18)
                        0: SEC_ACE_FLAG_OBJECT_INHERIT
                        1: SEC_ACE_FLAG_CONTAINER_INHERIT
                        0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                        0: SEC_ACE_FLAG_INHERIT_ONLY
                        1: SEC_ACE_FLAG_INHERITED_ACE
                        0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
                        0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                        0: SEC_ACE_FLAG_FAILED_ACCESS
                    size        : 0x0024 (36)
                    access_mask : 0x000f01bd (983485)
                    object      : union security_ace_object_ctr(case 0)
                    trustee     : S-1-5-21-3666733363-4032383065-1918016110-512

# returned 1 records
# 1 entries
# 0 referrals

Clearly we have the wrong ACL, which is the root cause of the issues here.
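As an added example that is not part of the bug report or of Samba's own code, the following parses the two nTSecurityDescriptor values quoted above and runs a simplified DACL check for an Authenticated Users (AU) principal, which is what an RODC's machine account is once it has bound. It shows that the Samba descriptor grants AU nothing, while the Windows one grants LCLORC on the object and RP on six specific attribute or property-set GUIDs; the GUID used in the RP check is taken from the Windows descriptor and which attribute it names is not stated on this page.

```python
import re
# SDDL access-right tokens for directory objects and their access-mask bits (MS-DTYP 2.5.1.2)
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
READ_OBJECT = RIGHTS["LC"] | RIGHTS["LO"] | RIGHTS["RC"]  # needed to see an entry at all

# The two nTSecurityDescriptor values quoted above, with the LDIF line folding removed
SAMBA_SDDL = ("O:EAG:EAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
              "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)")
WINDOWS_SDDL = ("O:EAG:EAD:AI(A;;LCLORC;;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)"
                "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)"
                "(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)"
                "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)(A;;RPWPCRCCLCLORCWOWDSW;;;EA)"
                "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;ED)"
                "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)"
                "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)"
                "S:AI(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)")

SD_RE = re.compile(r"^O:([\w-]+?)G:([\w-]+?)D:([A-Z]*)((?:\([^)]*\))*)(?:S:([A-Z]*)((?:\([^)]*\))*))?$")

def _tokens(s):
    return {s[i:i + 2] for i in range(0, len(s), 2)}  # 'CIID' -> {'CI', 'ID'}

def _parse_ace(text):
    ace_type, flags, rights, obj, inherit_obj, trustee = text.split(";")
    mask = int(rights, 16) if rights.startswith("0x") else sum(RIGHTS[t] for t in _tokens(rights))
    return {"type": ace_type, "flags": _tokens(flags), "mask": mask,
            "object": obj.lower(), "inherit_object": inherit_obj.lower(), "trustee": trustee}

def parse_sddl(sddl):
    """Parse an SDDL string into owner, group and ACE lists for the DACL and (optional) SACL."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("unrecognised SDDL: %r" % sddl)
    owner, group, dacl_flags, dacl, _sacl_flags, sacl = m.groups()
    aces = lambda acl: [_parse_ace(a) for a in re.findall(r"\(([^)]*)\)", acl or "")]
    return {"owner": owner, "group": group, "dacl_flags": dacl_flags,
            "dacl": aces(dacl), "sacl": aces(sacl)}

def access_allowed(sd, trustees, wanted, attr_guid=""):
    """Simplified MS-ADTS DACL walk: an applicable deny on any wanted bit wins, allows must cover
    every wanted bit. Trustees stay as SDDL aliases, not SIDs, and property sets are not expanded."""
    granted = 0
    for ace in sd["dacl"]:
        if ("IO" in ace["flags"] or ace["trustee"] not in trustees
                or (ace["object"] and ace["object"] != attr_guid)):
            continue  # inherit-only, another trustee, or scoped to a different attribute
        if ace["type"] in ("D", "OD") and ace["mask"] & wanted:
            return False
        if ace["type"] in ("A", "OA"):
            granted |= ace["mask"] & wanted
            if granted == wanted:
                return True
    return False
```

The masks the parser computes match the access_mask values in the --show-binary dumps (0x000f01ff, 0x000f01bd, 0x00020084), which is a useful cross-check that the SDDL and NDR views describe the same descriptor.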
Created attachment 8336 [details] Patches for master
Created attachment 8337 [details] Patches for v4-0-test
Comment on attachment 8337 [details] Patches for v4-0-test ACK
==> Karolin for 4.0
Pushed to autobuild-v4-0-test.
Pushed to v4-0-test. Closing out bug report. Thanks a lot!
We need to add some magic to the samba_upgradeprovision script, so that it can fix the nTSecurityDescriptor values from older provisions. We should be able to fix this for 4.0.1. A workaround is the "acl:search = no" option in the [global] section of the smb.conf, in case someone hits problems with upgrades from older releases.
Created attachment 8498 [details] Additional patches for v4-0-test
Pushed additional changes to autobuild-v4-0-test.
Pushed to v4-0-test. Closing out bug report. Thanks!