Bug 9483 - incorrect gpo acl after sysvolreset (rc6)
Status: NEW
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.0rc6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Blocks:
Reported: 2012-12-09 17:57 UTC by 375gnu
Modified: 2014-07-23 08:39 UTC (History)

Description 375gnu 2012-12-09 17:57:43 UTC
I'm running rc6, but it's not a clean installation; it's samba3
upgraded to 4.0 back in the days of beta2.

samba-tool ntacl sysvolcheck dies with a message about an incorrect ACL on
a GPO, but that ACL is set by sysvolreset.

$ sudo samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/shch8.brnv.rw/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 245, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1576, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1527, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1477, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
Comment 1 375gnu 2012-12-11 18:05:39 UTC
Here is the output of getfacl:

# file: {6AC1786C-016F-11D2-945F-00C04FB984F9}/
# owner: 0
# group: 513
user::rwx
user:0:rwx
group::---
group:512:rwx
group:513:---
group:3000004:r-x
group:3000007:rwx
group:3000053:rwx
group:3000054:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:group::---
default:group:512:rwx
default:group:513:---
default:group:3000004:r-x
default:group:3000007:rwx
default:group:3000053:rwx
default:group:3000054:r-x
default:mask::rwx
default:other::---

As you can see, the owner is set to root/Administrator while it should be 512.

I tried to set the correct ACL by hand using chown+setfacl, but sysvolreset turned it back into the incorrect one you see above.
Comment 2 Andrew Bartlett 2012-12-11 21:31:14 UTC
So, what is happening here is that when you have 'Domain Admins' mapped in idmap.ldb as IDMAP_GID, we have a problem when that group is required to own a file.  There is no UID value we can safely assign.

What we do is to instead assign the UID from 'Administrator', as a stop-gap measure.

From there, I tried to ensure that Windows would see the 'Domain Admins' owner (and not the posix owner), but this may not have worked out right.
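To make the mismatch in the description concrete, here is an added illustration (not Samba's code and not part of this bug's comments): a small Python parser for the two SDDL strings from the sysvolcheck error that reports which security-descriptor fields differ. The only difference is the owner, LA (the built-in Administrator account) on the filesystem versus DA (Domain Admins) in the GPO object, which is exactly the stop-gap described above.

```python
import re

# Both strings are copied from the sysvolcheck error in the bug description.
FS_SDDL = ("O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
DB_SDDL = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")

# Owner, group, DACL control flags, then the parenthesised ACE list.
# SACLs (S:...) are not handled; the strings in this bug have none.
_SDDL_RE = re.compile(r"^O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:"
                      r"(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")
_ACE_FIELDS = ("type", "flags", "rights", "object", "inherit_object", "trustee")


def parse_sddl(sddl):
    """Split an SDDL security descriptor into owner, group, DACL flags, ACEs."""
    m = _SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %s" % sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group("aces")):
        fields = ace.split(";")
        if len(fields) != len(_ACE_FIELDS):
            raise ValueError("malformed ACE: (%s)" % ace)
        aces.append(dict(zip(_ACE_FIELDS, fields)))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}


def diff_sddl(actual, expected):
    """Return human-readable differences, field by field, in ACE order."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = ["%s: %s != %s" % (k, a[k], e[k])
             for k in ("owner", "group", "dacl_flags") if a[k] != e[k]]
    for i, (x, y) in enumerate(zip(a["aces"], e["aces"])):
        if x != y:
            diffs.append("ace[%d]: %s != %s" % (i, x, y))
    if len(a["aces"]) != len(e["aces"]):
        diffs.append("ace count: %d != %d" % (len(a["aces"]), len(e["aces"])))
    return diffs


if __name__ == "__main__":
    for line in diff_sddl(FS_SDDL, DB_SDDL):
        print(line)  # prints: owner: LA != DA
```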
Comment 3 Stefan Metzmacher 2013-01-27 13:06:42 UTC
Andrew, is this related to https://bugzilla.samba.org/show_bug.cgi?id=9340
and already fixed?
Comment 4 Stefan Metzmacher 2013-08-09 12:04:47 UTC
Andrew, any updates?