Bug 9483 - incorrect gpo acl after sysvolreset (rc6)
Summary: incorrect gpo acl after sysvolreset (rc6)
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.0rc6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 13288
Depends on:
Blocks:
 
Reported: 2012-12-09 17:57 UTC by 375gnu
Modified: 2021-12-07 17:31 UTC
CC: 3 users

See Also:


Description 375gnu 2012-12-09 17:57:43 UTC
I'm running rc6, but it's not a clean installation; it's Samba 3
upgraded to 4.0 back in the beta2 days.

samba-tool ntacl sysvolcheck dies with a message about an incorrect ACL on
a GPO, but that ACL is the one set by sysvolreset.

$ sudo samba-tool ntacl sysvolcheck
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception
- ProvisioningError: DB ACL on GPO directory
/var/lib/samba/sysvol/shch8.brnv.rw/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value
O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 245, in run
    lp)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1576, in checksysvolacl
    direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1527, in check_gpos_acl
    domainsid, direct_db_access)
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1477, in check_dir_acl
    raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl))
Comment 1 375gnu 2012-12-11 18:05:39 UTC
Here is the output of getfacl:

# file: {6AC1786C-016F-11D2-945F-00C04FB984F9}/
# owner: 0
# group: 513
user::rwx
user:0:rwx
group::---
group:512:rwx
group:513:---
group:3000004:r-x
group:3000007:rwx
group:3000053:rwx
group:3000054:r-x
mask::rwx
other::---
default:user::rwx
default:user:0:rwx
default:group::---
default:group:512:rwx
default:group:513:---
default:group:3000004:r-x
default:group:3000007:rwx
default:group:3000053:rwx
default:group:3000054:r-x
default:mask::rwx
default:other::---

As you can see, the owner is set to root/Administrator while it should be 512.

I tried to set the correct ACL by hand using chown+setfacl, but sysvolreset turned it back into the incorrect one you see above.
Comment 2 Andrew Bartlett 2012-12-11 21:31:14 UTC
So, what is happening here is that when you have 'Domain Admins' mapped in idmap.ldb as IDMAP_GID, we have a problem when that group is required to own a file.  There is no UID value we can safely assign.

What we do is to instead assign the UID from 'Administrator', as a stop-gap measure.

From there, I tried to ensure that Windows would see the 'Domain Admins' owner (and not the posix owner), but this may not have worked out right.
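The report and the explanation above come down to a single differing field: the owner SID on the directory (LA, the Administrator account) versus the owner recorded on the GPO object (DA, Domain Admins), with identical group and ACE lists. The following is an added example, not Samba code, that parses the two SDDL descriptors quoted in the report and prints only the parts that differ, which is quicker than eyeballing two long strings; the regular expression and the alias table are assumptions that cover only the O:/G:/D: form sysvolcheck prints here.

```python
import re

# Descriptors copied from the sysvolcheck error in this report: the ACL found on the
# GPO directory (owner LA) and the value expected from the GPO object (owner DA).
FS_SDDL = ("O:LAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
           "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
                 "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Standard SDDL well-known SID abbreviations that appear in these descriptors (assumed table).
ALIASES = {"LA": "Administrator account", "DA": "Domain Admins", "EA": "Enterprise Admins",
           "DU": "Domain Users", "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}

# Assumption: only the O:<sid>G:<sid>D:<flags>(ace)... form is handled, no SACL part.
SDDL_RE = re.compile(r"O:([\w-]+?)G:([\w-]+?)D:([A-Z]*)((?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split a descriptor into owner, group, DACL control flags and a list of ACE tuples."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    owner, group, flags, ace_blob = m.groups()
    # Each ACE is (type;flags;rights;object_guid;inherit_object_guid;trustee).
    aces = [tuple(ace.split(";")) for ace in re.findall(r"\(([^)]*)\)", ace_blob)]
    return {"owner": owner, "group": group, "dacl_flags": flags, "aces": aces}

def diff_sddl(actual, expected):
    """Return {field: (actual, expected)} for every part of the descriptor that differs."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = {k: (a[k], e[k]) for k in ("owner", "group", "dacl_flags") if a[k] != e[k]}
    extra, missing = set(a["aces"]) - set(e["aces"]), set(e["aces"]) - set(a["aces"])
    if extra or missing:
        diffs["aces"] = (sorted(extra), sorted(missing))   # ACEs present only on one side
    elif a["aces"] != e["aces"]:
        diffs["ace_order"] = (a["aces"], e["aces"])         # same ACEs, different order
    return diffs

def describe(diffs):
    """Render the diff with well-known names so the mismatch is readable at a glance."""
    lines = []
    for field, (got, want) in diffs.items():
        if field in ("owner", "group"):
            lines.append("%s is %s (%s), expected %s (%s)" % (
                field, got, ALIASES.get(got, "?"), want, ALIASES.get(want, "?")))
        else:
            lines.append("%s differ: %r vs %r" % (field, got, want))
    return lines

if __name__ == "__main__":
    for line in describe(diff_sddl(FS_SDDL, EXPECTED_SDDL)):
        print(line)
```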
Comment 3 Stefan Metzmacher 2013-01-27 13:06:42 UTC
Andrew, is this related to https://bugzilla.samba.org/show_bug.cgi?id=9340
and already fixed?
Comment 4 Stefan Metzmacher 2013-08-09 12:04:47 UTC
Andrew, any updates?
Comment 5 Björn Jacke 2021-12-07 17:13:29 UTC
Closing this 10-year-old bug now. It also works fine for me. My advice is actually not to use rfc2307 idmappings on AD DCs generally. rfc2307 helps you shoot yourself in the knee here and can lead to problems like this.
Comment 6 Björn Jacke 2021-12-07 17:31:46 UTC
*** Bug 13288 has been marked as a duplicate of this bug. ***