Fix various ACL checks in Samba DC code
Activity

Andrew Walker February 12, 2019 at 5:04 PM
Testing criteria:
1) Provision domain
2) run "samba-tool ntacl sysvolcheck"

Andrew Walker January 3, 2019 at 2:02 PM
I've fixed this in Samba 4.9, which is getting pulled into the next 11.2 release.
<pre>
root@S49DC[~]# getfacl /var/db/samba4/sysvol/samdom.fun/Policies
file: /var/db/samba4/sysvol/samdom.fun/Policies
owner: SAMDOM\administrator
group: BUILTIN\administrators
group:BUILTIN\administrators:rwxpDdaARWcCo-:fd-----:allow
group:BUILTIN\server operators:r-x---a-R-c---:fd-----:allow
group:NT AUTHORITY\system:rwxpDdaARWcCo-:fd-----:allow
group:NT AUTHORITY\authenticated users:r-x---a-R-c---:fd-----:allow
group:SAMDOM\group policy creator owners:rwxp-daARWc---:fd-----:allow
root@S49DC[~]#
root@S49DC[~]#
root@S49DC[~]# setfacl -x 0 /var/db/samba4/sysvol/samdom.fun/Policies
root@S49DC[~]#
root@S49DC[~]# getfacl /var/db/samba4/sysvol/samdom.fun/Policies
file: /var/db/samba4/sysvol/samdom.fun/Policies
owner: SAMDOM\administrator
group: BUILTIN\administrators
group:BUILTIN\server operators:r-x---a-R-c---:fd-----:allow
group:NT AUTHORITY\system:rwxpDdaARWcCo-:fd-----:allow
group:NT AUTHORITY\authenticated users:r-x---a-R-c---:fd-----:allow
group:SAMDOM\group policy creator owners:rwxp-daARWc---:fd-----:allow
root@S49DC[~]#
root@S49DC[~]#
root@S49DC[~]# samba-tool ntacl sysvolreset
root@S49DC[~]#
root@S49DC[~]#
root@S49DC[~]# getfacl /var/db/samba4/sysvol/samdom.fun/Policies
file: /var/db/samba4/sysvol/samdom.fun/Policies
owner: SAMDOM\administrator
group: BUILTIN\administrators
group:BUILTIN\administrators:rwxpDdaARWcCo-:fd-----:allow
group:BUILTIN\server operators:r-x---a-R-c---:fd-----:allow
group:NT AUTHORITY\system:rwxpDdaARWcCo-:fd-----:allow
group:NT AUTHORITY\authenticated users:r-x---a-R-c---:fd-----:allow
group:SAMDOM\group policy creator owners:rwxp-daARWc---:fd-----:allow
</pre>
I'll take this opportunity to do a once-over on the ZFS provisioning code in our 4.9 branch.
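A small drift check for the sysvol ACL shown in this comment, added here as an example (not Samba or FreeNAS code): it parses FreeBSD getfacl NFSv4 output and reports which of the entries that `sysvolreset` writes are missing and which entries are present that the baseline never grants. The dump it runs on is constructed to match the state after `setfacl -x 0`, with one stray entry added.

```python
"""Check a FreeBSD getfacl(1) NFSv4 dump of the sysvol Policies directory against
the ACL that samba-tool ntacl sysvolreset restored above. Added example, not Samba code."""
from typing import NamedTuple

# One NFSv4 ACE: tag (owner@/group@/everyone@/user/group), principal (empty for
# the @ tags), permission letters, inheritance flags, allow or deny.
Ace = NamedTuple("Ace", [("tag", str), ("who", str), ("perms", str),
                         ("flags", str), ("kind", str)])

def parse_getfacl(text):
    """Parse getfacl output; the '# file/owner/group' header lines are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        head, perms, flags, kind = line.rsplit(":", 3)  # principals never hold ':'
        tag, _, who = head.partition(":")
        aces.append(Ace(tag, who, perms, flags, kind))
    return aces

# ACL shown after `samba-tool ntacl sysvolreset` in the comment above (Samba 4.9).
SYSVOL_POLICIES_BASELINE = parse_getfacl(r"""
group:BUILTIN\administrators:rwxpDdaARWcCo-:fd-----:allow
group:BUILTIN\server operators:r-x---a-R-c---:fd-----:allow
group:NT AUTHORITY\system:rwxpDdaARWcCo-:fd-----:allow
group:NT AUTHORITY\authenticated users:r-x---a-R-c---:fd-----:allow
group:SAMDOM\group policy creator owners:rwxp-daARWc---:fd-----:allow
""")

def check_sysvol_acl(getfacl_output, baseline=SYSVOL_POLICIES_BASELINE):
    """Return (missing, unexpected): baseline ACEs absent from the dump, and
    ACEs in the dump that the baseline never grants."""
    actual = parse_getfacl(getfacl_output)
    missing = [a for a in baseline if a not in actual]
    unexpected = [a for a in actual if a not in baseline]
    return missing, unexpected

# Constructed dump: the state after `setfacl -x 0` removed entry 0, plus a stray
# allow for Domain Users (hypothetical) that sysvolreset would not create.
DRIFTED_DUMP = r"""
# file: /var/db/samba4/sysvol/samdom.fun/Policies
group:BUILTIN\server operators:r-x---a-R-c---:fd-----:allow
group:NT AUTHORITY\system:rwxpDdaARWcCo-:fd-----:allow
group:NT AUTHORITY\authenticated users:r-x---a-R-c---:fd-----:allow
group:SAMDOM\group policy creator owners:rwxp-daARWc---:fd-----:allow
group:SAMDOM\domain users:rwxp-daARWc---:fd-----:allow
"""
```

On a real DC, feed `check_sysvol_acl` the output of `getfacl` on the Policies directory; a non-empty `missing` list is the condition under which `sysvolreset` should be run, and anything in `unexpected` deserves a look before resetting.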
Details
Assignee: Andrew Walker
Reporter: Andrew Bellows
Priority: Low
Description
Dealing with the dreaded "The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory" issue with my FreeNAS box running an Active Directory Domain controller. When I try to run samba-tool ntacl sysvolreset it fails with the following message:
<pre>
samba-tool ntacl sysvolreset
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER.
ERROR(runtime): uncaught exception - (-1073741811, 'An invalid parameter was passed to a service or function.')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 239, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1595, in setsysvolacl
    service=SYSVOL_SERVICE)
  File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 162, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd, service=service)
</pre>
If I try samba-tool ntacl sysvolcheck, I get the following message:
<pre>
samba-tool ntacl sysvolcheck
ERROR( ): uncaught exception - (87, 'Attribute not found')
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 270, in run
    lp)
  File "/usr/local/lib/python2.7/site-packages/samba/provision/__init__.py", line 1716, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/local/lib/python2.7/site-packages/samba/ntacls.py", line 81, in getntacl
    xattr.XATTR_NTACL_NAME)
</pre>