Jonathan Hunter
2019-Jul-18 13:11 UTC
[Samba] Syncing sysvol -> samba-tool ntacl sysvolreset?
On Wed, 17 Jul 2019 at 17:58, Rowland penny via samba <samba at lists.samba.org> wrote:> > On 17/07/2019 17:43, Kris Lou via samba wrote: > > I had thought that the conventional wisdom was that ntacl sysvolreset > > should be mostly avoided once relative stability achieved and additional > > GPO's created. > > > > https://wiki.samba.org/index.php/Sysvolreset > > > > Has this changed recently? > > Well, to my knowledge, the problem hasn't been fixed yet, but then > again, it might have been as a side affect of other fixes. There doesn't > seem to have been many 'sysvolreset doesn't work' reports recently, > whether this is because it has been fixed or because people just aren't > using it, I do not know ;-)I'm an infrequent poster to this list (mostly because I tend to dip in and out, I often go weeks/months without checking my gmail) but I saw this and it caught my eye :) For me, at least, "ntacl sysvolreset" is definitely broken and has been for the last few years. It's on my list of things I really need to fix as soon as possible, but I just haven't had enough tuits - probably because as Rowland says, there hasn't been much discussion of any breakage and therefore I assume it works for other people. In my case, it's definitely not working :) I'm following these bugs in bugzilla: https://bugzilla.samba.org/show_bug.cgi?id=12363 https://bugzilla.samba.org/show_bug.cgi?id=12924 and right now I just tried sysvolreset (I'm running 4.10.6) and got: set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.') File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/__init__.py", line 185, in _run return self.run(*args, **kwargs) File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/ntacl.py", line 283, in run lp, use_ntvfs=use_ntvfs) File "/usr/local/samba/lib/python3.4/site-packages/samba/provision/__init__.py", line 1742, in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb) File "/usr/local/samba/lib/python3.4/site-packages/samba/provision/__init__.py", line 1636, in set_gpos_acl passdb=passdb) File "/usr/local/samba/lib/python3.4/site-packages/samba/provision/__init__.py", line 1599, in set_dir_acl setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service) File "/usr/local/samba/lib/python3.4/site-packages/samba/ntacls.py", line 232, in setntacl service=service, session_info=session_info) HTH! J -- "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Rowland penny
2019-Jul-18 13:26 UTC
[Samba] Syncing sysvol -> samba-tool ntacl sysvolreset?
On 18/07/2019 14:11, Jonathan Hunter via samba wrote:> On Wed, 17 Jul 2019 at 17:58, Rowland penny via samba > <samba at lists.samba.org> wrote: >> On 17/07/2019 17:43, Kris Lou via samba wrote: >>> I had thought that the conventional wisdom was that ntacl sysvolreset >>> should be mostly avoided once relative stability achieved and additional >>> GPO's created. >>> >>> https://wiki.samba.org/index.php/Sysvolreset >>> >>> Has this changed recently? >> Well, to my knowledge, the problem hasn't been fixed yet, but then >> again, it might have been as a side affect of other fixes. There doesn't >> seem to have been many 'sysvolreset doesn't work' reports recently, >> whether this is because it has been fixed or because people just aren't >> using it, I do not know ;-) > I'm an infrequent poster to this list (mostly because I tend to dip in > and out, I often go weeks/months without checking my gmail) but I saw > this and it caught my eye :) > > For me, at least, "ntacl sysvolreset" is definitely broken and has > been for the last few years. It's on my list of things I really need > to fix as soon as possible, but I just haven't had enough tuits - > probably because as Rowland says, there hasn't been much discussion of > any breakage and therefore I assume it works for other people. In my > case, it's definitely not working :) > > I'm following these bugs in bugzilla: > https://bugzilla.samba.org/show_bug.cgi?id=12363 > https://bugzilla.samba.org/show_bug.cgi?id=12924 > > and right now I just tried sysvolreset (I'm running 4.10.6) and got: > > set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND > ERROR(runtime): uncaught exception - (3221225524, 'The object name is > not found.') > File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/__init__.py", > line 185, in _run > return self.run(*args, **kwargs) > File "/usr/local/samba/lib/python3.4/site-packages/samba/netcmd/ntacl.py", > line 283, in run > lp, use_ntvfs=use_ntvfs) > File "/usr/local/samba/lib/python3.4/site-packages/samba/provision/__init__.py", > line 1742, in setsysvolacl > set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, > use_ntvfs, passdb=s4_passdb) > File "/usr/local/samba/lib/python3.4/site-packages/samba/provision/__init__.py", > line 1636, in set_gpos_acl > passdb=passdb) > File "/usr/local/samba/lib/python3.4/site-packages/samba/provision/__init__.py", > line 1599, in set_dir_acl > setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, > skip_invalid_chown=True, passdb=passdb, service=service) > File "/usr/local/samba/lib/python3.4/site-packages/samba/ntacls.py", > line 232, in setntacl > service=service, session_info=session_info) > > HTH! > > J >I reported this as a bug back in 2017: https://bugzilla.samba.org/show_bug.cgi?id=12924 There has been only one response to it, from someone called 'Jonathan Hunter' ;-) The main problem with Sysvol on Samba is that it has NEVER used the same permissions that Windows does. I tried to fix this and turned up the problem that bug 12924 is all about. I cannot write 'C' code, so someone else will have to fix this. Rowland
Jonathan Hunter
2019-Jul-18 15:54 UTC
[Samba] Syncing sysvol -> samba-tool ntacl sysvolreset?
Hi, On Thu, 18 Jul 2019 at 14:27, Rowland penny via samba <samba at lists.samba.org> wrote:> > On 18/07/2019 14:11, Jonathan Hunter via samba wrote: > > For me, at least, "ntacl sysvolreset" is definitely broken and has > > been for the last few years. It's on my list of things I really need > > to fix as soon as possible, but I just haven't had enough tuits - > > probably because as Rowland says, there hasn't been much discussion of > > any breakage and therefore I assume it works for other people. In my > > case, it's definitely not working :) > > > > I'm following these bugs in bugzilla: > > https://bugzilla.samba.org/show_bug.cgi?id=12363 > > https://bugzilla.samba.org/show_bug.cgi?id=12924 > > > I reported this as a bug back in 2017: > https://bugzilla.samba.org/show_bug.cgi?id=12924 > > There has been only one response to it, from someone called 'Jonathan > Hunter' ;-)Indeed. Perhaps it really is just me, and it works perfectly for everyone else. I found my previous attempt at digging further into the issue, I figured that if I could get enough debugging information out of the sysvolreset command then I could figure out exactly what was failing. But, there are so many different layers (python, core, vfs etc.) that I just never managed to actually insert a debugging hook that helped (again, I ran out of tuits at the time) https://lists.samba.org/archive/samba/2019-April/222469.html The patch here looked tantalisingly perfect to help me figure out the problem area, but it didn't work for me when I tried: https://forge.univention.org/bugzilla/show_bug.cgi?id=38217> The main problem with Sysvol on Samba is that it has NEVER used the same > permissions that Windows does. I tried to fix this and turned up the > problem that bug 12924 is all about. I cannot write 'C' code, so someone > else will have to fix this.I'm comfortable-ish with C but not familiar with the full Samba codebase unfortunately, and my dipping in every few months hasn't helped me either :( My most detailed attempt at tracking down the issue was in September 2016 (wow! time really does fly..!) https://lists.samba.org/archive/samba/2016-September/203261.html but I didn't get to the bottom of it then, either. For now I'm basically bumbling along without working GPOs :( -- "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein