Hi,

I have installed a virtual testing network consisting of one samba4 PDC (latest git master) and one Windows XP Pro SP3 (fully updated) machine.

I have successfully provisioned an AD Domain and joined the XP machine to it.
When I run the gpmc on the XP Pro machine and select:
Forest: <domain name> -> Domains -> <domain name> -> Group Policy Objects -> Default Domain [Controller | Policy]
I get the following error:

"The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory.
It is recommended that these permissions be consistent.
To change the SYSVOL permissions to those in Active Directory, click OK."

Hitting ok I get no error but as soon as I reselect THE SAME entry I get the same error, it doesn't seem to be able to fix the ACL.

I have found one post about this on the list (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was "fixed" a long time ago.
Seeing as I'm using the latest version I would assume this is a different issue.

If I try to change any of the ACLs on either of the folders in \\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors however the change doesn't stick.

Looking at the samba log files:

I get this when I start gpmc and click ok:
http://pastebin.com/7rBKyU1B

I get this when I start gpmc and don't click ok:
http://pastebin.com/B3DMSE1T

I get this when I alter the ACLs manually (after line 479 is when I actually alter the ACLs):
http://pastebin.com/2mEvWX6K

My smb.conf is stock. No alterations.
The server OS is Ubuntu 12.04.
The filesystem is ext4 mounted with the following options:
"errors=remount-ro,acl,user_xattr,barrier=1".
I have all acl packages installed that I have seen referenced by samba or in posts of a similar nature.

Thanks,

Alex
On Wed, 2012-10-24 at 10:49 +0100, Alex Matthews wrote:
> Hi,
>
> I have installed a virtual testing network consisting of one samba4 PDC
> (latest git master) and one Windows XP Pro SP3 (fully updated) machine.
>
> I have successfully provisioned an AD Domain and joined the XP machine
> to it.
> When I run the gpmc on the XP Pro machine and select:
> Forest: <domain name> -> Domains -> <domain name> -> Group Policy
> Objects -> Default Domain [Controller | Policy]
> I get the following error:
>
> "The permissions for this GPO in the SYSVOL folder are inconsistent with
> those in Active Directory.
> It is recommended that these permissions be consistent.
> To change the SYSVOL permissions to those in Active Directory, click OK."
>
> Hitting ok I get no error but as soon as I reselect THE SAME entry I get
> the same error, it doesn't seem to be able to fix the ACL.
>
> I have found one post about this on the list
> (https://bugzilla.samba.org/show_bug.cgi?id=5483) but apparently it was
> "fixed" a long time ago.
> Seeing as I'm using the latest version I would assume this is a
> different issue.
>
> If I try to change any of the ACLs on either of the folders in
> \\<pdc>\sysvol\<domain name>\Policies\ by hand I get no errors however
> the change doesn't stick.
>
>
> Looking at the samba log files:
>
> I get this when I start gpmc and click ok:
> http://pastebin.com/7rBKyU1B
>
> I get this when I start gpmc and don't click ok:
> http://pastebin.com/B3DMSE1T
>
> I get this when I alter the ACLs manually (after line 479 is when I
> actually alter the ACLs):
> http://pastebin.com/2mEvWX6K
>
> My smb.conf is stock. No alterations.
> The server OS is Ubuntu 12.04.
> The filesystem is ext4 mounted with the following options:
> "errors=remount-ro,acl,user_xattr,barrier=1".
> I have all acl packages installed that I have seen referenced by samba
> or in posts of a similar nature.

If you are in the mood for some testing, can you try my acl-fixes2 branch?

git remote add abartlet git://git.samba.org/abartlet/samba.git
git fetch abartlet
git checkout abartlet/acl-fixes2 -b abartlet-acl-fixes2

I'm trying to get these changes into master, but I'm not quite finished. You should only put these on a test server, as I may change data formats etc.

I would be very curious to know if this fixes the issue.

Otherwise or in addition, if you can show me the contents of your idmap.ldb (ldbsearch -H idmap.ldb) it might help me guess as to what is going wrong here, and fix it.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

Hi Andrew, Hi Alex,

Pleased to see that you figured this out.

We've got exactly the same problem from a blank provisioned domain (not a migration), with a setup with 2 gpo. (Ubuntu 12.04 - S4 rc3).

Since our instance is in a semi-production environment, we'll wait for your fix. But if needed, we could give you more level 10 logs.

Note that when the sysvolreset is launched and that sysvolcheck returns no errors, then the windows clients can't "gpupdate" anymore on some gpo.

Note also that when sysvolreset isn't launched at S4 update, the sysvolcheck command returns Alex's error but the client can update their gpo.

Cheers and good luck.

-----------------------
*** Olivier B ***
Fondation de la Miséricorde

On 30/10/2012 00:08, Jeremy Allison wrote:
> On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
>>>> be a particular trigger - but it shouldn't be able to make a
>>>> modification that doesn't go via vfs_acl_xattr.
>>>>
>>>> For Alex, before running the Group Policy tools on WinXP, he gets (at
>>>> level 10 on samba-tool ntacl sysvolcheck):
>>>>
>>>> get_nt_acl_internal: blob hash matches for
>>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
>>>>
>>>> then after, he gets:
>>>>
>>>> get_nt_acl_internal: blob hash does not match for
>>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.
>>> Is this message from smbd, or from samba-tool ?
>> That's what vfs_acl_common is printing, being run from samba-tool ntacl
>> sysvolcheck. It links to the VFS layer.
> So this looks like it's running the Group Policy tools on WinXP
> that causes the problem ?
>
> Can we get a debug level 10 log of that activity going on
> against smbd ?
>
> Jeremy.

Ok I have some additional info.

Using the GPMC I cannot create new GPOs.
I get the message:
"This security ID may not be assigned as the owner of this object"

If I use samba-tool gpo create I get the following:

# bin/samba-tool gpo create "SMC Students"
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
    self.samdb.add(m)

If I supply administrator as username I get:

# bin/samba-tool gpo create "SMC Students" -U administrator
Password for [SMC\administrator]:
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 987, in run
    conn.set_acl(sharepath, fs_sd, sio)

However this time it has successfully created the GPO. (GPMC still throws the same warnings about inconsistent ACLs).

bin/samba-tool gpo create "SMC Students" -d 10:
http://pastebin.com/tjutA68u

bin/samba-tool gpo create "SMC Students" -U administrator -d 10:
http://pastebin.com/8kkVEy7V

I would hazard a guess and say the GPMC error (when creating a GPO) is the same error as the samba-tool error.

Thanks,

Alex
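
An added example, not part of the thread and not Samba code: a sketch that compares two level 10 `samba-tool ntacl sysvolcheck` logs and lists the GPOs whose `get_nt_acl_internal` blob hash stopped matching between the runs, as in the before/after comparison quoted above. The function names are hypothetical and the sample logs are constructed from the two messages and paths that appear in the thread.

```python
import re

# The two vfs_acl_common debug messages quoted in the thread. \s+ between words
# tolerates the line wrapping applied when logs are pasted into mail.
MSG = re.compile(
    r"get_nt_acl_internal:\s+blob\s+hash\s+(matches|does\s+not\s+match)"
    r"\s+for\s+file\s+(\S+)"  # assumption: paths contain no whitespace
)
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def hash_status(log_text):
    """Map each path to 'match' or 'mismatch'; the last message per path wins."""
    return {
        path: "match" if verdict == "matches" else "mismatch"
        for verdict, path in MSG.findall(log_text)
    }


def new_mismatches(before_log, after_log):
    """GPO GUIDs (full path if no GUID) that mismatch in after_log but did not
    mismatch in before_log."""
    before, after = hash_status(before_log), hash_status(after_log)
    found = []
    for path, state in after.items():
        if state == "mismatch" and before.get(path) != "mismatch":
            guid = GUID.search(path)
            found.append(guid.group(0) if guid else path)
    return sorted(found)


# Constructed sample logs, built from the two messages and paths quoted above.
POLICIES = "/root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/"
DDP = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
DDCP = "{6AC1786C-016F-11D2-945F-00C04FB984F9}"
BEFORE_LOG = (
    f"get_nt_acl_internal: blob hash matches for file {POLICIES}{DDP}\n"
    f"get_nt_acl_internal: blob hash matches for file {POLICIES}{DDCP}\n"
)
AFTER_LOG = (
    "get_nt_acl_internal: blob hash does not match for\n"
    f"file {POLICIES}{DDP} - returning file system SD mapping.\n"
    f"get_nt_acl_internal: blob hash matches for file {POLICIES}{DDCP}\n"
)

if __name__ == "__main__":
    for gpo in new_mismatches(BEFORE_LOG, AFTER_LOG):
        print("ACL hash no longer matches:", gpo)
```

Capturing one log before and one after the GPMC session narrows the problem to the GPO directories that the client actually touched.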