Thank you guys for looking at this.
On 05/02/2021 11:39, Rowland penny via samba wrote:
> However these numbers are appearing during a provision and surely at
> this point all the ID numbers are in the '3000000' range, so where
> are the '30000' numbers coming from ?
Sorry, I didn't tell the whole story. To fit the uids and gids into the
default mapping range of an unprivileged container I also had to set
lowerBound: 30000
upperBound: 65533
in idmap_init.ldif
I didn't want to enlarge the allowed mapping range for the Linux container
because I won't have that many uids and gids.
On 05/02/2021 11:06, Ralph Boehme via samba wrote:
> the module does a getgrgid() call on those ids and apparently nsswitch
> doesn't know about those ids. Do you have winbind in nsswitch.conf?
> Fwiw, I have no idea if that is sensible on an AD DC... :)
>
> Having said that, when the mapping fails the full NT ACL will not be stored
> correctly, so this likely means your AD DC setup is screwed. What does
> samba-tool ntacl sysvolcheck/sysvolreset have to say on this?
"samba-tool ntacl sysvolcheck" did throw an exception:
ERROR(<class 'TypeError'>): uncaught exception - (61, 'No data available')
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/netcmd/ntacl.py", line 446, in run
    lp)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/provision/__init__.py", line 1885, in checksysvolacl
    fsacl = getntacl(lp, dir_path, session_info,
                     direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/local/samba/lib/python3.7/site-packages/samba/ntacls.py", line 121, in getntacl
    xattr.XATTR_NTACL_NAME)
and "samba-tool ntacl sysvolreset" issued the same "Unknown gid" warnings
as the provisioning script.
However, after adding winbind to the passwd and group entries in
/etc/nsswitch.conf the sysvolreset completes without any messages but the
sysvolcheck is still not happy and throws the exception.
The error message seems to indicate that it's expecting to find an NTACL
where there is none. Any idea why?
-----------
Thomas
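The two checks this thread turns on (whether winbind is listed for the passwd and group databases in nsswitch.conf, and whether the lowered idmap bounds still fit inside the unprivileged container's uid/gid mapping), as an added example in Python; this is not code from the thread or from Samba, and the LDIF snippet, the uid_map extent and the nsswitch.conf text are constructed sample inputs passed in as strings.

```python
import re

# Constructed sample inputs (not taken from a real host): the idmap bounds
# mentioned in the thread, a typical unprivileged-container uid_map extent,
# and an nsswitch.conf that does not yet list winbind.
SAMPLE_LDIF = "dn: CN=CONFIG\nlowerBound: 30000\nupperBound: 65533\n"
SAMPLE_UID_MAP = "         0     100000      65536\n"
SAMPLE_NSSWITCH = "passwd: files systemd\ngroup:  files systemd\nhosts: files dns\n"

def parse_idmap_bounds(ldif):
    """Return (lowerBound, upperBound) from idmap_init.ldif-style text."""
    bounds = {}
    for line in ldif.splitlines():
        m = re.match(r"^(lowerBound|upperBound):\s*(\d+)\s*$", line)
        if m:
            bounds[m.group(1)] = int(m.group(2))
    return bounds["lowerBound"], bounds["upperBound"]

def parse_id_map(text):
    """Parse /proc/<pid>/uid_map or gid_map into (inside, outside, length) tuples."""
    return [tuple(int(f) for f in line.split()) for line in text.splitlines() if line.strip()]

def range_is_mapped(lower, upper, id_map):
    """True when every id in [lower, upper] lies inside one mapped extent."""
    return any(inside <= lower and upper < inside + length for inside, _, length in id_map)

def nsswitch_sources(text):
    """Map each nsswitch database (passwd, group, ...) to its list of sources."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, srcs = line.split(":", 1)
            sources[db.strip()] = srcs.split()
    return sources

def diagnose(ldif, uid_map, gid_map, nsswitch):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    lower, upper = parse_idmap_bounds(ldif)
    for name, text in (("uid_map", uid_map), ("gid_map", gid_map)):
        if not range_is_mapped(lower, upper, parse_id_map(text)):
            findings.append(f"idmap range {lower}-{upper} is not fully mapped in {name}")
    srcs = nsswitch_sources(nsswitch)
    for db in ("passwd", "group"):
        if "winbind" not in srcs.get(db, []):
            findings.append(f"nsswitch.conf: '{db}' lacks winbind, so getgrgid/getpwuid on {lower}-{upper} will fail")
    return findings
```

On a live host the same functions can be fed the real /etc/nsswitch.conf, /proc/self/uid_map and /proc/self/gid_map contents; the uid_map check is the one that explains why bounds above the container's mapped length would have to be lowered in the first place.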