Norberto Bensa
2012-Oct-10 04:04 UTC
[Samba] samba4, classicupgrade: set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER
Hello,
I'm testing samba4. I've setup a small samba3+ldap pdc, and then I
tried a classicupgrade, but I can't pass step 4 of the howto.
ubuntu at samba4:~/samba4$ /usr/local/samba/sbin/samba -V
Version 4.1.0pre1-GIT-899cdc4
ubuntu at samba4:~/samba4$ sudo /usr/local/samba/bin/samba-tool domain
classicupgrade --realm=example.com --dbdir=/root/samba
/root/samba/smb.conf
Reading smb.conf
Provisioning
Exporting account policy
Exporting groups
Exporting users
Skipping wellknown rid=500 (for username=Administrator)
Skipping wellknown rid=501 (for username=nobody)
Demoting BDC account trust for samba3, this DC must be elevated to
an AD DC using 'samba-tool domain promote'
Next rid = 1009
Exporting posix attributes
Reading WINS database
Cannot open wins database, Ignoring: [Errno 2] No such file or
directory: '/root/samba/wins.dat'
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting acl on sysvol skipped
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at
/usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Admin password: ,mlY4&4K(WD&G(O7a_-.6M at E
Server Role: active directory domain controller
Hostname: samba4
NetBIOS Domain: EXAMPLE
DNS Domain: example.com
DOMAIN SID: S-1-5-21-831389399-4071795767-414191908
A phpLDAPadmin configuration file suitable for administering the Samba
4 LDAP server has been created in
/usr/local/samba/private/phpldapadmin-config.php.
Importing WINS database
Importing Account policy
Importing idmap database
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Importing groups
Group already exists sid=S-1-5-21-831389399-4071795767-414191908-513,
groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Group already exists sid=S-1-5-21-831389399-4071795767-414191908-512,
groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-831389399-4071795767-414191908-514,
groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-32-544, groupname=Administrators
existing_groupname=Administrators, Ignoring.
Group already exists sid=S-1-5-32-545, groupname=Users
existing_groupname=Users, Ignoring.
Group already exists sid=S-1-5-32-546, groupname=Guests
existing_groupname=Guests, Ignoring.
Importing users
Adding users to groups
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
ERROR(runtime): uncaught exception - (-1073741734,
'NT_STATUS_INVALID_OWNER')
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 170, in _run
return self.run(*args, **kwargs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 1321, in run
useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py",
line 913, in upgrade_from_samba3
result.names.domaindn, result.lp, use_ntvfs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1468, in setsysvolacl
set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1405, in set_gpos_acl
str(domainsid), use_ntvfs)
File
"/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1369, in set_dir_acl
setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py",
line 108, in setntacl
smbd.set_nt_acl(file, security.SECINFO_OWNER |
security.SECINFO_GROUP | security.SECINFO_DACL |
security.SECINFO_SACL, sd)
ubuntu at samba4:~/samba4$ sudo testparm /root/samba/smb.conf
[global]
workgroup = EXAMPLE
passdb backend = ldapsam:ldap://localhost/
domain logons = Yes
os level = 33
preferred master = Yes
domain master = Yes
ldap admin dn = cn=admin,dc=example,dc=com
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap passwd sync = yes
ldap suffix = dc=example,dc=com
ldap ssl = no
ldap user suffix = ou=users
template homedir = /home/%u
ldapsam:trusted = yes
ldapsam:editposix = yes
idmap config * : backend = tdb
[profiles]
path = /home/samba/profiles/%U
valid users = %U
read only = No
[netlogon]
path = /home/samba/netlogon
guest ok = Yes
[homes]
path = /home/%U
valid users = %U
read only = No
DIT is very simple:
ubuntu at samba4:~/samba4$ ldapsearch -x -LLL dn
dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com
dn: ou=users,dc=example,dc=com
dn: ou=groups,dc=example,dc=com
dn: ou=computers,dc=example,dc=com
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
dn: cn=domusers,ou=groups,dc=example,dc=com
dn: cn=domadmins,ou=groups,dc=example,dc=com
dn: uid=Administrator,ou=users,dc=example,dc=com
dn: uid=nobody,ou=users,dc=example,dc=com
dn: cn=domguests,ou=groups,dc=example,dc=com
dn: sambaSID=S-1-5-32-544,ou=groups,dc=example,dc=com
dn: sambaSID=S-1-5-32-545,ou=groups,dc=example,dc=com
dn: sambaSID=S-1-5-32-546,ou=groups,dc=example,dc=com
dn: uid=nbensa,ou=users,dc=example,dc=com
dn: uid=samba3$,ou=computers,dc=example,dc=com
dn: uid=marisa,ou=users,dc=example,dc=com
dn: uid=diego,ou=users,dc=example,dc=com
Increasing log level shows "set_nt_acl_no_snum: fset_nt_acl returned
NT_STATUS_INVALID_OWNER" seems to come from:
ubuntu at samba4:~/samba4$ sudo ls -ld /usr/local/samba/var/locks/sysvol/
drwxrwx---+ 3 root 2002 4096 oct 10 03:44 /usr/local/samba/var/locks/sysvol/
Note gid 2002. I have no gid=2002... but nbensa is *uid* 2002. Does
this ring any bell?
ubuntu at samba4:~/samba4$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
bind:x:103:106::/var/cache/bind:/bin/false
openldap:x:104:107:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
Administrator:*:2000:2001:Administrator:/home/Administrator:/bin/false
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
nbensa:*:2002:2000:nbensa:/home/nbensa:/bin/bash
marisa:*:2004:2000:marisa:/home/marisa:/bin/bash
diego:*:2007:2000:diego:/home/diego:/bin/false
ubuntu at samba4:~/samba4$ getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:ubuntu
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
syslog:x:103:
ssh:x:104:
ubuntu:x:1000:
ssl-cert:x:105:
bind:x:106:
openldap:x:107:
winbindd_priv:x:108:
sambashare:x:109:
domusers:*:2000:
domadmins:*:2001:
domguests:*:65534:
Thanks for reading!
Norberto
Andrew Bartlett
2012-Oct-11 01:55 UTC
[Samba] samba4, classicupgrade: set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER
On Wed, 2012-10-10 at 01:04 -0300, Norberto Bensa wrote:> Hello, > > I'm testing samba4. I've setup a small samba3+ldap pdc, and then I > tried a classicupgrade, but I can't pass step 4 of the howto.As mentioned in the WHATSNEW, we have an issue when we upgrade a domain with a domain admins group specified. The problem is that the domain admins group needs to own files in sysvol, but on upgrade we honour the existin GID-only mapping for that group. A patch is in GIT master (to paper over the issue), which may be backported to the 4.0 release stream once folks confirm it works properly. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org
Norberto Bensa
2012-Oct-12 03:55 UTC
[Samba] samba4, classicupgrade: set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER
Hello Andrew, 2012/10/10 Andrew Bartlett <abartlet at samba.org>:> > A patch is in GIT master (to paper over the issue), which may be > backported to the 4.0 release stream once folks confirm it works > properly.And so I pulled from master, and now it correctly upgrades the test domain. Thank very much!! Regards, Norberto