Norberto Bensa
2012-Oct-10 04:04 UTC
[Samba] samba4, classicupgrade: set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER
Hello,

I'm testing samba4. I've set up a small samba3+ldap pdc, and then I tried a classicupgrade, but I can't pass step 4 of the howto.

ubuntu@samba4:~/samba4$ /usr/local/samba/sbin/samba -V
Version 4.1.0pre1-GIT-899cdc4

ubuntu@samba4:~/samba4$ sudo /usr/local/samba/bin/samba-tool domain classicupgrade --realm=example.com --dbdir=/root/samba /root/samba/smb.conf
Reading smb.conf
Provisioning
Exporting account policy
Exporting groups
Exporting users
Skipping wellknown rid=500 (for username=Administrator)
Skipping wellknown rid=501 (for username=nobody)
Demoting BDC account trust for samba3, this DC must be elevated to an AD DC using 'samba-tool domain promote'
Next rid = 1009
Exporting posix attributes
Reading WINS database
Cannot open wins database, Ignoring: [Errno 2] No such file or directory: '/root/samba/wins.dat'
Looking up IPv4 addresses
Looking up IPv6 addresses
No IPv6 address will be assigned
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=example,DC=com
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Setting acl on sysvol skipped
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=example,DC=com
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Setting up fake yp server settings
Once the above files are installed, your Samba4 server will be ready to use
Admin password: ,mlY4&4K(WD&G(O7a_-.6M@E
Server Role: active directory domain controller
Hostname: samba4
NetBIOS Domain: EXAMPLE
DNS Domain: example.com
DOMAIN SID: S-1-5-21-831389399-4071795767-414191908
A phpLDAPadmin configuration file suitable for administering the Samba 4 LDAP server has been created in /usr/local/samba/private/phpldapadmin-config.php.
Importing WINS database
Importing Account policy
Importing idmap database
Cannot open idmap database, Ignoring: [Errno 2] No such file or directory
Importing groups
Group already exists sid=S-1-5-21-831389399-4071795767-414191908-513, groupname=Domain Users existing_groupname=Domain Users, Ignoring.
Group already exists sid=S-1-5-21-831389399-4071795767-414191908-512, groupname=Domain Admins existing_groupname=Domain Admins, Ignoring.
Group already exists sid=S-1-5-21-831389399-4071795767-414191908-514, groupname=Domain Guests existing_groupname=Domain Guests, Ignoring.
Group already exists sid=S-1-5-32-544, groupname=Administrators existing_groupname=Administrators, Ignoring.
Group already exists sid=S-1-5-32-545, groupname=Users existing_groupname=Users, Ignoring.
Group already exists sid=S-1-5-32-546, groupname=Guests existing_groupname=Guests, Ignoring.
Importing users
Adding users to groups
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER.
ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 170, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 1321, in run
    useeadb=eadb, dns_backend=dns_backend, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/upgrade.py", line 913, in upgrade_from_samba3
    result.names.domaindn, result.lp, use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1468, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1405, in set_gpos_acl
    str(domainsid), use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1369, in set_dir_acl
    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 108, in setntacl
    smbd.set_nt_acl(file, security.SECINFO_OWNER | security.SECINFO_GROUP | security.SECINFO_DACL | security.SECINFO_SACL, sd)

ubuntu@samba4:~/samba4$ sudo testparm /root/samba/smb.conf
[global]
	workgroup = EXAMPLE
	passdb backend = ldapsam:ldap://localhost/
	domain logons = Yes
	os level = 33
	preferred master = Yes
	domain master = Yes
	ldap admin dn = cn=admin,dc=example,dc=com
	ldap delete dn = Yes
	ldap group suffix = ou=groups
	ldap machine suffix = ou=computers
	ldap passwd sync = yes
	ldap suffix = dc=example,dc=com
	ldap ssl = no
	ldap user suffix = ou=users
	template homedir = /home/%u
	ldapsam:trusted = yes
	ldapsam:editposix = yes
	idmap config * : backend = tdb

[profiles]
	path = /home/samba/profiles/%U
	valid users = %U
	read only = No

[netlogon]
	path = /home/samba/netlogon
	guest ok = Yes

[homes]
	path = /home/%U
	valid users = %U
	read only = No

DIT is very simple:

ubuntu@samba4:~/samba4$ ldapsearch -x -LLL dn
dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com
dn: ou=users,dc=example,dc=com
dn: ou=groups,dc=example,dc=com
dn: ou=computers,dc=example,dc=com
dn: sambaDomainName=EXAMPLE,dc=example,dc=com
dn: cn=domusers,ou=groups,dc=example,dc=com
dn: cn=domadmins,ou=groups,dc=example,dc=com
dn: uid=Administrator,ou=users,dc=example,dc=com
dn: uid=nobody,ou=users,dc=example,dc=com
dn: cn=domguests,ou=groups,dc=example,dc=com
dn: sambaSID=S-1-5-32-544,ou=groups,dc=example,dc=com
dn: sambaSID=S-1-5-32-545,ou=groups,dc=example,dc=com
dn: sambaSID=S-1-5-32-546,ou=groups,dc=example,dc=com
dn: uid=nbensa,ou=users,dc=example,dc=com
dn: uid=samba3$,ou=computers,dc=example,dc=com
dn: uid=marisa,ou=users,dc=example,dc=com
dn: uid=diego,ou=users,dc=example,dc=com

Increasing log level shows "set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER" seems to come from:

ubuntu@samba4:~/samba4$ sudo ls -ld /usr/local/samba/var/locks/sysvol/
drwxrwx---+ 3 root 2002 4096 oct 10 03:44 /usr/local/samba/var/locks/sysvol/

Note gid 2002. I have no gid=2002... but nbensa is *uid* 2002. Does this ring any bell?

ubuntu@samba4:~/samba4$ getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
ubuntu:x:1000:1000::/home/ubuntu:/bin/bash
bind:x:103:106::/var/cache/bind:/bin/false
openldap:x:104:107:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
Administrator:*:2000:2001:Administrator:/home/Administrator:/bin/false
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
nbensa:*:2002:2000:nbensa:/home/nbensa:/bin/bash
marisa:*:2004:2000:marisa:/home/marisa:/bin/bash
diego:*:2007:2000:diego:/home/diego:/bin/false

ubuntu@samba4:~/samba4$ getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:
floppy:x:25:
tape:x:26:
sudo:x:27:ubuntu
audio:x:29:
dip:x:30:
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:
sasl:x:45:
plugdev:x:46:
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
syslog:x:103:
ssh:x:104:
ubuntu:x:1000:
ssl-cert:x:105:
bind:x:106:
openldap:x:107:
winbindd_priv:x:108:
sambashare:x:109:
domusers:*:2000:
domadmins:*:2001:
domguests:*:65534:

Thanks for reading!

Norberto
Andrew Bartlett
2012-Oct-11 01:55 UTC
[Samba] samba4, classicupgrade: set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER
On Wed, 2012-10-10 at 01:04 -0300, Norberto Bensa wrote:
> Hello,
>
> I'm testing samba4. I've set up a small samba3+ldap pdc, and then I
> tried a classicupgrade, but I can't pass step 4 of the howto.

As mentioned in the WHATSNEW, we have an issue when we upgrade a domain with a domain admins group specified. The problem is that the domain admins group needs to own files in sysvol, but on upgrade we honour the existing GID-only mapping for that group.

A patch is in GIT master (to paper over the issue), which may be backported to the 4.0 release stream once folks confirm it works properly.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
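The GID-only mapping Andrew describes can be checked directly against idmap.ldb. What follows is an added example, not code from this thread or from Samba: it parses the LDIF that `ldbsearch -H /usr/local/samba/private/idmap.ldb '(objectSid=<sid>)'` prints for an idmap entry and applies the rule behind the error, namely that only a SID mapped to a uid (type ID_TYPE_UID or ID_TYPE_BOTH) can be the owner in a security descriptor, so a SID mapped as ID_TYPE_GID is rejected with NT_STATUS_INVALID_OWNER (0xC000005A, which is the -1073741734 in the traceback once read as a signed 32-bit value). The sample LDIF is constructed for this example using the thread's domain SID with RID 512 (Domain Admins) and the domadmins GID 2001 from the getent output. Treating an unmapped SID as invalid, and the `ldbmodify` record that re-types the entry to ID_TYPE_BOTH, are assumptions of this example; the thread does not show Andrew's patch.

```python
# Added example, not Samba code: a model of the owner-mapping rule behind
# NT_STATUS_INVALID_OWNER, driven by ldbsearch output from idmap.ldb.

DOMAIN_SID = "S-1-5-21-831389399-4071795767-414191908"
DOMAIN_ADMINS_SID = DOMAIN_SID + "-512"

# Mapping types stored in the "type" attribute of an idmap.ldb entry.
ID_TYPE_UID = "ID_TYPE_UID"
ID_TYPE_GID = "ID_TYPE_GID"
ID_TYPE_BOTH = "ID_TYPE_BOTH"

NT_STATUS_OK = 0x00000000
NT_STATUS_INVALID_OWNER = 0xC000005A   # -1073741734 as a signed 32-bit int

# Constructed sample of what `ldbsearch -H private/idmap.ldb` prints for
# the Domain Admins entry when the upgrade kept a GID-only mapping.
CONSTRUCTED_LDIF_GID_ONLY = """\
# record 1
dn: CN=S-1-5-21-831389399-4071795767-414191908-512
cn: S-1-5-21-831389399-4071795767-414191908-512
objectClass: sidMap
objectSid: S-1-5-21-831389399-4071795767-414191908-512
type: ID_TYPE_GID
xidNumber: 2001
distinguishedName: CN=S-1-5-21-831389399-4071795767-414191908-512

# returned 1 records
# 1 entries
# 0 referrals
"""


def parse_idmap_ldif(text):
    """Parse ldbsearch LDIF output into {sid: {"type": str, "xid": int}}."""
    entries = {}
    current = {}

    def flush():
        if "objectSid" in current:
            entries[current["objectSid"]] = {
                "type": current.get("type"),
                "xid": int(current.get("xidNumber", -1)),
            }
        current.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            flush()                      # blank line or ldb comment ends a record
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    flush()
    return entries


def signed32(status):
    """NT status as the signed 32-bit int the Python bindings raise it as."""
    return status - (1 << 32) if status & 0x80000000 else status


def check_owner(entries, owner_sid):
    """NT status for setting owner_sid as the owner of a file.

    Only a SID that resolves to a uid (ID_TYPE_UID or ID_TYPE_BOTH) may own
    a file. Assumption of this model: an unmapped SID is also rejected; a
    real server may allocate a mapping for it instead.
    """
    mapping = entries.get(owner_sid)
    if mapping is None or mapping["type"] == ID_TYPE_GID:
        return NT_STATUS_INVALID_OWNER
    return NT_STATUS_OK


def audit_owners(entries, owner_sids):
    """SIDs from owner_sids that could not own a file under this mapping."""
    return [s for s in owner_sids if check_owner(entries, s) != NT_STATUS_OK]


def ldif_set_type_both(sid):
    """LDIF modify record re-typing sid's idmap entry to ID_TYPE_BOTH.

    Assumption: fed to `ldbmodify -H private/idmap.ldb`. This is a manual
    workaround in the model, not the patch referred to in the thread.
    """
    return ("dn: CN=%s\n"
            "changetype: modify\n"
            "replace: type\n"
            "type: %s\n" % (sid, ID_TYPE_BOTH))


def apply_type_both(entries, sid):
    """Copy of entries with sid re-typed, mirroring ldif_set_type_both()."""
    fixed = {k: dict(v) for k, v in entries.items()}
    if sid in fixed:
        fixed[sid]["type"] = ID_TYPE_BOTH
    return fixed


if __name__ == "__main__":
    before = parse_idmap_ldif(CONSTRUCTED_LDIF_GID_ONLY)
    status = check_owner(before, DOMAIN_ADMINS_SID)
    print("GID-only mapping -> 0x%08X (%d)" % (status, signed32(status)))
    after = apply_type_both(before, DOMAIN_ADMINS_SID)
    print("ID_TYPE_BOTH     -> 0x%08X" % check_owner(after, DOMAIN_ADMINS_SID))
    print(ldif_set_type_both(DOMAIN_ADMINS_SID))
```

On a real upgrade the interesting input is the actual `ldbsearch` output for RID 512 (and any other group the sysvol ACLs name as owner); if `audit_owners` lists it, the mapping type, not the filesystem permissions, is what needs attention.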
Norberto Bensa
2012-Oct-12 03:55 UTC
[Samba] samba4, classicupgrade: set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_OWNER
Hello Andrew,

2012/10/10 Andrew Bartlett <abartlet at samba.org>:
>
> A patch is in GIT master (to paper over the issue), which may be
> backported to the 4.0 release stream once folks confirm it works
> properly.

And so I pulled from master, and now it correctly upgrades the test domain.

Thank you very much!!

Regards,
Norberto