On 2/5/21 at 3:45 PM Thomas Geppert wrote:
> The error message seems to indicate that it's expecting to find a NTACL where there is none. Any idea why?

It seems this command doesn't use the same logic as samba-tool ntacl get, which has the option --use-s3fs and tells the command to go via the VFS instead of accessing the xattr directly.

I'd have to take a closer look if this can be worked around or if code changes are needed.

-slow

-- 
Ralph Boehme, Samba Team https://samba.org/
Samba Developer, SerNet GmbH https://sernet.de/en/samba/
GPG-Fingerprint FAE2C6088A24252051C559E4AA1E9B7126399E46
On 05/02/2021 14:50, Ralph Boehme via samba wrote:
> On 2/5/21 at 3:45 PM Thomas Geppert wrote:
>> The error message seems to indicate that it's expecting to find a
>> NTACL where there is none. Any idea why?
>
> It seems this command doesn't use the same logic as samba-tool ntacl
> get, which has the option --use-s3fs and tells the command to go via
> the VFS instead of accessing the xattr directly.
>
> I'd have to take a closer look if this can be worked around or if code
> changes are needed.
>
> -slow
>

This could get to be a game of whack-a-mole: you fix one thing and another pops up. This is such a niche case that I would tend towards stating that we will not support running a Samba AD DC in an unprivileged container, not unless someone else does all the work. There are far more important things that need fixing/getting to work, e.g. sysvol replication.

Rowland
On 2/5/21 at 3:51 PM Ralph Boehme wrote:
> It seems this command doesn't use the same logic as samba-tool ntacl get, which has the option --use-s3fs and tells the command to go via the VFS instead of accessing the xattr directly.

I'm lost again. The checksysvolacl function does do this by intention. There is the following comment in the code:

    # Ensure we can read this directly, and via the smbd VFS

and then the code loops over the getntacl function:

    for direct_db_access in [True, False]:
        .........
        fsacl = getntacl(lp, dir_path, session_info,
                         direct_db_access=direct_db_access,
                         service=SYSVOL_SERVICE)

Why the heck does it need to ensure that it can read the ACL directly? Is there still a part of the operational AD DC code that only uses the direct access method?

Cheers
Thomas