Univention Bugzilla – Bug 39633
ProvisioningError with 'samba-tool ntacl sysvolcheck'
Last modified: 2016-11-08 13:26:35 CET
+++ This bug was initially created as a clone of Bug #38874 +++

(In reply to Stefan Gohmann from comment #2)
> I've a new installed Samba 4 domain and I got the following result on a DC
> Master:
>
> root@master441:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/deadlock44.intranet/Policies/{31B2F340-016D-11D2-945F-
> 00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;
> 0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;
> 0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;
> 0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;
> 0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249,
> in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1733, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1684, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1631, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access), path,
> fsacl_sddl, acl))
> root@master441:~#
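The two SDDL strings in the error above are long enough that the actual mismatch is hard to spot by eye. The following is an added example, not part of the bug report or of Samba's code: it splits both strings into owner, group, DACL flags and ACEs and reports only the components that differ. `parse_sddl` and `diff_sddl` are hypothetical helper names, and the parser assumes the plain `O:..G:..D:..` form shown here (no SACL, no conditional ACEs).

```python
import re
from collections import Counter

# Owner, group, DACL flags and ACE list of an SDDL string as printed by sysvolcheck.
SDDL_RE = re.compile(
    r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")
ACE_FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")

def parse_sddl(sddl):
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL (expected O:..G:..D:.. form): %r" % sddl)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m.group("aces"))]
    for ace in aces:
        if len(ace) != len(ACE_FIELDS):
            raise ValueError("ACE does not have 6 fields: %r" % (ace,))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}

def diff_sddl(found, expected):
    """Return {component: (found, expected)} for every component that differs."""
    f, e = parse_sddl(found), parse_sddl(expected)
    diff = {k: (f[k], e[k]) for k in ("owner", "group", "dacl_flags") if f[k] != e[k]}
    fc, ec = Counter(f["aces"]), Counter(e["aces"])
    if fc != ec:
        # ACEs present on one side only (duplicates are counted, not collapsed).
        diff["aces"] = (sorted((fc - ec).elements()), sorted((ec - fc).elements()))
    elif f["aces"] != e["aces"]:
        # Same ACEs, different order: a plain string comparison would also fail here.
        diff["ace_order"] = (f["aces"], e["aces"])
    return diff

# The two strings from the error message above, with the wrapped lines rejoined.
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FS_SDDL = "O:LAG:DAD:P" + ACES    # found on the sysvol directory
GPO_SDDL = "O:DAG:DAD:P" + ACES   # expected value, from the GPO object

if __name__ == "__main__":
    for part, (got, want) in diff_sddl(FS_SDDL, GPO_SDDL).items():
        print("%-10s found=%s expected=%s" % (part, got, want))
```

For the strings in this report the only differing component is the owner (`LA` on the directory, `DA` expected); the ACE lists are identical.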
Created attachment 7890
Provisional fix for Provisioningerror of samba-tool ntacl sysvolcheck

While implementing a check for the system diagnostics module in UCS that should test whether replication between GPO- and SYSVOL-ACLs is consistent, we realized that 'samba-tool ntacl sysvolcheck' showed the same behaviour as described here in the bug. Calling 'samba-tool ntacl sysvolreset' before calling 'samba-tool ntacl sysvolcheck' did not resolve this problem either.

First, the attached patch will catch the exception, print it to stdout and continue with further policies.
Secondly, when 'samba-tool ntacl sysvolreset' is called, the ACLs of the directories behind sysvol are not overwritten by the GPO ACLs, but are modified explicitly with another ACL of the group "Local Administrators". This behaviour was transferred to 'sysvolcheck'.

Some information about the environment from UCR:

repository/online/component/4.1-0-errata/version: 4.1
repository/online/component/4.1-1-errata/version: 4.1
repository/online/component/4.1-2-errata/version: 4.1
update/umc/nextversion: true
version/erratalevel: 206
version/patchlevel: 2
version/releasename: Vahr
version/version: 4.1
appcenter/apps/samba4/status: installed
appcenter/apps/samba4/version: 4.3

Also discussed on the Samba mailing list:
https://lists.samba.org/archive/samba/2015-September/194297.html

It seems that this behaviour was implemented consciously, but at the moment it is not clear why.
The sysvolreset behaviour was probably chosen consciously, but the corresponding part in sysvolcheck is simply missing AFAICS.
Since UCS patches are a bit tricky in combination with Debian quilt, I'll do the package build if that's ok with you. I assume it is.
Asked for during UCS Technical training 2016-08 Task #4773
Since this requires a Samba rebuild I propose to fix it along with Bug 42624.
Samba 4.5.1 has been built with Julian's patch. Mentioned in changelog-4.1-4.
Code review: Fail, can you re-check tab / spaces mix, for example: + if fsacl_sddl != acl_sddl: + raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl_sddl)) Tests: OK (I've added a simple test case for this: r74001 + r 74002 00_checks/46_ntacl_sysvolcheck) 4.2 merge: OK Changelog: OK
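Review bot: In the `raise ProvisioningError(...)` line the expected value passed to the message is now `acl_sddl` (the traceback in the description shows `acl` in that position), but the text still ends with "from GPO object". If `acl_sddl` is the GPO ACL after the sysvolreset-style adjustment described with the attachment, the wording should say so, otherwise a reader of the error will compare the reported value against the unmodified GPO ACL. Splitting the four format arguments across separate lines would also make the tab/space mix mentioned above easier to spot.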
True, fixed and merged.
(In reply to Arvid Requate from comment #8)
> True, fixed and merged.

OK
UCS 4.1-4 has been released:
https://docs.software-univention.de/release-notes-4.1-4-en.html
https://docs.software-univention.de/release-notes-4.1-4-de.html

If this error occurs again, please use "Clone This Bug".