Bug 39633 - ProvisioningError with 'samba-tool ntacl sysvolcheck'
ProvisioningError with 'samba-tool ntacl sysvolcheck'
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.1
Other Linux
: P5 enhancement (vote)
: UCS 4.1-4
Assigned To: Arvid Requate
Stefan Gohmann
Depends on:
Blocks: 42624
  Show dependency treegraph
Reported: 2015-10-26 16:35 CET by Stefan Gohmann
Modified: 2016-11-08 13:26 CET (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted after Product Owner Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Provisional fix for Provisioningerror of samba-tool ntacl sysvolcheck (4.81 KB, patch)
2016-08-17 18:37 CEST, Julian Hupertz
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Gohmann univentionstaff 2015-10-26 16:35:28 CET
+++ This bug was initially created as a clone of Bug #38874 +++

(In reply to Stefan Gohmann from comment #2)
> I've a new installed Samba 4 domain and I got the following result on a DC
> Master:
> root@master441:~# samba-tool ntacl sysvolcheck
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception -
> ProvisioningError: DB ACL on GPO directory
> /var/lib/samba/sysvol/deadlock44.intranet/Policies/{31B2F340-016D-11D2-945F-
> 00C04FB984F9}
> O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;
> 0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;
> 0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match expected value
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;
> 0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;
> 0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) from GPO object
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line
> 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 249,
> in run
>     lp)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1733, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1684, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line
> 1631, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match
> expected value %s from GPO object' % (acl_type(direct_db_access), path,
> fsacl_sddl, acl))
> root@master441:~#
Comment 1 Julian Hupertz univentionstaff 2016-08-17 18:37:13 CEST
Created attachment 7890 [details]
Provisional fix for Provisioningerror of samba-tool ntacl sysvolcheck

During implementing a check for the system diagnostics module in ucs that should test if replication between GPO- and SYSVOL-ACLs is consistent, we realized that 'samba-tool ntacl sysvolcheck' showed the same behaviour as described here in the bug. Also calling 'samba-tool ntacl sysvolreset' before calling 'samba-tool ntacl sysvolcheck' did not resolve this problem.

First, the attached patch will catch the exception, print it to stdout and turn on with further policies. Secondly, when 'samba-tool ntacl sysvolreset' is called, the acls of the directories behind sysvol are not overwritten by the gpo-acls, but are modified explicitly with another acl of the group "Local Administrators". This behaviour was transferred to 'sysvolcheck'. 

Some information about environment from UCR.

repository/online/component/4.1-0-errata/version: 4.1
repository/online/component/4.1-1-errata/version: 4.1
repository/online/component/4.1-2-errata/version: 4.1
update/umc/nextversion: true
version/erratalevel: 206
version/patchlevel: 2
version/releasename: Vahr
version/version: 4.1
appcenter/apps/samba4/status: installed
appcenter/apps/samba4/version: 4.3

Also discussed on samba-mailing-list:

It seems that this behaviour was implemented consciously but at the moment it is not clear why.
Comment 2 Arvid Requate univentionstaff 2016-08-17 20:12:14 CEST
The sysvolreset behaviour was probably chosen consciously, but the corresponding part in sysvolcheck is simply missing AFAICS.
Comment 3 Arvid Requate univentionstaff 2016-08-17 20:15:42 CEST
Since UCS patches are a bit tricky in combination with Debian quilt, I'll do the package build if that's ok with you. I assume it is.
Comment 4 Philipp Hahn univentionstaff 2016-08-26 18:10:35 CEST
Asked for during UCS Technical training 2016-08 Task #4773
Comment 5 Arvid Requate univentionstaff 2016-10-13 20:33:29 CEST
Since this requires a Samba rebuild I propose to fix it along with Bug 42624.
Comment 6 Arvid Requate univentionstaff 2016-10-31 15:49:10 CET
Samba 4.5.1 has been built with Julians patch.
Mentioned in changelog-4.1-4.
Comment 7 Stefan Gohmann univentionstaff 2016-11-02 07:41:51 CET
Code review: Fail, can you re-check tab / spaces mix, for example:

+    if fsacl_sddl != acl_sddl:
+   raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), path, fsacl_sddl, acl_sddl))

Tests: OK (I've added a simple test case for this: r74001 + r 74002 00_checks/46_ntacl_sysvolcheck)

4.2 merge: OK

Changelog: OK
Comment 8 Arvid Requate univentionstaff 2016-11-03 11:44:32 CET
True, fixed and merged.
Comment 9 Stefan Gohmann univentionstaff 2016-11-03 13:16:12 CET
(In reply to Arvid Requate from comment #8)
> True, fixed and merged.

Comment 10 Stefan Gohmann univentionstaff 2016-11-08 13:26:35 CET
UCS 4.1-4 has been released:

If this error occurs again, please use "Clone This Bug".