Bug 44305 - samba-tool ntacl sysvolcheck traceback due to /var/lib/samba/netlogon
samba-tool ntacl sysvolcheck traceback due to /var/lib/samba/netlogon
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.2
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Lukas Oyen
Felix Botner
Depends on:
Blocks: 44876 47710
  Show dependency treegraph
Reported: 2017-04-06 14:06 CEST by Arvid Requate
Modified: 2018-09-03 13:56 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.086
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

0001-Bug-44305-remove-netlogon-from-samba-tool-ntacl-sysv.patch (1.18 KB, patch)
2017-09-13 12:31 CEST, Lukas Oyen
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-04-06 14:06:33 CEST
On a UCS@school singlemaster samba-tool ntacl sysvolcheck aborts with a traceback while checking the NTACLs of /var/lib/samba/netlogon :

ERROR(<type 'exceptions.TypeError'>): uncaught exception - (61, 'No data available')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/ntacl.py", line 270, in run
  File "/usr/lib/python2.7/dist-packages/samba/provision/__init__.py", line 1732, in checksysvolacl
    fsacl = getntacl(lp, dir_path, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
  File "/usr/lib/python2.7/dist-packages/samba/ntacls.py", line 82, in getntacl

We should patch samba-tool ntacl sysvolcheck to *only* check the sysvol
Comment 1 Arvid Requate univentionstaff 2017-08-02 16:40:32 CEST
Seems to be ucs-school specific
Comment 2 Lukas Oyen univentionstaff 2017-09-13 12:31:18 CEST
Created attachment 9192 [details]

This occurs, as ucs-school sets the UCR variable `samba/share/netlogon/path=/var/lib/samba/netlogon`. /var/lib/samba/netlogon does not have the xattr `security.NTACL` set, and the samba-tool function `provision.setsysvolacl()` (used in `samba-tool ntacl sysvolreset` and provisioning) does not set the NTACLs for the netlogon path, so sysvolcheck fails.

This does not happen in a default UCS setup, as the UCR variable `samba/share/netlogon/path` is unset, and the netlogon path defaults to '/var/lib/samba/sysvol/<realm>/scripts' which is underneath the sysvol path and therefore recursively handled by `provision.setsysvolacl()`.

The attached patch removes netlogon from sysvolcheck (committed as r17667)
YAML: 8f751b9
Comment 3 Felix Botner univentionstaff 2017-09-13 14:01:02 CEST
OK - sysvolcheck (ignores netlogon)
OK - samba.yaml
Comment 4 Erik Damrose univentionstaff 2017-09-20 15:03:56 CEST