Bug 46643 - sysvolcheck inconsistencies after modifying / creating GPOs in UCS@school 4.3
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-0-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
https://hutten.knut.univention.de/med...
Depends on: 49034
Blocks: 49293
Reported: 2018-03-13 19:24 CET by Arvid Requate
Modified: 2019-04-23 17:35 CEST

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 3: A User would likely not purchase the product
User Pain: 0.343
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2018091021000446
Bug group (optional):
Max CVSS v3 score:


Attachments
mask_PAI_and_CIOIID_flags.patch (5.22 KB, patch)
2019-01-24 19:30 CET, Arvid Requate
/usr/lib/python2.7/dist-packages/samba/provision/__init__.py (96.80 KB, text/x-python)
2019-01-24 19:33 CET, Arvid Requate
mask_PAI_flags.patch (5.36 KB, patch)
2019-01-24 22:18 CET, Arvid Requate
0001-Bug-46643-A-brute-force-hack.patch (7.69 KB, patch)
2019-03-18 20:59 CET, Arvid Requate
add_sysvolcheck_option_mask_msad_differences.patch (11.88 KB, patch)
2019-03-19 22:39 CET, Arvid Requate
add_sysvolcheck_option_mask_msad_differences.patch (11.71 KB, patch)
2019-03-19 23:08 CET, Arvid Requate

Description Arvid Requate univentionstaff 2018-03-13 19:24:09 CET
I don't know if this is UCS@school specific, I think it's generic:

I created two new GPOs on the DC Master and modified the default domain policy ({31B2F340-016D-11D2-945F-00C04FB984F9}) using GPMC. After that all three GPOs show some minor ACL inconsistencies:

==========================================================================
root@master70:~# samba-tool ntacl sysvolcheck
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/ar430rc1s.school/Policies/{FDB89085-02A1-4A65-8045-00B77469ACB4} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/ar430rc1s.school/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol O:LAG:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/ar430rc1s.school/Policies/{2CA50B1E-5B60-49BD-B5AE-F9879690A997} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/ar430rc1s.school/Policies/{FDB89085-02A1-4A65-8045-00B77469ACB4} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/ar430rc1s.school/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER/Registry.pol O:LAG:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/ar430rc1s.school/Policies/{2CA50B1E-5B60-49BD-B5AE-F9879690A997} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
==========================================================================


That's

1. O:DAG:DAD:PAI  in filesystem vs  O:LAG:DAD:P  in Samba/AD LDAP for new GPOs

2. O:LAG:DAD:(...)  on disc vs  O:LAG:DAD:P(...)(A;OICIIO;0x001f01ff;;;CO)(...) in Samba/AD LDAP for the default domain policy

The situation is identical on Master and School Slave.
Comment 1 euroident 2018-06-19 10:52:12 CEST
Same problem in UCS 4.3-1. 

See https://help.univention.com/t/group-policy-provisioningerror/9045
Comment 2 Andreas Peichert univentionstaff 2018-12-07 14:07:18 CET
Reported again by a customer. After changing group policies, a ProvisioningError is generated and the security filtering was deleted by mistake.

It seems that
expected: DAG:DAD:PAI
but sent: LAG:DAD:PAI

A workaround is sysvolcheck and sysvolreset
Comment 3 Arvid Requate univentionstaff 2019-01-24 19:30:40 CET
Created attachment 9818
mask_PAI_and_CIOIID_flags.patch

The attached patch is an attempt to make sysvolcheck ignore differences in the "P" and "AI" inheritance DACL flags, as suggested in Bug 43120 Comment 3.

During my tests I also found differences in the ACE flags ("OI", "CI", "ID") and the attached patch also shows how one could mask them for comparison.

Then I also found that new GPOs created with the MS GPMC GUI against Samba 4.7.8 create files that are owned by "DA", which is contrary to the workaround we have implemented via Bug 39633 (SVN patch: 97_Bug-39633-fix-LA-vs-DA-in-samba-tool-ntacl-syvolcheck.quilt).

Altogether, it starts getting a bit absurd to forcefully tweak sysvolcheck until it no longer returns any errors. The tool has always been broken. The dsacl2fsacl function it uses looks unmaintained since 2009 (upstream commit 028c9b1c154) and it reads like the author also just experimentally tried to make ends meet.

If we continue down this road, adding workaround upon workaround in sysvolcheck, we will end up in a situation where we don't know if it's still broken in upstream Samba or if it is broken due to our workarounds. I'd rather live with it being broken upstream.

So Felix's and my suggestion is to remove it from the UMC diagnostic checks until we have found a way, together with upstream, to finally make it reliable. Until then, people should just use sysvolreset and not trust the output of sysvolcheck.
Comment 4 Arvid Requate univentionstaff 2019-01-24 19:33:16 CET
Created attachment 9819
/usr/lib/python2.7/dist-packages/samba/provision/__init__.py

The full patched file, for reference, just in case we still want to use something like this sometime in the future.
Comment 5 Arvid Requate univentionstaff 2019-01-24 22:18:52 CET
Created attachment 9820
mask_PAI_flags.patch

This patch is much better than my last attempt. It fixes the LA/DA owner difference and masks the "P" and "AI" DACL flags for comparison. But it still doesn't help with the differences in the inheritance ACE flags (like OICIIOID etc.).

Still, I would prefer to apply this, because already fixing the LA/DA issue helps avoid a big source of confusion.
Comment 6 Arvid Requate univentionstaff 2019-01-25 11:39:03 CET
Ok, I now fixed the LA/DA issue via Bug #44282.

As explained in Comment 3, I don't think it makes sense to further adjust the sysvolcheck code to "hide" the differences in the inheritance flags. That's something we should address at the source. Something is strange with the NTACLs that Samba writes for new GPOs created via the MS GPMC GUI.
Comment 7 Arvid Requate univentionstaff 2019-03-18 20:59:28 CET
Created attachment 9933
0001-Bug-46643-A-brute-force-hack.patch

I hacked my way through this basically with a machete and this is what worked. I filter out duplicate DA/LA ACEs as well as ACEs for "Creator Owner" which should probably get replaced by the actual owner upon file creation. That's important for inheritance, but probably negligible for actual ACE evaluation. I'll have to read up on that. Anyway, this is kind of what *could* be done and shows how to work with the dacl structure of the security descriptors.
Comment 8 Arvid Requate univentionstaff 2019-03-19 22:39:15 CET
Created attachment 9935
add_sysvolcheck_option_mask_msad_differences.patch

I've refined the patch to only mask specific differences.

The attached patch adds a new option --mask-msad-differences to samba-tool ntacl sysvolcheck, which may be used in the UMC system diagnostic module to ignore minor standard differences between

1) the default expectations of sysvolcheck
2) the default Samba GPOs
3) new GPOs added via MS GPMC 

This patch applies to the 4.10 RC2 package currently included in UCS 4.4-0
(may need minor adjustment for Bug 49034).
Comment 9 Arvid Requate univentionstaff 2019-03-19 23:08:23 CET
Created attachment 9936
add_sysvolcheck_option_mask_msad_differences.patch

Another refinement (ignore CO ACE only for files, like GPT.INI).
Comment 10 Arvid Requate univentionstaff 2019-03-22 14:20:24 CET
SVN: r18523 | New option for ntacl sysvolcheck

09e0080f19 | samba.yaml
b42f825a15 | Use new option --mask-msad-differences for ntacl sysvolcheck
7b9b0abcd9 | univention-management-console-module-diagnostic.yaml
Comment 11 Felix Botner univentionstaff 2019-03-26 13:05:41 CET
http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-0/view/Product%20Tests/job/samba-single-server/lastCompletedBuild/testReport/00_checks/81_diagnostic_checks/test/

This test creates some GPOs via a Windows client, the 81_diagnostic_checks check now fails with

ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/sambatest.local/Policies/{B88B025F-89A8-44E2-8C65-239008C207B0} does not match value expected from GPO object
FSACL: O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/sambatest.local/Policies/{D04FC1A5-276A-4E1F-B20A-D7754FB3976F} does not match value expected from GPO object
FSACL: O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/sambatest.local/Policies/{B88B025F-89A8-44E2-8C65-239008C207B0} does not match value expected from GPO object
FSACL: O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/sambatest.local/Policies/{D04FC1A5-276A-4E1F-B20A-D7754FB3976F} does not match value expected from GPO object
FSACL: O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
DSACL: O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
Comment 12 Arvid Requate univentionstaff 2019-03-26 17:48:22 CET
Strange, works for me with

samba-tool ntacl sysvolcheck --mask-msad-differences

and with

/usr/bin/univention-run-diagnostic-checks -t 42_samba_tool_sysvolcheck

also in the Jenkins samba-single-server scenario. I've started that job again.
Comment 13 Felix Botner univentionstaff 2019-04-03 16:41:32 CEST
OK - some default differences are masked with --mask-msad-differences
OK - a manual change on the filesystem ACLs results in a report, with
     or without --mask-msad-differences
OK - works also after sysvolreset

OK - univention-management-console-module-diagnostic.yaml
OK - samba.yaml
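
Added example, not part of the original thread and not the code from the attached patches: it compares the FSACL/DSACL pair quoted in comment 11 with and without masking the "P" and "AI" DACL flags, and shows that a changed ACE is still reported when masking is on. The names parse_sddl and acl_differences and the TAMPERED value are assumptions made for this example.

```python
import re
from collections import Counter

# O:<owner>G:<group>D:<dacl flags><ACEs>, the shape of every SDDL string on this page
SDDL_RE = re.compile(r"O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)(?P<aces>(?:\(.*\))?)$")
# (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;()]*);([^;()]*);([^;()]*);[^;()]*;[^;()]*;([^;()]*)\)")
MASKED_DACL_FLAGS = {"P", "AI"}  # the two DACL flags comment 5 masks


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flag set and ACE tuples."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = [
        (ace_type, frozenset(re.findall("..", flags)),  # OICIIO -> {OI, CI, IO}
         int(rights, 16) if rights.startswith("0x") else rights, trustee)
        for ace_type, flags, rights, trustee in ACE_RE.findall(m.group("aces"))
    ]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": set(re.findall("AI|AR|P", m.group("flags"))), "aces": aces}


def acl_differences(fs_sddl, ds_sddl, mask=False):
    """Return the names of the parts that differ; mask=True ignores P and AI."""
    fs, ds = parse_sddl(fs_sddl), parse_sddl(ds_sddl)
    ignored = MASKED_DACL_FLAGS if mask else set()
    diffs = [key for key in ("owner", "group") if fs[key] != ds[key]]
    if fs["dacl_flags"] - ignored != ds["dacl_flags"] - ignored:
        diffs.append("dacl_flags")
    fs_aces, ds_aces = Counter(fs["aces"]), Counter(ds["aces"])
    changed = (fs_aces - ds_aces) + (ds_aces - fs_aces)  # multiset difference
    diffs += sorted({"ace:" + ace[3] for ace in changed})
    return diffs


# ACE list shared by the FSACL/DSACL lines quoted in comment 11
ACES = ("(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
        "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
        "(A;OICI;0x001200a9;;;ED)")
FSACL = "O:DAG:DAD:P" + ACES
DSACL = "O:DAG:DAD:PAI" + ACES
# Constructed: AU raised from read/execute to full control on the filesystem side
TAMPERED = FSACL.replace("0x001200a9;;;AU", "0x001f01ff;;;AU")

if __name__ == "__main__":
    print(acl_differences(FSACL, DSACL))
    print(acl_differences(FSACL, DSACL, mask=True))
    print(acl_differences(TAMPERED, DSACL, mask=True))
```

An owner mismatch such as the O:DAG versus O:LAG pair in the original description is reported as "owner" in both modes, since this example masks only the DACL flags.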