fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00400);

		fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, 00400);

	}

	}

	if (fsp->fh->fd == -1) {

	if (fsp->fh->fd == -1) {

		TALLOC_FREE(frame);

		TALLOC_FREE(frame);

		umask(saved_umask);

		umask(saved_umask);

		return NT_STATUS_UNSUCCESSFUL;

		return NT_STATUS_UNSUCCESSFUL;

	ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);

	ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);

	if (ret == -1) {

	if (ret == -1) {

		/* If we have an fd, this stat should succeed. */

		/* If we have an fd, this stat should succeed. */

			smb_fname_str_dbg(smb_fname),

			smb_fname_str_dbg(smb_fname),

		TALLOC_FREE(frame);

		TALLOC_FREE(frame);

		umask(saved_umask);

		umask(saved_umask);

		return map_nt_error_from_unix(errno);

		return map_nt_error_from_unix(errno);

	status = SMB_VFS_FSET_NT_ACL( fsp, security_info_sent, sd);

	status = SMB_VFS_FSET_NT_ACL( fsp, security_info_sent, sd);

	if (!NT_STATUS_IS_OK(status)) {

	if (!NT_STATUS_IS_OK(status)) {

	}

	}

	SMB_VFS_CLOSE(fsp);

	SMB_VFS_CLOSE(fsp);

source3/smbd/pysmbd.c | 2 +-

source3/smbd/pysmbd.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

1 file changed, 1 insertion(+), 1 deletion(-)

		DBG_WARNING("open: error=%d (%s)\n", errno, strerror(errno));

		DBG_WARNING("open: error=%d (%s)\n", errno, strerror(errno));

		TALLOC_FREE(frame);

		TALLOC_FREE(frame);

		umask(saved_umask);

		umask(saved_umask);

	}

	}

	ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);

	ret = SMB_VFS_FSTAT(fsp, &smb_fname->st);

python/samba/provision/__init__.py | 23 +++++++++++++++++++++++

python/samba/provision/__init__.py | 23 +++++++++++++++++++++++

1 file changed, 23 insertions(+)

1 file changed, 23 insertions(+)

__docformat__ = "restructuredText"

__docformat__ = "restructuredText"

from base64 import b64encode

from base64 import b64encode

import os

import os

import re

import re

import pwd

import pwd

from samba import (

from samba import (

    Ldb,

    Ldb,

    MAX_NETBIOS_NAME_LEN,

    MAX_NETBIOS_NAME_LEN,

    check_all_substituted,

    check_all_substituted,

    is_valid_netbios_char,

    is_valid_netbios_char,

    setup_file,

    setup_file,

DEFAULTSITE = "Default-First-Site-Name"

DEFAULTSITE = "Default-First-Site-Name"

LAST_PROVISION_USN_ATTRIBUTE = "lastProvisionUSN"

LAST_PROVISION_USN_ATTRIBUTE = "lastProvisionUSN"

class ProvisionPaths(object):

class ProvisionPaths(object):

POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"

POLICIES_ACL = "O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001301bf;;;PA)"

SYSVOL_SERVICE="sysvol"

SYSVOL_SERVICE="sysvol"

def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE):

def set_dir_acl(path, acl, lp, domsid, use_ntvfs, passdb, service=SYSVOL_SERVICE):

    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)

    setntacl(lp, path, acl, domsid, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)

    for root, dirs, files in os.walk(path, topdown=False):

    for root, dirs, files in os.walk(path, topdown=False):

`setntacl()`

`setntacl()`

python/samba/netcmd/ntacl.py       |  8 ++---

python/samba/netcmd/ntacl.py       |  8 ++---

python/samba/provision/__init__.py | 73 +++++++++++++++++++++++++-------------

python/samba/provision/__init__.py | 73 +++++++++++++++++++++++++-------------

python/samba/upgrade.py            |  9 ++---

python/samba/upgrade.py            |  9 ++---

3 files changed, 57 insertions(+), 33 deletions(-)

3 files changed, 57 insertions(+), 33 deletions(-)

        if use_ntvfs:

        if use_ntvfs:

            logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")

            logger.warning("Please note that POSIX permissions have NOT been changed, only the stored NT ACL")

class cmd_ntacl_sysvolcheck(Command):

class cmd_ntacl_sysvolcheck(Command):

    """Check sysvol ACLs match defaults (including correct ACLs on GPOs)."""

    """Check sysvol ACLs match defaults (including correct ACLs on GPOs)."""

            raise

            raise

    for root, dirs, files in os.walk(path, topdown=False):

    for root, dirs, files in os.walk(path, topdown=False):

        for name in files:

        for name in files:

        for name in dirs:

        for name in dirs:

    """Set ACL on the sysvol/<dnsname>/Policies folder and the policy

    """Set ACL on the sysvol/<dnsname>/Policies folder and the policy

    folders beneath.

    folders beneath.

    :param sysvol: Physical path for the sysvol folder

    :param sysvol: Physical path for the sysvol folder

    :param dnsdomain: The DNS name of the domain

    :param dnsdomain: The DNS name of the domain

    :param domainsid: The SID of the domain

    :param domainsid: The SID of the domain

    :param domaindn: The DN of the domain (ie. DC=...)

    :param domaindn: The DN of the domain (ie. DC=...)

    :param samdb: An LDB object on the SAM db

    :param samdb: An LDB object on the SAM db

    :param lp: an LP object

    :param lp: an LP object

    """

    """

    # Set ACL for GPO root folder

    # Set ACL for GPO root folder

    root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")

    root_policy_path = os.path.join(sysvol, dnsdomain, "Policies")

    res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),

    res = samdb.search(base="CN=Policies,CN=System,%s"%(domaindn),

                        attrs=["cn", "nTSecurityDescriptor"],

                        attrs=["cn", "nTSecurityDescriptor"],

        policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))

        policy_path = getpolicypath(sysvol, dnsdomain, str(policy["cn"]))

        set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,

        set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,

                    str(domainsid), use_ntvfs,

                    str(domainsid), use_ntvfs,

    """Set the ACL for the sysvol share and the subfolders

    """Set the ACL for the sysvol share and the subfolders

    :param samdb: An LDB object on the SAM db

    :param samdb: An LDB object on the SAM db

    :param netlogon: Physical path for the netlogon folder

    :param netlogon: Physical path for the netlogon folder

    :param sysvol: Physical path for the sysvol folder

    :param sysvol: Physical path for the sysvol folder

    :param uid: The UID of the "Administrator" user

    :param uid: The UID of the "Administrator" user

    :param domainsid: The SID of the domain

    :param domainsid: The SID of the domain

    :param dnsdomain: The DNS name of the domain

    :param dnsdomain: The DNS name of the domain

    :param domaindn: The DN of the domain (ie. DC=...)

    :param domaindn: The DN of the domain (ie. DC=...)

    """

    """

    s4_passdb = None

    s4_passdb = None

        canchown = True

        canchown = True

    # Set the SYSVOL_ACL on the sysvol folder and subfolder (first level)

    # Set the SYSVOL_ACL on the sysvol folder and subfolder (first level)

    for root, dirs, files in os.walk(sysvol, topdown=False):

    for root, dirs, files in os.walk(sysvol, topdown=False):

        for name in files:

        for name in files:

            if use_ntvfs and canchown:

            if use_ntvfs and canchown:

                os.chown(os.path.join(root, name), -1, gid)

                os.chown(os.path.join(root, name), -1, gid)

        for name in dirs:

        for name in dirs:

            if use_ntvfs and canchown:

            if use_ntvfs and canchown:

                os.chown(os.path.join(root, name), -1, gid)

                os.chown(os.path.join(root, name), -1, gid)

    # Set acls on Policy folder and policies folders

    # Set acls on Policy folder and policies folders

def acl_type(direct_db_access):

def acl_type(direct_db_access):

    if direct_db_access:

    if direct_db_access:

        # Continue setting up sysvol for GPO. This appears to require being

        # Continue setting up sysvol for GPO. This appears to require being

        # outside a transaction.

        # outside a transaction.

        if not skip_sysvolacl:

        if not skip_sysvolacl:

        else:

        else:

            logger.info("Setting acl on sysvol skipped")

            logger.info("Setting acl on sysvol skipped")

        logger.info("Administrator password has been set to password of user '%s'", admin_user)

        logger.info("Administrator password has been set to password of user '%s'", admin_user)

    if result.server_role == "active directory domain controller":

    if result.server_role == "active directory domain controller":

    # FIXME: import_registry(registry.Registry(), samba3.get_registry())

    # FIXME: import_registry(registry.Registry(), samba3.get_registry())

    # FIXME: shares

    # FIXME: shares

sysvolreset

sysvolreset

python/samba/netcmd/ntacl.py | 7 ++++---

python/samba/netcmd/ntacl.py | 7 ++++---

1 file changed, 4 insertions(+), 3 deletions(-)

1 file changed, 4 insertions(+), 3 deletions(-)

    takes_options = [

    takes_options = [

        Option("--use-ntvfs", help="Set the ACLs for use with the ntvfs file server", action="store_true"),

        Option("--use-ntvfs", help="Set the ACLs for use with the ntvfs file server", action="store_true"),

        ]

        ]

            credopts=None, sambaopts=None, versionopts=None):

            credopts=None, sambaopts=None, versionopts=None):

        lp = sambaopts.get_loadparm()

        lp = sambaopts.get_loadparm()

        path = lp.private_path("secrets.ldb")

        path = lp.private_path("secrets.ldb")

        provision.setsysvolacl(samdb, logger, netlogon, sysvol, LA_uid, BA_gid,

        provision.setsysvolacl(samdb, logger, netlogon, sysvol, LA_uid, BA_gid,

                               domain_sid, lp.get("realm").lower(),

                               domain_sid, lp.get("realm").lower(),

                               samdb.domain_dn(), lp, use_ntvfs=use_ntvfs,

                               samdb.domain_dn(), lp, use_ntvfs=use_ntvfs,

class cmd_ntacl_sysvolcheck(Command):

class cmd_ntacl_sysvolcheck(Command):

    """Check sysvol ACLs match defaults (including correct ACLs on GPOs)."""

    """Check sysvol ACLs match defaults (including correct ACLs on GPOs)."""