Univention Bugzilla – Full Text Bug Listing |
Summary: | samba-tool ntacl sysvolcheck error due to Samba writing non-standard DSACL flags | ||
---|---|---|---|
Product: | UCS | Reporter: | Arvid Requate <requate> |
Component: | Samba4 | Assignee: | Samba maintainers <samba-maintainers> |
Status: | RESOLVED WONTFIX | QA Contact: | |
Severity: | minor | ||
Priority: | P5 | CC: | jalbani, markus.daehlmann, michelsmidt, salm, scheinig |
Version: | UCS 4.1 | ||
Target Milestone: | --- | ||
Hardware: | Other | ||
OS: | Linux | ||
URL: | https://hutten.knut.univention.de/mediawiki/index.php/Samba/Zugriffsberechtigungen/Dateien#Vererbung_von_NTACLs | ||
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=46643 | ||
What kind of report is it?: | Bug Report | What type of bug is this?: | 1: Cosmetic issue or missing function but workaround exists |
Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it |
User Pain: | 0.034 | Enterprise Customer affected?: | Yes |
School Customer affected?: | Yes | ISV affected?: | |
Waiting Support: | Flags outvoted (downgraded) after PO Review: | ||
Ticket number: | 2017091221000239,2017082321000701, 2018030821000649, 2018061421001149, 2018090621000445 | Bug group (optional): | |
Max CVSS v3 score: | |||
Bug Depends on: | |||
Bug Blocks: | 44282 |
Description
Arvid Requate
2016-12-05 19:25:42 CET
Actually, freshly created GPOs have D:P in Samba/AD. Only after some change in the security filtering (add some group and remove Authenticated Users) it changes to D:PAR. Two options how to deal with this: a) Check how AD does it and provide a fix that can be upstreamed to the Samba-Team b) Patch samba-tool sysvolcheck to ignore DA/LA difference. > b) Patch samba-tool sysvolcheck to ignore DA/LA difference.
This should read:
b) Patch samba-tool sysvolcheck to ignore PAR/P/PAI difference.
Happened again in Ticket 2017082321000701 O:LAG:DAD:PAI(A;OICI;0x001f01ff;;;DA... O:LAG:DAD:PAR(A;OICI;0x001f01ff;;;DA... Same problem again in Ticket 2018090621000445 The customer receives a warning from the systemdiagnostic tool about: "Warnung: Überprüfe die Samba SYSVOL ACL Einträge auf Fehler" and the provided fix possibility with "samba-tool ntacl sysvolreset" is not working, of course. Sysvolcheck just shows O:LAG:BAD:P(A;OICI does not match value O:LAG:DAD:PAR(A;OICI This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you. |