Univention Bugzilla – Bug 38217
More robust sysvolreset
Last modified: 2017-09-20 15:03:41 CEST
samba-tool ntacl sysvolreset is very error-prone. It tries to set ACLs on symlinks (traceback), fails to set ACLs for non-existent GPO files/directories (traceback), ... In every case the error is very cryptic; it is always some kind of "ERROR(runtime): uncaught exception - (-1073741823, 'Undetermined error')" or a file-not-found error. We should make sure that at least the (expected) file is printed to stderr. Maybe we should also "try: except:" the "smbd.set_nt_acl(...)" calls completely, so the process is not always interrupted and things that can be fixed get fixed.
Ok, we should check if we can improve this and submit an upstream patch.
Created attachment 7225 [details] try_except.patch First basic patch
It should be first fixed for UCS 4.1. Afterwards we should consider a UCS 4.0 backport.
I re-joined some DCs and the sysvolreset took a long time. strace showed that every file in the PolicyDefinitions was checked.

# find /var/lib/samba/sysvol -type f | wc -l
7157
# find /var/lib/samba/sysvol/<domain>/Policies/PolicyDefinitions/ -type f | wc -l
6518

Ticket #2016012921000411
Created attachment 8292 [details] Patch for /usr/share/pyshared/samba/provision/__init__.py In this patch, ACLs are only set once for the Policies directory.
*** Bug 39123 has been marked as a duplicate of this bug. ***
recheck priority
There is a Customer ID set so I set the flag "Enterprise Customer affected".
Created attachment 9206 [details] 38217-robust-sysvolreset-461.patch

The attached patch (against 4.6.1) implements the new switch `--resume-on-error` for `samba-tool ntacl sysvolreset`. With this, certain NTSTATUSErrors are ignored and logged as warnings. The first is a non-existent symlink, the second a deleted policy folder; both throw the same error internally:

root@ucs-master40:~# samba-tool ntacl sysvolreset --resume-on-error
Unable to set ACL O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU) on /var/lib/samba/sysvol/blabbel
Unable to set ACL O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on /var/lib/samba/sysvol/loyen.intranet/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}

This is a different approach to Arvid's patch, as the error handling is performed one level up. `setntacl()` is a library function and not suited to print/log errors. This does not include Julius' patch and does not handle the remark in comment 04. It is `sysvolreset`'s job to (re)set the ACLs on every file in the SYSVOL. The attached patch does not change the behavior on provisioning. Non-existent symlinks and other errors will abort the procedure. A discussion could be had whether, instead of an opt-in `--resume-on-error`, logging should be the default and a flag like `--fail-on-first-error` enables the current behavior. With samba 4.7.X, a new package `samba.ntstatus` will be shipped. With this the constant `NT_STATUS_OBJECT_NAME_NOT_FOUND = 0xc0000034` could be replaced.
Ok, I think "--resume-on-error" should be the default (maybe even without any alternative), because I can think of no situation where aborting would help or continuing would be disastrous. I mean, the error messages are clearly visible, and the tool may return an exit status != 0 to indicate a problem, but it should at least do the job it was called for, as well as it can.
Ok, `--resume-on-error` removed as a command line flag, but internally the behaviour is changed as if it was passed. Committed as a samba patch in r17673/4, YAML 8e0b713a.
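Added example (not the attached patch and not Samba's code): the resume-on-error loop the thread converges on, written so it runs offline. `NTSTATUSError` and `fake_set_nt_acl` are assumed stand-ins for `samba.NTSTATUSError` and `smbd.set_nt_acl`; the sample tree (a policy folder plus a dangling symlink, the two cases from comment 13) is constructed in `demo()`.

```python
import logging
import os
import tempfile

NT_STATUS_OBJECT_NAME_NOT_FOUND = 0xc0000034  # value quoted in the bug


class NTSTATUSError(Exception):
    """Stand-in (assumption) for samba.NTSTATUSError: args are (code, message),
    with the code as a signed 32-bit int, e.g. (-1073741772, 'The object name is not found.')."""


def ntstatus(err):
    """Map the signed code in err.args[0] to the unsigned NTSTATUS value (0xc0000034 etc.)."""
    return err.args[0] & 0xffffffff


def fake_set_nt_acl(path, sddl):
    """Assumed stand-in for smbd.set_nt_acl: opening a missing path or a dangling
    symlink fails with OBJECT_NAME_NOT_FOUND, as the sysvolreset output in the bug shows."""
    if not os.path.exists(path):  # exists() follows symlinks, so a dangling link is False
        raise NTSTATUSError(-1073741772, 'The object name is not found.')


def sysvolreset(root, set_nt_acl=fake_set_nt_acl, sddl="O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)"):
    """Set sddl on every directory and file below root, skipping (and logging) entries
    that do not exist any more. Returns (exit_status, skipped_paths): non-zero status
    signals that something was skipped, instead of aborting on the first error."""
    skipped = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk lists dangling symlinks under filenames, so they are visited too
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                set_nt_acl(path, sddl)
            except NTSTATUSError as e:
                if ntstatus(e) != NT_STATUS_OBJECT_NAME_NOT_FOUND:
                    raise  # any other NTSTATUS still aborts the run
                logging.warning("Unable to set ACL %s on %s", sddl, path)
                skipped.append(path)
    return (1 if skipped else 0), skipped


def demo():
    """Constructed sample SYSVOL: one policy folder with a GPT.INI and one dangling symlink."""
    root = tempfile.mkdtemp(prefix="sysvol-")
    policy = os.path.join(root, "example.intranet", "Policies", "{31B2F340-016D-11D2-945F-00C04FB984F9}")
    os.makedirs(policy)
    with open(os.path.join(policy, "GPT.INI"), "w") as f:
        f.write("[General]\nVersion=1\n")
    os.symlink(os.path.join(root, "deleted-target"), os.path.join(root, "blabbel"))
    status, skipped = sysvolreset(root)
    return status, [os.path.relpath(p, root) for p in skipped]
```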
Ok, works much better now.
Actually, now it's better than sysvolcheck itself:
==========================================================================
root@master10:~# mv /var/lib/samba/sysvol/ar41i1.qa/Policies/\{108A861F-3CB8-4DD1-A6D1-23642C0CF23F\} \
  /var/tmp/
root@master10:~# samba-tool ntacl sysvolcheck
(2, 'No such file or directory')
get_nt_acl_conn: get_nt_acl returned NT_STATUS_OBJECT_NAME_NOT_FOUND.
(-1073741772, 'The object name is not found.')
root@master10:~# samba-tool ntacl sysvolreset
set_nt_acl_conn: open: error=2 (No such file or directory)
Unable to set ACL O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) on /var/lib/samba/sysvol/ar41i1.qa/Policies/{108A861F-3CB8-4DD1-A6D1-23642C0CF23F}
==========================================================================
<http://errata.software-univention.de/ucs/4.2/165.html>