Bug 44282 - ProvisioningError with 'samba-tool ntacl sysvolcheck'
ProvisioningError with 'samba-tool ntacl sysvolcheck'
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.3
Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.3-3-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
URL: https://hutten.knut.univention.de/med...
Depends on: 43120
Blocks:
Reported: 2017-04-04 13:24 CEST by Arvid Requate
Modified: 2019-02-06 12:35 CET (History)
CC: 8 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.069
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017072521000451, 2017091221000239, 2018030821000649, 2018061421001149, 2019020421000316
Bug group (optional):
Max CVSS v3 score:


Attachments
bug44282_partial.patch (777 bytes, patch)
2017-09-18 20:10 CEST, Arvid Requate

Description Arvid Requate univentionstaff 2017-04-04 13:24:00 CEST
samba-tool ntacl sysvolcheck complains for a new GPO created from Windows 7 on a UCS 4.2 Samba/AD DC Master:

root@master10:~# samba-tool ntacl sysvolcheck
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/ar41i1.qa/Policies/{8DC0D329-3167-4F5E-ABF5-D470E9A8308F} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object

ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/ar41i1.qa/Policies/{8DC0D329-3167-4F5E-ABF5-D470E9A8308F} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object



It's kind of the reverse of Bug #39633. I don't know why the client (or smbd?) writes RID 512 ("DA") into the filesystem NTACLs instead of RID 500 ("LA").

Note that "by design" a standard Active Directory (e.g. W2K8R2) has owner RID 512 for GPOs in LDAP but 500 in the filesystem. That's apparently "normal" and the samba-tool ntacl code converts this automatically from "DA" (RID 512) in Samba/AD to "LA" (RID 500), which it then expects to find in the filesystem.

A sysvolreset fixes this. Apparently the clients don't care.

+++ This bug was initially created as a clone of Bug #39633 +++
Comment 1 Arvid Requate univentionstaff 2017-04-04 13:24:21 CEST
Apparently the clients don't care.
Comment 2 Arvid Requate univentionstaff 2017-09-12 11:30:30 CEST
Two options how to deal with this:

a) Check how AD does it and provide a fix that can be upstreamed to the Samba-Team

b) Patch samba-tool sysvolcheck to ignore DA/LA difference.
Comment 3 Arvid Requate univentionstaff 2017-09-18 20:10:48 CEST
Created attachment 9220 [details]
bug44282_partial.patch

Ok, actually, the patch for Bug #39633 changed the error message in a misleading way. The attached patch fixes that. With the fixed error message it becomes apparent, that Bug 43120 is the actual cause of this error.

ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/ar41i1.qa/Policies/{E776730D-7F69-4797-B982-3633F984323E} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object

ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/ar41i1.qa/Policies/{E776730D-7F69-4797-B982-3633F984323E} O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
Comment 4 Arvid Requate univentionstaff 2019-01-24 22:14:08 CET
Ok, after some more tests I see four different cases:

Case 1) Default GPOs provisioned by Samba:

NTACL in the filesystem:

O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

Translated nTSecurityDescriptor (DSACL):

O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

This is the thing that Bug #39633 (SVN patch 7_Bug-39633-fix-LA-vs-DA-in-samba-tool-ntacl-syvolcheck.quilt) fixed. That's a clear inconsistency between the samba.provision.check_dir_acl Python function code and the samba.ntacls.setntacl function code. The latter explicitly maps "DA" to "LA" when writing the NTACLs, e.g. during sysvolreset.


Case 2) New GPOs created via the MS GPMC GUI:

NTACL in the filesystem:

O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

Translated nTSecurityDescriptor (DSACL):

O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

In this case Julian's patch for Bug #39633 didn't help, and introduced a false positive. It would be better to check if LA is in the filesystem and treat that as "DA". I may fix this with Bug #46643. We should also check if this is a bug in upstream Samba by checking the NTACLs of new GPOs on a native Windows AD DC.


Case 3) Default nTSecurityDescriptor of GPOs provisioned by Samba doesn't match those of a native AD DC. That is shown in the initial Description of Bug #43120. We should check this again properly and report our findings to upstream. They mainly differ in the inheritance flags (the "P", "AI", "AR" DACL flags and the ACE flags "IO" and "ID" too).


Case 4) (May partly be a collateral result of Case 3): samba-tool ntacl sysvolcheck discovers inconsistencies of the inheritance flags (DACL flags) between translated nTSecurityDescriptor and the NTACL in the filesystem. That's discussed in Bug 46643 with a partial idea for a patch for sysvolcheck.
Comment 5 Arvid Requate univentionstaff 2019-01-25 11:36:06 CET
Ok, I improved Julian's patch to cover Case 2 in addition to Case 1.

svn r18413 | Improve the old patch for Bug #39633
cbb276f704 | Advisory for 4.3-3
svn r18414 | Improve patch
svn r18415 | Fixup context of subsequent patch
bab1bb0b79 | Advisory update for 4.3-3

svn r18416 | Merge from errata4.3-3: Improve the old patch for Bug #39633
svn r18417 | Merge from errata4.3-3: Again

That's all we'll do at this bug, to reduce this complex bunch of issues.
Comment 6 Felix Botner univentionstaff 2019-02-04 15:23:36 CET
Looks good for ACLs created with Windows

OLD
O:DAG:DAD:PAI(A;O...
O:LAG:DAD:P  (A;O...

NEW

O:DAG:DAD:PAI(A;O...
O:DAG:DAD:P  (A;O...

But for samba-tool GPOs the diff changes from

O:DAG:DAD:P
O:LAG:DAD:P

to 

O:DAG:DAD: (A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)

O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)

is this OK?
Comment 7 Arvid Requate univentionstaff 2019-02-04 17:48:29 CET
Yes, that's exactly the situation I ran into. The sysvolcheck code first checks the directories and then the files in them. If it detects a difference in the ACLs, it throws an exception (nicely formatted) and aborts the check. Now I fixed the trivial problem that was reported during the directory check, which was:

root@backup11:~# samba-tool ntacl sysvolcheck
ProvisioningError: DB NTACL of GPO directory /var/lib/samba/sysvol/ar41i1.qa/Policies/{3C7E4B9B-E6AE-4B37-88AB-55C8C982E254} O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO directory /var/lib/samba/sysvol/ar41i1.qa/Policies/{3C7E4B9B-E6AE-4B37-88AB-55C8C982E254} O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) does not match value O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object

This error doesn't happen any longer and the directory check passes. As a result, we now - for the first time - see that there are ACL differences on the file level:

root@backup11:~# univention-upgrade
[...]
root@backup11:~# samba-tool ntacl sysvolcheck
ProvisioningError: DB NTACL of GPO file /var/lib/samba/sysvol/ar41i1.qa/Policies/{3C7E4B9B-E6AE-4B37-88AB-55C8C982E254}/GPT.INI O:DAG:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object
ProvisioningError: VFS NTACL of GPO file /var/lib/samba/sysvol/ar41i1.qa/Policies/{3C7E4B9B-E6AE-4B37-88AB-55C8C982E254}/GPT.INI O:DAG:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED) does not match value O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) expected from GPO object

Notice that the error messages changed from:

ProvisioningError: DB NTACL of GPO directory [...]

to

ProvisioningError: DB NTACL of GPO file [...]

The final result is not ideal, but better than before, because we now obtain more relevant information (and not "false positives"). As your example shows, the number of ACEs differs between the expected and the actual NTACL. In my opinion that's nothing we should gloss over by patching sysvolcheck. At least we should first understand what's going on here. But that's more than we should do in this sprint.
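As an added illustration of the comparisons discussed in comment 4 and in this comment (example code written for this page, not samba's check_dir_acl and not the attached patch), the following Python parses the SDDL strings quoted in this bug and compares the descriptor expected from the GPO object with the NTACL found on the filesystem. It treats the LA/DA owner difference as the only tolerated deviation, and adds an ignore_inheritance diagnostic view that sysvolcheck itself does not have; the constant names and the diagnostic option are assumptions for this example, the SDDL strings are the ones from comments 4 and 7.

```python
"""Compare a GPO's expected security descriptor with the sysvol NTACL.

Illustrative code for Bug 44282, not samba.provision.check_dir_acl and not
the patch attached to this bug.  SDDL strings are copied from the comments.
"""
import re
from collections import Counter, namedtuple

Ace = namedtuple("Ace", "ace_type flags mask trustee")
Descriptor = namedtuple("Descriptor", "owner group dacl_flags aces")

# SDDL flag tokens; two-letter tokens first so "AI"/"AR" are not read as "A".
_DACL_FLAG_TOKENS = ("AR", "AI", "P")
_ACE_FLAG_TOKENS = ("OI", "CI", "NP", "IO", "ID", "SA", "FA")
_INHERIT_DACL_FLAGS = frozenset({"P", "AI", "AR"})
_INHERIT_ACE_FLAGS = frozenset({"OI", "CI", "NP", "IO", "ID"})

# Case 1 (comment 4): default GPO, sysvolreset writes LA, the DS value translates to DA.
CASE1_FS = "O:LAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
CASE1_DS = "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
# Case 2 (comment 4): GPO created with GPMC, the filesystem DACL carries AI.
CASE2_FS = "O:DAG:DAD:PAI(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
CASE2_DS = CASE1_DS
# File-level mismatch on GPT.INI (comment 7).
FILE_FS = "O:DAG:DAD:(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;EA)(A;;0x001f01ff;;;LA)(A;;0x001f01ff;;;SY)(A;;0x001200a9;;;AU)(A;;0x001200a9;;;ED)"
FILE_DS = CASE1_DS


def _split_flags(text, tokens):
    """Split concatenated SDDL flags, e.g. "OICIIO" -> ["OI", "CI", "IO"]."""
    found = []
    while text:
        for tok in tokens:
            if text.startswith(tok):
                found.append(tok)
                text = text[len(tok):]
                break
        else:
            raise ValueError("unknown flag in %r" % text)
    return found


def parse_sddl(sddl):
    """Parse the SDDL subset used for sysvol NTACLs: O:..G:..D:<flags>(ace)..."""
    m = re.match(r"^O:(?P<owner>.*?)G:(?P<group>.*?)D:(?P<dacl>.*)$", sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    dacl = m.group("dacl")
    first = dacl.find("(")
    flag_text, ace_text = (dacl, "") if first < 0 else (dacl[:first], dacl[first:])
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_text):
        parts = body.split(";")
        if len(parts) != 6:
            raise ValueError("unsupported ACE: %r" % body)
        ace_type, flags, mask, _object_guid, _inherit_guid, trustee = parts
        aces.append(Ace(ace_type, frozenset(_split_flags(flags, _ACE_FLAG_TOKENS)),
                        int(mask, 16), trustee))
    return Descriptor(m.group("owner"), m.group("group"),
                      frozenset(_split_flags(flag_text, _DACL_FLAG_TOKENS)), aces)


def _fmt(ace):
    return "(%s;%s;0x%08x;;;%s)" % (ace.ace_type, "".join(sorted(ace.flags)),
                                    ace.mask, ace.trustee)


def _strip_inheritance(desc):
    """Drop inheritance-related DACL and ACE flags so only trustees and masks compare."""
    aces = [ace._replace(flags=ace.flags - _INHERIT_ACE_FLAGS) for ace in desc.aces]
    return desc._replace(dacl_flags=desc.dacl_flags - _INHERIT_DACL_FLAGS, aces=aces)


def compare_ntacl(ds_sddl, fs_sddl, accept_la_owner=True, ignore_inheritance=False):
    """Return the differences between the descriptor expected from the GPO
    object (ds_sddl) and the NTACL read from the filesystem (fs_sddl).

    accept_la_owner: treat owner LA (RID 500) and DA (RID 512) as equivalent,
    since sysvolreset writes LA and Windows GPMC writes DA.
    ignore_inheritance: diagnostic view comparing trustees and masks only.
    """
    ds, fs = parse_sddl(ds_sddl), parse_sddl(fs_sddl)
    if ignore_inheritance:
        ds, fs = _strip_inheritance(ds), _strip_inheritance(fs)
    diffs = []
    if ds.owner != fs.owner and not (accept_la_owner and {ds.owner, fs.owner} == {"DA", "LA"}):
        diffs.append("owner: expected %s, filesystem has %s" % (ds.owner, fs.owner))
    if ds.group != fs.group:
        diffs.append("group: expected %s, filesystem has %s" % (ds.group, fs.group))
    if ds.dacl_flags != fs.dacl_flags:
        diffs.append("DACL flags: expected %s, filesystem has %s"
                     % ("".join(sorted(ds.dacl_flags)), "".join(sorted(fs.dacl_flags))))
    # Multiset comparison: the duplicated DA entry in the expected DACL counts twice.
    expected, actual = Counter(ds.aces), Counter(fs.aces)
    diffs.extend("ACE missing on filesystem: " + _fmt(a) for a in (expected - actual).elements())
    diffs.extend("ACE unexpected on filesystem: " + _fmt(a) for a in (actual - expected).elements())
    return diffs


if __name__ == "__main__":
    for name, ds, fs in (("case 1", CASE1_DS, CASE1_FS), ("case 2", CASE2_DS, CASE2_FS),
                         ("GPT.INI", FILE_DS, FILE_FS)):
        print(name, compare_ntacl(ds, fs))
        print(name, "without inheritance flags:", compare_ntacl(ds, fs, ignore_inheritance=True))
```

Run stand-alone, case 1 yields no difference (the LA owner is accepted), case 2 reports only the extra AI DACL flag, and the GPT.INI case reports every ACE because the on-disk entries carry no inheritance flags at all. With ignore_inheritance=True the GPT.INI case still leaves three differences, a missing CO entry, a missing second DA entry and an unexpected LA entry, which is the "number of ACEs differs" observation above and not something an inheritance-flag tolerance in sysvolcheck would explain away.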
Comment 8 Felix Botner univentionstaff 2019-02-05 11:50:37 CET
(In reply to Arvid Requate from comment #7)
> Yes, that's exactly the situation I ran into. The sysvolcheck code first
> checks the directories and then the files in them. If it detects a
> difference in the ACLs, it throws an exception (nicely formatted) and aborts
> the check. Now I fixed the trivial problem that was reported during the
> directory check, which was:
> 
> [...]
> 
> The final result is not ideal, but better than before, because we now obtain
> more relevant information (and not "false positives"). As your example
> shows, the number of ACEs differs between the explected and the actual
> NTACL. In my opinion that's nothing we should gloss over by patching
> sysvolcheck. At least we should first understand what's going on here. But
> that's more than we should do in this sprint.

Oh, sorry yes, that diff was for a totally different file (the next error actually)

OK - samba-tool
OK - yaml
OK - patches
OK - merged to 4.4
Comment 9 Arvid Requate univentionstaff 2019-02-06 12:35:47 CET
<http://errata.software-univention.de/ucs/4.3/418.html>