gmane.network.samba.internals

Winbind configuration recovery after SIGHUP

Nimrod Sapir — 2013-06-19T14:38:50

Hello

While working with Samba 4.0, I've noticed an issue regarding the idmap 
configuration re-read when Winbind receives a SIGHUP or when the 
smbcontrol reload-config command is used. I believe this is also relevant 
for Samba 3.6. What I've seen is that when Samba idmap configuration is 
changed, and SIGHUP is called, the idmap information becomes corrupted. 
For example, in my case, I changed the default domain configuration and 
called "killall -HUP winbindd". It seems that the old pointer used in 
idmap.c for the default domain were not reset, and therefore now pointed 
to the wrong configuration entries.

The solution I have is to call idmap_close() when handling SIGHUP or 
reload-config command. The result is that all domain information is 
removed. Later on, the passdb/default/named domains information is 
recreated, using the updated configuration, when required (as would have 
happened on the first time this domain is used during winbind startup 
flow).

 Attached is a patch I created (based on the v4-0-stable branch) - do you 
think this is a good enough solution for the problem?



Thanks!
Nimrod Sapir
IBM - XIV, Israel
NAS Development Team
Office: +972-3-689-7763
Cell:   +972-54-7726-320

Setup wintest suite for samba 4

Rubén Durán — 2013-06-19T11:24:24

Hello,

we are trying to setup the Wintest test suite in order to do some automated tests of 
our integration of samba 4.

We are using the Wiki page [1] as an starting point to configure and deploy the 
environment and, although we found some deprecated information we already fixed. I 
think it is a really good starting point.

Still, we have stump upon some problems to make this tests work correcly:

1) The VM IP address was not correctly identified by resolve_ip() method because 
'bin/nmblookup' returns a line the parser did not expect (or at least that is what I 
thought):

$ bin/nmblookup Windows7
added interface eth0:0 ip=192.168.123.3 bcast=192.168.123.255 
netmask=255.255.255.0
Got a positive name query response from 192.168.123.101 ( 192.168.123.101 )
192.168.123.101 Windows7<00>

So I made the parser use the IP between the parentheses. After that, the IP was 
correcly identified and the tests where able to continue. If you tell be this is the 
correct thing to do, I'll probably submit a small patch so that this gets fixed for 
everyone.


2) In the tests for Windows XP and Windows 7, everything works correctly until the 
following command is run:

C:\Users\user>Checking the windows join is OK
$ nc -v -z -w 1 192.168.123.101 139
Connection to 192.168.123.101 139 port [tcp/netbios-ssn] succeeded!
$ bin/smbclient4 -L Windows7.s4.howto.abartlet.net -
Uadministrator< at >s4.howto.abartlet.net%p< at >ssw0rd
Failed to connect to ncacn_np:Windows7.s4.howto.abartlet.net - 
NT_STATUS_OBJECT_NAME_NOT_FOUND
REWRITE: list servers not implemented

It keeps failing until the retries get to 0 and the test finish with a failure. We've tried 
to debug this but we are not really sure what to look for and the most annoying thing 
is that this seems to work at some random times.


3) As for W2K8R2A, the test fail with the following command once the VM has been 
configured:

$ sbin/samba_dnsupdate --fail-immediately
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may 
provide more information, Minor = Connection timed out.

Also, I'm not sure if this is related but there is no dns.keytab file in the samba prefix 
private dir but bind gets configured to use it.


We would really appreciate any hint you could give us and please, ask for more info in 
case what I'm providing here is not enough.

The version we are using to run this tests is: 4.1.0pre1-GIT-5c4772e
And we are running the tests with the following command: --skip 
dcpromo_rodc,join_rodc --dns-backend=BIND9_DLZ

Regards

[1] https://wiki.samba.org/index.php/WinTest

[Release Planning 4.0] v4-0-test will be frozen on Tuesday

Karolin Seeger — 2013-06-19T09:21:49

Hi list,

Samba 4.0.7 is scheduled for Tuesday, July 2.
That means, the release branches will be frozen on Tuesday, June 25.
Please make sure that your fixes get into the branch as soon as possible.

Thanks!

Cheers,
Karolin

[Release Planning 3.6] Samba 3.6.17 on August 14?

Karolin Seeger — 2013-06-19T09:12:40

Hi list,

if there are no objections, I would like to schedule Samba 3.6.17 for
Wednesday, August 14.

https://wiki.samba.org/index.php/Release_Planning_for_Samba_3.6
has been updated accordingly.

Cheers,
Karolin

[Announce] Samba 3.6.16 Available for Download

Karolin Seeger — 2013-06-19T08:45:33

==============================================================
"All water has a perfect memory and is
 forever trying to get back to where
 it was."

 Toni Morrison
==============================================================


Release Announcements
=====================

This is is the latest stable release of Samba 3.6.

Major enhancements in Samba 3.6.16 include:

o  Fix crash bug during Win8 sync (bug #9822).
o  Properly handle Oplock breaks in compound requests (bug #9722).


Changes since 3.6.15:
---------------------

o   Michael Adam <obnox< at >samba.org>
    * BUG 9881: Link dbwrap_tool and dbwrap_torture against libtevent.


o   Jeremy Allison <jra< at >samba.org>
    * BUG 9722: Properly handle Oplock breaks in compound requests.
    * BUG 9822: Fix crash bug during Win8 sync.


o   Anand Avati <avati< at >redhat.com>
    * BUG 9927: errno gets overwritten in call to check_parent_exists().


o   David Disseldorp <ddiss< at >samba.org>
    * BUG 8997: Change libreplace GPL source to LGPL.
    * BUG 9900: is_printer_published GUID retrieval.


o   Peng Haitao <penght< at >cn.fujitsu.com>
    * BUG 9941: Fix a bug of drvupgrade of smbcontrol.


o   Volker Lendecke <vl< at >samba.org>
    * BUG 9868: Don't know how to make LIBNDR_PREG_OBJ.


o   SATOH Fumiyasu <fumiyas< at >osstech.co.jp>
    * BUG 9688: Remove "experimental" label on "max protocol=SMB2" parameter.


o   Andreas Schneider <asn< at >samba.org>
    * BUG 9881: Check for system libtevent.


######################################################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba corresponding product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA).  The source code can be downloaded
from:

        http://download.samba.org/samba/ftp/

The release notes are available online at:

        http://www.samba.org/samba/ftp/history/samba-3.6.16.html

Binary packages will be made available on a volunteer basis from

        http://download.samba.org/samba/ftp/Binary_Packages/

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team

RID numbers increase too quickly?

Cove Schneider — 2013-06-19T02:09:00

Hi folks,

I noticed that the RID numbers seem to increase incrementally, then will suddenly jump by 124501. Unless I'm misunderstanding, shouldn't RID pool allocations just be 500 at a time?
 
e.g.  Adding accounts one after another on a single test instance here's how they're incrementing (from 4.0.6):
1596
1597
1598
1599
126100
126101
126102
...
126599

251100
...

251599

376100
...

The problem is that this complicates using sssd's AD integration, as that it doesn't expect the RIDs to increase in a single domain so quickly. 


Thanks!

cs

[PATCH] Fix bug #9166 - Starting smbd or nmbd with stdin from/dev/null results in "EOF on stdin"

Jeremy Allison — 2013-06-18T18:18:49

OEM confirms this fixes the issue for them.

Please review and push if you're ok with it.

Jeremy.

[PATCH] winbindd and nmbd don't set their umask to zero on startuplike smbd does

Jeremy Allison — 2013-06-18T18:11:55

Make nmbd and winbindd set their umasks to zero
on startup as smbd does. We already carefully
control what the permissions are on the files
we create, so this just makes them explicit.

Please review and push if you're ok.

Jeremy.

OS X 10.9 Maverick

Ralph Böhme — 2013-06-18T14:30:59

Hi everybody,

Apple is moving to SMB2 as the default filesharing protocol in it's next OS X incarnation 10.9 Maverick:
<http://www.afp548.com/2013/06/11/smb2-and-you-saying-goodbye-to-afp-in-os-x-mavericks/>

Network traces reveal interesting stuff:
* is searching remote SMB2 volumes supported (aka Spotlight) ? Hint: the AFP network command is called FPSpotlight*RPC*
* in which format is OS X specific stuff (FinderInfo, Ressource Fork) sent across the wire ?

Anybody else working on explicit support for OS X, 10.9 and below?

As a Netatalk developer and consultant I can tell you that I'm not THAT happy, but otoh this change offers interesting new challenges. :)

-Ralph

[PATCH] Workaround very slow nss_winbind, fix crash on the AD DC(particularly for backups)

Andrew Bartlett — 2013-06-18T02:49:37

This patch attempts to address an issue some have reported where our
nss_winbind is even slower than it's simple non-caching implementation
needs to be.

I think this comes from us not handling the BUILTIN domain properly, and
so we constantly attempt to contact the DC, and then fail an internal
validation step, throwing away that connection.  

I think this is also the cause of crashes folks have seen.

Can I get some confirmation that this helps, so I can merge this into
master (and then 4.0.x)?

Thanks,

Andrew Bartlett

[PATCH] Re-add umask(0) code removed by commit3a7c2777ee0de37d758fe81d67d6836a8354825e

Jeremy Allison — 2013-06-18T00:10:37

Fix bug introduced by commit 3a7c2777ee0de37d758fe81d67d6836a8354825e.

Re-add umask(0) needed when creating pipes. Directory access
control is sufficient to ensure pipe access is secure, and
without the umask(0) then properly authorized processes
(the nss libraries) cannot connect.

This took far longer than it should have to track down at
the Microsoft interop event :-).

Jeremy.

[PATCH] Fix xx_path() - return check from mkdir() is incorrect.

Jeremy Allison — 2013-06-17T23:30:24

Found working with at the MS-interop event.

Jeremy.

login failures from XP 64 bit client

Herb Lewis — 2013-06-17T22:06:55

Running samba 3.6.6 (also tested with 3.6.15 though with a slight variation
of response there) that is joined to a Windows 2008 domain I get login 
failure
when I try to map a share from a XP 64 bit client. It also fails the 
same from
other clients that are also running version 5.2 of Windows OS. Works for
5.1 and 6.0 versions. Following link shows what version number applies to
different Windows operating systems.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms724832%28v=vs.85%29.aspx

With 3.6.15 I was getting a slightly different response when I tried to map
the share by IP address versus by server name.

Any ideas where to look for the problem?

[PATCH 1/3] vfs_catia: use translate direction enum instead of int

David Disseldorp — 2013-06-17T17:43:32

Signed-off-by: David Disseldorp <ddiss< at >samba.org>
---
 source3/modules/vfs_catia.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source3/modules/vfs_catia.c b/source3/modules/vfs_catia.c
index 73b45b3..1a37dd2 100644
--- a/source3/modules/vfs_catia.c
+++ b/source3/modules/vfs_catia.c
< at >< at > -222,7 +222,7 < at >< at > static bool init_mappings(connection_struct *conn,
 static NTSTATUS catia_string_replace_allocate(connection_struct *conn,
       const char *name_in,
       char **mapped_name,
-      int direction)
+enum vfs_translate_direction direction)
 {
 static smb_ucs2_t *tmpbuf = NULL;
 smb_ucs2_t *ptr;

samba 3.6.3 exporting aufs

Christian Huldt — 2013-06-16T13:14:28

I thought I could provide a smooth transition from traditional hard 
drives to ssd by layering the ssd on top of the existing file structure 
with aufs [1].

Unfortunately folders with content not completely copied up to the ssd 
can not be renamed through samba. Renaming (mv) on the server works 
flawlessly, and afterwards that folder is copied up to the ssd and 
renaming works from windows, but before that, windows7 returns "invalid 
device" and smbclient says "access denied". To do an rename from windows 
requires copying the folder to the client, deleting it from the server 
and copying it back, then it works, as the folder is now on the ssd.

Could anyone please help me to gain some insight into this? I know that 
samba strives to copy windows behaviour, but AFAIK there is nothing like 
aufs for windows...

[1] http://aufs.sf.net

Samba and logoff event

Alex Winzer — 2013-06-14T22:42:10

Hello,

first of all thank your for your great work on Samba. I'm using it for 
years and I'm kind of satisfied. Second I don't know if this is the 
right list to ask. So I#d be thankful for any advice were to put it right.

I'm using samba as a primary domian controller mostly for Windows XP 
clients with roaming profiles. I have two offices and so I'm using samba 
as a file server only from that second office. This I wanted to change.

I already did some research on the internet, how to syncronize these 
profiles. There seems not to be an event fired by samba if a user does a 
logoff from PDC. That's why some people offer a solution by using a cron 
job to keep the profiles the same. Others use a construction of 
smbstatus and grep or netstat and grep to simulate this.

So here my questions:
1. Does samba have such kind of event?
2. If it has, how can I handle it / find some information about?
3. If it doesn't, would it be possible to insert such kind of event into 
future versions of samba?

Thanks in advance

Alex

P.S. Sorry for my bad English, but I'm not a native speaker. At least I 
hope you understand what I want to say and ask.

CTDB 2.0: how to get rid of these messages?

Ulrich Sibiller — 2013-06-14T14:48:44

Hi,

we have a 6 node GPFS cluster running on RHEL5 and 6 (4 RHEL5, 2xRHEL6) using ctdb-2.0-1.x86_64 and 
sernet's samba3-3.6.13-45.el6.x86_64 packages. This running fine most of the time. However, I have 
lots of lines like the following in the syslogs of all nodes. Example from node 5:

Jun 14 15:01:24 gpfs02s05 ctdbd: Could not add client IP xx.yy.zz.236. This is not a public address.

This address is the private address of the node's bond0 interface.

I am suspecting that ctdb complains because the nodes and the private adresses are located in the 
same subnet (the online documentation states "This should be a private non-routable subnet which is 
only used for internal cluster traffic."). Is that correct? I cannot
change that because there's is no way to establish a private subnet here. Can I do something - 
except changing the source - to get rid of the message?

Uli

PS: Some more info on the setup:

The nodes file:
------------------------------------------------------
[root< at >gpfs02s05 samba]# cat /etc/ctdb/nodes
xx.yy.zz.236
xx.yy.zz.237
xx.yy.zz.231
xx.yy.zz.230
xx.yy.zz.229
xx.yy.zz.226
------------------------------------------------------


the public_addresses file:
------------------------------------------------------
[root< at >gpfs02s05 samba]# cat /etc/ctdb/public_addresses
xx.yy.zz.216/24 bond0
xx.yy.zz.217/24 bond0
xx.yy.zz.219/24 bond0
xx.yy.zz.220/24 bond0
xx.yy.zz.221/24 bond0
xx.yy.zz.218/24 bond0
------------------------------------------------------

------------------------------------------------------
[root< at >gpfs02s05]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
       inet6 ::1/128 scope host
          valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
       link/ether 34:40:b5:ab:ff:f4 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
       link/ether 34:40:b5:ab:ff:f6 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
       link/ether 34:40:b5:a6:56:e4 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
       link/ether 34:40:b5:a6:56:e6 brd ff:ff:ff:ff:ff:ff
6: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
       link/ether 36:40:b5:ae:ee:bf brd ff:ff:ff:ff:ff:ff
       inet 169.254.95.120/24 brd 169.254.95.255 scope global usb0
       inet6 fe80::3440:b5ff:feae:eebf/64 scope link
          valid_lft forever preferred_lft forever
7: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
       link/ether 34:40:b5:ab:ff:f4 brd ff:ff:ff:ff:ff:ff
       inet xx.yy.zz.236/24 brd xx.yy.zz.255 scope global bond0
       inet xx.yy.zz.218/24 brd xx.yy.zz.255 scope global secondary bond0
       inet6 fe80::3640:b5ff:feab:fff4/64 scope link
          valid_lft forever preferred_lft forever
------------------------------------------------------

ctdb status show this:
------------------------------------------------------
Number of nodes:6
pnn:0 xx.yy.zz.236     OK (THIS NODE)
pnn:1 xx.yy.zz.237     OK
pnn:2 xx.yy.zz.231     OK
pnn:3 xx.yy.zz.230     OK
pnn:4 xx.yy.zz.229     OK
pnn:5 xx.yy.zz.226     OK
Generation:1676676043
Size:6
hash:0 lmaster:0
hash:1 lmaster:1
hash:2 lmaster:2
hash:3 lmaster:3
hash:4 lmaster:4
hash:5 lmaster:5
Recovery mode:NORMAL (0)
Recovery master:5
------------------------------------------------------


------------------------------------------------------
[root< at >gpfs02s05 samba]# ctdb listnodes
xx.yy.zz.236
xx.yy.zz.237
xx.yy.zz.231
xx.yy.zz.230
xx.yy.zz.229
xx.yy.zz.226
------------------------------------------------------

CTDB 2.0: how to get rid of these messages?

Ulrich Sibiller — 2013-06-14T15:14:50

Hi,

we have a 6 node GPFS cluster running on RHEL5 and 6 (4 RHEL5, 2xRHEL6) using ctdb-2.0-1.x86_64 and 
sernet's samba3-3.6.13-45.el6.x86_64 packages. This running fine most of the time. However, I have 
lots of lines like the following in the syslogs of all nodes. Example from node 5:

Jun 14 15:01:24 gpfs02s05 ctdbd: Could not add client IP xx.yy.zz.236. This is not a public address.

This address is the private address of the node's bond0 interface.

I am suspecting that ctdb complains because the nodes and the private adresses are located in the 
same subnet (the online documentation states "This should be a private non-routable subnet which is 
only used for internal cluster traffic."). Is that correct? I cannot
change that because there's is no way to establish a private subnet here. Can I do something - 
except changing the source - to get rid of the message?

Uli

PS: Some more info on the setup:

The nodes file:
------------------------------------------------------
[root< at >gpfs02s05 samba]# cat /etc/ctdb/nodes
xx.yy.zz.236
xx.yy.zz.237
xx.yy.zz.231
xx.yy.zz.230
xx.yy.zz.229
xx.yy.zz.226
------------------------------------------------------


the public_addresses file:
------------------------------------------------------
[root< at >gpfs02s05 samba]# cat /etc/ctdb/public_addresses
xx.yy.zz.216/24 bond0
xx.yy.zz.217/24 bond0
xx.yy.zz.219/24 bond0
xx.yy.zz.220/24 bond0
xx.yy.zz.221/24 bond0
xx.yy.zz.218/24 bond0
------------------------------------------------------

------------------------------------------------------
[root< at >gpfs02s05]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
        inet6 ::1/128 scope host
           valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
        link/ether 34:40:b5:ab:ff:f4 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
        link/ether 34:40:b5:ab:ff:f6 brd ff:ff:ff:ff:ff:ff
4: eth2: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
        link/ether 34:40:b5:a6:56:e4 brd ff:ff:ff:ff:ff:ff
5: eth3: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc mq master bond0 state UP qlen 1000
        link/ether 34:40:b5:a6:56:e6 brd ff:ff:ff:ff:ff:ff
6: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
        link/ether 36:40:b5:ae:ee:bf brd ff:ff:ff:ff:ff:ff
        inet 169.254.95.120/24 brd 169.254.95.255 scope global usb0
        inet6 fe80::3440:b5ff:feae:eebf/64 scope link
           valid_lft forever preferred_lft forever
7: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
        link/ether 34:40:b5:ab:ff:f4 brd ff:ff:ff:ff:ff:ff
        inet xx.yy.zz.236/24 brd xx.yy.zz.255 scope global bond0
        inet xx.yy.zz.218/24 brd xx.yy.zz.255 scope global secondary bond0
        inet6 fe80::3640:b5ff:feab:fff4/64 scope link
           valid_lft forever preferred_lft forever
------------------------------------------------------

ctdb status show this:
------------------------------------------------------
Number of nodes:6
pnn:0 xx.yy.zz.236     OK (THIS NODE)
pnn:1 xx.yy.zz.237     OK
pnn:2 xx.yy.zz.231     OK
pnn:3 xx.yy.zz.230     OK
pnn:4 xx.yy.zz.229     OK
pnn:5 xx.yy.zz.226     OK
Generation:1676676043
Size:6
hash:0 lmaster:0
hash:1 lmaster:1
hash:2 lmaster:2
hash:3 lmaster:3
hash:4 lmaster:4
hash:5 lmaster:5
Recovery mode:NORMAL (0)
Recovery master:5
------------------------------------------------------


------------------------------------------------------
[root< at >gpfs02s05 samba]# ctdb listnodes
xx.yy.zz.236
xx.yy.zz.237
xx.yy.zz.231
xx.yy.zz.230
xx.yy.zz.229
xx.yy.zz.226
------------------------------------------------------

Server Role questions

Ricky Nance — 2013-06-14T14:47:34

Ok, so I am back to the issue of trying to get the samba binary to 'do the
right thing' and only start the needed services (instead of just warning
the user about it not being an AD DC).

Currently samba has 5 different server roles defined:

} srv_role_tab [] = {
        { ROLE_STANDALONE, "ROLE_STANDALONE" },
        { ROLE_DOMAIN_MEMBER, "ROLE_DOMAIN_MEMBER" },
        { ROLE_DOMAIN_BDC, "ROLE_DOMAIN_BDC" },
        { ROLE_DOMAIN_PDC, "ROLE_DOMAIN_PDC" },
        { ROLE_ACTIVE_DIRECTORY_DC, "ROLE_ACTIVE_DIRECTORY_DC" },
        { 0, NULL }

so if its not defined it falls into the NULL role. In my continuing efforts
to make things 'easier' I would like to know what all can fall under the
NULL (what kind of setups don't match the above). Obviously things like a
standalone NMBD server or WINBINDD server, but are there others? If so can
anyone explain what needs to be spawned and why?

Is there a need to add new roles? Can the 'server services =' be taken into
account when the above roles aren't matched? Is there documentation on how
the roles are supposed to act when they are used (and if not, can we start
there)? Sorry for all the questions, but I am really needing some developer
feedback here.

Thanks for reading,
Ricky

Samb4 GPO Issues

Mike Howard — 2013-06-14T08:29:58

Hi All,

I'm having problems with the Default GPO in that it can't be applied. 
I'm using samba Version 4.0.5, build from Git a few months back. It's 
only the Default Domain Policy that is causing problems and has always, 
until now, been blank. Only now that it is no longer empty, the problem 
has become apparent. Other GPOs are applied ok.

The error from a Win XP client is;

Windows cannot access the file gpt.ini for GPO 
cn={BD961E94-0103-437A-B37D-2A0D67B76FA7},cn=policies,cn=system,DC=mydomain,DC=co,DC=uk. 
The file must be present at the location 
<\\mydomain\SysVol\mydomain.co.uk\Policies\{BD961E94-0103-437A-B37D-2A0D67B76FA7}\gpt.ini>. 
(Access is denied. ). Group Policy processing aborted.

I've tried to match up the permissions using 'setfacl' (using a working 
GPO as the template), I've even tried chmod -R 777, just to see if 
access really is the issue, but still no go.

'samba-tool gpo aclcheck' gives me;

ERROR: Invalid GPO ACL 
O:DAG:DAD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;;0x001f01ff;;;DA)(A;;0x001f01ff;;;WD)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;;;;CG)(A;OICIIO;;;;WD) 
on path 
(mydomain.co.uk\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}), should 
be 
O:DAG:DAD:PAR(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;DC)(A;OICI;0x001f01ff;;;EA)(A;OICI;0x001200a9;;;ED)

but I can't see in samba-tool how to fix this.

I would be happy to delete and recreate the GPO but Windows tools tells 
me that 'The server is unwilling to process the request' and 'samba-tool 
gpo del {31B2F340-016D-11D2-945F-00C04FB984F9}' gives me;

ERROR(ldb): uncaught exception - LDAP error 53 LDAP_UNWILLING_TO_PERFORM 
-  <00002035: objectclass: Cannot delete 
CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=co,DC=uk, 
it isn't permitted!> <>
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 
1083, in run
     self.samdb.delete(ldb.Dn(self.samdb, "CN=User,%s" % str(gpo_dn)))

Anybody any ideas?

Cheers,

ACL Inheritance and merging of ACEs ...

Richard Sharpe — 2013-06-14T02:18:03

Hi folks,

There is good evidence from Windows that ACEs are merged when an entry
is added because of CREATOR OWNER or CREATOR GROUP ACEs on a parent.

Consider this parent folder on Windows:

cc1# smbcacls //192.168.56.50/c /test1 -Unimbus-10/labview\ r\&d%xxxxxxxxx
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
REVISION:1
CONTROL:0x9404
OWNER:BUILTIN\Administrators
GROUP:NIMBUS-10\Domain Users
ACL:NIMBUS-10\Administrator:ALLOWED/0x0/FULL
ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO/FULL
ACL:NIMBUS-10\Domain Users:ALLOWED/0x0/0x001200af
ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI/0x001000a1

And, as NIMBUS-10\LabVIEW R&D I created a new folder in test1 and got
these permissions:

cc1# smbcacls //192.168.56.50/c /test1/anewfolder -Unimbus-10/labview\
r\&d%xxxxxx
Failed to load upcase.dat, will use lame ASCII-only case sensitivity rules
Failed to load lowcase.dat, will use lame ASCII-only case sensitivity rules
REVISION:1
CONTROL:0x8404
OWNER:NIMBUS-10\LabVIEW R&D
GROUP:NIMBUS-10\Domain Users
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/I/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO|I/FULL
ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI|IO|I/0x001000a1

Why did I get OI|CI|IO on that last entry (ignoring the I flag for the moment)?

That is because this entry:

ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI|/0x001000a1

is actually two entries:

ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/0x0/0x001000a1
ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/OI|CI|IO/0x001000a1

and because there is also this entry from the CREATOR OWNER ACE on the parent:

ACL:NIMBUS-10\LabVIEW R&D:ALLOWED/I/FULL

Windows merged the first non-inheritable entry above, leaving the
entry that says OI|CI|IO.

We need to take a pass across the ACL after we created the new ACL
from inheritance and merge any ACEs that can be merged. Fortunately,
we only need to consider ACEs where the trustee matches the OWNER and
GROUP SIDs on the new object.