From bf13fec51bd667eaea85e753404a50daa1293785 Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Wed, 27 Nov 2013 15:26:14 +1300 Subject: [PATCH 1/4] provision: Fix failures on re-provision incorrectly blamed on posix acl support. By doing the test later, there is an actual sam.ldb file that can be connected to. Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett Reviewed-by: Jelmer Vernooij (cherry picked from commit a89060a0217f8740798d1dac4466222301a4d81b) --- python/samba/provision/__init__.py | 51 +++++++++++++++++++------------------- 1 file changed, 25 insertions(+), 26 deletions(-) diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index 46d2cbc..d2a8a57 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py @@ -1527,6 +1527,31 @@ def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain, s4_passdb = None if not use_ntvfs: + s3conf = s3param.get_context() + s3conf.load(lp.configfile) + + file = tempfile.NamedTemporaryFile(dir=os.path.abspath(sysvol)) + try: + try: + smbd.set_simple_acl(file.name, 0755, gid) + except Exception: + if not smbd.have_posix_acls(): + # This clue is only strictly correct for RPM and + # Debian-like Linux systems, but hopefully other users + # will get enough clue from it. + raise ProvisioningError("Samba was compiled without the posix ACL support that s3fs requires. " + "Try installing libacl1-dev or libacl-devel, then re-run configure and make.") + + raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. " + "Try the mounting the filesystem with the 'acl' option.") + try: + smbd.chown(file.name, uid, gid) + except Exception: + raise ProvisioningError("Unable to chown a file on your filesystem. " + "You may not be running provision as root.") + finally: + file.close() + # This will ensure that the smbd code we are running when setting ACLs # is initialised with the smb.conf s3conf = s3param.get_context() @@ -2031,32 +2056,6 @@ def provision(logger, session_info, credentials, smbconf=None, if paths.sysvol and not os.path.exists(paths.sysvol): os.makedirs(paths.sysvol, 0775) - if not use_ntvfs and serverrole == "active directory domain controller": - s3conf = s3param.get_context() - s3conf.load(lp.configfile) - - if paths.sysvol is None: - raise MissingShareError("sysvol", paths.smbconf) - - file = tempfile.NamedTemporaryFile(dir=os.path.abspath(paths.sysvol)) - try: - try: - smbd.set_simple_acl(file.name, 0755, root_gid) - except Exception: - if not smbd.have_posix_acls(): - # This clue is only strictly correct for RPM and - # Debian-like Linux systems, but hopefully other users - # will get enough clue from it. - raise ProvisioningError("Samba was compiled without the posix ACL support that s3fs requires. Try installing libacl1-dev or libacl-devel, then re-run configure and make.") - - raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires. Try the mounting the filesystem with the 'acl' option.") - try: - smbd.chown(file.name, root_uid, root_gid) - except Exception: - raise ProvisioningError("Unable to chown a file on your filesystem. You may not be running provision as root.") - finally: - file.close() - ldapi_url = "ldapi://%s" % urllib.quote(paths.s4_ldapi_path, safe="") schema = Schema(domainsid, invocationid=invocationid, -- 1.9.1 From 9dc6de91a6f2a2b09a4f8ead12a6c0ba2fb88dc2 Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Wed, 5 Feb 2014 15:29:18 +1300 Subject: [PATCH 2/4] provision: improve error message when connecting to samdb without the correct permissions Signed-off-by: Garming Sam Signed-off-by: Andrew Bartlett Reviewed-by: Andrew Bartlett Reviewed-by: Jelmer Vernooij (cherry picked from commit b27543aa729ca893270831d5c4fc74ea7ac6d407) --- python/samba/provision/__init__.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index d2a8a57..af0e080 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py @@ -1199,7 +1199,13 @@ def setup_samdb(path, session_info, provision_backend, lp, names, # And now we can connect to the DB - the schema won't be loaded from the # DB - samdb.connect(path) + try: + samdb.connect(path) + except ldb.LdbError, (num, string_error): + if (num == ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS): + raise ProvisioningError("Permission denied connecting to %s, are you running as root?" % path) + else: + raise # But we have to give it one more kick to have it use the schema # during provision - it needs, now that it is connected, to write -- 1.9.1 From a6823236c001f7184b3948759c16b1a1db466c4e Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Wed, 5 Feb 2014 15:31:22 +1300 Subject: [PATCH 3/4] pysmbd: improve the return of error codes in the python smbd bindings Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett Reviewed-by: Jelmer Vernooij (cherry picked from commit ad773cc01435e65fa5d8e84758b0642069e96c40) --- source3/smbd/pysmbd.c | 58 ++++++++++++++++++++++++--------------------------- 1 file changed, 27 insertions(+), 31 deletions(-) diff --git a/source3/smbd/pysmbd.c b/source3/smbd/pysmbd.c index 683c48c..df0f430 100644 --- a/source3/smbd/pysmbd.c +++ b/source3/smbd/pysmbd.c @@ -76,11 +76,10 @@ static connection_struct *get_conn(TALLOC_CTX *mem_ctx, const char *service) return conn; } -static NTSTATUS set_sys_acl_conn(const char *fname, +static int set_sys_acl_conn(const char *fname, SMB_ACL_TYPE_T acltype, SMB_ACL_T theacl, connection_struct *conn) { - NTSTATUS status = NT_STATUS_OK; int ret; mode_t saved_umask; @@ -91,16 +90,11 @@ static NTSTATUS set_sys_acl_conn(const char *fname, saved_umask = umask(0); ret = SMB_VFS_SYS_ACL_SET_FILE( conn, fname, acltype, theacl); - if (ret != 0) { - status = map_nt_error_from_unix_common(ret); - DEBUG(0,("set_sys_acl_conn: SMB_VFS_SYS_ACL_SET_FILE " - "returned zero.\n")); - } umask(saved_umask); TALLOC_FREE(frame); - return status; + return ret; } static NTSTATUS set_nt_acl_conn(const char *fname, @@ -319,8 +313,8 @@ static SMB_ACL_T make_simple_acl(gid_t gid, mode_t chmod_mode) static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject *kwargs) { const char * const kwnames[] = { "fname", "mode", "gid", "service", NULL }; - NTSTATUS status; char *fname, *service = NULL; + int ret; int mode, gid = -1; SMB_ACL_T acl; TALLOC_CTX *frame; @@ -340,12 +334,16 @@ static PyObject *py_smbd_set_simple_acl(PyObject *self, PyObject *args, PyObject return NULL; } - status = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn); + ret = set_sys_acl_conn(fname, SMB_ACL_TYPE_ACCESS, acl, conn); TALLOC_FREE(acl); - TALLOC_FREE(frame); + if (ret != 0) { + TALLOC_FREE(frame); + errno = ret; + return PyErr_SetFromErrno(PyExc_OSError); + } - PyErr_NTSTATUS_IS_ERR_RAISE(status); + TALLOC_FREE(frame); Py_RETURN_NONE; } @@ -357,7 +355,6 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs) { const char * const kwnames[] = { "fname", "uid", "gid", "service", NULL }; connection_struct *conn; - NTSTATUS status = NT_STATUS_OK; int ret; char *fname, *service = NULL; @@ -383,27 +380,26 @@ static PyObject *py_smbd_chown(PyObject *self, PyObject *args, PyObject *kwargs) ret = SMB_VFS_CHOWN( conn, fname, uid, gid); if (ret != 0) { - status = map_nt_error_from_unix_common(errno); - DEBUG(0,("chown returned failure: %s\n", strerror(errno))); + umask(saved_umask); + TALLOC_FREE(frame); + errno = ret; + return PyErr_SetFromErrno(PyExc_OSError); } umask(saved_umask); TALLOC_FREE(frame); - PyErr_NTSTATUS_IS_ERR_RAISE(status); - Py_RETURN_NONE; } /* - chown a file + unlink a file */ static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs) { const char * const kwnames[] = { "fname", "service", NULL }; connection_struct *conn; - NTSTATUS status = NT_STATUS_OK; int ret; struct smb_filename *smb_fname = NULL; char *fname, *service = NULL; @@ -427,19 +423,18 @@ static PyObject *py_smbd_unlink(PyObject *self, PyObject *args, PyObject *kwargs smb_fname = synthetic_smb_fname_split(frame, fname, NULL); if (smb_fname == NULL) { TALLOC_FREE(frame); - PyErr_NTSTATUS_IS_ERR_RAISE(NT_STATUS_NO_MEMORY); + return PyErr_NoMemory(); } ret = SMB_VFS_UNLINK(conn, smb_fname); if (ret != 0) { - status = map_nt_error_from_unix_common(errno); - DEBUG(0,("unlink returned failure: %s\n", strerror(errno))); + TALLOC_FREE(frame); + errno = ret; + return PyErr_SetFromErrno(PyExc_OSError); } TALLOC_FREE(frame); - PyErr_NTSTATUS_IS_ERR_RAISE(status); - Py_RETURN_NONE; } @@ -541,7 +536,7 @@ static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *k { const char * const kwnames[] = { "fname", "acl_type", "acl", "service", NULL }; TALLOC_CTX *frame = talloc_stackframe(); - NTSTATUS status; + int ret; char *fname, *service = NULL; PyObject *py_acl; struct smb_acl_t *acl; @@ -568,8 +563,12 @@ static PyObject *py_smbd_set_sys_acl(PyObject *self, PyObject *args, PyObject *k acl = pytalloc_get_type(py_acl, struct smb_acl_t); - status = set_sys_acl_conn(fname, acl_type, acl, conn); - PyErr_NTSTATUS_IS_ERR_RAISE(status); + ret = set_sys_acl_conn(fname, acl_type, acl, conn); + if (ret != 0) { + TALLOC_FREE(frame); + errno = ret; + return PyErr_SetFromErrno(PyExc_OSError); + } TALLOC_FREE(frame); Py_RETURN_NONE; @@ -588,7 +587,6 @@ static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *k TALLOC_CTX *frame = talloc_stackframe(); TALLOC_CTX *tmp_ctx = talloc_new(NULL); connection_struct *conn; - NTSTATUS status = NT_STATUS_OK; char *service = NULL; if (!tmp_ctx) { PyErr_NoMemory(); @@ -614,9 +612,7 @@ static PyObject *py_smbd_get_sys_acl(PyObject *self, PyObject *args, PyObject *k if (!acl) { TALLOC_FREE(frame); TALLOC_FREE(tmp_ctx); - status = map_nt_error_from_unix_common(errno); - DEBUG(0,("sys_acl_get_file returned NULL: %s\n", strerror(errno))); - PyErr_NTSTATUS_IS_ERR_RAISE(status); + return PyErr_SetFromErrno(PyExc_OSError); } py_acl = py_return_ndr_struct("samba.dcerpc.smb_acl", "t", acl, acl); -- 1.9.1 From e37be3edd622b1ec699d2387dd8817e59676d62b Mon Sep 17 00:00:00 2001 From: Garming Sam Date: Wed, 5 Feb 2014 15:40:59 +1300 Subject: [PATCH 4/4] provision: capture slightly less generic exceptions during the test for acls Signed-off-by: Garming Sam Reviewed-by: Andrew Bartlett Reviewed-by: Jelmer Vernooij (cherry picked from commit f279a297a4a94c5cbc049c9b2cde14b02960a76f) --- python/samba/provision/__init__.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py index af0e080..f11f3c4 100644 --- a/python/samba/provision/__init__.py +++ b/python/samba/provision/__init__.py @@ -1540,7 +1540,7 @@ def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain, try: try: smbd.set_simple_acl(file.name, 0755, gid) - except Exception: + except OSError: if not smbd.have_posix_acls(): # This clue is only strictly correct for RPM and # Debian-like Linux systems, but hopefully other users @@ -1552,7 +1552,7 @@ def setsysvolacl(samdb, netlogon, sysvol, uid, gid, domainsid, dnsdomain, "Try the mounting the filesystem with the 'acl' option.") try: smbd.chown(file.name, uid, gid) - except Exception: + except OSError: raise ProvisioningError("Unable to chown a file on your filesystem. " "You may not be running provision as root.") finally: -- 1.9.1