Prevent samba-tool online backup crash

On some GPOs, getting a files ntacl throws an
NT_STATUS_ACCESS_DENIED. Catch and log the
failure when this happens.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14088

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Tim Beale <timbeale@samba.org>

python/samba/netcmd/domain_backup.py

@@ -267,6 +267,7 @@ class cmd_domain_backup_online(samba.netcmd.Command):
         realm = remote_sam.domain_dns_name()
 
         # Grab the remote DC's sysvol files and bundle them into a tar file
+        logger.info("Backing up sysvol files (via SMB)...")
         sysvol_tar = os.path.join(tmpdir, 'sysvol.tar.gz')
         smb_conn = smb_sysvol_conn(server, lp, creds)
         backup_online(smb_conn, sysvol_tar, remote_sam.get_domain_sid())

python/samba/ntacls.py

@@ -33,6 +33,8 @@ from samba.dcerpc import security, xattr, idmap
 from samba.ndr import ndr_pack, ndr_unpack
 from samba.samba3 import smbd
 from samba.samba3 import libsmb_samba_internal as libsmb
+from samba.logger import get_samba_logger
+from samba import NTSTATUSError
 
 # don't include volumes
 SMB_FILE_ATTRIBUTE_FLAGS = libsmb.FILE_ATTRIBUTE_SYSTEM | \
@@ -466,7 +468,12 @@ def _create_ntacl_file(dst, ntacl_sddl_str):
 
 
 def _read_ntacl_file(src):
-    with open(src + '.NTACL', 'r') as f:
+    ntacl_file = src + '.NTACL'
+
+    if not os.path.exists(ntacl_file):
+        return None
+
+    with open(ntacl_file, 'r') as f:
         return f.read()
 
 
@@ -481,6 +488,8 @@ def backup_online(smb_conn, dest_tarfile_path, dom_sid):
     5. Delete contianer dir
     """
 
+    logger = get_samba_logger()
+
     if isinstance(dom_sid, str):
         dom_sid = security.dom_sid(dom_sid)
 
@@ -511,8 +520,14 @@ def backup_online(smb_conn, dest_tarfile_path, dom_sid):
                     f.write(data)
 
             # get ntacl for this entry and save alongside
+            try:
                 ntacl_sddl_str = smb_helper.get_acl(r_name, as_sddl=True)
                 _create_ntacl_file(l_name, ntacl_sddl_str)
+            except NTSTATUSError as e:
+                logger.error('Failed to get the ntacl for %s: %s' % \
+                             (r_name, e.args[1]))
+                logger.warning('The permissions for %s may not be' % r_name +
+                               ' restored correctly')
 
     with tarfile.open(name=dest_tarfile_path, mode='w:gz') as tar:
         for name in os.listdir(localdir):
@@ -576,6 +591,7 @@ def backup_restore(src_tarfile_path, dst_service_path, samdb_conn, smb_conf_path
     """
     Restore files and ntacls from a tarfile to a service
     """
+    logger = get_samba_logger()
     service = dst_service_path.rstrip('/').rsplit('/', 1)[-1]
     tempdir = tempfile.mkdtemp()  # src files
 
@@ -600,8 +616,14 @@ def backup_restore(src_tarfile_path, dst_service_path, samdb_conn, smb_conf_path
                 if not os.path.isdir(dst):
                     # dst must be absolute path for smbd API
                     smbd.mkdir(dst, service)
+
                 ntacl_sddl_str = _read_ntacl_file(src)
+                if ntacl_sddl_str:
                     ntacls_helper.setntacl(dst, ntacl_sddl_str)
+                else:
+                    logger.warning(
+                        'Failed to restore ntacl for directory %s.' % dst
+                        + ' Please check the permissions are correct')
 
         for filename in filenames:
             if not filename.endswith('.NTACL'):
@@ -610,8 +632,13 @@ def backup_restore(src_tarfile_path, dst_service_path, samdb_conn, smb_conf_path
                 if not os.path.isfile(dst):
                     # dst must be absolute path for smbd API
                     smbd.create_file(dst, service)
+
                 ntacl_sddl_str = _read_ntacl_file(src)
+                if ntacl_sddl_str:
                     ntacls_helper.setntacl(dst, ntacl_sddl_str)
+                else:
+                    logger.warning('Failed to restore ntacl for file %s.' % dst
+                                 + ' Please check the permissions are correct')
 
                 # now put data in
                 with open(src, 'rb') as src_file: