DFS ACL delete bit on, but ACCESS_DENIED on delete.

Thu Jan 25 20:55:31 GMT 2007

jmcdough at gmail.com wrote on 01/25/2007 01:41:16 PM:

> Jeremy,
> John Janosik is trying to delete a file hosted on DFS, where the
> write mode bit is off, but the acl's delete bit is on, and with the
> new code in unlink_internals() (I say new, relative to the 3.0.11
> which was previously running), he's getting an ACCESS_DENIED from
> can_delete (which then in turn must be getting it from
> open_file_ntcreate()).  Any thoughts on the best way to approach this?
>
> John, can you verify in a sniff that ACCESS_DENIED is what's coming
> across the wire, and not just the client message?

I took a network trace and I see it isn't in unlink_internals as I guessed.
The client is getting ACCESS_DENIED from a NT Create AndX Request with the
Delete Share access bit set according to Wireshark.

Here is what I see in the command prompt trying to delete the file:

X:\u0\admin\private>erase testfile
X:\u0\admin\private\testfile
Access is denied.

Here is the level 10 debug log of the request:

  switch message SMBntcreateX (pid 20418) conn 0x203484a8
[2007/01/25 14:36:52, 4] smbd/uid.c:change_to_user(184)
  change_to_user: Skipping user change - already user
[2007/01/25 14:36:52, 10] smbd/nttrans.c:reply_ntcreate_and_X(501)
  reply_ntcreateX: flags = 0x10, access_mask = 0x10000 file_attributes =
0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200040
root_dir_fid = 0x0
[2007/01/25 14:36:52, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file "u0/admin/private/testfile"
[2007/01/25 14:36:52, 10] smbd/statcache.c:stat_cache_lookup(248)
  stat_cache_lookup: lookup succeeded for name [U0/ADMIN/PRIVATE/TESTFILE]
-> [u0/admin/private/testfile]
[2007/01/25 14:36:52, 10] smbd/reply.c:can_delete(1874)
  can_delete: u0/admin/private/testfile, dirtype = 0
[2007/01/25 14:36:52, 8] smbd/dosmode.c:dos_mode(377)
  dos_mode: u0/admin/private/testfile
[2007/01/25 14:36:52, 8] smbd/dosmode.c:dos_mode_from_sbuf(193)
  dos_mode_from_sbuf returning
[2007/01/25 14:36:52, 8] smbd/dosmode.c:dos_mode(415)
  dos_mode returning
[2007/01/25 14:36:52, 10]
smbd/posix_acls.c:check_posix_acl_group_access(3927)
  check_posix_acl_group_access: requesting 0x2 on file u0/admin/private
[2007/01/25 14:36:52, 10]
smbd/posix_acls.c:check_posix_acl_group_access(4184)
  check_posix_acl_group_access: file u0/admin/private failed to match on
user or group in token (ret = -1).
[2007/01/25 14:36:52, 10]
smbd/posix_acls.c:check_posix_acl_group_access(4194)
  check_posix_acl_group_access: file u0/admin/private returning (ret = -1).
[2007/01/25 14:36:52, 3] smbd/error.c:error_packet(146)
  error packet at smbd/nttrans.c(674) cmd=162 (SMBntcreateX)
NT_STATUS_ACCESS_DENIED

The mode bits and acl on the file are as follows (I'm connecting as
ajpjanos which is a member of subsys/dce/dfs-admin):

.../admin/private> /bin/ls -ld .
drwxrwx---   3 rawales  rawales         512 Jan 24 14:37 .
.../admin/private> dcecp -c acl show .
{mask_obj rwxcid}
{user_obj rwxcid}
{group_obj ------}
{group subsys/dce/dfs-admin rwxcid}
{other_obj ------}
.../admin/private>

I'm maintaining my own version of Samba for this environment since I've had
to add AFS and DFS pags to the UNIX_USER_TOKEN in the security context so I
can switch between AFS and DFS users.  I'm willing to take any suggestions
even if they wouldn't be accepted back into Samba since I have to maintain
my own patches anyway.  I'm hoping not having to implement mapping between
DCE ACLs and Windows ACLs for this problem.

Thanks,

John Janosik
jpjanosi at us.ibm.com