[jcifs] Re: Share permissions

Karl Wright kwright at metacarta.com
Tue Jan 2 18:08:41 GMT 2007 

Karl Wright wrote:
> Thanks, Mike.
> 
> I already sent the remote query to you (or, rather, a TCPDUMP of the 
> entire session where I opened the properties panel for the dir7share 
> from a remote Windows machine).  Windows *did* let me into the 
> "properties" panel, but before it did it said that I could not access 
> security for that share remotely, and when I got in sure enough the 
> security display was grey'd.  I've reattached them.  What interested me 
> was that you said that you saw "Access denied" in that dump for at least 
> one transaction.  If that transaction had anything to do with dir7share 
> I'd love to know which transaction that was, and what Windows seemed to 
> be asking for at that time.
> 
> Karl
> 

After looking at these with ethereal, I found two interesting issues in 
the tcpdump.out.2 trace, which is the one where I tried to access dir7share.

First, there's a protocol error!  Look for a SMB NT_Trans_Request packet 
that is a NT_QUERY_SECURITY_DESC request.  One of them comes back with 
"Buffer too small".  Not sure why Windows would fail in this way - 
although it could well be that there is a version difference between the 
client and the server.

Second, there's a NetrShareGetInfo request that goes out to 
wxp-ie-65-201 for dir7share.  Do you have any idea what this request 
might be for, and would Jcifs submit a similar request at any point?

Thanks again,
Karl

> 
> Michael B Allen wrote:
> 
>> Empty response:
>>
>> NtTransQuerySecurityResponse[command=SMB_COM_NT_TRANSACT,received=false,errorCode=0,flags=0x0098,flags2=0xC003,signSeq=0,tid=2048,pid=40463,uid=2048,mid=8,wordCount=18,byteCount=25,totalParameterCount=4,totalDataCount=20,parameterCount=4,parameterOffset=72,parameterDisplacement=0,dataCount=20,dataOffset=76,dataDisplacement=0,setupCount=0,pad=1,pad1=0] 
>>
>>
>> Not much JCIFS can do about that.
>>
>> If you recall we tried to get a capture of Windows acquiring the security
>> descriptor on the errant share but you could not get it remotely due to
>> the associated ACL editor dialogs being grey'd out (or something like
>> that). If you can get a capture of a remote query of the share's ACL
>> I'd be happy to look. Otherwise, when I run the GetSecurity example an
>> a share in my environment it is successful. So there must me something
>> special about the shares you're using.
>>
>> Also, you might consider directing some of these questions through
>> the JCIFS mailing list. Someone else may have an explaination for the
>> behavior.
>>
>> Mike
>>
>> On Tue, 02 Jan 2007 09:24:04 -0500
>> Karl Wright <kwright at metacarta.com> wrote:
>>
>>
>>> Hi Michael,
>>>
>>> I hope you had a restful vacation.
>>>
>>> I still have not figured out what the issue is fundamentally with the 
>>> share permissions for the test case that is failing for me.  Just to 
>>> recap, there's a share which does not seem to permit its security to 
>>> be examined by a remote Windows machine, but when I query the share's 
>>> security using jCifs I get back no SIDs at all, and no exception 
>>> either.  I'd like to figure out what's happening, and what I need to 
>>> do to behave in a manner similar to what Windows does.
>>>
>>> The test in question requests information for dir7share (which is the 
>>> share) and for dir7share/7 (which is a file).
>>>
>>> I've attached two logs.  The first (agents_out.log) is a standard-out 
>>> log made with jcifs debugging level set to 10.  The second 
>>> (agents.log) is my crawler's log, which simply shows that I get back 
>>> zero SIDs for dir7share.
>>>
>>> I did not see any "access is denied" responses in here anywhere, nor 
>>> do I see NTSECURITY requests, so I presume they are not specially 
>>> noted in the debug output.  Can you confirm that the security request 
>>> for dir7share simply returns no SIDs, and does not indicate an 
>>> error?  If so, I'd love to compare against the Windows interaction 
>>> TCPDUMP captures I sent back in December to see what the difference is.
>>>
>>> Thanks,
>>> Karl
>>>
>>>
>>> Michael B Allen wrote:
>>>
>>>> On Fri, 22 Dec 2006 22:57:37 -0500
>>>> Karl Wright <kwright at metacarta.com> wrote:
>>>>
>>>>
>>>>
>>>>> Michael B Allen wrote:
>>>>>
>>>>>
>>>>>> On Fri, 22 Dec 2006 22:21:41 -0500
>>>>>> Karl Wright <kwright at metacarta.com> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>>> All of the NT_QUERY_SECURITY_DESC calls are still clearly not 
>>>>>>>> returning
>>>>>>>> ACLs. It's either empty or the response is ACCESS_DENIED. But if 
>>>>>>>> you
>>>>>>>> never really saw the ACLs in the ACL editor I guess this is no 
>>>>>>>> surprise.
>>>>>>>>
>>>>>>>
>>>>>>> For the ACCESS_DENIED responses, what will JCifs return?
>>>>>>> Karl
>>>>>>
>>>>>>
>>>>>>
>>>>>> It should throw an SmbAuthException with text "Access denied" but 
>>>>>> you'll
>>>>>> want to confirm that as there might be some logic that prevents it.
>>>>>>
>>>>>> Mike
>>>>>>
>>>>>
>>>>> I don't seem to get that for the "access denied" share.  It seems 
>>>>> to return an empty ACE array instead.  I'll try to turn on debug 
>>>>> for JCifs next.  Where exactly do I do that?
>>>>
>>>>
>>>>
>>>> There were also instances where the NT_QUERY_SECURITY_DESC returned
>>>> successfully but with no ACEs in which will result in an empty ACE[]
>>>> array. You have to be prepared to deal with both cases (at least).
>>>>
>>>> See the API overview page for the jcifs.util.loglevel property.
>>>>
>>>> Mike
>>>>
>>>
>>>
>>
>>

More information about the jcifs mailing list