Problem with posix_acls.c/unpack_nt_owners

Gerson Kurz gerson.kurz at
Wed Nov 28 03:57:02 GMT 2001

Hi folks,

first post, please be gentle. In September 2001, Paul Herman posted this

I have checked the "samba-lastest.tar.gz" and the fix is not in there. Let
me explain what the problem is from the windows side.

On Windows NT/2000, when you use the CreateFile() API you can specify the
ACL for the file. If an application specifies NULL as ACL (as does the
standard lib) the file is created with default access permissions. This
works fine on Samba.

However, it is common practice on NT to create files with an ACL, for the
following reason. If a file is created by one user, other users -if they are
not administrators- cannot access the file. This is not always desirable.
For example, a shared application wants to create files that can be accessed
by all users. So, many NT-specific applications specify an ACL when doing
CreateFile(). It is common to use an "ALL-ACCESS-FOR-EVERYONE" ACL, for two
reasons, a) because that is what you want, and b) its the only simple thing
to do with the braindead NT ACL API.

Note that, on Windows9x, you cannot use ACLs so many "windows" applications
do NOT use ACLs because they were never designed for NT/2000 in the first

The problem is, that this CreateFile() will create the file, but then return
INVALID_HANDLE_VALUE, because the ACL cannot be set. So, windows thinks the
file has never been created even though it exists! It is not deleted after
the failed ACL-settings, either. In the samba log, you can see the entry

[2001/11/28 11:20:49, 0] smbd/posix_acls.c:unpack_nt_owners(421)
  unpack_nt_owners: no security info sent !

The problem is even more serious if you open the file for reading. On
Windows, if you want to open a file for reading, you do a
CreateFile(GENERIC_READ,OPEN_EXISTING). Again, you can specify an ACL, and
if you don't, then everything works OK. But, if you specify an ACL the file
cannot be opened! even though a normal open without ACL works! Note that
Windows ignores the ACL if you open the file for reading (the CreateFile API
documentation explicitly states this), so samba should probably, too.

I can send you a small program with source to test this behaviour, if anyone
is interested. I'm trying to install a source version of samba (mine came
preconfigured with Suse Linux) so as to check if the patch from Paul Herman

Bye, Gerson Kurz

More information about the samba-technical mailing list