Setting ACLs in share mode security?

Esh, Andrew AEsh at tricord.com
Thu Mar 28 12:40:03 GMT 2002


I have a problem in SAMBA_2_2 with share mode security. I was running a
unix-like shell program on NT which is somehow able to exercise some open
modes that don't seem to be used commonly. The problem boils down to a call
to set_nt_acl from set_sd, from call_nt_transact_create in smbd/nttrans.c.
Here's some loggage:

We start with:
[2002/03/27 15:47:17, 5, pid=23898, effective(99, 80), real(0, 0)]
smbd/nttrans.c:call_nt_transact_create(1163)
  call_nt_transact_create

Which eventually calls:
[2002/03/27 15:47:17, 10, pid=23898, effective(99, 80), real(0, 0)]
smbd/posix_acls.c:set_nt_acl(2053)
  set_nt_acl: called for file xx412.txt

Which tries to resolve the SID for the sd that it's trying to set:
[2002/03/27 15:47:17, 5, pid=23898, effective(99, 80), real(0, 0)]
smbd/posix_acls.c:unpack_nt_owners(433)
  unpack_nt_owners: validating owner_sids.
[2002/03/27 15:47:19, 10, pid=23898, effective(99, 80), real(0, 0)]
smbd/uid.c:sid_to_uid(621)
  sid_to_uid: winbind lookup for sid
S-1-5-21-645162123-769410084-1105138716-1325 failed - trying local.
[2002/03/27 15:47:19, 3, pid=23898, effective(99, 80), real(0, 0)]
smbd/posix_acls.c:unpack_nt_owners(443)
  unpack_nt_owners: unable to validate owner sid.

Which it can't do because there is no PDC in share mode(?) and no local
SIDs(?), so it passes out a failure:
[2002/03/27 15:47:19, 3, pid=23898, effective(99, 80), real(0, 0)]
smbd/error.c:error_packet(91)
  error string = Operation not permitted
[2002/03/27 15:47:19, 3, pid=23898, effective(99, 80), real(0, 0)]
smbd/error.c:error_packet(99)
  error packet at smbd/nttrans.c(1404) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED

And the client reports "Operation not permitted." The file is actually
created, it just can't be written to in the first attempt. Later attempts to
open and write to the file succeed.

I added this fix in nttrans.c, and it solved the problem. A more correct one
could be put in smbd/vfs-wrap.c, in vfs_fset_nt_acl, and vfs_set_nt_acl. I
tried that and it worked as well. This fix allows me to pose a more focused
question: Should call_nt_transact_create be trying to set ACLs while the
server is in share mode?

[root at pluto smbd]# cvs -q diff
Index: nttrans.c
===================================================================
RCS file: /cvsroot/samba/source/smbd/nttrans.c,v
retrieving revision 1.104.4.44
diff -r1.104.4.44 nttrans.c
1358,1361c1358,1363
<   if (!set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION, &error_class,
&error_code)) {
<     close_file(fsp,False);
<     restore_case_semantics(file_attributes);
<     return ERROR_DOS(error_class, error_code);
---
>   if (lp_security() != SEC_SHARE) {
>     if (!set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION,
&error_class, &error_code)) {
>       close_file(fsp,False);
>       restore_case_semantics(file_attributes);
>       return ERROR_DOS(error_class, error_code);
>     }
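Review bot: the new `if (lp_security() != SEC_SHARE)` guard makes a create that carries a security descriptor succeed in share mode while the descriptor is silently discarded, and nothing in the hunk records that this is intended; if skipping the SD is the chosen semantics for share-level security, a comment at the guard should say so, and the narrower alternative the mail itself names (putting the check in vfs_set_nt_acl/vfs_fset_nt_acl) would make every set-ACL path behave the same instead of only call_nt_transact_create. The log above shows the actual failure is unpack_nt_owners rejecting an owner SID it cannot resolve, so the root cause is the lookup in set_nt_acl rather than this call site. Style: the hunk is a plain `diff -r` with no context lines, so the reader cannot see the outer closing brace that the new inner `}` at 1363 now pairs with; `cvs diff -u` would make that reviewable.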
[root at pluto smbd]# 

---
Andrew C. Esh                mail:Andrew.Esh at tricord.com
Tricord Systems, Inc.
2905 Northwest Blvd., Suite 20        763-557-9005 (main)
Plymouth, MN 55441-2644 USA      763-551-6418 (direct)
http://www.tricord.com - Tricord Home Page
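The failure chain in the log above, as an added diagnostic example that is not part of the original mail or of Samba: a Python parser for the smbd debug records shown (header, file:func(line), message) and a check that attributes an NT_STATUS_ACCESS_DENIED to the preceding owner-SID lookup failure in set_nt_acl. The record layout and the sample lines are taken from the post; the function names are my own.

```python
import re
# Record header as the post shows it (smbd 2.2 with debug pid/uid fields on).
HEADER_RE = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d, \d+, pid=(\d+),"
                       r" effective\(\d+, \d+\), real\(\d+, \d+\)\]\s*(\S+)?$")
LOC_RE = re.compile(r"^[\w./-]+:(\w+)\(\d+\)$")
SID_RE = re.compile(r"S-1-5-21(?:-\d+)+")
def parse_smbd_log(log):
    """Group smbd debug output into records of {pid, func, text}."""
    records = []
    for line in (raw.strip() for raw in log.splitlines() if raw.strip()):
        if m := HEADER_RE.match(line):
            records.append({"pid": int(m[1]), "func": "", "text": ""})
            line = m[2] or ""   # smbd puts file:func(line) after "]"; the mail wrapped it
        if not line or not records:
            continue            # header consumed, or text before any header
        rec = records[-1]
        if not rec["func"] and (loc := LOC_RE.match(line)):
            rec["func"] = loc[1]
        else:
            rec["text"] = (rec["text"] + " " + line).strip()
    return records

def explain_access_denied(records):
    """SID whose failed lookup caused the NT_STATUS_ACCESS_DENIED of the same pid, else None."""
    last_sid, pending = {}, {}
    for r in records:
        pid, func, text = r["pid"], r["func"], r["text"]
        if func == "sid_to_uid" and "failed" in text and (m := SID_RE.search(text)):
            last_sid[pid] = m[0]
        elif func == "unpack_nt_owners" and "unable to validate" in text:
            pending[pid] = last_sid.get(pid, "<sid not logged>")
        elif func == "error_packet" and "NT_STATUS_ACCESS_DENIED" in text:
            if cause := pending.pop(pid, None):  # consume; unrelated denial -> None
                return cause
    return None
# Excerpt of the log from the post, wrapped exactly as the mail shows it.
SAMPLE_LOG = """\
[2002/03/27 15:47:19, 10, pid=23898, effective(99, 80), real(0, 0)]
smbd/uid.c:sid_to_uid(621)
  sid_to_uid: winbind lookup for sid
S-1-5-21-645162123-769410084-1105138716-1325 failed - trying local.
[2002/03/27 15:47:19, 3, pid=23898, effective(99, 80), real(0, 0)]
smbd/posix_acls.c:unpack_nt_owners(443)
  unpack_nt_owners: unable to validate owner sid.
[2002/03/27 15:47:19, 3, pid=23898, effective(99, 80), real(0, 0)]
smbd/error.c:error_packet(99)
  error packet at smbd/nttrans.c(1404) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED
"""
```

Running `explain_access_denied(parse_smbd_log(SAMPLE_LOG))` on the excerpt returns the unresolvable owner SID; a denial with no preceding owner-validation failure in the same process returns None.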
