DFS ACL delete bit on, but ACCESS_DENIED on delete.

John P Janosik jpjanosi at us.ibm.com
Thu Jan 25 20:55:31 GMT 2007

jmcdough at gmail.com wrote on 01/25/2007 01:41:16 PM:

> Jeremy,
> John Janosik is trying to delete a file hosted on DFS, where the
> write mode bit is off, but the acl's delete bit is on, and with the
> new code in unlink_internals() (I say new, relative to the 3.0.11
> which was previously running), he's getting an ACCESS_DENIED from
> can_delete (which then in turn must be getting it from
> open_file_ntcreate()).  Any thoughts on the best way to approach this?
> John, can you verify in a sniff that ACCESS_DENIED is what's coming
> across the wire, and not just the client message?

I took a network trace and I see it isn't in unlink_internals as I guessed.
The client is getting ACCESS_DENIED from a NT Create AndX Request with the
Delete Share access bit set according to Wireshark.

Here is what I see in the command prompt trying to delete the file:

X:\u0\admin\private>erase testfile
Access is denied.

Here is the level 10 debug log of the request:

  switch message SMBntcreateX (pid 20418) conn 0x203484a8
[2007/01/25 14:36:52, 4] smbd/uid.c:change_to_user(184)
  change_to_user: Skipping user change - already user
[2007/01/25 14:36:52, 10] smbd/nttrans.c:reply_ntcreate_and_X(501)
  reply_ntcreateX: flags = 0x10, access_mask = 0x10000 file_attributes =
0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200040
root_dir_fid = 0x0
[2007/01/25 14:36:52, 5] smbd/filename.c:unix_convert(108)
  unix_convert called on file "u0/admin/private/testfile"
[2007/01/25 14:36:52, 10] smbd/statcache.c:stat_cache_lookup(248)
  stat_cache_lookup: lookup succeeded for name [U0/ADMIN/PRIVATE/TESTFILE]
-> [u0/admin/private/testfile]
[2007/01/25 14:36:52, 10] smbd/reply.c:can_delete(1874)
  can_delete: u0/admin/private/testfile, dirtype = 0
[2007/01/25 14:36:52, 8] smbd/dosmode.c:dos_mode(377)
  dos_mode: u0/admin/private/testfile
[2007/01/25 14:36:52, 8] smbd/dosmode.c:dos_mode_from_sbuf(193)
  dos_mode_from_sbuf returning
[2007/01/25 14:36:52, 8] smbd/dosmode.c:dos_mode(415)
  dos_mode returning
[2007/01/25 14:36:52, 10]
  check_posix_acl_group_access: requesting 0x2 on file u0/admin/private
[2007/01/25 14:36:52, 10]
  check_posix_acl_group_access: file u0/admin/private failed to match on
user or group in token (ret = -1).
[2007/01/25 14:36:52, 10]
  check_posix_acl_group_access: file u0/admin/private returning (ret = -1).
[2007/01/25 14:36:52, 3] smbd/error.c:error_packet(146)
  error packet at smbd/nttrans.c(674) cmd=162 (SMBntcreateX)

The mode bits and acl on the file are as follows (I'm connecting as
ajpjanos which is a member of subsys/dce/dfs-admin):

.../admin/private> /bin/ls -ld .
drwxrwx---   3 rawales  rawales         512 Jan 24 14:37 .
.../admin/private> dcecp -c acl show .
{mask_obj rwxcid}
{user_obj rwxcid}
{group_obj ------}
{group subsys/dce/dfs-admin rwxcid}
{other_obj ------}

I'm maintaining my own version of Samba for this environment since I've had
to add AFS and DFS pags to the UNIX_USER_TOKEN in the security context so I
can switch between AFS and DFS users.  I'm willing to take any suggestions
even if they wouldn't be accepted back into Samba since I have to maintain
my own patches anyway.  I'm hoping not to have to implement mapping between
DCE ACLs and Windows ACLs for this problem.


John Janosik
jpjanosi at us.ibm.com
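
Added example, not part of the original message and not Samba code: a Python script that rejoins the mail-wrapped level 10 log entries quoted above, decodes the NT Create AndX fields, and reports which path the POSIX ACL check refused. The flag tables use the standard NT constant names and name only a few bits; the function names (records, flags, triage) are made up for this example.

```python
import re

# Excerpt of the level 10 log quoted in the message; mail wrapping kept as is.
SAMPLE_LOG = """\
[2007/01/25 14:36:52, 10] smbd/nttrans.c:reply_ntcreate_and_X(501)
  reply_ntcreateX: flags = 0x10, access_mask = 0x10000 file_attributes =
0x0, share_access = 0x7, create_disposition = 0x1 create_options = 0x200040
root_dir_fid = 0x0
[2007/01/25 14:36:52, 10]
  check_posix_acl_group_access: requesting 0x2 on file u0/admin/private
[2007/01/25 14:36:52, 10]
  check_posix_acl_group_access: file u0/admin/private failed to match on
user or group in token (ret = -1).
"""

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d,\s*(\d+)\]\s*(\S*)$")
# Standard NT flag values; only the bits likely in a delete attempt are named.
ACCESS = {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x10000: "DELETE"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
OPTIONS = {0x40: "FILE_NON_DIRECTORY_FILE", 0x1000: "FILE_DELETE_ON_CLOSE", 0x200000: "FILE_OPEN_REPARSE_POINT"}
DISPOSITION = "FILE_SUPERSEDE FILE_OPEN FILE_CREATE FILE_OPEN_IF FILE_OVERWRITE FILE_OVERWRITE_IF".split()

def records(log):  # [level, location, message] per entry, wrapped lines rejoined
    out = []
    for line in log.splitlines():
        m = HEADER.match(line)
        if m:  # the location is empty on headers that carry none
            out.append([int(m.group(1)), m.group(2), ""])
        elif out:
            out[-1][2] = (out[-1][2] + " " + line.strip()).strip()
    return out

def flags(value, table):
    rest = value & ~sum(table)  # bits the table does not name stay visible as hex
    return [n for b, n in table.items() if value & b] + ([hex(rest)] if rest else [])

def triage(log):
    res = {}
    for _level, _where, msg in records(log):
        if msg.startswith("reply_ntcreateX:"):
            f = {k: int(v, 16) for k, v in re.findall(r"(\w+) = (0x[0-9a-fA-F]+)", msg)}
            res["access_mask"] = flags(f["access_mask"], ACCESS)
            res["share_access"] = flags(f["share_access"], SHARE)
            res["create_disposition"] = DISPOSITION[f["create_disposition"]]
            res["create_options"] = flags(f["create_options"], OPTIONS)
        elif m := re.match(r"check_posix_acl_group_access: requesting (0x\w+) on file (\S+)", msg):
            res["checked"] = (m.group(2), int(m.group(1), 16))
        elif m := re.match(r"check_posix_acl_group_access: file (\S+) failed to match", msg):
            res["denied_on"] = m.group(1)
    return res
```

On the excerpt, triage(SAMPLE_LOG) shows an open of the file that asks only for DELETE, and a failed check whose path is the parent directory u0/admin/private rather than testfile itself.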
