Setting ACLs when creating files from Windows
Corinna Vinschen
corinna at vinschen.de
Fri Jul 18 12:00:15 GMT 2008
Hi,
I've been puzzling over this problem for some time now. So far I need
a special hack in Cygwin for Samba, probably because I simply don't
understand something about the user mapping correctly.
My current situation is, I have a Samba server (3.0.30) which is a domain member machine. In smb.conf, security is set to domain. There's
no winbindd running. Before I set up the domain, I had the same problem
using security = server with the server being another Windows machine in
the same workgroup.
Usually when creating and changing files on the Samba shares, it
works fine, as long as creating the file uses a NULL security descriptor.
However, when Cygwin tries to create a file, it checks if the underlying
filesystem supports ACLs, and if so, it tries to set the ACL immediately
to correct POSIX permissions for the local user, along these lines (and
very simplified):
  SECURITY_DESCRIPTOR *sd = NULL;
  if ((open_flags & O_CREAT)
      && (fs_flags & FS_PERSISTENT_ACLS))
    sd = create_posix_like_security_attributes_for_current_user ();
  NtCreateFile (&fhandle, ..., sd, ...);
The ACL created for this case is equivalent to typical POSIX permissions,
and consists of three entries:
- SID of current windows user
- SID of user's primary group
- SID for "Everyone"
The problem is, when creating a file this way, the NtCreateFile call
fails with STATUS_ACCESS_DENIED. But, the file *has* been created,
with default permissions and owned by the mapped unix user and group.
For testing purposes I changed the above code to
  SECURITY_DESCRIPTOR *sd = NULL;
  if ((open_flags & O_CREAT)
      && (fs_flags & FS_PERSISTENT_ACLS))
    sd = create_posix_like_security_attributes_for_current_user ();
  NtCreateFile (&fhandle, ..., NULL /* instead of sd */, ...);
  NtSetSecurityObject (fhandle, ALL_SECURITY_INFORMATION, sd);
Now the NtCreateFile call succeeds, but the NtSetSecurityObject call
fails with STATUS_ACCESS_DENIED.
The smbd logfile contains this log entry:
[2008/07/18 13:12:45, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1260)
LEGACY: mapping failed for sid S-1-5-21-2913048732-1697188782-3448811101-1001
Here are my questions:
- Why does legacy_sid_to_uid fail? The user with the above SID has been
authenticated correctly and is mapped to a unix user:
[2008/07/18 13:12:45, 5] smbd/uid.c:change_to_user(273)
change_to_user uid=(500,500) gid=(0,11125)
Why is the SID not mapped to that uid?
- I'm looking for a generic solution to this problem from a Windows
application perspective. Except that the underlying system is
a Samba share, I have no further knowledge about the underlying
system. I don't know which security is used and I have no idea
about the SIDs used for UNIX users and groups. I only know the
SID of my Windows environment.
Is there any chance to have a generic solution, except for ignoring
file permissions when creating files on Samba?
- Last but not least, in the first case, where the descriptor is given
to NtCreateFile, why is the file not removed even though NtCreateFile
failed?
Thanks in advance,
Corinna
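The three-entry POSIX-like DACL the post describes (owner, primary group, Everyone), modelled here as an added example that is not Cygwin's or Samba's code: it builds the ACL from a POSIX mode, adds the deny ACEs that Windows' ordered evaluation needs whenever a later entry would grant a right an earlier principal lacks, and brute-forces the result against POSIX semantics. The SIDs and the three-bit rights set are constructed placeholders, not real Windows access masks.

```python
from collections import namedtuple
from itertools import product
# Abstract rights; real Windows masks (FILE_GENERIC_READ etc.) are wider.
R, W, X = 4, 2, 1
EVERYONE = "S-1-1-0"            # well-known SID for Everyone
OWNER = "S-1-5-21-1-2-3-1001"   # constructed placeholder user SID
GROUP = "S-1-5-21-1-2-3-513"    # constructed placeholder group SID
Ace = namedtuple("Ace", "kind sid rights")   # kind is "allow" or "deny"

def posix_dacl(mode, owner_sid=OWNER, group_sid=GROUP):
    """Three-principal DACL for a POSIX mode.  Windows walks ACEs in order and
    the owner's token also carries the group and Everyone SIDs, so a right the
    owner (or group) lacks but a later ACE grants must be denied explicitly."""
    u, g, o = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    acl = []
    if (g | o) & ~u:
        acl.append(Ace("deny", owner_sid, (g | o) & ~u))
    acl.append(Ace("allow", owner_sid, u))
    if o & ~g:
        acl.append(Ace("deny", group_sid, o & ~g))
    acl.append(Ace("allow", group_sid, g))
    acl.append(Ace("allow", EVERYONE, o))
    return acl

def access_check(acl, token_sids, requested):
    """Simplified Windows DACL check: a matching deny ACE covering a still-
    ungranted right fails the request, allow ACEs accumulate, stop when done."""
    remaining = requested
    for ace in acl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.rights & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.rights
        if not remaining:
            return True
    return remaining == 0

TOKENS = {"owner": {OWNER, GROUP, EVERYONE},   # what each role's token holds
          "group": {GROUP, EVERYONE}, "other": {EVERYONE}}

def posix_allows(mode, role, requested):
    shift = {"owner": 6, "group": 3, "other": 0}[role]
    return requested & ~((mode >> shift) & 7) == 0

def mismatches():
    """(mode, role, request) triples where the DACL and POSIX disagree."""
    return [(oct(m), r, q) for m, r, q in product(range(0o1000), TOKENS, range(1, 8))
            if access_check(posix_dacl(m), TOKENS[r], q) != posix_allows(m, r, q)]
```

Dropping the deny ACEs (for example for mode 0604) lets a group member read the file through the Everyone entry, which is the kind of silent permission widening a failed or partial ACL application on a share can also produce.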