Setting ACLs when creating files from Windows

Corinna Vinschen corinna at vinschen.de
Wed Jul 23 10:22:20 GMT 2008


Ping?


Corinna

On Jul 18 14:00, Corinna Vinschen wrote:
> Hi,
> 
> I'm puzzling over this problem for some time now.  So far I need
> a special hack in Cygwin for Samba, probably because I simply don't
> understand something about the user mapping correctly.
> 
> My current situation is, I have a Samba server (3.0.30) which is a
> domain member machine.  In smb.conf, security is set to domain.  There's
> no winbindd running.  Before I set up the domain, I had the same problem
> using security = server with the server being another Windows machine in
> the same workgroup.
> 
> Usually when creating and changing files on the Samba shares, it
> works fine, as long as creating the file uses a NULL security descriptor.
> 
> However, when Cygwin tries to create a file, it checks if the underlying
> filesystem supports ACLs, and if so, it tries to set the ACL immediately
> to correct POSIX permissions for the local user, along these lines (and
> very simplified):
> 
>   SECURITY_DESCRIPTOR *sd = NULL;
>   if ((open_flags & O_CREAT)
>       && (fs_flags & FS_PERSISTENT_ACLS))
>     sd = create_posix_like_security_attributes_for_current_user ();
>   NtCreateFile (&fhandle, ..., sd, ...);
> 
> The ACL created for this case is equivalent to typical POSIX permissions,
> and consists of three entries:
> 
>   - SID of current windows user
>   - SID of user's primary group
>   - SID for "Everyone"
> 
> The problem is, when creating a file this way, the NtCreateFile call
> fails with STATUS_ACCESS_DENIED.  But, the file *has* been created,
> with default permissions and owned by the mapped unix user and group.
> For testing purposes I changed the above code to
> 
>   SECURITY_DESCRIPTOR *sd = NULL;
>   if ((open_flags & O_CREAT)
>       && (fs_flags & FS_PERSISTENT_ACLS))
>     sd = create_posix_like_security_attributes_for_current_user ();
>   NtCreateFile (&fhandle, ..., NULL /* instead of sd */, ...);
>   NtSetSecurityObject (fhandle, ALL_SECURITY_INFORMATION, sd);
> 
> Now the NtCreateFile call succeeds, but the NtSetSecurityObject call
> fails with STATUS_ACCESS_DENIED.
> 
> The smbd logfile contains this log entry:
> 
>   [2008/07/18 13:12:45, 10] passdb/lookup_sid.c:legacy_sid_to_uid(1260)
>     LEGACY: mapping failed for sid S-1-5-21-2913048732-1697188782-3448811101-1001
> 
> Here are my questions:
> 
> - Why does legacy_sid_to_uid fail?  The user with the above SID has been
>   authenticated correctly and is mapped to a unix user:
>   
>   [2008/07/18 13:12:45, 5] smbd/uid.c:change_to_user(273)
>     change_to_user uid=(500,500) gid=(0,11125)
> 
>   Why is the SID not mapped to that uid?
> 
> - I'm looking for a generic solution to this problem from a Windows
>   application perspective.  Except that the underlying system is
>   a Samba share, I have no further knowledge about the underlying
>   system.  I don't know which security is used and I have no idea
>   about the SIDs used for UNIX users and groups.  I only know the
>   SID of my Windows environment.
> 
>   Is there any chance to have a generic solution, except for ignoring
>   file permissions when creating files on Samba?
> 
> - Last but not least, in the first case, where the descriptor is given
>   to NtCreateFile, why is the file not removed even though NtCreateFile
>   failed?
> 
> 
> Thanks in advance,
> Corinna
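
The two attempts described in the quoted mail, reproduced from the Windows
side as a stand-alone probe. This is an added example, not Cygwin or Samba
code: it builds the same three-entry DACL (current user, primary group,
Everyone, no inheritance, roughly mode 0644) and creates a file on a share
first with the descriptor passed at create time, then with a NULL
descriptor followed by a separate set-security call, reporting what each
step returns and whether the file exists afterwards. It assumes Windows
PowerShell 5.1 (the .NET Framework FileStream overload that accepts a
FileSecurity), that $ShareDir is a writable directory on the share under
test, and, unless -GroupSid is given, that the caller's primary group is
the domain's "Domain Users" group (RID 513); the file names are arbitrary.

```powershell
# Added probe for the create-with-ACL problem on a Samba share.
# Assumptions: Windows PowerShell 5.1 / .NET Framework; $ShareDir is a
# writable directory on the share; primary group defaults to Domain Users.
param(
    [Parameter(Mandatory)] [string] $ShareDir,   # e.g. \\sambahost\share\probe
    [string] $GroupSid                           # optional primary-group SID
)

$userSid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
if (-not $GroupSid) {
    # Assumption: a domain account's default primary group is Domain Users (RID 513).
    $GroupSid = "$($userSid.AccountDomainSid)-513"
}
$groupSid = New-Object System.Security.Principal.SecurityIdentifier($GroupSid)
$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

function New-PosixLikeSecurity {
    # Three ACEs equivalent to POSIX 0644: user rw, group r, Everyone r.
    $sec = New-Object System.Security.AccessControl.FileSecurity
    $sec.SetAccessRuleProtection($true, $false)   # protected DACL, no inherited ACEs
    $sec.SetOwner($userSid)
    $sec.SetGroup($groupSid)
    $rw = [System.Security.AccessControl.FileSystemRights]::Read -bor
          [System.Security.AccessControl.FileSystemRights]::Write
    $r  = [System.Security.AccessControl.FileSystemRights]::Read
    $sec.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($userSid,  $rw, 'Allow')))
    $sec.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($groupSid, $r,  'Allow')))
    $sec.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, $r,  'Allow')))
    return $sec
}

function Describe-File([string]$Path) {
    # Owner/group as the server reports them after the operation.
    if (-not (Test-Path -LiteralPath $Path)) { return 'no file' }
    $acl = Get-Acl -LiteralPath $Path
    return "file exists, owner=$($acl.Owner) group=$($acl.Group)"
}

function Test-CreateWithDescriptor([string]$Path) {
    # Attempt 1: descriptor handed to the create call (SECURITY_ATTRIBUTES).
    try {
        $fs = New-Object System.IO.FileStream($Path,
            [System.IO.FileMode]::CreateNew,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            [System.IO.FileShare]::None, 4096,
            [System.IO.FileOptions]::None, (New-PosixLikeSecurity))
        $fs.Dispose()
        return "create ok; $(Describe-File $Path)"
    } catch {
        $ex = $_.Exception
        if ($ex.InnerException) { $ex = $ex.InnerException }   # New-Object wraps ctor errors
        return "create failed ($($ex.GetType().Name): $($ex.Message)); $(Describe-File $Path)"
    }
}

function Test-CreateThenSetAcl([string]$Path) {
    # Attempt 2: NULL descriptor at create time, then a separate set-security call.
    New-Item -ItemType File -Path $Path | Out-Null
    try {
        Set-Acl -LiteralPath $Path -AclObject (New-PosixLikeSecurity)
        return "set-acl ok; $(Describe-File $Path)"
    } catch {
        return "set-acl failed ($($_.Exception.Message)); $(Describe-File $Path)"
    }
}

$a = Test-CreateWithDescriptor (Join-Path $ShareDir 'probe-sd-at-create.txt')
$b = Test-CreateThenSetAcl   (Join-Path $ShareDir 'probe-sd-after-create.txt')
"create-with-descriptor: $a"
"create-then-set-acl:    $b"
```

Run it once against an NTFS directory on a Windows server, where both
lines should report success, and once against the Samba share; a failure
on the share in either line, combined with an "file exists" result for
the first attempt, matches the behaviour reported above and is the point
at which to look at the smbd log at debug level 10 for the sid_to_uid
mapping of the SIDs the probe put into the DACL.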
