Fixing ACL Issues

Nagaraj Shyam Nagaraj_Shyam at
Tue Sep 7 12:41:20 MDT 2010

Hi All,


I had posted an email earlier enquiring about the reason for
source4/bin/smbtorture RAW-ACLS test failures in samba 3.5.4. In my
test configuration, I have "store dos attributes = yes",
"ea support = yes", "vfs object = acl_xattr" for the test share. Most
of the tests are failing because the function create_canon_ace_lists(),
which the smbd daemon calls from fset_nt_acl_common(), does not find a
<uid,gid> mapping for the test SID S-1-5-32-1234-5432 referred to in one
of the ACEs in the ACL sent over the wire. create_canon_ace_lists() will
remove the ACE containing the S-1-5-32-1234-5432 SID. Further on,
create_acl_blob() and store_acl_blob_fsp() store the canonicalized ACL
and return.


1. This is not the same behavior seen on windows servers which
store the blob even if it refers to a SID that it doesn't recognize.
Shouldn't smbd be doing the same, especially if acl_xattr is the vfs
module doing the ACL storage/retrieval?

2. If acl_xattr was not the vfs module doing the ACL
storage/retrieval (and posix acls were used instead), then if
create_canon_ace_lists() finds an unrecognized SID, shouldn't an error
be returned to the smb command over the wire, instead of storing a
different ACL than what the client wants and returning success?


se_access_check() which does the actual ACL evaluation seems to be
capable of handling unrecognized SIDs.


Thanks for any comments/answers to the above.
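To make the behaviour described in the post concrete, here is an added example (not Samba's code and not from the poster) that builds a self-relative NT security descriptor whose DACL carries an ACE for the unmapped test SID S-1-5-32-1234-5432, parses it back, and then runs it through two store paths: a verbatim path that keeps the wire blob as received, and a canonicalizing path that silently drops every ACE whose SID has no <uid,gid> mapping. The mapping table SID_MAP, the other SIDs, and the access masks are constructed stand-ins for winbind/idmap lookups; the byte layouts follow the standard SECURITY_DESCRIPTOR, ACL, ACCESS_ALLOWED_ACE and SID wire formats. Nothing here models se_access_check().

```python
import struct

# Flags and ACE type from the NT security descriptor wire format.
SE_SELF_RELATIVE = 0x8000
SE_DACL_PRESENT = 0x0004
ACCESS_ALLOWED_ACE_TYPE = 0x00


def sid_to_bytes(sid_str):
    """Encode 'S-1-<authority>-<sub>-...' into the binary SID layout:
    revision(1) count(1) authority(6, big-endian) sub-authorities(4 each, LE)."""
    parts = sid_str.split("-")
    assert parts[0] == "S" and parts[1] == "1", "only revision-1 SIDs"
    authority = int(parts[2])
    subs = [int(x) for x in parts[3:]]
    return (struct.pack("<BB", 1, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(buf, off):
    """Decode a binary SID at offset off; returns (sid_string, next_offset)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    sid = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return sid, off + 8 + 4 * count


def build_sd(aces):
    """aces: list of (access_mask, sid_str). Returns a self-relative security
    descriptor containing only a DACL (owner/group/SACL offsets left at 0)."""
    ace_blobs = []
    for mask, sid in aces:
        body = struct.pack("<I", mask) + sid_to_bytes(sid)
        # ACE header: type(1) flags(1) size(2); size covers the header too.
        ace_blobs.append(struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0, 4 + len(body)) + body)
    acl_body = b"".join(ace_blobs)
    # ACL header: revision(1) sbz1(1) size(2) ace_count(2) sbz2(2).
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(acl_body), len(ace_blobs), 0) + acl_body
    # SD header is 20 bytes, so the DACL starts at offset 20.
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20)
    return header + acl


def parse_dacl(sd):
    """Return the DACL of a self-relative SD as a list of (mask, sid_str)."""
    _rev, _sbz1, control, _o_owner, _o_group, _o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or o_dacl == 0:
        return []
    _acl_rev, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, o_dacl)
    off = o_dacl + 8
    aces = []
    for _ in range(ace_count):
        _ace_type, _ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        mask, = struct.unpack_from("<I", sd, off + 4)
        sid, _ = sid_from_bytes(sd, off + 8)
        aces.append((mask, sid))
        off += ace_size  # ace_size lets us skip ACE types we don't decode
    return aces


def canonicalize(aces, sid_map):
    """Model of the path the post describes: ACEs whose SID has no <uid,gid>
    mapping are dropped without error; the rest are kept in wire order."""
    kept, dropped = [], []
    for mask, sid in aces:
        (kept if sid in sid_map else dropped).append((mask, sid))
    return kept, dropped


def store_acl(sd, sid_map, verbatim):
    """verbatim=True keeps the wire DACL unchanged (the Windows behaviour the
    post contrasts with); verbatim=False runs the canonicalizing path.
    Returns (stored_aces, dropped_aces)."""
    aces = parse_dacl(sd)
    if verbatim:
        return aces, []
    return canonicalize(aces, sid_map)


# Constructed mapping table standing in for idmap/winbind; the values are
# made-up (uid, gid) pairs and only membership matters here.
SID_MAP = {
    "S-1-5-21-1000-2000-3000-1001": (1001, 100),
    "S-1-1-0": (None, None),  # Everyone, assumed to have a mapping
}

# Constructed wire ACL: a mapped user, the unmapped test SID, and Everyone.
WIRE_SD = build_sd([
    (0x001F01FF, "S-1-5-21-1000-2000-3000-1001"),
    (0x001F01FF, "S-1-5-32-1234-5432"),  # the SID the post says smbd cannot map
    (0x00120089, "S-1-1-0"),
])

if __name__ == "__main__":
    for verbatim in (True, False):
        kept, dropped = store_acl(WIRE_SD, SID_MAP, verbatim)
        print("verbatim=%s stored=%d dropped=%s" % (verbatim, len(kept), [s for _, s in dropped]))
```

Running the canonicalizing path shows the ACE for S-1-5-32-1234-5432 silently disappearing while the call still "succeeds", which is exactly the mismatch between what the client sent and what gets stored that the second question raises; the verbatim path round-trips all three ACEs.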




