The read ACL issues with Samba 4.0.0

Andrew Bartlett abartlet at
Fri Dec 28 05:01:12 MST 2012

I've started looking seriously at the read ACL issues we have had with
Samba 4.0.0.

I don't think the actual ACL code is to blame, instead I think it is an
authorization issue, related to how we construct the user token.

I've looked over the ACL for a typical object, and one of the ACEs
refers to S-1-5-32-554 "Pre-Windows 2000 compatible access".

Comparing a Windows 2008 domain:

[abartlet at jesse samba]$ bin/ldbsearch -H ldap:// -Uabartlet%penguin12# tokenGroups -s base -b ""
# record 1
tokenGroups: S-1-5-21-3666733363-4032383065-1918016110-1106
tokenGroups: S-1-5-21-3666733363-4032383065-1918016110-513
tokenGroups: S-1-1-0
tokenGroups: S-1-5-32-545
tokenGroups: S-1-5-32-554
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11
tokenGroups: S-1-5-15
tokenGroups: S-1-5-64-10

With a Samba master testenv:

[abartlet at jesse samba]$ bin/ldbsearch -H ldap://localdc -Uabartlet%penguin12# --
# record 1
tokenGroups: S-1-5-21-1828832633-1820792291-2210390191-1103
tokenGroups: S-1-5-21-1828832633-1820792291-2210390191-513
tokenGroups: S-1-5-32-545
tokenGroups: S-1-1-0
tokenGroups: S-1-5-2
tokenGroups: S-1-5-11

shows us that we need to improve the calculation of tokenGroups.

Specifically, the addition of the extra SIDs needs to be at the start of
the group expansion, not the end.  This would then mean that we would
expand S-1-5-11 "Authenticated Users" into S-1-5-32-554, and that may
solve this.  While I'm at it, I'll implement S-1-5-64-10 "NTLM
Authentication" and close any other gaps.

I'm sorry I took so long to get started on this, because I'll very much
enjoy finishing chasing this down.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
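As an added example, not Samba's code and not part of Andrew's post, the following Python models the two orderings of the tokenGroups calculation the post describes: well-known SIDs appended after the group expansion versus seeding the expansion with them. The membership graph (Authenticated Users nested in Pre-Windows 2000 Compatible Access, Domain Users nested in BUILTIN\Users) is constructed; the domain SID is the one from the testenv output, and the SID name constants are assumptions.

```python
"""Constructed model of token group expansion order (not Samba code)."""

DOMAIN = "S-1-5-21-1828832633-1820792291-2210390191"  # domain SID from the post
USER = DOMAIN + "-1103"
DOMAIN_USERS = DOMAIN + "-513"
EVERYONE, NETWORK, AUTH_USERS = "S-1-1-0", "S-1-5-2", "S-1-5-11"
BUILTIN_USERS, PRE_W2K = "S-1-5-32-545", "S-1-5-32-554"

# Well-known SIDs added to every network logon token (assumed set).
EXTRAS = {EVERYONE, NETWORK, AUTH_USERS}

# Constructed directory: SID -> groups of which it is a direct member.
MEMBER_OF = {
    USER: {DOMAIN_USERS},
    DOMAIN_USERS: {BUILTIN_USERS},
    AUTH_USERS: {PRE_W2K},  # Authenticated Users is in Pre-Windows 2000 Compatible Access
}


def transitive_groups(seeds, member_of):
    """Every group reachable from `seeds` through nested membership (seeds excluded)."""
    found = set()
    work = list(seeds)
    while work:
        sid = work.pop()
        for group in member_of.get(sid, ()):
            if group not in found:
                found.add(group)
                work.append(group)
    return found


def token_groups(user, member_of, extras, extras_first):
    """Compute tokenGroups; `extras_first` selects where the well-known SIDs enter."""
    if extras_first:
        # Extras seed the expansion, so groups they are nested in are discovered.
        return transitive_groups({user} | extras, member_of) | extras
    # Expansion of the user's own memberships only; extras appended afterwards,
    # so PRE_W2K (reached only via AUTH_USERS) is never found.
    return transitive_groups({user}, member_of) | extras


def read_allowed(token, allow_trustees):
    """An allow ACE applies when its trustee SID is present in the caller's token."""
    return any(trustee in token for trustee in allow_trustees)
```

With `extras_first=False` the result is exactly the six SIDs the Samba testenv printed; with `extras_first=True` it also contains S-1-5-32-554, so an ACE granting read to that group starts to match.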
