The read ACL issues with Samba 4.0.0
abartlet at samba.org
Fri Dec 28 05:01:12 MST 2012
I've started looking seriously at the read ACL issues we have had with
I don't think the actual ACL code is to blame, instead I think it is an
authorization issue, related to how we construct the user token.
I've looked over the ACL for a typical object, and one of the ACEs
refers to S-1-5-32-554 "Pre-Windows 2000 compatible access".
Comparing a Windows 2008 domain:
[abartlet at jesse samba]$ bin/ldbsearch -H ldap://192.168.122.24
-Uabartlet%penguin12# tokenGroups -s base -b ""
# record 1
With a Samba master testenv:
[abartlet at jesse samba]$ bin/ldbsearch -H ldap://localdc -Uabartlet%
# record 1
shows us that we need to improve the calculation of tokenGroups.
Specifically, the addition of the extra SIDs needs to be at the start of
the group expansion, not the end. This would then mean that we would
expand S-1-5-11 "Authenticated Users" into S-1-5-32-554, and that may
solve this. While I'm at it, I'll implement S-1-5-64-10 "NTLM
Authentication" and close any other gaps.
I'm sorry I took so long to get started on this, because I'll very much
enjoy finishing chasing this down.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
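The ordering point the post makes, as an added illustration that is not Samba's code: a small model of tokenGroups calculation where the well-known "extra" SIDs are seeded either before or after group expansion. The user SIDs and the membership graph are constructed; the one membership that matters is S-1-5-11 being a member of S-1-5-32-554, which is what the post expects.

```python
# Added example, not Samba's code: models how the order in which the
# well-known "extra" SIDs are added to the token decides whether
# S-1-5-32-554 ends up in tokenGroups. Membership graph is constructed.
from collections import OrderedDict

# Well-known SIDs named in the post
AUTHENTICATED_USERS = "S-1-5-11"
NTLM_AUTHENTICATION = "S-1-5-64-10"
PRE_WIN2K_ACCESS = "S-1-5-32-554"

# Constructed membership graph: SID -> groups it is a direct member of.
# "Authenticated Users" is a member of "Pre-Windows 2000 Compatible
# Access", as the post expects it to be.
MEMBER_OF = {
    "S-1-5-21-1-2-3-1104": ["S-1-5-21-1-2-3-513"],  # user -> Domain Users
    "S-1-5-21-1-2-3-513": ["S-1-5-32-545"],         # Domain Users -> Users
    AUTHENTICATED_USERS: [PRE_WIN2K_ACCESS],
}

def expand_groups(seed_sids, member_of):
    """Transitive group expansion from seed_sids, preserving order."""
    seen = OrderedDict((sid, None) for sid in seed_sids)
    queue = list(seed_sids)
    while queue:
        sid = queue.pop(0)
        for parent in member_of.get(sid, ()):
            if parent not in seen:
                seen[parent] = None
                queue.append(parent)
    return list(seen)

def token_groups(user_sid, extra_sids, member_of, extras_first):
    """tokenGroups for user_sid. extras_first=True seeds the well-known
    SIDs before expansion (the fix the post proposes); False appends them
    after expansion, so their own memberships are never followed."""
    if extras_first:
        sids = expand_groups([user_sid] + list(extra_sids), member_of)
    else:
        sids = expand_groups([user_sid], member_of)
        sids += [s for s in extra_sids if s not in sids]
    return [s for s in sids if s != user_sid]

def read_allowed(groups, read_acl):
    """True if any trustee in read_acl (SIDs granted read) is in groups."""
    return any(sid in groups for sid in read_acl)
```

With the extras appended last, an ACE granting read to S-1-5-32-554 never matches the token; seeding them first reaches it through S-1-5-11.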