[PATCH] Re: The read ACL issues with Samba 4.0.0 (avoid need for acl:search=false)

Andrew Bartlett abartlet at samba.org
Fri Dec 28 21:17:00 MST 2012

On Fri, 2012-12-28 at 23:01 +1100, Andrew Bartlett wrote:
> I've started looking seriously at the read ACL issues we have had with
> Samba 4.0.0.
> I don't think the actual ACL code is to blame, instead I think it is an
> authorization issue, related to how we construct the user token.
> I've looked over the ACL for a typical object, and one of the ACEs
> refers to S-1-5-32-554 "Pre-Windows 2000 compatible access".
> Comparing a Windows 2008 domain:
> [abartlet at jesse samba]$ bin/ldbsearch -H ldap://
> -Uabartlet%penguin12# tokenGroups -s base -b ""
> # record 1
> dn: 
> tokenGroups: S-1-5-21-3666733363-4032383065-1918016110-1106
> tokenGroups: S-1-5-21-3666733363-4032383065-1918016110-513
> tokenGroups: S-1-1-0
> tokenGroups: S-1-5-32-545
> tokenGroups: S-1-5-32-554
> tokenGroups: S-1-5-2
> tokenGroups: S-1-5-11
> tokenGroups: S-1-5-15
> tokenGroups: S-1-5-64-10
> With a Samba master testenv:
> [abartlet at jesse samba]$ bin/ldbsearch -H ldap://localdc -Uabartlet%
> penguin12# --
> # record 1
> dn: 
> tokenGroups: S-1-5-21-1828832633-1820792291-2210390191-1103
> tokenGroups: S-1-5-21-1828832633-1820792291-2210390191-513
> tokenGroups: S-1-5-32-545
> tokenGroups: S-1-1-0
> tokenGroups: S-1-5-2
> tokenGroups: S-1-5-11
> shows us that we need to improve the calculation of tokenGroups.
> Specifically, the addition of the extra SIDs needs to be at the start of
> the group expansion, not the end.  This would then mean that we would
> expand S-1-5-11 "Authenticated Users" into S-1-5-32-554, and that may
> solve this.  While I'm at it, I'll implement S-1-5-64-10 "NTLM
> Authentication" and close any other gaps.
> I'm sorry I took so long to get started on this, because I'll very much
> enjoy finishing chasing this down.

The attached patch solves the issue for me.

From here, I plan to write or extend the tests we have for this area,
and cover the "NTLM Authenticated" access case as well.

If anybody who was having trouble with read ACLs, particularly anybody
who had to set 'acl:search=false' in the smb.conf, could please try this
patch and report results, it would be most helpful.

Once that's done, we should get this change lined up for 4.0.1.


Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
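The ordering problem described in the quoted message, as an added illustration that is not part of the mail or of the Samba patch: a small model of token construction in which the logon-time SIDs (Everyone, Network, Authenticated Users) are either appended after directory group expansion or seeded into it. The membership graph is constructed for the example (the edge from S-1-5-11 into S-1-5-32-554 is an assumption standing in for a domain whose "Pre-Windows 2000 compatible access" group contains Authenticated Users), and `can_read` is a hypothetical helper standing in for an allow-ACE check.

```python
from collections import deque

# Constructed SIDs, modelled on the Samba testenv output in the message.
DOMAIN = "S-1-5-21-1828832633-1820792291-2210390191"
USER_SID = DOMAIN + "-1103"
DOMAIN_USERS = DOMAIN + "-513"
BUILTIN_USERS = "S-1-5-32-545"
PRE_W2K_ACCESS = "S-1-5-32-554"   # "Pre-Windows 2000 compatible access"
EVERYONE = "S-1-1-0"
NETWORK = "S-1-5-2"
AUTHENTICATED_USERS = "S-1-5-11"

# Constructed directory membership: SID -> groups it is a direct member of.
# The AUTHENTICATED_USERS -> PRE_W2K_ACCESS edge is an assumption about the
# directory, not something the message prints.
MEMBER_OF = {
    USER_SID: [DOMAIN_USERS],
    DOMAIN_USERS: [BUILTIN_USERS],
    AUTHENTICATED_USERS: [PRE_W2K_ACCESS],
}

# SIDs the server adds for a network, authenticated logon regardless of
# what the directory says about group membership.
LOGON_SIDS = [EVERYONE, NETWORK, AUTHENTICATED_USERS]


def expand(seeds):
    """Transitive closure of MEMBER_OF starting from seeds, insertion-ordered."""
    seen = []
    queue = deque(seeds)
    while queue:
        sid = queue.popleft()
        if sid in seen:
            continue
        seen.append(sid)
        queue.extend(MEMBER_OF.get(sid, []))
    return seen


def token_groups_extras_last(user_sid):
    """Expand directory groups first, then append the logon SIDs.

    This is the problematic order: groups that contain S-1-5-11 are never
    visited because S-1-5-11 is added after expansion has finished.
    """
    groups = expand([user_sid])
    for sid in LOGON_SIDS:
        if sid not in groups:
            groups.append(sid)
    return groups


def token_groups_extras_first(user_sid):
    """Seed the logon SIDs into the expansion so groups containing them are found."""
    return expand([user_sid] + LOGON_SIDS)


def can_read(token, allowed_sids):
    """Hypothetical allow-ACE check: any SID in the token matching an ACE grants read."""
    return any(sid in token for sid in allowed_sids)


if __name__ == "__main__":
    for name, build in (("extras last", token_groups_extras_last),
                        ("extras first", token_groups_extras_first)):
        token = build(USER_SID)
        print(name, "->", "read" if can_read(token, [PRE_W2K_ACCESS]) else "no read")
        for sid in token:
            print("  ", sid)
```

With the extras appended last, S-1-5-32-554 is missing from the token, so an object whose only read-granting ACE names that group is invisible to an ordinary authenticated user; seeding the logon SIDs before expansion recovers it, which is the effect the quoted message describes.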

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-dsdb-Ensure-authenticated-users-is-processed-for-gro.patch
Type: text/x-patch
Size: 6122 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121229/326f4004/attachment.bin>