samba.smb.SMB:set_acl seems to generate a bad nttrans:SET_SD request

Richard Sharpe realrichardsharpe at gmail.com
Sun Mar 25 08:48:10 MDT 2012


On Sun, Mar 25, 2012 at 7:22 AM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> Hi folks,
>
> I was playing with set_acl and was getting:
>
>     RuntimeError: (-1073741811, 'Unexpected information received')
>
> When I look at the on-the-wire traffic I see that the SD is there but
> that the Security Info field is zero.
>
> So, then I looked at source4/libcli/pysmb.c and see this:
>
>        fio.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>        fio.set_secdesc.in.file.fnum = fnum;
>        fio.set_secdesc.in.secinfo_flags = 0;
>        fio.set_secdesc.in.sd = sd;
>
>        status = smb_raw_set_secdesc(spdata->tree, &fio);
>
> It seems that we are setting the secinfo to 0. Perhaps we should be
> passing secinfo into set_acl, or perhaps it should scan the SD, or
> maybe I am just doing something wrong.
>
> Here is the code I am using:
>
>    if sd_sddl.find("S-1-3-4") < 0:
>        sd_sddl = sd_sddl + "(A;OICIIO;0x00060000;;;S-1-3-4)"
>
>        root_sd = security.descriptor.from_sddl(sd_sddl,
>            security.dom_sid("S-2-0-0"))
>        print "New SD: ", root_sd.as_sddl()
>
>        conn.set_acl("\\", root_sd)

I think we have to do something like:

diff --git a/source4/libcli/pysmb.c b/source4/libcli/pysmb.c
index 2f9a579..b6331e1 100644
--- a/source4/libcli/pysmb.c
+++ b/source4/libcli/pysmb.c
@@ -367,9 +367,10 @@ static PyObject *py_smb_setacl(pytalloc_Object *self, PyObj
        const char *filename;
        PyObject *py_sd;
        struct security_descriptor *sd;
+       uint32_t sinfo = 0;
        int fnum;

-       if (!PyArg_ParseTuple(args, "sO:set_acl", &filename, &py_sd)) {
+       if (!PyArg_ParseTuple(args, "sOl:set_acl", &filename, &py_sd, &sinfo)) {
                return NULL;
        }

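Review bot: In the PyArg_ParseTuple call, the "l" format unit stores a C long, but &sinfo points at a uint32_t, so on platforms where long is 64 bits the store writes past the variable. Use the "I" format unit with an unsigned int (or parse into a long and range-check it before assigning), and consider "sO|I:set_acl" so existing two-argument callers keep working; with the format as written the third argument is mandatory and the = 0 initialiser is never used.
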
@@ -398,7 +399,7 @@ static PyObject *py_smb_setacl(pytalloc_Object *self, PyObje
        io.ntcreatex.in.alloc_size = 0;
        io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
        io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
-       io.ntcreatex.in.security_flags = 0;
+       io.ntcreatex.in.security_flags = sinfo;
        io.ntcreatex.in.fname = filename;

        status = smb_raw_open(spdata->tree, self->talloc_ctx, &io);
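
Review bot: The assignment changed here, io.ntcreatex.in.security_flags, belongs to the open request, while the zero Security Info field reported earlier in the thread comes from fio.set_secdesc.in.secinfo_flags = 0 in the set_secdesc block, which this patch does not touch. Pass sinfo there (fio.set_secdesc.in.secinfo_flags = sinfo;) and leave the ntcreatex field at 0 unless the open itself needs it changed.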


and then call it like:

    conn.set_acl(file, sd, SECINFO_DACL + SECINFO_OWNER + SECINFO_GROUP)

-- 
Regards,
Richard Sharpe
(What can relieve sorrow? Only Du Kang. --Cao Cao)
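
The other option raised in the thread, deriving the security-information mask by scanning the SD, sketched here in Python as an added example (not code from the post or from Samba). `secinfo_from_sddl` is a hypothetical helper, the sample SDDL strings are constructed, and the bit values are the MS-DTYP security-information flags.

```python
# Security-information bits from MS-DTYP (the values behind Samba's SECINFO_*).
SECINFO_OWNER = 0x00000001
SECINFO_GROUP = 0x00000002
SECINFO_DACL = 0x00000004
SECINFO_SACL = 0x00000008

_TAG_BITS = {"O": SECINFO_OWNER, "G": SECINFO_GROUP,
             "D": SECINFO_DACL, "S": SECINFO_SACL}


def secinfo_from_sddl(sddl):
    """Return the SECINFO_* mask for the components present in an SDDL string.

    Hypothetical helper: component tags (O:, G:, D:, S:) are recognised only
    outside ACE parentheses, so a SID such as S-1-3-4 inside an ACE is ignored.
    """
    mask = 0
    depth = 0
    for i, ch in enumerate(sddl):
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            depth -= 1
        elif depth == 0 and ch in _TAG_BITS and sddl[i + 1:i + 2] == ":":
            bit = _TAG_BITS[ch]
            if mask & bit:
                raise ValueError("duplicate %s: component" % ch)
            mask |= bit
    if depth != 0:
        raise ValueError("unbalanced '(' in SDDL")
    if mask == 0:
        # The case seen on the wire in the thread: nothing selected.
        raise ValueError("no SD component present; secinfo would be 0")
    return mask


# Constructed sample input; the last ACE is the one appended in the post.
SAMPLE_DACL_ONLY = "D:(A;OICI;FA;;;BA)(A;OICIIO;0x00060000;;;S-1-3-4)"
SAMPLE_FULL = "O:BAG:SY" + SAMPLE_DACL_ONLY

if __name__ == "__main__":
    for s in (SAMPLE_DACL_ONLY, SAMPLE_FULL):
        print("%-70s -> 0x%x" % (s, secinfo_from_sddl(s)))
```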

