samba.smb.SMB:set_acl seems to generate a bad nttrans:SET_SD request

Alexander Bokovoy ab at samba.org
Sun Mar 25 08:56:20 MDT 2012


2012/3/25 Richard Sharpe <realrichardsharpe at gmail.com>:
> On Sun, Mar 25, 2012 at 7:22 AM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>> Hi folks,
>>
>> I was playing with set_acl and was getting:
>>
>>     RuntimeError: (-1073741811, 'Unexpected information received')
>>
>> When I look at the on-the-wire traffic I see that the SD is there but
>> that the Security Info field is zero.
>>
>> So, then I looked at source4/libcli/pysmb.c and see this:
>>
>>        fio.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
>>        fio.set_secdesc.in.file.fnum = fnum;
>>        fio.set_secdesc.in.secinfo_flags = 0;
>>        fio.set_secdesc.in.sd = sd;
>>
>>        status = smb_raw_set_secdesc(spdata->tree, &fio);
>>
>> It seems that we are setting the secinfo to 0. Perhaps we should be
>> passing secinfo into set_acl, or perhaps it should scan the SD, or
>> maybe I am just doing something wrong.
There are quite a few places where the Python bindings are not yet finished.
Basically, they followed the needs of Samba4, thus perhaps certain features
are hardcoded.

>>
>> Here is the code I am using:
>>
>>    if sd_sddl.find("S-1-3-4") < 0:
>>        sd_sddl = sd_sddl + "(A;OICIIO;0x00060000;;;S-1-3-4)"
>>
>>        root_sd = security.descriptor.from_sddl(sd_sddl,
>> security.dom_sid("S-2-0-0"))
>>        print "New SD: ", root_sd.as_sddl()
>>
>>        conn.set_acl("\\", root_sd)
>
> I think we have to do something like:
>
> diff --git a/source4/libcli/pysmb.c b/source4/libcli/pysmb.c
> index 2f9a579..b6331e1 100644
> --- a/source4/libcli/pysmb.c
> +++ b/source4/libcli/pysmb.c
> @@ -367,9 +367,10 @@ static PyObject *py_smb_setacl(pytalloc_Object *self, PyObj
>        const char *filename;
>        PyObject *py_sd;
>        struct security_descriptor *sd;
> +       uint32_t sinfo = 0;
>        int fnum;
>
> -       if (!PyArg_ParseTuple(args, "sO:set_acl", &filename, &py_sd)) {
> +       if (!PyArg_ParseTuple(args, "sOl:set_acl", &filename, &py_sd, &sinfo)) {
>                return NULL;
>        }
>
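Review bot: the "l" added to the format string "sOl:set_acl" makes PyArg_ParseTuple store a C long through the pointer it is given, but sinfo is declared uint32_t, so on platforms where long is 64 bits the call writes 8 bytes into a 4-byte stack variable. Use a format unit that matches the variable, for example "I" with an unsigned int, or parse into an unsigned long with "k" and range-check it before assigning to a uint32_t. The new argument is also mandatory as written, so existing two-argument callers of set_acl will start failing; if that is intended, the docstring should say so.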
> @@ -398,7 +399,7 @@ static PyObject *py_smb_setacl(pytalloc_Object *self, PyObje
>        io.ntcreatex.in.alloc_size = 0;
>        io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
>        io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
> -       io.ntcreatex.in.security_flags = 0;
> +       io.ntcreatex.in.security_flags = sinfo;
>        io.ntcreatex.in.fname = filename;
>
>        status = smb_raw_open(spdata->tree, self->talloc_ctx, &io);
>
>
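Review bot: the assignment io.ntcreatex.in.security_flags = sinfo puts the value into the NTCreateX open request, not into the set-security-descriptor call the report was about. The line quoted earlier in the thread, fio.set_secdesc.in.secinfo_flags = 0, is the one that produces the zero Security Info field on the wire, and this hunk leaves it untouched. Suggest leaving security_flags at 0 and assigning sinfo to fio.set_secdesc.in.secinfo_flags instead.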
> and then call it like:
>
>    conn.set_acl(file, sd, SECINFO_DACL + SECINFO_OWNER + SECINFO_GROUP_
Yes. Please also fix the docstring to account for the new argument.

-- 
/ Alexander Bokovoy
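
One way to act on the "scan the SD" idea raised in the thread, as an added example that is not part of the original messages or of Samba's code: derive the Security Info mask from the components present in an SDDL string, so a caller never sends a descriptor with a zero mask. The function name secinfo_from_sddl is hypothetical, and the SECINFO_* values are defined locally rather than imported from the samba module.

```python
import re

# Security-information bits (values from MS-DTYP; Samba uses the same
# numbers for its SECINFO_* constants). Defined locally so this runs offline.
SECINFO_OWNER = 0x1
SECINFO_GROUP = 0x2
SECINFO_DACL = 0x4
SECINFO_SACL = 0x8

_TAG_BITS = {"O": SECINFO_OWNER, "G": SECINFO_GROUP,
             "D": SECINFO_DACL, "S": SECINFO_SACL}


def secinfo_from_sddl(sddl):
    """Return the SECINFO_* mask for the components present in an SDDL string.

    Only top-level "O:", "G:", "D:" and "S:" tags count; anything inside an
    ACE's parentheses is skipped so ACE contents cannot be mistaken for a tag.
    """
    depth = 0
    top_level = []
    for ch in sddl:
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                raise ValueError("unbalanced ')' in SDDL")
            depth -= 1
        elif depth == 0:
            top_level.append(ch)
    if depth != 0:
        raise ValueError("unbalanced '(' in SDDL")

    mask = 0
    for tag in re.findall(r"([OGDS]):", "".join(top_level)):
        bit = _TAG_BITS[tag]
        if mask & bit:
            raise ValueError("duplicate %s: component in SDDL" % tag)
        mask |= bit
    if mask == 0:
        # A zero mask is what produced the rejected SET_SD in this thread.
        raise ValueError("SDDL names no component, so secinfo would be 0")
    return mask
```

With the three-argument set_acl proposed in the thread, the result would be passed as the last argument.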

