[PATCH] Patches required for POSIX ACL support of GPOs

Stefan (metze) Metzmacher metze at samba.org
Thu May 10 03:45:13 MDT 2012


Hi Andrew Bartlett,

> These patches are in my master-devel branch, and are needed for GPO
> support to create the correct POSIX ACL.  I would very much appreciate
> review, so we can consider enabling s3fs by default, and making the 4.0
> Beta release.

Do you handle the way back from posix to nt? I guess we need to filter out
duplicate ACEs. But that is a bit tricky, because we need to be careful
so that we don't change the current behavior without IDMAP_BOTH.

> https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/master-devel
> 
> commit caa318ea1b9346778e564ed6a67449e02d5a6d6c
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Wed May 9 12:11:45 2012 +1000
> 
>     s3-smbd: Do not merge UID ACE values with GID ACE values for posix ACL
>     
>     This might happen when we get a SID mapped to IDMAP_BOTH.
>     
>     Andrew Bartlett
> 
> commit 52cf66b11cac3f4f8717a4b3a9fe91088cdc1659
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Thu May 10 09:16:51 2012 +1000
> 
>     s3-smbd: Also consider a matching SID when making up owning user permissions
>     
>     This covers a case where an IDMAP_BOTH mapping creates group permissions, but must own
>     the file.
>     
>     Andrew Bartlett
> 
> commit 80c5c407517671040ffc4ddfa7a52adf1c8b5dd2
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Thu May 3 11:07:58 2012 +1000
> 
>     s3-posix_acls: Add helper function add_current_ace_to_acl for IDMAP_BOTH support
>     
>     We need to split things up into a new helper function
>     add_current_ace_to_acl() in order for there to be more posix ACL
>     elements than NT ACL elements (so a group SID can own a file, but also
>     get the group permissions that will be honoured)
>     
>     Andrew Bartlett
> 
> commit ea323ef2bd1555405885b2be71b55f4e5074f56e
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Thu May 10 10:10:38 2012 +1000
> 
>     s3-smbd: Handle IDMAP_BOTH by mapping to both a group ACL entry and file ownership
>     
>     This will allow groups, such as domain administrators, to own files
>     while correctly handling the rest of the ACL permissions.

Here, you move and partly extend comments, please format them
as specified in README.Coding.

There's also one 'False' in the new lines, which should be 'false'.

This line should be in the if branch under ZERO_STRUCT():
sid_copy(&current_ace->trustee, &psa->trustee);

>     Andrew Bartlett
> 
> This patch is needed for the same idea, in the NFSv4 ACL code.  It removes the sidmap as discussed, but I can't test it.
> 
> commit 5193b7f00181831c3d631e8b6f88cd3b783fd577
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Mon May 7 08:48:24 2012 +1000
> 
>     s3-nfs4acls: Remove lookup_sid and sidmap from NFSv4 ACL mapping and check gid first
>     
>     By checking just the IDMAP, and by removing the sidmap and lookup_sid calls, we support
>     IDMAP_BOTH.  This is because by checking for a mapping to a GID first, we can rely on
>     the fact that IDMAP_BOTH will resolve to a GID.
>     
>     If the sidmap idea is valued - it allows multiple SIDs to map to a single unix ID, this should
>     be done in the IDMAP layer.
>     
>     Andrew Bartlett
> 
> 
> This came up when looking over the debug logs while fixing another bug,
> but I think is worthwhile.  It isn't strictly required, but avoids going
> via NSS to build the fake token. 
> 
> commit abf6ca1c560e1bec5656d830c61227cfb8af6133
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Thu May 10 09:19:46 2012 +1000
> 
>     s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls
>     
>     When a user owns a file, but does not have specific permissions on that file, we need to
>     make up the user permissions.  This change ensures that the first thing that we do
>     is to look up the SID, and confirm it is a user.  Then, we avoid the getpwnam()
>     and directly create the token via the SID.
>     
>     Andrew Bartlett
> 
> 
> These two patches avoid creating a UID ACE when we are working with an owning group, for the file ACL. 
> 
> commit 21b9371732b65ecc341fe2f810942011982f8bd2
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Thu May 10 11:05:41 2012 +1000
> 
>     s3-smbd: Consider a group with the same SID as sufficient duplication
>     
>     This code is to ensure that the user does not lose rights when their file
>     ownership is taken away.  If the owner (an IDMAP_BOTH SID) appears as a group
>     then a duplicate user is not required.
> 
> commit 5b163cc42173f142c46d8296cf3c9d0dc52c3bd9
> Author: Andrew Bartlett <abartlet at samba.org>
> Date:   Thu May 10 11:18:04 2012 +1000
> 
>     s3-smbd: Avoid creating a UID ACL entry for SIDs that are mapped as IDMAP_BOTH
>     
>     The GID ACL entry is what will be mapped in most cases, and so is sufficient.

This seems to fix a problem in 21b9371732b65ecc341fe2f810942011982f8bd2.


> The end result is an ACL like this below.  The only remaining issue is
> that we should not create a user: entry (SMB_ACL_USER) for the owning
> group in the default acl.  The code assumes this is required if a
> SMB_ACL_USER_OBJ is created, but this is from when only users could own
> files, as owning groups will never match on this.  It is additionally
> only triggered in the default acl case, due to the way the priority for
> Creator User is handled.
> 
> getfacl: Removing leading '/' from absolute path names
> # file: data/samba/samba4/prefix/var/locks/sysvol/s4.obed.abartlet.net/Policies/{EDCD016E-C4A0-412E-A503-76F832AFDD46}
> # owner: 3000007
> # group: 3000007
> user::rwx
> group::rwx
> group:3000002:r-x
> group:3000005:rwx
> group:3000007:rwx
> group:3000066:rwx
> group:3000067:r-x
> mask::rwx
> other::---
> default:user::rwx
> default:user:3000007:rwx
> default:group::---
> default:group:3000002:r-x
> default:group:3000005:rwx
> default:group:3000007:rwx
> default:group:3000066:rwx
> default:group:3000067:r-x
> default:mask::rwx
> default:other::---

Can you also paste the ndr dumped nt security descriptor (incoming from
the client and returned to clients)?

metze
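
An added example, not part of the original thread and not Samba code: a small checker for getfacl output that reports named user: entries for an ID that is also the owning group, which is the remaining default-ACL issue described in the quoted message. The sample ACL is constructed (abridged from the quoted output, path shortened), the function names are hypothetical, and treating "owner equals group" in the header as the sign of an IDMAP_BOTH ID is an assumption.

```python
import re

# Constructed sample: abridged from the ACL quoted in the message, path shortened.
SAMPLE = """\
# file: sysvol/Policies/example
# owner: 3000007
# group: 3000007
user::rwx
group::rwx
group:3000005:rwx
group:3000007:rwx
mask::rwx
other::---
default:user::rwx
default:user:3000007:rwx
default:group::---
default:group:3000007:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return (header, entries); entries are (is_default, tag, qualifier, perms)."""
    header, entries = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"#\s*(file|owner|group):\s*(.*)$", line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        line = line.split("#", 1)[0].strip()  # drop "#effective:" annotations
        parts = line.split(":")
        is_default = parts[0] == "default"
        if is_default:
            parts = parts[1:]
        if len(parts) == 3:  # anything else (blank line, getfacl notice) is skipped
            entries.append((is_default, parts[0], parts[1], parts[2]))
    return header, entries

def owning_group_user_entries(text):
    """List named user: entries whose ID is both owner and owning group.

    Assumption: owner == group in the getfacl header marks an IDMAP_BOTH ID.
    """
    header, entries = parse_getfacl(text)
    owner = header.get("owner")
    if owner is None or owner != header.get("group"):
        return []
    return [("default:" if d else "") + f"{tag}:{qual}:{perms}"
            for d, tag, qual, perms in entries
            if tag == "user" and qual == owner]

if __name__ == "__main__":
    print(owning_group_user_entries(SAMPLE))
```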
