[PATCH] Patches required for POSIX ACL support of GPOs

Andrew Bartlett abartlet at samba.org
Thu May 10 04:37:38 MDT 2012


On Thu, 2012-05-10 at 11:45 +0200, Stefan (metze) Metzmacher wrote:
> Hi Andrew Bartlett,
> 
> > These patches are in my master-devel branch, and are needed for GPO
> > support to create the correct POSIX ACL.  I would very much appreciate
> > review, so we can consider enabling s3fs by default, and making the 4.0
> > Beta release.
> 
> Do you handle the way back from posix to nt? I guess we need to filter out
> duplicate ace's. But that is a bit tricky, because we need to be careful
> so that we don't change the current behavior without IDMAP_BOTH.

I've made no change here.  For s3fs we should not be translating the
reverse, because we always store the real NT ACL.  

For the normal case, when we start having IDMAP_BOTH in general, we need
to be very careful - any change to the POSIX -> NT mapping will disrupt
the hash we store in the NT ACL, as it is the hash of the NT mapping of
the POSIX ACL, not the hash of the POSIX ACL!  This will mean that the
NT ACL will be ignored (as it will appear that the POSIX ACL has
changed).  I think this was a very poor design choice, but we can't undo
that now. 

> > https://git.samba.org/?p=abartlet/samba.git/.git;a=shortlog;h=refs/heads/master-devel
> > 
> > commit caa318ea1b9346778e564ed6a67449e02d5a6d6c
> > Author: Andrew Bartlett <abartlet at samba.org>
> > Date:   Wed May 9 12:11:45 2012 +1000
> > 
> >     s3-smbd: Do not merge UID ACE values with GID ACE values for posix ACL
> >     
> >     This might happen when we get a SID mapped to IDMAP_BOTH.
> >     
> >     Andrew Bartlett
> > 
> > commit 52cf66b11cac3f4f8717a4b3a9fe91088cdc1659
> > Author: Andrew Bartlett <abartlet at samba.org>
> > Date:   Thu May 10 09:16:51 2012 +1000
> > 
> >     s3-smbd: Also consider a matching SID when making up owning user permissions
> >     
> >     This covers a case where an IDMAP_BOTH mapping creates group permissions, but must own
> >     the file.
> >     
> >     Andrew Bartlett
> > 
> > commit 80c5c407517671040ffc4ddfa7a52adf1c8b5dd2
> > Author: Andrew Bartlett <abartlet at samba.org>
> > Date:   Thu May 3 11:07:58 2012 +1000
> > 
> >     s3-posix_acls: Add helper function add_current_ace_to_acl for IDMAP_BOTH support
> >     
> >     We need to split things up into a new helper function
> >     add_current_ace_to_acl() in order for there to be more posix ACL
> >     elements than NT ACL elements (so a group SID can own a file, but also
> >     get the group permissions that will be honoured)
> >     
> >     Andrew Bartlett
> > 
> > commit ea323ef2bd1555405885b2be71b55f4e5074f56e
> > Author: Andrew Bartlett <abartlet at samba.org>
> > Date:   Thu May 10 10:10:38 2012 +1000
> > 
> >     s3-smbd: Handle IDMAP_BOTH by mapping to both a group ACL entry and file ownership
> >     
> >     This will allow groups, such as domain administrators, to own files
> >     while correctly handling the rest of the ACL permissions.
> 
> Here, you move and partly extend comments, please format them
> as specified in README.Coding.
> 
> There's also one 'False' in the new lines, which should be 'false'
> 
> This line should be in the if branch under ZERO_STRUCT()
> sid_copy(&current_ace->trustee, &psa->trustee);

OK.  I'll look at it tomorrow if someone hasn't sorted it out by then. 

> >     Andrew Bartlett
> > 
> > This patch is needed for the same idea, in the NFSv4 ACL code.  It removes the sidmap as discussed, but I can't test it.
> > 
> > commit 5193b7f00181831c3d631e8b6f88cd3b783fd577
> > Author: Andrew Bartlett <abartlet at samba.org>
> > Date:   Mon May 7 08:48:24 2012 +1000
> > 
> >     s3-nfs4acls: Remove lookup_sid and sidmap from NFSv4 ACL mapping and check gid first
> >     
> >     By checking just the IDMAP, and by removing the sidmap and lookup_sid calls, we support
> >     IDMAP_BOTH.  This is because by checking for a mapping to a GID first, we can rely on
> >     the fact that IDMAP_BOTH will resolve to a GID.
> >     
> >     If the sidmap idea is valued - it allows multiple SIDs to map to a single unix ID, this should
> >     be done in the IDMAP layer.
> >     
> >     Andrew Bartlett
> > 
> > 
> > This came up when looking over the debug logs while fixing another bug,
> > but I think is worthwhile.  It isn't strictly required, but avoids going
> > via NSS to build the fake token. 
> > 
> > commit abf6ca1c560e1bec5656d830c61227cfb8af6133
> > Author: Andrew Bartlett <abartlet at samba.org>
> > Date:   Thu May 10 09:19:46 2012 +1000
> > 
> >     s3-smbd: Create a shortcut for building the token of a user by SID for posix_acls
> >     
> >     When a user owns a file, but does not have specific permissions on that file, we need to
> >     make up the user permissions.  This change ensures that the first thing that we do
> >     is to look up the SID, and confirm it is a user.  Then, we avoid the getpwnam()
> >     and directly create the token via the SID.
> >     
> >     Andrew Bartlett
> > 
> > 
> > These two patches avoid creating a UID ACE when we are working with an owning group, for the file ACL. 
> > 
> > commit 21b9371732b65ecc341fe2f810942011982f8bd2
> > Author: Andrew Bartlett <abartlet at samba.org>
> > Date:   Thu May 10 11:05:41 2012 +1000
> > 
> >     s3-smbd: Consider a group with the same SID as sufficient duplication
> >     
> >     This code is to ensure that the user does not lose rights when their file
> >     ownership is taken away.  If the owner (an IDMAP_BOTH SID) appears as a group
> >     then a duplicate user is not required.
> > 
> > commit 5b163cc42173f142c46d8296cf3c9d0dc52c3bd9
> > Author: Andrew Bartlett <abartlet at samba.org>
> > Date:   Thu May 10 11:18:04 2012 +1000
> > 
> >     s3-smbd: Avoid creating a UID ACL entry for SIDs that are mapped as IDMAP_BOTH
> >     
> >     The GID ACL entry is what will be mapped in most cases, and so is sufficient.
> 
> This seems to fix a problem in 21b9371732b65ecc341fe2f810942011982f8bd2.

Yes, there seems to be such an additional fix in there, and the two
issues are related.  The best option would probably be to squash the
patches.

> > The end result is an ACL like this below.  The only remaining issue is
> > that we should not create a user: entry (SMB_ACL_USER) for the owning
> > group in the default acl.  The code assumes this is required if a
> > SMB_ACL_USER_OBJ is created, but this is from when only users could own
> > files, as owning groups will never match on this.  It is additionally
> > only triggered in the default acl case, due to the way the priority for
> > Creator User is handled.
> > 
> > getfacl: Removing leading '/' from absolute path names
> > # file:
> > data/samba/samba4/prefix/var/locks/sysvol/s4.obed.abartlet.net/Policies/{EDCD016E-C4A0-412E-A503-76F832AFDD46}
> > # owner: 3000007
> > # group: 3000007
> > user::rwx
> > group::rwx
> > group:3000002:r-x
> > group:3000005:rwx
> > group:3000007:rwx
> > group:3000066:rwx
> > group:3000067:r-x
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:3000007:rwx
> > default:group::---
> > default:group:3000002:r-x
> > default:group:3000005:rwx
> > default:group:3000007:rwx
> > default:group:3000066:rwx
> > default:group:3000067:r-x
> > default:mask::rwx
> > default:other::---
> 
> Can you also paste the ndr dumped nt security descriptor (incoming from
> the client and returned to clients)

This is what I have in my logs:

/data/samba-2/bin/smbd: set_sd for file s4.obed.abartlet.net/Policies/{EDCD016E-C4A0-412E-A503-76F832AFDD46}
/data/samba-2/bin/smbd:      psd: struct security_descriptor
/data/samba-2/bin/smbd:         revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
/data/samba-2/bin/smbd:         type                     : 0x9d04 (40196)
/data/samba-2/bin/smbd:                0: SEC_DESC_OWNER_DEFAULTED 
/data/samba-2/bin/smbd:                0: SEC_DESC_GROUP_DEFAULTED 
/data/samba-2/bin/smbd:                1: SEC_DESC_DACL_PRESENT    
/data/samba-2/bin/smbd:                0: SEC_DESC_DACL_DEFAULTED  
/data/samba-2/bin/smbd:                0: SEC_DESC_SACL_PRESENT    
/data/samba-2/bin/smbd:                0: SEC_DESC_SACL_DEFAULTED  
/data/samba-2/bin/smbd:                0: SEC_DESC_DACL_TRUSTED    
/data/samba-2/bin/smbd:                0: SEC_DESC_SERVER_SECURITY 
/data/samba-2/bin/smbd:                1: SEC_DESC_DACL_AUTO_INHERIT_REQ
/data/samba-2/bin/smbd:                0: SEC_DESC_SACL_AUTO_INHERIT_REQ
/data/samba-2/bin/smbd:                1: SEC_DESC_DACL_AUTO_INHERITED
/data/samba-2/bin/smbd:                1: SEC_DESC_SACL_AUTO_INHERITED
/data/samba-2/bin/smbd:                1: SEC_DESC_DACL_PROTECTED  
/data/samba-2/bin/smbd:                0: SEC_DESC_SACL_PROTECTED  
/data/samba-2/bin/smbd:                0: SEC_DESC_RM_CONTROL_VALID
/data/samba-2/bin/smbd:                1: SEC_DESC_SELF_RELATIVE   
/data/samba-2/bin/smbd:         owner_sid                : *
/data/samba-2/bin/smbd:             owner_sid                : S-1-5-21-4177067393-1453636373-93818737-512
/data/samba-2/bin/smbd:         group_sid                : *
/data/samba-2/bin/smbd:             group_sid                : S-1-5-21-4177067393-1453636373-93818737-512
/data/samba-2/bin/smbd:         sacl                     : NULL
/data/samba-2/bin/smbd:         dacl                     : *
/data/samba-2/bin/smbd:             dacl: struct security_acl
/data/samba-2/bin/smbd:                 revision                 : SECURITY_ACL_REVISION_ADS (4)
/data/samba-2/bin/smbd:                 size                     : 0x00c4 (196)
/data/samba-2/bin/smbd:                 num_aces                 : 0x00000007 (7)
/data/samba-2/bin/smbd:                 aces: ARRAY(7)
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0024 (36)
/data/samba-2/bin/smbd:                         access_mask              : 0x001f01ff (2032127)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-21-4177067393-1453636373-93818737-512
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0024 (36)
/data/samba-2/bin/smbd:                         access_mask              : 0x001f01ff (2032127)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-21-4177067393-1453636373-93818737-519
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x0b (11)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0014 (20)
/data/samba-2/bin/smbd:                         access_mask              : 0x001f01ff (2032127)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-3-0
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0024 (36)
/data/samba-2/bin/smbd:                         access_mask              : 0x001f01ff (2032127)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-21-4177067393-1453636373-93818737-512
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0014 (20)
/data/samba-2/bin/smbd:                         access_mask              : 0x001f01ff (2032127)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-18
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0014 (20)
/data/samba-2/bin/smbd:                         access_mask              : 0x001200a9 (1179817)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-11
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0014 (20)
/data/samba-2/bin/smbd:                         access_mask              : 0x001200a9 (1179817)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-9


And on the return:

/data/samba-2/bin/smbd: posix_eadb_getattr called for file s4.obed.abartlet.net/Policies/{EDCD016E-C4A0-412E-A503-76F832AFDD46}/fd -1, name security.NTACL
/data/samba-2/bin/smbd: pop_sec_ctx (0, 100) - sec_ctx_stack_ndx = 0
/data/samba-2/bin/smbd: get_nt_acl_internal: blob hash matches for file s4.obed.abartlet.net/Policies/{EDCD016E-C4A0-412E-A503-76F832AFDD46}
/data/samba-2/bin/smbd: get_nt_acl_internal: returning acl for s4.obed.abartlet.net/Policies/{EDCD016E-C4A0-412E-A503-76F832AFDD46} is:
/data/samba-2/bin/smbd:      psd: struct security_descriptor
/data/samba-2/bin/smbd:         revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
/data/samba-2/bin/smbd:         type                     : 0x9d04 (40196)
/data/samba-2/bin/smbd:                0: SEC_DESC_OWNER_DEFAULTED 
/data/samba-2/bin/smbd:                0: SEC_DESC_GROUP_DEFAULTED 
/data/samba-2/bin/smbd:                1: SEC_DESC_DACL_PRESENT    
/data/samba-2/bin/smbd:                0: SEC_DESC_DACL_DEFAULTED  
/data/samba-2/bin/smbd:                0: SEC_DESC_SACL_PRESENT    
/data/samba-2/bin/smbd:                0: SEC_DESC_SACL_DEFAULTED  
/data/samba-2/bin/smbd:                0: SEC_DESC_DACL_TRUSTED    
/data/samba-2/bin/smbd:                0: SEC_DESC_SERVER_SECURITY 
/data/samba-2/bin/smbd:                1: SEC_DESC_DACL_AUTO_INHERIT_REQ
/data/samba-2/bin/smbd:                0: SEC_DESC_SACL_AUTO_INHERIT_REQ
/data/samba-2/bin/smbd:                1: SEC_DESC_DACL_AUTO_INHERITED
/data/samba-2/bin/smbd:                1: SEC_DESC_SACL_AUTO_INHERITED
/data/samba-2/bin/smbd:                1: SEC_DESC_DACL_PROTECTED  
/data/samba-2/bin/smbd:                0: SEC_DESC_SACL_PROTECTED  
/data/samba-2/bin/smbd:                0: SEC_DESC_RM_CONTROL_VALID
/data/samba-2/bin/smbd:                1: SEC_DESC_SELF_RELATIVE   
/data/samba-2/bin/smbd:         owner_sid                : NULL
/data/samba-2/bin/smbd:         group_sid                : NULL
/data/samba-2/bin/smbd:         sacl                     : NULL
/data/samba-2/bin/smbd:         dacl                     : *
/data/samba-2/bin/smbd:             dacl: struct security_acl
/data/samba-2/bin/smbd:                 revision                 : SECURITY_ACL_REVISION_ADS (4)
/data/samba-2/bin/smbd:                 size                     : 0x00c4 (196)
/data/samba-2/bin/smbd:                 num_aces                 : 0x00000007 (7)
/data/samba-2/bin/smbd:                 aces: ARRAY(7)
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0024 (36)
/data/samba-2/bin/smbd:                         access_mask              : 0x001f01ff (2032127)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-21-4177067393-1453636373-93818737-512
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0024 (36)
/data/samba-2/bin/smbd:                         access_mask              : 0x001f01ff (2032127)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-21-4177067393-1453636373-93818737-519
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x0b (11)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x0b: SEC_ACE_FLAG_VALID_INHERIT (11)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0014 (20)
/data/samba-2/bin/smbd:                         access_mask              : 0x001f01ff (2032127)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-3-0
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0024 (36)
/data/samba-2/bin/smbd:                         access_mask              : 0x001f01ff (2032127)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-21-4177067393-1453636373-93818737-512
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0014 (20)
/data/samba-2/bin/smbd:                         access_mask              : 0x001f01ff (2032127)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-18
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0014 (20)
/data/samba-2/bin/smbd:                         access_mask              : 0x001200a9 (1179817)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-11
/data/samba-2/bin/smbd:                     aces: struct security_ace
/data/samba-2/bin/smbd:                         type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
/data/samba-2/bin/smbd:                         flags                    : 0x03 (3)
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_OBJECT_INHERIT
/data/samba-2/bin/smbd:                                1: SEC_ACE_FLAG_CONTAINER_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERIT_ONLY
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_INHERITED_ACE
/data/samba-2/bin/smbd:                             0x03: SEC_ACE_FLAG_VALID_INHERIT (3)
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
/data/samba-2/bin/smbd:                                0: SEC_ACE_FLAG_FAILED_ACCESS
/data/samba-2/bin/smbd:                         size                     : 0x0014 (20)
/data/samba-2/bin/smbd:                         access_mask              : 0x001200a9 (1179817)
/data/samba-2/bin/smbd:                         object                   : union security_ace_object_ctr(case 0)
/data/samba-2/bin/smbd:                         trustee                  : S-1-5-9
/data/samba-2/bin/smbd: calling open_file with flags=0x2 flags2=0x40 mode=0744, access_mask = 0x12019f, open_access_mask = 0x12019f
/data/samba-2/bin/smbd: check_parent_access: root override on s4.obed.abartlet.net/Policies/{EDCD016E-C4A0-412E-A503-76F832AFDD46}/GPT.INI. Granting 0x2


-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
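
The hash problem described in the reply above (the stored hash covers the NT mapping of the POSIX ACL, so changing the mapping code invalidates it), as a simplified model added here. It is not Samba code: the two mapping functions, the placeholder trustee strings and the SHA-256 choice are assumptions.

```python
import hashlib
import json

# Constructed sample: the access ACL from the getfacl output in the message.
# (tag, numeric id or None, permissions); owner and owning group are both 3000007.
OWNER_ID = OWNING_GROUP_ID = 3000007
POSIX_ACL = [
    ("user_obj", None, "rwx"),
    ("group_obj", None, "rwx"),
    ("group", 3000002, "r-x"),
    ("group", 3000005, "rwx"),
    ("group", 3000007, "rwx"),
    ("group", 3000066, "rwx"),
    ("group", 3000067, "r-x"),
    ("other", None, "---"),
]

# Stand-in for the real NT ACL a client set (placeholder trustees, not real SIDs).
STORED_NT_ACL = [("SID-for-3000007", "FULL"), ("SID-for-3000002", "READ_EXECUTE")]


def sid_for(xid):
    """Placeholder ID -> SID lookup; a real server asks the idmap layer."""
    return f"SID-for-{xid}"


def map_posix_to_nt_v1(acl):
    """Hypothetical current mapping: one ACE per POSIX entry, duplicates kept."""
    aces = []
    for tag, xid, perms in acl:
        if tag == "user_obj":
            aces.append((sid_for(OWNER_ID), perms))
        elif tag == "group_obj":
            aces.append((sid_for(OWNING_GROUP_ID), perms))
        elif tag == "other":
            aces.append(("SID-for-everyone", perms))
        else:
            aces.append((sid_for(xid), perms))
    return aces


def map_posix_to_nt_v2(acl):
    """Hypothetical changed mapping: same as v1 but duplicate ACEs are filtered."""
    seen, aces = set(), []
    for ace in map_posix_to_nt_v1(acl):
        if ace not in seen:
            seen.add(ace)
            aces.append(ace)
    return aces


def digest(obj):
    """SHA-256 over a canonical JSON encoding (hash choice is an assumption)."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def store(nt_acl, posix_acl, hash_input):
    """Save the real NT ACL together with a hash of hash_input(posix_acl)."""
    return {"nt_acl": nt_acl, "hash": digest(hash_input(posix_acl))}


def load(record, posix_acl, hash_input, fallback_mapper):
    """Return (acl, used_stored). On hash mismatch the stored NT ACL is ignored."""
    if digest(hash_input(posix_acl)) == record["hash"]:
        return record["nt_acl"], True
    return fallback_mapper(posix_acl), False


def demo():
    """Return used_stored for: unchanged mapper, changed mapper, POSIX-ACL hash."""
    # Design described in the message: hash the NT mapping of the POSIX ACL.
    rec = store(STORED_NT_ACL, POSIX_ACL, map_posix_to_nt_v1)
    same_code = load(rec, POSIX_ACL, map_posix_to_nt_v1, map_posix_to_nt_v1)
    # The POSIX ACL on disk is untouched; only the mapping code changed.
    new_code = load(rec, POSIX_ACL, map_posix_to_nt_v2, map_posix_to_nt_v2)
    # Alternative: hash the POSIX ACL itself, independent of the mapping code.
    rec2 = store(STORED_NT_ACL, POSIX_ACL, lambda acl: acl)
    alt = load(rec2, POSIX_ACL, lambda acl: acl, map_posix_to_nt_v2)
    return same_code[1], new_code[1], alt[1]


if __name__ == "__main__":
    print(demo())
```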

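A check for the remaining issue noted in the quoted text (a user: entry created for an IDMAP_BOTH owner that already has a group: entry), written as an added example over getfacl output; it is not part of the original patches. The sample input is the ACL from the message with a placeholder path, and the function names are hypothetical.

```python
import re

# Constructed input: the ACL quoted in the message, with a placeholder path.
# The stderr notice and the wrapped "# file:" line are kept to exercise the parser.
GETFACL_OUTPUT = """\
getfacl: Removing leading '/' from absolute path names
# file:
path/to/sysvol/Policies/{GPO-GUID-PLACEHOLDER}
# owner: 3000007
# group: 3000007
user::rwx
group::rwx
group:3000002:r-x
group:3000005:rwx
group:3000007:rwx
group:3000066:rwx
group:3000067:r-x
mask::rwx
other::---
default:user::rwx
default:user:3000007:rwx
default:group::---
default:group:3000002:r-x
default:group:3000005:rwx
default:group:3000007:rwx
default:group:3000066:rwx
default:group:3000067:r-x
default:mask::rwx
default:other::---
"""

ENTRY_RE = re.compile(
    r"^(?P<default>default:)?(?P<tag>user|group|mask|other):"
    r"(?P<who>[^:]*):(?P<perms>[rwx-]{3})"
)
HEADER_RE = re.compile(r"^# (?P<key>owner|group): (?P<val>\S+)")


def parse_getfacl(text):
    """Parse getfacl text into owner, group and access/default entry lists."""
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for line in text.splitlines():
        line = line.strip()
        header = HEADER_RE.match(line)
        if header:
            acl[header["key"]] = header["val"]
            continue
        entry = ENTRY_RE.match(line)
        if entry:  # stderr noise and wrapped "# file:" paths are skipped
            scope = "default" if entry["default"] else "access"
            acl[scope].append((entry["tag"], entry["who"], entry["perms"]))
    return acl


def owner_is_group_principal(acl):
    """True when owner and owning group share one ID that also has a group: entry."""
    named = {(tag, who) for tag, who, _ in acl["access"]}
    return (
        acl["owner"] is not None
        and acl["owner"] == acl["group"]
        and ("group", acl["owner"]) in named
    )


def redundant_user_entries(acl):
    """Named user: entries whose ID also has a named group: entry in the same ACL."""
    findings = []
    for scope in ("access", "default"):
        group_ids = {who for tag, who, _ in acl[scope] if tag == "group" and who}
        for tag, who, perms in acl[scope]:
            if tag == "user" and who and who in group_ids:
                findings.append((scope, who, perms))
    return findings


if __name__ == "__main__":
    parsed = parse_getfacl(GETFACL_OUTPUT)
    print(owner_is_group_principal(parsed), redundant_user_entries(parsed))
```

A matching UID and GID number only indicates one principal when the ID comes from an IDMAP_BOTH mapping; for ordinary accounts the two number spaces are unrelated.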

