get_nt_acl_internal: blob hash does not match for file XXX - returning file system SD mapping (after new UID and GID range introduced).
Partha Sarathi
parthasarathi.bl at gmail.com
Thu Sep 17 23:09:34 UTC 2015
Hi All,
We are facing an idmap migration issue on an AD member server (SAMBA 4.1.17).
After I modified the idmap settings to support Trusted Domains,
I started hitting this access_denied permission issue.
Before Trusted Domain support I had the below idmap settings:
idmap config *: backend = rid #RID based
idmap config *: range = 10000000-19999999
To support Trusted Domains I replaced them with the below settings:
allow trusted domains = yes
idmap config *: backend = autorid #AUTORID based
idmap config *: range = 10000000-2020000000
idmap config *: rangesize = 100000000
Note: I also had the following unix mask and mode settings for every share
before and after trusted domain support.
directory mask = 2777
force directory mode = 2777
create mask = 2777
force create mode = 2777
After the above idmap changes the AD users are not able to access their
existing files/folders and they get ACCESS_DENIED as Samba is returning
UNIX-based ACLs (S-1-22-2-10000513).
get_nt_acl_internal: blob hash does not match for file
Transaction2k/VIM_UMDB - returning file system SD mapping.
[2015/09/16 13:18:37.056160, 10, pid=27358, effective(110000500,
110000513), real(110000500, 0), class=vfs]
../source3/modules/vfs_acl_common.c:554(get_nt_acl_internal)
get_nt_acl_internal: acl for blob hash for Transaction2k/VIM_UMDB is:
[2015/09/16 13:18:37.056172, 1, pid=27358, effective(110000500,
110000513), real(110000500, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
pdesc_next: struct security_descriptor
revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
type : 0x9004 (36868)
0: SEC_DESC_OWNER_DEFAULTED
0: SEC_DESC_GROUP_DEFAULTED
1: SEC_DESC_DACL_PRESENT
0: SEC_DESC_DACL_DEFAULTED
0: SEC_DESC_SACL_PRESENT
0: SEC_DESC_SACL_DEFAULTED
0: SEC_DESC_DACL_TRUSTED
0: SEC_DESC_SERVER_SECURITY
0: SEC_DESC_DACL_AUTO_INHERIT_REQ
0: SEC_DESC_SACL_AUTO_INHERIT_REQ
0: SEC_DESC_DACL_AUTO_INHERITED
0: SEC_DESC_SACL_AUTO_INHERITED
1: SEC_DESC_DACL_PROTECTED
0: SEC_DESC_SACL_PROTECTED
0: SEC_DESC_RM_CONTROL_VALID
1: SEC_DESC_SELF_RELATIVE
owner_sid : *
owner_sid : S-1-22-1-10000500
group_sid : *
group_sid : S-1-22-2-10000513
sacl : NULL
dacl : *
[2015/09/16 13:18:37.066720, 5, pid=27358, effective(110000500,
110000513), real(110000500, 0)]
../source3/smbd/open.c:297(check_parent_access)
check_parent_access: access check on directory Transaction2k/VIM_UMDB for
path Transaction2k/VIM_UMDB/VIM_UMDB_backup_2015_09_16_161825_5859297.trn
for mask 0x2 returned (0x2) NT_STATUS_ACCESS_DENIED
The above issue goes away when I put back the previous UID and GID
range.
Since the files and folders were created with 777 unix mask and mode, I
expected that the new range of UID and GID would not cause any issue. If my
understanding is wrong, could you please let me know what the correct
procedure is to support a new UID and GID range for the existing files/folders
which were created with the previous UID and GID range.
--
Thanks & Regards
-Partha
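
The ID arithmetic behind the two configurations in the message above, as an added example that is not part of the original post: it applies the formulas from the idmap_rid and idmap_autorid manual pages to the ranges quoted there. The autorid slot of 1 is an assumption inferred from the effective(110000500, 110000513) IDs in the log, and all function names are illustrative.

```python
# Added illustration, not Samba code. Formulas per idmap_rid(8)/idmap_autorid(8).
OLD_LOW, OLD_HIGH = 10_000_000, 19_999_999      # old "rid" range from the post
NEW_LOW, NEW_HIGH = 10_000_000, 2_020_000_000   # new "autorid" range from the post
RANGESIZE = 100_000_000                         # rangesize from the post
DOMAIN_SLOT = 1  # ASSUMPTION: slot autorid gave the domain, inferred from the log


def rid_backend_id(rid, low=OLD_LOW, base_rid=0):
    """idmap_rid: ID = RID - BASE_RID + LOW_RANGE_ID."""
    return rid - base_rid + low


def autorid_backend_id(rid, slot=DOMAIN_SLOT):
    """idmap_autorid: each domain owns one slot of RANGESIZE IDs."""
    if not 0 <= rid < RANGESIZE:
        raise ValueError("RID does not fit in one autorid range")
    new_id = NEW_LOW + slot * RANGESIZE + rid
    if new_id > NEW_HIGH:
        raise ValueError("slot lies outside the configured range")
    return new_id


def slot_of(unix_id):
    """Which autorid slot a numeric ID falls into under the new settings."""
    return (unix_id - NEW_LOW) // RANGESIZE


def translate_old_id(old_id):
    """New ID for an on-disk ID issued by the old rid backend, else None."""
    if not OLD_LOW <= old_id <= OLD_HIGH:
        return None  # not issued by the old idmap range; leave untouched
    return autorid_backend_id(old_id - OLD_LOW)


def unix_sid(kind, unix_id):
    """Unix User (S-1-22-1) / Unix Group (S-1-22-2) SID for an unmapped ID."""
    return f"S-1-22-{1 if kind == 'user' else 2}-{unix_id}"


if __name__ == "__main__":
    for kind, rid in (("user", 500), ("group", 513)):   # RIDs seen in the log
        old, new = rid_backend_id(rid), autorid_backend_id(rid)
        print(f"{kind} RID {rid}: on disk {old} (slot {slot_of(old)}), "
              f"session {new} (slot {slot_of(new)}), shown as {unix_sid(kind, old)}")
```

The files still carry IDs from slot 0 while the session runs with IDs from slot 1, which matches the S-1-22-* owner and group in the posted security descriptor.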