get_nt_acl_internal: blob hash does not match for file XXX - returning file system SD mapping (after new UID and GID range introduced).

Partha Sarathi parthasarathi.bl at gmail.com
Thu Sep 17 23:09:34 UTC 2015 

Hi All,

We are facing an idmap migration issue  in AD member server (SAMBA 4.1.17).


After I modified the  idmap settings to support the Trusted Domain support,
I started hitting the this access_denied permission issue.


Before Trusted domain support I had the below  idmap settings

idmap config *: backend = rid   #RID based

idmap config *: range = 10000000-19999999

To support trusted Domains support I replaced it with below settings

allow trusted domains = yes

idmap config *: backend = autorid   #AUTORRID based

idmap config *: range = 10000000-2020000000

idmap config *: rangesize = 100000000



Note: Also I had the following unix mask and mode settings for every share
before and after trusted domain support.

directory mask = 2777

force directory mode = 2777

create mask = 2777

force create mode = 2777


After the above idmap changes the AD users does not able to access their
existing files/folders and they get ACCESS_DENIED as the samba returning
UNIX BASED ACLs (S-1-22-2-10000513).


  get_nt_acl_internal: blob hash does not match for file
Transaction2k/VIM_UMDB - returning file system SD mapping.
[2015/09/16 13:18:37.056160, 10, pid=27358, effective(110000500,
110000513), real(110000500, 0), class=vfs]
../source3/modules/vfs_acl_common.c:554(get_nt_acl_internal)
  get_nt_acl_internal: acl for blob hash for Transaction2k/VIM_UMDB is:
[2015/09/16 13:18:37.056172,  1, pid=27358, effective(110000500,
110000513), real(110000500, 0)] ../librpc/ndr/ndr.c:296(ndr_print_debug)
       pdesc_next: struct security_descriptor
          revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
          type                     : 0x9004 (36868)
                 0: SEC_DESC_OWNER_DEFAULTED
                 0: SEC_DESC_GROUP_DEFAULTED
                 1: SEC_DESC_DACL_PRESENT
                 0: SEC_DESC_DACL_DEFAULTED
                 0: SEC_DESC_SACL_PRESENT
                 0: SEC_DESC_SACL_DEFAULTED
                 0: SEC_DESC_DACL_TRUSTED
                 0: SEC_DESC_SERVER_SECURITY
                 0: SEC_DESC_DACL_AUTO_INHERIT_REQ
                 0: SEC_DESC_SACL_AUTO_INHERIT_REQ
                 0: SEC_DESC_DACL_AUTO_INHERITED
                 0: SEC_DESC_SACL_AUTO_INHERITED
                 1: SEC_DESC_DACL_PROTECTED
                 0: SEC_DESC_SACL_PROTECTED
                 0: SEC_DESC_RM_CONTROL_VALID
                 1: SEC_DESC_SELF_RELATIVE
          owner_sid                : *
              owner_sid                : S-1-22-1-10000500
          group_sid                : *
              group_sid                : S-1-22-2-10000513
          sacl                     : NULL
          dacl                     : *



[2015/09/16 13:18:37.066720,  5, pid=27358, effective(110000500,
110000513), real(110000500, 0)]
../source3/smbd/open.c:297(check_parent_access)
  check_parent_access: access check on directory Transaction2k/VIM_UMDB for
path Transaction2k/VIM_UMDB/VIM_UMDB_backup_2015_09_16_161825_5859297.trn
for mask 0x2 returned (0x2) NT_STATUS_ACCESS_DENIED


The above issue will go away when I keep back the previous UID and GID
range.


Since the files and folders were created with 777 unix mask and mode, I
expected the new range of UID and GID should not cause any issue. If my
understanding is wrong could you please let me know whats the correct
procedure to support new UID and GID range for the existing files/folder
which are created with previous UID and GID range.

-- 

Thanks & Regards
-Partha

More information about the samba-technical mailing list