Trying to make sysvolreset/check work better

Rowland Penny rpenny at samba.org
Wed Jun 21 14:59:05 UTC 2017


I have been working on trying to make sysvolreset & sysvolcheck work
better. Unfortunately, I think I am hitting a problem that I cannot
fix ;-)

If I try to set this ACL with 'samba-tool ntacl sysvolreset':
O:BAG:SYD:AI(A;ID;0x001200a9;;;AU)(A;OICIIOID;GRGX;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;GRGX;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;WOWDGRGWGX;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;WOWDGRGWGX;;;CO)

I get an error if I then run 'samba-tool ntacl sysvolcheck'; it gets the ACL:
O:BAG:SYD:AI(A;ID;0x001200a9;;;AU)(A;OICIIOID;GRGX;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;GRGX;;;SO)(A;ID;0x001f01ff;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)

These two ACEs:
(A;ID;0x001e01bf;;;BA)(A;OICIIOID;WOWDGRGWGX;;;BA)
have become
(A;ID;0x001f01ff;;;BA)(A;OICIIOID;GA;;;BA)

And

(A;OICIIOID;WOWDGRGWGX;;;CO)
has become
(A;OICIIOID;GA;;;CO)

I have checked from Windows and get the same ACL that samba-tool does, so it seems that set_nt_acl from source3/smbd/posix_acls.c isn't setting the correct ACL.

Trying to find out why this is happening led to finding that SEC_STD_WRITE_DAC (aka WRITE_DAC or WD) from libcli/security/security.h is only in map_canon_ace_perms, which is called by posix_get_nt_acl_common, which is called by posix_fget_nt_acl or posix_get_nt_acl. No mention of setting an ACL.

Am I barking up the wrong tree here?

If not, can somebody please fix this.

Rowland
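
The difference between the two ACLs quoted in the message above can be reduced to individual access-mask bits. The following is an added example, not part of the original post and not Samba code; it assumes generic rights (GA, GR, GW, GX) are expanded with the Windows generic mapping for files, and the function names are hypothetical.

```python
import re

# The two SDDL strings quoted in the message above (set, then read back).
REQUESTED = "O:BAG:SYD:AI(A;ID;0x001200a9;;;AU)(A;OICIIOID;GRGX;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;GRGX;;;SO)(A;ID;0x001e01bf;;;BA)(A;OICIIOID;WOWDGRGWGX;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;WOWDGRGWGX;;;CO)"
RETURNED = "O:BAG:SYD:AI(A;ID;0x001200a9;;;AU)(A;OICIIOID;GRGX;;;AU)(A;ID;0x001200a9;;;SO)(A;OICIIOID;GRGX;;;SO)(A;ID;0x001f01ff;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;0x001f01ff;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)"
# Standard and file-specific access-mask bits (Windows ACCESS_MASK).
BITS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# SDDL right tokens used above. Assumption of this example: generic rights
# are expanded with the Windows generic mapping for files (FILE_GENERIC_*).
TOKENS = {"GA": 0x1F01FF, "GR": 0x120089, "GW": 0x120116,
          "GX": 0x1200A0, "WO": 0x080000, "WD": 0x040000}

def rights_to_mask(rights):
    """Turn an SDDL rights field (hex or two-letter tokens) into a mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= TOKENS[rights[i:i + 2]]  # KeyError: token not in TOKENS
    return mask

def parse_aces(sddl):
    """Map (type, flags, trustee) -> expanded access mask for each ACE."""
    aces = {}
    for body in re.findall(r"\(([^)]*)\)", sddl):
        ace_type, flags, rights, _obj, _inherit_obj, trustee = body.split(";")
        aces[(ace_type, flags, trustee)] = rights_to_mask(rights)
    return aces

def diff_acls(requested, returned):
    """Return per-ACE rights gained/lost between the two descriptors."""
    want, got = parse_aces(requested), parse_aces(returned)
    changes = {}
    for key in sorted(want.keys() | got.keys()):
        w, g = want.get(key, 0), got.get(key, 0)
        if w != g:
            changes[key] = {
                "gained": sorted(n for b, n in BITS.items() if g & ~w & b),
                "lost": sorted(n for b, n in BITS.items() if w & ~g & b),
            }
    return changes
```

With that expansion, WOWDGRGWGX equals 0x001e01bf, and in all three changed ACEs the ACL read back differs from the one set only by the added DELETE and FILE_DELETE_CHILD bits.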



