smbcacls domain sid issue
Andrew Bartlett
abartlet at samba.org
Thu Feb 17 20:47:23 UTC 2022
On Thu, 2022-02-17 at 19:13 +0100, Björn Baumbach via samba-technical wrote:
> Hey,
>
> I think I've detected a bug.
>
> First of all I place a file "file" as Administrator on a share which
> uses the acl_xattr vfs module.
>
> # testparm -s --section-name=xattr
> [xattr]
> path = /share
> printing = cups
> read only = No
> vfs objects = acl_xattr
>
> The ACLs look like this:
> # samba-tool ntacl get file --as-sddl --service=xattr --use-ntvfs
> O:LAG:DUD:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;DU)(A;;0x001200a9;;;WD)
>
> When I now use the smbcacls tool to set the ACLs again:
> # smbcacls --sddl -S="O:LAG:DUD:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;DU)(A;;0x001200a9;;;WD)" -UAdministrator%Passw0rd //dm3.temp.test/xattr
>
> the SDDL ACL looks like this:
> # samba-tool ntacl get file --as-sddl --service=xattr --use-ntvfs
> O:S-1-5-21-3367907150-2849503042-2089288414-500G:S-1-5-21-3367907150-2849503042-2089288414-513D:(A;;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-5-21-3367907150-2849503042-2089288414-500)(A;;0x001200a9;;;S-1-5-21-3367907150-2849503042-2089288414-513)
>
> It seems that wrongly the local SID (instead of the domain SID) is used
> here:
> # net getdomainsid
> SID for local machine DM3 is: S-1-5-21-3367907150-2849503042-2089288414
> SID for domain TEMP is: S-1-5-21-4063336984-1021020757-935970304
>
> What do you think? I'm not sure what's the source of the issue. I've
> verified that setting the ACL in the SDDL format via "samba-tool ntacl
> set ..." works fine, so it might be an issue with the smbcacls tool:
Exactly. The smbcacls tool is not symmetric!
On the get path, it obtains the remote domain SID:
char *str = sddl_encode(talloc_tos(), sd, get_domain_sid(cli));
On the set path it uses the local SID on the instance it is running on:
sd = sddl_decode(talloc_tos(), the_acl, get_global_sam_sid());
The inheritance path does likewise.
I've confirmed that get_domain_sid() is also getting the real domain
sid, and not the local sid of the member server being contacted,
thankfully, so a fix should be fairly easy.
See also the --domain-sid option, but just because the tool CAN be made
to use that doesn't mean the default is safe (it isn't!)
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
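To make the asymmetry concrete, here is an added Python model of the SDDL alias handling involved (example code, not Samba's sddl_encode()/sddl_decode()). It expands the domain-relative aliases LA and DU against whatever domain SID the decoder is handed, compresses SIDs back to aliases on the encode side, and shows why decoding with the member server's local SID and encoding with the real domain SID cannot round-trip. The alias table is a small constructed subset of MS-DTYP; the two SIDs and the SDDL string are the ones quoted in Björn's mail. A domain_mismatches() check is included as the kind of sanity test one could run on a descriptor before writing it.

```python
import re

# Constructed subset of the SDDL alias table: domain-relative aliases map to
# a RID appended to the domain SID, well-known aliases are fixed SIDs.
DOMAIN_RELATIVE = {"LA": 500, "LG": 501, "DA": 512, "DU": 513, "DC": 515}
WELL_KNOWN = {"WD": "S-1-1-0", "BA": "S-1-5-32-544", "SY": "S-1-5-18"}

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")

# Values quoted in the mail thread.
DOMAIN_SID = "S-1-5-21-4063336984-1021020757-935970304"   # domain TEMP
LOCAL_SID = "S-1-5-21-3367907150-2849503042-2089288414"   # local machine DM3
SDDL = "O:LAG:DUD:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;DU)(A;;0x001200a9;;;WD)"


def expand_alias(token, domain_sid):
    """Resolve an SDDL alias or literal SID string into a full SID string."""
    if token in WELL_KNOWN:
        return WELL_KNOWN[token]
    if token in DOMAIN_RELATIVE:
        return f"{domain_sid}-{DOMAIN_RELATIVE[token]}"
    if SID_RE.match(token):
        return token
    raise ValueError(f"unknown SID token: {token}")


def compress_sid(sid, domain_sid):
    """Inverse of expand_alias(): alias if one matches under domain_sid, else literal SID."""
    for alias, wk in WELL_KNOWN.items():
        if wk == sid:
            return alias
    prefix = domain_sid + "-"
    if sid.startswith(prefix) and sid[len(prefix):].isdigit():
        rid = int(sid[len(prefix):])
        for alias, r in DOMAIN_RELATIVE.items():
            if r == rid:
                return alias
    return sid


def sddl_decode(sddl, domain_sid):
    """Parse O:/G:/D: into a dict of full SIDs (SACL 'S:' is not modelled)."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    dacl = []
    for body in re.findall(r"\(([^)]*)\)", parts.get("D", "")):
        ace_type, flags, rights, obj, inh_obj, sid = body.split(";")
        dacl.append({"type": ace_type, "flags": flags, "rights": rights,
                     "object": obj, "inherit_object": inh_obj,
                     "sid": expand_alias(sid, domain_sid)})
    return {"owner": expand_alias(parts["O"], domain_sid),
            "group": expand_alias(parts["G"], domain_sid),
            "dacl": dacl}


def sddl_encode(sd, domain_sid):
    """Serialise the dict back to SDDL, compressing SIDs to aliases under domain_sid."""
    aces = "".join(
        "(" + ";".join([a["type"], a["flags"], a["rights"], a["object"],
                        a["inherit_object"], compress_sid(a["sid"], domain_sid)]) + ")"
        for a in sd["dacl"])
    return ("O:" + compress_sid(sd["owner"], domain_sid)
            + "G:" + compress_sid(sd["group"], domain_sid)
            + "D:" + aces)


def set_then_get(sddl, set_sid, get_sid):
    """Model smbcacls: decode with one SID (set path), encode with another (get path)."""
    return sddl_encode(sddl_decode(sddl, set_sid), get_sid)


def domain_part(sid):
    """Domain SID of an S-1-5-21-... account SID (everything before the RID), else None."""
    if not sid.startswith("S-1-5-21-"):
        return None
    return sid.rsplit("-", 1)[0]


def domain_mismatches(sd, expected_domain_sid):
    """SIDs in the descriptor that belong to a domain other than the expected one."""
    sids = [sd["owner"], sd["group"]] + [a["sid"] for a in sd["dacl"]]
    return sorted({s for s in sids if domain_part(s) not in (None, expected_domain_sid)})


if __name__ == "__main__":
    print("symmetric :", set_then_get(SDDL, DOMAIN_SID, DOMAIN_SID))
    print("asymmetric:", set_then_get(SDDL, LOCAL_SID, DOMAIN_SID))
    print("foreign-domain SIDs:",
          domain_mismatches(sddl_decode(SDDL, LOCAL_SID), DOMAIN_SID))
```

With both paths using the domain SID the string round-trips unchanged; decoding with LOCAL_SID and encoding with DOMAIN_SID reproduces the literal S-1-5-21-3367907150-...-500/-513 entries from the mail (ACE ordering aside, since canonical ordering is not modelled here), because the local-domain SIDs have no alias under the real domain SID and fall through as literals.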