smbcacls domain sid issue

Andrew Bartlett abartlet at samba.org
Thu Feb 17 20:47:23 UTC 2022


On Thu, 2022-02-17 at 19:13 +0100, Björn Baumbach via samba-technical
wrote:
> Hey,
> 
> I think I've detected a bug.
> 
> First of all I place a file "file" as Administrator on a share which
> uses the acl_xattr vfs module.
> 
> # testparm -s --section-name=xattr
> [xattr]
>          path = /share
>          printing = cups
>          read only = No
>          vfs objects = acl_xattr
> 
> The ACLs looks like this:
> # samba-tool ntacl get file --as-sddl --service=xattr --use-ntvfs
> O:LAG:DUD:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;DU)(A;;0x001200a9;;;WD)
> 
> When I now use the smbcacls tool to set the ACLs again:
> # smbcacls --sddl -S="O:LAG:DUD:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;DU)(A;;0x001200a9;;;WD)" -UAdministrator%Passw0rd //dm3.temp.test/xattr
> 
> the SDDL ACL looks like this:
> # samba-tool ntacl get file --as-sddl --service=xattr --use-ntvfs
> O:S-1-5-21-3367907150-2849503042-2089288414-500G:S-1-5-21-3367907150-2849503042-2089288414-513D:(A;;0x001200a9;;;WD)(A;;0x001f01ff;;;S-1-5-21-3367907150-2849503042-2089288414-500)(A;;0x001200a9;;;S-1-5-21-3367907150-2849503042-2089288414-513)
> 
> It seems that wrongly the local SID (instead of the domain SID) is used
> here:
> # net getdomainsid
> SID for local machine DM3 is: S-1-5-21-3367907150-2849503042-2089288414
> SID for domain TEMP is: S-1-5-21-4063336984-1021020757-935970304
> 
> What do you think? I'm not sure what's the source of the issue. I've
> verified that setting the ACL in the SDDL format via "samba-tool ntacl
> set ..." works fine, so it might be an issue with the smbcacls tool:

Exactly.  The smbcacls tool is not symmetric!

On the get path, it obtains the remote domain SID:

		char *str = sddl_encode(talloc_tos(), sd, get_domain_sid(cli));


On the set path it uses the local SID on the instance it is running on:
	sd = sddl_decode(talloc_tos(), the_acl, get_global_sam_sid());

The inheritance path does likewise.

I've confirmed that get_domain_sid() is also getting the real domain
sid, and not the local sid of the member server being contacted,
thankfully, so a fix should be fairly easy.

See also the --domain-sid option, but just because the tool CAN be made
to use that doesn't mean the default is safe (it isn't!)

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions
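To make the asymmetry above concrete, here is an added example (not Samba's code and not from either message) that models the domain-SID parameter of sddl_decode()/sddl_encode() with a small subset of the SDDL well-known alias table (LA = RID 500, DU = RID 513, WD = S-1-1-0, plus a few more). It uses the two SIDs printed by "net getdomainsid" in the report as constructed input, decodes the reporter's SDDL string with the local machine SID the way the set path does, re-encodes it against the real domain SID the way the get path does, and adds a check that flags principals from the wrong domain. The ACE order is kept as given; Samba's own encoder may order ACEs differently.

```python
import re

# Constructed from the SIDs quoted in the report above: the DM3 member
# server's local machine SID and the TEMP domain SID.
LOCAL_SID = "S-1-5-21-3367907150-2849503042-2089288414"
DOMAIN_SID = "S-1-5-21-4063336984-1021020757-935970304"
SDDL = ("O:LAG:DUD:(A;;0x001f01ff;;;LA)(A;;0x001200a9;;;DU)"
        "(A;;0x001200a9;;;WD)")

# Subset of the SDDL well-known alias table (enough for the report above).
# Domain-relative aliases are a RID appended to whichever domain SID the
# caller passes in; absolute aliases are fixed SIDs and never depend on it.
DOMAIN_RELATIVE = {"LA": 500, "LG": 501, "DA": 512, "DU": 513, "DC": 515}
ABSOLUTE = {"WD": "S-1-1-0", "BA": "S-1-5-32-544", "SY": "S-1-5-18"}

# (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def alias_to_sid(token, domain_sid):
    """Expand one SDDL SID token relative to domain_sid (decode direction)."""
    if token in ABSOLUTE:
        return ABSOLUTE[token]
    if token in DOMAIN_RELATIVE:
        return f"{domain_sid}-{DOMAIN_RELATIVE[token]}"
    if token.startswith("S-1-"):
        return token                      # already a literal SID
    raise ValueError(f"unknown SDDL SID token {token!r}")


def sid_to_alias(sid, domain_sid):
    """Compress a SID back to an alias if it belongs to domain_sid (encode)."""
    for alias, fixed in ABSOLUTE.items():
        if sid == fixed:
            return alias
    prefix = domain_sid + "-"
    if sid.startswith(prefix) and sid[len(prefix):].isdigit():
        rid = int(sid[len(prefix):])
        for alias, arid in DOMAIN_RELATIVE.items():
            if arid == rid:
                return alias
    return sid    # foreign domain or unknown RID: emitted as a raw SID string


def sddl_decode(sddl, domain_sid):
    """Parse O:...G:...D:(...) into (owner, group, [(type, flags, rights, sid)])."""
    m = re.fullmatch(r"O:(.*?)G:(.*?)D:(.*)", sddl)
    if not m:
        raise ValueError("only O:...G:...D:... descriptors are handled here")
    owner = alias_to_sid(m.group(1), domain_sid)
    group = alias_to_sid(m.group(2), domain_sid)
    aces = [(t, flags, rights, alias_to_sid(sid, domain_sid))
            for t, flags, rights, _og, _iog, sid in ACE_RE.findall(m.group(3))]
    return owner, group, aces


def sddl_encode(owner, group, aces, domain_sid):
    """Inverse of sddl_decode. ACE order is kept as given (no canonicalisation)."""
    out = [f"O:{sid_to_alias(owner, domain_sid)}",
           f"G:{sid_to_alias(group, domain_sid)}", "D:"]
    for t, flags, rights, sid in aces:
        out.append(f"({t};{flags};{rights};;;{sid_to_alias(sid, domain_sid)})")
    return "".join(out)


def round_trip(sddl, decode_sid, encode_sid):
    """Model the tool: decode the user's SDDL with one SID, encode with another."""
    owner, group, aces = sddl_decode(sddl, decode_sid)
    return sddl_encode(owner, group, aces, encode_sid)


def wrong_domain_sids(sddl, decode_sid, expected_domain_sid):
    """Sanity check: S-1-5-21-* principals that are not in the expected domain."""
    owner, group, aces = sddl_decode(sddl, decode_sid)
    sids = [owner, group] + [ace[3] for ace in aces]
    return sorted({s for s in sids
                   if s.startswith("S-1-5-21-")
                   and not s.startswith(expected_domain_sid + "-")})


if __name__ == "__main__":
    # Symmetric: decode and encode against the same (domain) SID.
    print(round_trip(SDDL, DOMAIN_SID, DOMAIN_SID))
    # Asymmetric, as in the report: decode with the local machine SID, read
    # back with the domain SID. Aliases become raw SIDs of the wrong domain.
    print(round_trip(SDDL, LOCAL_SID, DOMAIN_SID))
    print(wrong_domain_sids(SDDL, LOCAL_SID, DOMAIN_SID))
```

The second round trip reproduces the shape of the reporter's second "samba-tool ntacl get" output: every alias that was resolved against the machine SID comes back as a literal S-1-5-21-<local>-RID because it no longer matches the domain the encoder was given, while WD is untouched because it is not domain-relative. The wrong_domain_sids() check is the kind of guard a caller can apply to a decoded descriptor before writing it, whether the SID comes from the default or from --domain-sid.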