[Samba] Possible bug with ACL handling after NT user migration

Sebastian Hetze s.hetze at linux-ag.de
Sat Feb 28 18:28:54 GMT 2004


Hi *

I encounter severe problems with changing ACL settings in Samba
3.0.2a after migrating users from NT PDC to LDAP-SAM.

I did not find anything about this in the mailing list yet.
However, I have no idea if (or what) I am doing wrong here.
Although I can hardly believe that I am the first one to trigger
that bug, it looks like a problem with the sid_to_gid routine.
So please take a look at that:

After migrating users from NT4 to samba you get lots of RIDs that
do not match the rid algorithm. As one such user, preferably one
with an odd RID, create a new file on some samba share with Linux
ACL enabled. Now open the Properties->Security->??? dialog
(Eigenschaften->Sicherheit->Berechtigungen in German)
and change anything. Add write permission to everyone, for example.
Now take a look at that file in the Linux filesystem, especially
the ACL on that file. The owner has lost write permission and
some group has got full access instead.
The GID of this (possibly not even existing) group is exactly
the result of the RID algorithm calculation.

My brief investigations indicate that the function
create_canon_ace_lists() from posix_acls.c calls both sid_to_gid()
and sid_to_uid() in turn with the same SID just to see whether it matches
in one case or the other. Unfortunately, sid_to_gid() falls back to
algorithmic mapping and in the case shown above it succeeds in
calculating a gid out of the migrated user's RID.

Turning off algorithmic rid calculation in general would solve
the problem. However, I doubt that this is the correct solution
at this time. For example, I would like to keep this algorithmic
thing for automatic creation of new (machine) accounts.

One possible solution might be to use the algorithmic rid base to
open a window of free RIDs for NT user migration. This could possibly
be done by checking the return value of pdb_group_rid_to_gid to be
a non-negative value before assigning the gid (just a quick shot).

Before I start coding and further testing I would like to get you
involved. First of all, I would like you to either confirm the
bug or help me, a blind man, to find the misconfiguration on my side.

Best regards,

  Sebastian
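The RID arithmetic behind the behaviour described above, as an added example that is not Samba's code and not part of the original message. It models the Samba 3 mapping rule as documented (user RID = 2*uid + base, group RID = 2*gid + base + 1, default "algorithmic rid base" 1000) and the "window" idea from the post, i.e. raising the base so that migrated NT4 RIDs fall below it and rejecting an algorithmic decode that lands below the base. The function and macro names, the RID 1075 and the base 10000 are assumed for illustration; the model returns a signed long where Samba returns gid_t so that a below-base result is visible as a negative number.

```c
/*
 * Model of Samba 3's algorithmic RID <-> uid/gid mapping (added example,
 * not Samba source). Assumed rule, default "algorithmic rid base" = 1000:
 *     user  RID = 2*uid + base        (even)
 *     group RID = 2*gid + base + 1    (odd)
 * Any odd RID therefore decodes to *some* gid, which is why a migrated
 * NT4 user with an odd RID shows up in a POSIX ACL as a group.
 */
#include <stdio.h>

#define RID_MULTIPLIER 2   /* assumed constant of the model */
#define GROUP_RID_TYPE 1   /* low bit set: group, clear: user (assumed) */

/* Forward mapping: what a new local account would be assigned. */
long uid_to_user_rid(long uid, long base)
{
    return uid * RID_MULTIPLIER + base;
}

long gid_to_group_rid(long gid, long base)
{
    return (gid * RID_MULTIPLIER + base) | GROUP_RID_TYPE;
}

/* RIDs with the low bit clear are treated as users, low bit set as groups. */
int rid_is_user(long rid)
{
    return (rid & GROUP_RID_TYPE) == 0;
}

/* Unchecked reverse mapping, modelling the fallback the post describes:
 * every odd RID yields a gid, whether or not such a group exists.
 * Returns -1 only for RIDs whose low bit says "user". */
long group_rid_to_gid_unchecked(long rid, long base)
{
    if (rid_is_user(rid))
        return -1;
    return ((rid & ~GROUP_RID_TYPE) - base) / RID_MULTIPLIER;
}

/* Guarded variant of the post's suggestion: RIDs below the algorithmic
 * base belong to the migration window and are never decoded, and a
 * negative result is rejected instead of being cast to a gid. */
long group_rid_to_gid_guarded(long rid, long base)
{
    if (rid_is_user(rid))
        return -1;
    if (rid < base)               /* migrated NT4 RID: no algorithmic mapping */
        return -1;
    long gid = ((rid & ~GROUP_RID_TYPE) - base) / RID_MULTIPLIER;
    return gid < 0 ? -1 : gid;
}

int main(void)
{
    /* Constructed case: a user migrated from an NT4 PDC kept RID 1075 (odd). */
    long migrated_rid = 1075;

    printf("RID %ld, base 1000, unchecked: gid %ld\n",
           migrated_rid, group_rid_to_gid_unchecked(migrated_rid, 1000));
    printf("RID %ld, base 1000, guarded:   gid %ld (guard cannot help here)\n",
           migrated_rid, group_rid_to_gid_guarded(migrated_rid, 1000));
    printf("RID %ld, base 10000, guarded:  gid %ld (rejected, in window)\n",
           migrated_rid, group_rid_to_gid_guarded(migrated_rid, 10000));
    printf("RID %ld, base 10000, guarded:  gid %ld (genuine algorithmic group)\n",
           gid_to_group_rid(37, 10000), group_rid_to_gid_guarded(gid_to_group_rid(37, 10000), 10000));
    return 0;
}
```

With the default base of 1000 the migrated RID 1075 decodes to gid 37 in both variants, which is the collision the post describes; the guard only becomes useful once the base is raised above the highest migrated RID, so that the NT4 RIDs sit in a window the algorithm never touches.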

