[Samba] Possible bug with ACL handling after NT user migration

Andrew Bartlett abartlet at samba.org
Sun Feb 29 06:29:36 GMT 2004


On Sun, 2004-02-29 at 05:28, Sebastian Hetze wrote:
> Hi *
> 
> I encounter severe problems with changing ACL settings in Samba
> 3.0.2a after migrating users from NT PDC to LDAP-SAM.
> 
> I did not find anything about this in the mailing list yet.
> However, I have no idea what (if anything) I am doing wrong here.
> Although I can hardly believe that I am the first one to trigger
> that bug, it looks like a problem with the sid_to_gid routine.
> So please take a look at that:
> 
> After migrating users from NT4 to samba you get lots of RIDs that
> do not match the rid algorithm. 

The code is designed such that it should look for a matching name in the
SAM -> posix account to establish the mapping, before resorting to the
algorithmic mapping.

> As one such user, preferably one
> with an odd RID, create a new file on some samba share with Linux
> ACL enabled. Now open the Properties->Security->??? dialog
> (Eigenschaften->Sicherheit->Berechtigungen in German)
> and change anything. Add write permission to everyone, for example.
> Now take a look at that file in the Linux filesystem, specially
> the ACL on that file. The owner has lost write permission and
> some group has got full access instead.
> The GID of this (possibly not even existing) group is exactly
> the result of the RID algorithm calculation.

OUCH.

> My brief investigations indicate that the function
> create_canon_ace_lists() from posix_acls.c calls both sid_to_gid()
> and sid_to_uid() in turn with the same SID just to try if it matches
> in one case or the other. Unfortunately, sid_to_gid() falls back to
> algorithmic mapping and in the case shown above it succeeds to
> calculate a gid out of the migrated user's RID.
> 
> Turning off algorithmic rid calculation in general would solve
> the problem. However, I doubt that this is the correct solution
> at this time. For example, I would like to keep this algorithmic
> thing for automatic creation of new (machine) accounts.

I still think you should use the algorithmic rid base, but we need to
make these functions 'fail' for users in that range.

> One possible solution might be to use the algorithmic rid base to
> open a window of free RIDs for NT user migration. This could possibly
> be done by checking the return value of pdb_group_rid_to_gid to be
> a non-negative value before assigning the gid (just a quick shot).

We should allow these functions to fail, yes.

> Before I start coding and further testing I would like to get you
> involved. First of all, I would like you to either confirm the
> bug or help me, a blind man, to find the misconfiguration on my side.

Sounds like a genuine bug to me.  What we needed was the full idmap, but
in the meantime, we should have a sid_to_id() routine, that tries both
systems for an 'exact' match, before it guesses.

Please write this up in bugzilla, so we don't lose it.  This is a
serious issue, as you have noted.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
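The fallback Sebastian describes (sid_to_gid() guessing a gid from a migrated user's odd RID) and the sid_to_id() resolver Andrew proposes (exact match in both SAM tables before any guess, and no guess at all inside the migration window below the algorithmic rid base), side by side as an added example. This is not Samba's code: the SAM contents are constructed, SIDs are reduced to their RID, the "2*id + base, users even / groups odd" scheme is an assumption modelled on the classic algorithmic mapping, and the group-first lookup order in buggy_ace_to_posix() is assumed because it reproduces the symptom in the mail.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed algorithmic scheme (not stated in the mail): counted from the
 * configured "algorithmic rid base", user RIDs are even and group RIDs odd. */
#define RID_MULTIPLIER 2u

enum id_type { ID_NONE = 0, ID_USER, ID_GROUP };

struct sam_entry { uint32_t rid; const char *name; int id; };

/* Constructed SAM: "migrated" kept its NT4 RID (1243), which is odd and so looks
 * like a group RID to the algorithm; "alice" and "staff" were created by Samba
 * with base 1000 and follow the scheme. */
static const struct sam_entry sam_users[]  = { { 1243, "migrated", 500 }, { 2002, "alice", 501 } };
static const struct sam_entry sam_groups[] = { { 1201, "staff", 100 } };
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Exact lookup: succeeds only for an account that really exists in the SAM. */
static bool sam_lookup(const struct sam_entry *t, size_t n, uint32_t rid, int *id)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].rid == rid) { *id = t[i].id; return true; }
    return false;
}

static bool rid_is_algorithmic_user(uint32_t rid, uint32_t base)
{ return rid >= base && ((rid - base) % RID_MULTIPLIER) == 0; }
static int algorithmic_uid(uint32_t rid, uint32_t base) { return (int)((rid - base) / RID_MULTIPLIER); }
static int algorithmic_gid(uint32_t rid, uint32_t base) { return (int)((rid - base - 1) / RID_MULTIPLIER); }

/* Behaviour reported in the mail: when no group matches exactly, sid_to_gid()
 * falls back to the algorithm, so a migrated user's odd RID becomes a gid even
 * though a user owns that RID. */
bool buggy_sid_to_gid(uint32_t rid, uint32_t base, int *gid)
{
    if (sam_lookup(sam_groups, N(sam_groups), rid, gid))
        return true;
    if (rid > base && !rid_is_algorithmic_user(rid, base)) { /* odd RID above base */
        *gid = algorithmic_gid(rid, base);                    /* the guess */
        return true;
    }
    return false;
}

/* The resolver Andrew proposes: try both SAM tables for an exact match before
 * guessing, and fail (never guess) for RIDs in the window below the algorithmic
 * rid base that is left free for migrated NT accounts. */
enum id_type sid_to_id(uint32_t rid, uint32_t base, int *id)
{
    if (sam_lookup(sam_users, N(sam_users), rid, id))   return ID_USER;
    if (sam_lookup(sam_groups, N(sam_groups), rid, id)) return ID_GROUP;
    if (rid < base)                                     /* migration window */
        return ID_NONE;
    if (rid_is_algorithmic_user(rid, base)) { *id = algorithmic_uid(rid, base); return ID_USER; }
    *id = algorithmic_gid(rid, base);
    return ID_GROUP;
}

/* One NT ACE reduced to what matters here: the trustee's RID and a constructed
 * permission bit set (4 = read, 2 = write, 1 = execute). */
struct nt_ace    { uint32_t rid; unsigned perms; };
struct posix_ace { enum id_type type; int id; unsigned perms; };

/* Old path (assumed order): ask sid_to_gid() first, then try a uid. The owner's
 * own ACE is turned into an ACE for a group that may not even exist. */
bool buggy_ace_to_posix(const struct nt_ace *in, uint32_t base, struct posix_ace *out)
{
    int id;
    if (buggy_sid_to_gid(in->rid, base, &id)) { *out = (struct posix_ace){ ID_GROUP, id, in->perms }; return true; }
    if (sam_lookup(sam_users, N(sam_users), in->rid, &id)) { *out = (struct posix_ace){ ID_USER, id, in->perms }; return true; }
    return false;
}

/* Fixed path: one resolver decides what kind of id the SID maps to. */
bool fixed_ace_to_posix(const struct nt_ace *in, uint32_t base, struct posix_ace *out)
{
    int id;
    enum id_type t = sid_to_id(in->rid, base, &id);
    if (t == ID_NONE) return false;
    *out = (struct posix_ace){ t, id, in->perms };
    return true;
}

int main(void)
{
    struct nt_ace owner = { 1243, 6 };   /* the migrated user's own rw entry */
    struct posix_ace p;
    if (buggy_ace_to_posix(&owner, 1000, &p))
        printf("buggy: type=%d id=%d perms=%u\n", p.type, p.id, p.perms);  /* group 121 */
    if (fixed_ace_to_posix(&owner, 1000, &p))
        printf("fixed: type=%d id=%d perms=%u\n", p.type, p.id, p.perms);  /* user 500 */
    return 0;
}
```

With base 1000 the fixed resolver still guesses for unknown RIDs at or above the base, which keeps automatic creation of new machine accounts working; raising the base (10000 in the test) opens the free window for migrated RIDs, where an unknown RID now fails instead of being mapped to an arbitrary gid.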