[Samba] Possible bug with ACL handling after NT user migration
abartlet at samba.org
Sun Feb 29 06:29:36 GMT 2004
On Sun, 2004-02-29 at 05:28, Sebastian Hetze wrote:
> Hi *
> I encounter severe problems with changing ACL settings in Samba
> 3.0.2a after migrating users from NT PDC to LDAP-SAM.
> I did not find anything about this in the mailing list yet.
> However, I have no idea (if) what I am doing wrong here.
> Although I can hardly believe that I am the first one to trigger
> that bug, it looks like a problem with the sid_to_gid routine.
> So please take a look at that:
> After migrating users from NT4 to samba you get lots of RIDs that
> do not match the rid algorithm.
The code is designed such that it should look for a matching name in the
SAM -> posix account to establish the mapping, before resorting to the
> As one such user, preferably one
> with an odd RID, create a new file on some samba share with Linux
> ACL enabled. Now open the Properties->Security->??? dialog
> (Eigenschaften->Sicherheit->Berechtigungen in German)
> and change anything. Add write permission to everyone, for example.
> Now take a look at that file in the Linux filesystem, specially
> the ACL on that file. The owner has lost write permission and
> some group has got full access instead.
> The GID of this (possibly not even existing) group is exactly
> the result of the RID algorithm calculation.
> My brief investigations indicate that the function
> create_canon_ace_lists() from posix_acls.c calls both sid_to_gid()
> and sid_to_uid() in turn with the same SID just to try if it matches
> in one case or the other. Unfortunately, sid_to_gid() falls back to
> algorithmic mapping and in the case shown above it succeeds in
> calculating a gid out of the migrated user's RID.
> Turning off algorithmic rid calculation in general would solve
> the problem. However, I doubt that this is the correct solution
> at this time. For example, I would like to keep this algorithmic
> thing for automatic creation of new (machine) accounts.
I still think you should use the algorithmic rid base, but we need to
make these functions 'fail' for users in that range.
> One possible solution might be, to use the algorithmic rid base to
> open a window of free RIDs for NT user migration. This could possibly
> be done by checking the return value of pdb_group_rid_to_gid to be
> a non negative value before assigning the gid (just a quick shot).
We should allow these functions to fail, yes.
> Before I start coding and further testing I would like to get you
> involved. First of all, I would like you to either confirm the
> bug or help me, a blind man, to find the misconfiguration on my side.
Sounds like a genuine bug to me. What we needed was the full idmap, but
in the meantime, we should have a sid_to_id() routine, that tries both
systems for an 'exact' match, before it guesses.
Please write this up in bugzilla, so we don't lose it. This is a
serious issue, as you have noted.
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
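The failure mode Sebastian reports and the sid_to_id() shape Andrew suggests, shown as an added C model that is not Samba's code: the SAM tables, the RID values and the base-1000 "rid = 2*id + base (+1 for groups)" arithmetic are constructed assumptions modelled on Samba 3 defaults, and the function names are illustrative.

```c
#include <stddef.h>
#include <stdio.h>

/* Samba 3 default "algorithmic rid base"; assumed here for the model. */
#define ALGORITHMIC_RID_BASE 1000u

/* Constructed SAM snapshot: users migrated from an NT4 PDC keep their old
 * RIDs, so those RIDs do not follow the uid*2+base / gid*2+base+1 pattern. */
struct sam_entry { const char *name; unsigned rid; int id; };
static const struct sam_entry sam_users[]  = { {"shetze", 1021, 500}, {"alice", 1030, 501} };
static const struct sam_entry sam_groups[] = { {"staff",  1503,   1} };
#define N(a) (sizeof(a) / sizeof((a)[0]))

/* Exact match against one SAM table; -1 when the RID is unknown there. */
static int exact_lookup(const struct sam_entry *t, size_t n, unsigned rid) {
    for (size_t i = 0; i < n; i++) if (t[i].rid == rid) return t[i].id;
    return -1;
}

/* Model of the algorithmic fallbacks: even RIDs at/above the base are users,
 * odd RIDs above the base are groups (cf. pdb_group_rid_to_gid). */
static int algorithmic_uid(unsigned rid) {
    if (rid < ALGORITHMIC_RID_BASE || (rid & 1u) != 0) return -1;
    return (int)((rid - ALGORITHMIC_RID_BASE) / 2);
}
static int algorithmic_gid(unsigned rid) {
    if (rid <= ALGORITHMIC_RID_BASE || (rid & 1u) == 0) return -1;
    return (int)((rid - ALGORITHMIC_RID_BASE - 1) / 2);
}

/* The reported behaviour: sid_to_gid() tried on a migrated *user* SID finds no
 * group and "succeeds" through the algorithm, producing a gid nobody owns. */
int buggy_sid_to_gid(unsigned rid) {
    int gid = exact_lookup(sam_groups, N(sam_groups), rid);
    return gid >= 0 ? gid : algorithmic_gid(rid);
}

/* Suggested shape: one resolver that checks both tables for an exact match
 * before guessing, so a SAM user can never be turned into a group. */
enum id_kind { ID_NONE = 0, ID_UID = 1, ID_GID = 2 };
enum id_kind sid_to_id(unsigned rid, int *id) {
    if ((*id = exact_lookup(sam_users,  N(sam_users),  rid)) >= 0) return ID_UID;
    if ((*id = exact_lookup(sam_groups, N(sam_groups), rid)) >= 0) return ID_GID;
    if ((*id = algorithmic_uid(rid)) >= 0) return ID_UID;  /* guess only for unknown RIDs */
    if ((*id = algorithmic_gid(rid)) >= 0) return ID_GID;
    return ID_NONE;
}
int sid_to_id_kind(unsigned rid) { int id; return (int)sid_to_id(rid, &id); }
int sid_to_id_value(unsigned rid) { int id; sid_to_id(rid, &id); return id; }

int main(void) {
    printf("buggy sid_to_gid(1021) -> gid %d (bogus)\n", buggy_sid_to_gid(1021));
    printf("sid_to_id(1021) -> kind %d, id %d\n", sid_to_id_kind(1021), sid_to_id_value(1021));
    return 0;
}
```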