[Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)\ Two bugs in change svn-22481

Jens Nissen jens.nissen at gmx.net
Mon Apr 30 16:15:01 GMT 2007

Thanks Jeremy for the ACL-fix (svn-Revision 22481).
It points out the way to go, even though I think, you had a bad day:
IMHO, There are two bugs:

(a) A minor bug in your util_sid.c - change.
The additional test

	if (sid_equal(sid, &global_sid_System))
		return True;

is superfluous, as the global_sid_System is part of NT-Authority which
is lateron tested with

	if (sid_equal(&dom, &global_sid_NT_Authority))
		return True;

I recommend reverting util_sic.c to revision 22480.

(b) A severe bug in your change to posix_acls.c

You have moved the test for non-mappable SIDs from a point BEFORE
SMB_MALLOC_P to a point beyond the call "current_ace = SMB_MALLOC_P(---)".

Thus your fix leaks memory of size "canon_ace" each time a non-mappable
SID is called.

The correct code in create_canon_ace_lists should look like this:

       * Silently ignore map failures in non-mappable SIDs (NT
Authority, BUILTIN etc).

      if (non_mappable_sid(&psa->trustee)) {
        DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
          sid_to_string(str, &psa->trustee) ));

I hope, I didn't miss a point in my analysis.

Kind regards,

Jens Nissen

Jeremy Allison wrote:
> On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote:
>> I cannot set rights on a arbitrary file or folder for the Windows
>> predefined group "Authenticated Users" (which has SID S-1-5-11) via
>> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
>> Everything else works:
>> - I can set rights for any other domain group.
>> - I can read the ACL entry for "Authenticated Users" in the Windows 2000
>> File Attribute Dialog if I set it manually with setfacl before
>> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
>> with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
>> existence of this predefined group.
>> What am I doing wrong? Is this supposed to work?
>> Is there a workaround or any other suitable mapping for this group?
>> In the "Unofficial Samba + ACL Howto", there is a reference (chapter
>> 3.1.4) that this might not work, but that was back in 2003 and 4 years
>> have passed since then.
> What fails ? Selecting the user in the GUI ? More info on
> exactly what isn't working would be good.
> Jeremy.

More information about the samba mailing list