[Samba] Cannot set ACL rights for group "Authenticated Users"
(SID S-1-5-11)\ Two bugs in change svn-22481
Jens Nissen
jens.nissen at gmx.net
Mon Apr 30 16:15:01 GMT 2007
Thanks Jeremy for the ACL-fix (svn-Revision 22481).
It points out the way to go, even though I think you had a bad day:
IMHO, there are two bugs:

(a) A minor bug in your util_sid.c - change.
The additional test
    if (sid_equal(sid, &global_sid_System))
        return True;
is superfluous, as the global_sid_System is part of NT-Authority which
is later on tested with
    if (sid_equal(&dom, &global_sid_NT_Authority))
        return True;
I recommend reverting util_sid.c to revision 22480.

(b) A severe bug in your change to posix_acls.c
You have moved the test for non-mappable SIDs from a point BEFORE
SMB_MALLOC_P to a point beyond the call "current_ace = SMB_MALLOC_P(---)".
Thus your fix leaks memory of size "canon_ace" each time a non-mappable
SID is called.
The correct code in create_canon_ace_lists should look like this:

    /*
     * Silently ignore map failures in non-mappable SIDs (NT Authority, BUILTIN etc).
     */
    if (non_mappable_sid(&psa->trustee)) {
        DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
            sid_to_string(str, &psa->trustee) ));
        SAFE_FREE(current_ace);
        continue;
    }

I hope I didn't miss a point in my analysis.
Kind regards,
Jens Nissen
Jeremy Allison wrote:
> On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote:
>> I cannot set rights on an arbitrary file or folder for the Windows
>> predefined group "Authenticated Users" (which has SID S-1-5-11) via
>> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
>>
>> Everything else works:
>> - I can set rights for any other domain group.
>> - I can read the ACL entry for "Authenticated Users" in the Windows 2000
>> File Attribute Dialog if I set it manually with setfacl before
>> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
>> with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
>> existence of this predefined group.
>>
>> What am I doing wrong? Is this supposed to work?
>> Is there a workaround or any other suitable mapping for this group?
>>
>> In the "Unofficial Samba + ACL Howto", there is a reference (chapter
>> 3.1.4) that this might not work, but that was back in 2003 and 4 years
>> have passed since then.
>
> What fails ? Selecting the user in the GUI ? More info on
> exactly what isn't working would be good.
>
> Jeremy.
>
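
Added example, not part of the original message and not Samba source: a stand-alone C model of the two points above, showing that a System SID (S-1-5-18) is already caught by the NT Authority domain test, and that skipping an entry after allocating it leaks unless it is freed first. The struct layouts, `xmalloc`/`xfree`, `non_mappable`, `build_list` and the sample SIDs are hypothetical stand-ins constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified SID S-1-<auth>-<sub...>; hypothetical, not Samba's DOM_SID. */
struct sid { int auth; int num_subs; unsigned sub[6]; };
struct ace { struct sid trustee; struct ace *next; };

static int live;  /* outstanding allocations, so a leak shows up as a count */
static void *xmalloc(size_t n) { void *p = malloc(n); if (p) live++; return p; }
static void xfree(void *p) { if (p) { live--; free(p); } }

/* Stand-in for the domain test: drop the last sub-authority (the RID) and
 * compare the rest with NT Authority (S-1-5) or BUILTIN (S-1-5-32). */
static int non_mappable(const struct sid *s) {
    if (s->auth != 5 || s->num_subs == 0) return 0;
    if (s->num_subs == 1) return 1;                 /* S-1-5-<rid> */
    return s->num_subs == 2 && s->sub[0] == 32;     /* S-1-5-32-<rid> */
}

/* Collect mappable trustees; free_on_skip=0 is allocate-then-continue.
 * Returns allocations still outstanding after the list is torn down. */
static int build_list(const struct sid *in, size_t n, int free_on_skip, int *kept) {
    struct ace *head = NULL;
    live = 0; *kept = 0;
    for (size_t i = 0; i < n; i++) {
        struct ace *cur = xmalloc(sizeof(*cur));
        if (!cur) break;
        if (non_mappable(&in[i])) {
            if (free_on_skip) xfree(cur);
            continue;              /* without the free, cur is lost here */
        }
        cur->trustee = in[i]; cur->next = head; head = cur; (*kept)++;
    }
    while (head) { struct ace *nx = head->next; xfree(head); head = nx; }
    return live;
}

/* Constructed input: Authenticated Users, Local System, BUILTIN Administrators, a domain account. */
static const struct sid sample[] = {
    {5, 1, {11}}, {5, 1, {18}}, {5, 2, {32, 544}},
    {5, 5, {21, 1111, 2222, 3333, 1001}},
};

int main(void) {
    int kept, leaked = build_list(sample, 4, 0, &kept);
    printf("skip without free: %d leaked, %d kept\n", leaked, kept);
    leaked = build_list(sample, 4, 1, &kept);
    printf("skip with free:    %d leaked, %d kept\n", leaked, kept);
}
```

Moving the check ahead of the allocation, as in the earlier ordering the message refers to, gives the same zero count without needing the free.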