[Samba] Bug: ACL entries for user w/o uidNumber are silently discarded
Jonathon Reinhart
jonathon.reinhart at gmail.com
Thu Jan 27 04:16:53 UTC 2022
TL;DR: I'm seeing Samba silently ignore any ACL entries being added to
the security descriptor for a user without the uidNumber attribute set
in LDAP.
File server:
Samba 4.13.14 (TrueNAS-12.0-U7)
Domain member (idmap: rfc2307)
"Full" smb.conf posted at the end (note that TrueNAS uses "registry
shares", so I dumped it from "testparm -v")
I'm aware that if you use RFC2307, then users must have a uidNumber
set. I ran three tests:
1) Adding an ACE with an unknown user (using python-smbc)
Result: setxattr() returns "Invalid argument" (as reasonably expected)
2) Adding an ACE with known user who is missing uidNumber (by name,
using python-smbc)
Result: setxattr() returns no errors, but the ACE is gone
3) Adding an ACE with known user who is missing uidNumber (using the
Windows Security tab)
Result: After clicking Apply, the new ACE just disappears (same as #2)
It seems like Samba should be returning an error if someone tries to
set an ACE with an "invalid" user (because they don't have a uidNumber).
I have a slight suspicion that this is actually caused by the "zfsacl"
vfs object.
(https://www.samba.org/samba/docs/current/man-html/vfs_zfsacl.8.html)
Please let me know if anyone has any thoughts related to this, or if I
should open a ticket in bugzilla.
Thanks,
Jonathon
----------------
smb.conf:
[global]
dns proxy = No
aio max threads = 2
max log size = 5120
load printers = No
printing = bsd
disable spoolss = Yes
dos filemode = Yes
kernel change notify = No
directory name cache size = 0
nsupdate command = /usr/local/bin/samba-nsupdate -g
unix charset = UTF-8
log level = 1 auth_audit:5 smb:3 smb2:3
obey pam restrictions = False
enable web service discovery = True
logging = syslog at 2 file
server min protocol = SMB3_00
unix extensions = No
restrict anonymous = 2
server string = FreeNAS Server
bind interfaces only = Yes
netbios name = nas
netbios aliases =
server role = member server
kerberos method = secrets and keytab
workgroup = EXAMPLE
realm = INTERNAL.EXAMPLE.COM
security = ADS
local master = No
domain master = No
preferred master = No
winbind cache time = 7200
winbind max domain connections = 10
client ldap sasl wrapping = seal
template shell = /bin/sh
template homedir = /home/%D/%U
ads dns update = Yes
allow trusted domains = Yes
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
winbind nss info = rfc2307
idmap config EXAMPLE: backend = ad
idmap config EXAMPLE: range = 10000-90000000
idmap config EXAMPLE: schema_mode = rfc2307
idmap config *: backend = tdb
idmap config *: range = 90000001-100000000
smb encrypt = desired
registry shares = yes
include = registry
[share]
ea support = No
path = /mnt/Pool1/fileshare1
read only = No
vfs objects = zfs_space zfsacl streams_xattr
nfs4:chown = true
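The following is an added example, not code from the post or from Samba: a python-smbc-style check that treats a setxattr() call as successful only if the ACE is actually present when the security descriptor is read back, which is what test #2 above needed to catch the silent drop. The descriptor text format (REVISION/OWNER/GROUP/ACL items, ACL items as name:type/flags/mask) is libsmbclient's; the share URI, user names and masks are placeholders, and FakeContext is a constructed stand-in for smbc.Context so the check runs offline.

```python
"""
Detect an ACE that the server accepted without error but never stored.

Assumptions (not from the original post): libsmbclient's text form of a
security descriptor read via "system.nt_sec_desc.*+" looks like
  REVISION:1,OWNER:DOM\\user,GROUP:DOM\\grp,ACL:DOM\\user:0/0/0x001f01ff
and an ACE is added with setxattr(uri, "system.nt_sec_desc.acl+", ace, 0).
"""
import re
from typing import List, NamedTuple


class Ace(NamedTuple):
    trustee: str   # "DOMAIN\\user" (or a SID when read without the '+')
    ace_type: int  # 0 = access allowed, 1 = access denied
    flags: int     # inheritance flags
    mask: int      # access mask, e.g. 0x001f01ff = full control


# One "ACL:" item of the descriptor text; trustee may contain spaces.
_ACE_RE = re.compile(
    r"^ACL:(?P<trustee>.+):(?P<type>\d+)/(?P<flags>\d+)/(?P<mask>0x[0-9A-Fa-f]+)$"
)


def format_ace(ace: Ace) -> str:
    """Render an ACE in the form setxattr() on 'system.nt_sec_desc.acl+' takes."""
    return f"ACL:{ace.trustee}:{ace.ace_type}/{ace.flags}/0x{ace.mask:08x}"


def parse_acl(sd: str) -> List[Ace]:
    """Extract the ACEs from a comma-separated descriptor string."""
    aces = []
    for item in sd.split(","):
        m = _ACE_RE.match(item.strip())
        if m:
            aces.append(Ace(m["trustee"], int(m["type"]), int(m["flags"]),
                            int(m["mask"], 16)))
    return aces


def _key(ace: Ace):
    # Windows account names are case-insensitive; compare them that way.
    return (ace.trustee.lower(), ace.ace_type, ace.flags, ace.mask)


def missing_aces(requested: List[Ace], readback_sd: str) -> List[Ace]:
    """ACEs we asked for that are absent from the descriptor read back."""
    present = {_key(a) for a in parse_acl(readback_sd)}
    return [a for a in requested if _key(a) not in present]


def add_ace_checked(ctx, uri: str, ace: Ace) -> str:
    """Add one ACE by name, then re-read the descriptor and insist it is there.

    ctx is an smbc.Context (or a stand-in with the same two methods).
    A missing uidNumber on the server side shows up here as RuntimeError
    instead of a silently unchanged ACL.
    """
    ctx.setxattr(uri, "system.nt_sec_desc.acl+", format_ace(ace), 0)
    sd = ctx.getxattr(uri, "system.nt_sec_desc.*+")
    dropped = missing_aces([ace], sd)
    if dropped:
        raise RuntimeError(
            f"server accepted but discarded ACE {format_ace(dropped[0])}; "
            f"descriptor now: {sd}")
    return sd


class FakeContext:
    """Constructed stand-in for smbc.Context so the check runs offline.
    drop=True mimics the behaviour in the post: setxattr() returns no
    error, but the ACE never lands in the descriptor."""

    def __init__(self, sd: str, drop: bool):
        self.sd, self.drop = sd, drop

    def setxattr(self, uri, name, value, flags):
        if not self.drop:
            self.sd += "," + value

    def getxattr(self, uri, name):
        return self.sd


# Constructed descriptor: what a read-back might look like after test #2.
SAMPLE_SD = ("REVISION:1,OWNER:EXAMPLE\\alice,GROUP:EXAMPLE\\domain users,"
             "ACL:EXAMPLE\\alice:0/0/0x001f01ff")

if __name__ == "__main__":
    uri = "smb://nas/share/testfile"          # placeholder
    bob = Ace("EXAMPLE\\bob", 0, 0, 0x001f01ff)  # user with no uidNumber
    try:
        add_ace_checked(FakeContext(SAMPLE_SD, drop=True), uri, bob)
    except RuntimeError as e:
        print("caught:", e)
    print(add_ace_checked(FakeContext(SAMPLE_SD, drop=False), uri, bob))
```

Against a real server, replace FakeContext with `smbc.Context()` (with an auth callback for a non-anonymous share) and pass the real `smb://` URI; the check itself is unchanged. Reading back with the name form (`*+`) rather than the SID form keeps the comparison on the same trustee spelling that was written.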