[Samba] Bug: ACL entries for user w/o uidNumber are silently discarded

Jonathon Reinhart jonathon.reinhart at gmail.com
Thu Jan 27 04:16:53 UTC 2022

TL;DR: I'm seeing Samba silently ignore any ACL entries being added to
the security descriptor for a user without the uidNumber attribute set
in LDAP.

File server:
  Samba 4.13.14 (TrueNAS-12.0-U7)
  Domain member (idmap: rfc2307)
  "Full" smb.conf posted at the end (note that TrueNAS uses "registry
shares" so that I dumped from "testparm -v")

I'm aware that if you use RFC2307, then users must have a uidNumber
set. I ran three tests:

1) Adding an ACE with an unknown user (using python-smbc)
   Result: setxattr() returns "Invalid argument" (as reasonably expected)

2) Adding an ACE with known user who is missing uidNumber (by name,
using python-smbc)
   Result: setxattr() returns no errors, but the ACE is gone

3) Adding an ACE with known user who is missing uidNumber (using the
Windows Security tab)
   Result: After clicking Apply, the new ACE just disappears (same as #2)

It seems like Samba should be returning an error if someone tries to
set an ACE with an "invalid" user (b/c they don't have a uidNumber).

I have a slight suspicion that this is actually caused by the "zfsacl"
vfs object.

Please let me know if anyone has any thoughts related to this, or if I
should open a ticket in bugzilla.



        dns proxy = No
        aio max threads = 2
        max log size = 5120
        load printers = No
        printing = bsd
        disable spoolss = Yes
        dos filemode = Yes
        kernel change notify = No
        directory name cache size = 0
        nsupdate command = /usr/local/bin/samba-nsupdate -g
        unix charset = UTF-8
        log level =  1 auth_audit:5 smb:3 smb2:3
        obey pam restrictions = False
        enable web service discovery = True
        logging = syslog at 2 file
        server min protocol =  SMB3_00
        unix extensions = No
        restrict anonymous = 2
        server string = FreeNAS Server
        bind interfaces only = Yes
        netbios name = nas
        netbios aliases =
        server role = member server
        kerberos method = secrets and keytab
        workgroup = EXAMPLE
        realm = INTERNAL.EXAMPLE.COM
        security = ADS
        local master = No
        domain master = No
        preferred master = No
        winbind cache time = 7200
        winbind max domain connections = 10
        client ldap sasl wrapping = seal
        template shell = /bin/sh
        template homedir = /home/%D/%U
        ads dns update = Yes
        allow trusted domains = Yes
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind nss info = rfc2307
        idmap config EXAMPLE: backend = ad
        idmap config EXAMPLE: range = 10000-90000000
        idmap config EXAMPLE: schema_mode = rfc2307
        idmap config *: backend = tdb
        idmap config *: range = 90000001-100000000
        smb encrypt =  desired
        registry shares = yes
        include = registry

        ea support = No
        path = /mnt/Pool1/fileshare1
        read only = No
        vfs objects = zfs_space zfsacl streams_xattr
        nfs4:chown = true
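A read-back check for case #2 above, added here as an example and not part of the original post: it parses the descriptor text that python-smbc's getxattr returns for system.nt_sec_desc.* and reports any ACE that was in the descriptor you set but is gone after reading it back, which is what a silently discarded entry looks like from the client side. The descriptor text format and the smbc calls in apply_and_verify are assumed from libsmbclient's xattr interface; the sample descriptors in the test are constructed.

```python
"""Detect ACL entries that Samba dropped silently after a setxattr.

Added example, not from the original post. Assumes the text form that
libsmbclient uses for the system.nt_sec_desc.* xattr, e.g.
  REVISION:1,OWNER:<sid>,GROUP:<sid>,ACL:<sid>:<type>/<flags>/<mask>,...
"""
from typing import Dict, List, Tuple

Ace = Tuple[str, int, int, int]  # (trustee, ace type, ace flags, access mask)


def parse_sd(text: str) -> Tuple[Dict[str, str], List[Ace]]:
    """Split a descriptor string into its header fields and a list of ACEs."""
    header: Dict[str, str] = {}
    aces: List[Ace] = []
    for item in text.split(","):
        key, _, value = item.partition(":")
        if key == "ACL":
            # The trustee (SID or resolved name) never contains ':', so the
            # last ':' separates it from the type/flags/mask triple.
            trustee, _, spec = value.rpartition(":")
            ace_type, ace_flags, mask = spec.split("/")
            aces.append((trustee, int(ace_type), int(ace_flags), int(mask, 16)))
        elif key:
            header[key] = value
    return header, aces


def missing_aces(requested: str, readback: str) -> List[Ace]:
    """ACEs present in the requested descriptor but absent after read-back."""
    wanted = parse_sd(requested)[1]
    applied = set(parse_sd(readback)[1])  # masks compared as ints, not text
    return [ace for ace in wanted if ace not in applied]


def with_ace(sd: str, trustee: str, mask: int, ace_type: int = 0, flags: int = 0) -> str:
    """Append an ACE (type 0 = ACCESS_ALLOWED) to an existing descriptor string."""
    return f"{sd},ACL:{trustee}:{ace_type}/{flags}/0x{mask:08x}"


def apply_and_verify(ctx, uri: str, sd: str) -> List[Ace]:
    """Set the descriptor over SMB, read it back, return ACEs the server dropped.

    ctx is an smbc.Context (assumed: python-smbc, as used in the report).
    Needs a live file server, so it is only defined here, not called.
    """
    import smbc  # assumed to provide XATTR_FLAG_REPLACE
    name = "system.nt_sec_desc.*"
    ctx.setxattr(uri, name, sd, smbc.XATTR_FLAG_REPLACE)
    return missing_aces(sd, ctx.getxattr(uri, name))
```

An empty list from apply_and_verify means every requested ACE survived; a non-empty one is the silent-discard case even though setxattr raised no error.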
