smbd: Broken access to share
Купчук Михаил Георгиевич
MKupchuk at inno.tech
Thu Feb 15 16:26:48 UTC 2024
Hello everyone!
Found out that this patch https://gitlab.com/samba-team/samba/-/commit/0e3836e3961f2b7c39173ce1023d3c92addef630 broke access to sysvol for "Domain Admins" group members.
Case:
We have a Windows task that copies sysvol contents from a Windows DC to a Samba DC using robocopy, i.e.
robocopy C:\Windows\SYSVOL\domain\Policies\ \\samba-dc\SYSVOL\windom.lan\Policies\ /MIR /COPY:DATSO /DCOPY:DAT
The task is run using a dedicated MSA account which is a member of the Domain Admins group.
Everything worked fine until this patch.
Now we get the error "ERROR 5 (0x00000005) Copying NTFS Security to Destination Directory \\samba-dc\SYSVOL\windom.lan\Policies\ Access is denied."
If I roll back this one commit, everything comes back to normal.
I see that there is a set of similar commits replacing calls to "unbecome_root()" in favour of "drop_effective_capability(DAC_OVERRIDE_CAPABILITY)".
Not sure if there are more cases related to other commits, but this one breaks compatibility in our case.
Samba runs in this environment:
Ubuntu 22.04
Self-built Samba (no extra build flags, "--prefix" only). But I also tried installing fresh Michael Tokarev packages from https://www.corpit.ru/mjt/packages/samba
Nothing changed in smb.conf, which was generated by "samba-tool domain join".
With patch:
[2024/02/15 19:18:14.604295, 10, pid=344928, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/open.c:180(smbd_check_access_rights_sd)
smbd_check_access_rights_sd: File [windom4.lan/Policies] requesting [0x2] returning [0x2] (NT_STATUS_OK)
[2024/02/15 19:18:14.604300, 10, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=acls] ../../source3/smbd/posix_acls.c:2943(set_canon_ace_list)
set_canon_ace_list: acl group control on and current user in file [windom4.lan/Policies] primary group.
[2024/02/15 19:18:14.604303, 4, pid=344928, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:206(push_sec_ctx)
push_sec_ctx(3000023, 3000022) : sec_ctx_stack_ndx = 1
[2024/02/15 19:18:14.604313, 4, pid=344928, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/uid.c:566(push_conn_ctx)
push_conn_ctx(3662615508) : conn_ctx_stack_ndx = 0
[2024/02/15 19:18:14.604335, 4, pid=344928, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:317(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2024/02/15 19:18:14.604338, 5, pid=344928, effective(3000023, 3000022), real(3000023, 0)] ../../libcli/security/security_token.c:114(security_token_debug)
Security token: (NULL)
[2024/02/15 19:18:14.604342, 5, pid=344928, effective(3000023, 3000022), real(3000023, 0)] ../../source3/auth/token_util.c:912(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2024/02/15 19:18:14.604356, 4, pid=344928, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:443(pop_sec_ctx)
pop_sec_ctx (3000023, 3000022) - sec_ctx_stack_ndx = 0
[2024/02/15 19:18:14.604362, 10, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=acls] ../../source3/smbd/posix_acls.c:3366(posix_fget_nt_acl)
posix_fget_nt_acl: called for file windom4.lan/Policies
...
[2024/02/15 19:18:14.605851, 10, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=vfs] ../../source3/modules/vfs_acl_xattr.c:132(store_acl_blob_fsp)
store_acl_blob_fsp: storing blob length 508 on file windom4.lan/Policies
[2024/02/15 19:18:14.605864, 5, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=vfs] ../../source3/modules/vfs_acl_xattr.c:143(store_acl_blob_fsp)
store_acl_blob_fsp: setting attr failed for file windom4.lan/Policieswith error Operation not permitted
[2024/02/15 19:18:14.605876, 3, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=smb2] ../../source3/smbd/smb2_server.c:4025(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_setinfo.c:137
[2024/02/15 19:18:14.605881, 10, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=smb2] ../../source3/smbd/smb2_server.c:3910(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: mid [38] idx[1] status[NT_STATUS_ACCESS_DENIED] body[8] dyn[yes:1] at ../../source3/smbd/smb2_server.c:4076
[2024/02/15 19:18:14.605885, 10, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=smb2_credits] ../../source3/smbd/smb2_server.c:1044(smb2_set_operation_credit)
smb2_set_operation_credit: smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 8162/8192, total granted/max/low/range 31/8192/39/31
Version prior to commit:
[2024/02/15 19:15:43.658696, 10, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/open.c:180(smbd_check_access_rights_sd)
smbd_check_access_rights_sd: File [windom4.lan/Policies] requesting [0x2] returning [0x2] (NT_STATUS_OK)
[2024/02/15 19:15:43.658701, 10, pid=339912, effective(3000023, 3000022), real(3000023, 0), class=acls] ../../source3/smbd/posix_acls.c:2943(set_canon_ace_list)
set_canon_ace_list: acl group control on and current user in file [windom4.lan/Policies] primary group.
[2024/02/15 19:15:43.658704, 4, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:206(push_sec_ctx)
push_sec_ctx(3000023, 3000022) : sec_ctx_stack_ndx = 1
[2024/02/15 19:15:43.658712, 4, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/uid.c:566(push_conn_ctx)
push_conn_ctx(2096715502) : conn_ctx_stack_ndx = 0
[2024/02/15 19:15:43.658717, 4, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:317(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2024/02/15 19:15:43.658720, 5, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../libcli/security/security_token.c:114(security_token_debug)
Security token: (NULL)
[2024/02/15 19:15:43.658724, 5, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/auth/token_util.c:912(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2024/02/15 19:15:43.658739, 4, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:443(pop_sec_ctx)
pop_sec_ctx (3000023, 3000022) - sec_ctx_stack_ndx = 0
[2024/02/15 19:15:43.658746, 10, pid=339912, effective(3000023, 3000022), real(3000023, 0), class=acls] ../../source3/smbd/posix_acls.c:3366(posix_fget_nt_acl)
posix_fget_nt_acl: called for file windom4.lan/Policies
...
[2024/02/15 19:15:43.659995, 10, pid=339912, effective(3000023, 3000022), real(3000023, 0), class=vfs] ../../source3/modules/vfs_acl_xattr.c:132(store_acl_blob_fsp)
store_acl_blob_fsp: storing blob length 508 on file windom4.lan/Policies
[2024/02/15 19:15:43.659999, 4, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:206(push_sec_ctx)
push_sec_ctx(3000023, 3000022) : sec_ctx_stack_ndx = 1
[2024/02/15 19:15:43.660007, 4, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/uid.c:566(push_conn_ctx)
push_conn_ctx(2096715502) : conn_ctx_stack_ndx = 0
[2024/02/15 19:15:43.660011, 4, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:317(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2024/02/15 19:15:43.660014, 5, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../libcli/security/security_token.c:114(security_token_debug)
Security token: (NULL)
[2024/02/15 19:15:43.660018, 5, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/auth/token_util.c:912(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2024/02/15 19:15:43.660032, 4, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:443(pop_sec_ctx)
pop_sec_ctx (3000023, 3000022) - sec_ctx_stack_ndx = 0
[2024/02/15 19:15:43.660040, 10, pid=339912, effective(3000023, 3000022), real(3000023, 0), class=smb2] ../../source3/smbd/smb2_server.c:3910(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: mid [38] idx[1] status[NT_STATUS_OK] body[2] dyn[no:0] at ../../source3/smbd/smb2_setinfo.c:159
For the moment I have had no time to investigate deeper, but I am going to.
Best wishes,
Michael.
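As an added example (editor's code, not part of the mail and not Samba's own code), the following Python script parses smbd level-10 debug output in the format quoted above and reports, for each store_acl_blob_fsp write, whether smbd switched to the (0, 0) security context for that write and whether the xattr store failed. The two embedded traces are abridged copies of the excerpts in the mail; the header layout is inferred from those excerpts, and pairing each header line with the message line that follows it is an assumption.

```python
import re
from dataclasses import dataclass

# Header line of an smbd debug entry as seen in the traces above, e.g.
# [2024/02/15 19:18:14.605851, 10, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=vfs] ../../source3/modules/vfs_acl_xattr.c:132(store_acl_blob_fsp)
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^,]+), (?P<level>\d+), pid=(?P<pid>\d+), "
    r"effective\((?P<euid>\d+), (?P<egid>\d+)\), real\((?P<ruid>\d+), (?P<rgid>\d+)\)"
    r"(?:, class=(?P<cls>\w+))?\] (?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)$"
)
# Message emitted by set_sec_ctx_internal when smbd switches unix credentials
SEC_CTX_RE = re.compile(r"setting sec ctx \((\d+), (\d+)\)")


@dataclass
class Entry:
    func: str   # function named in the header
    cls: str    # debug class, "" when the header carries none
    msg: str    # message line following the header (assumed one per header)


def parse_trace(text: str) -> list:
    """Pair every header line with the message line that follows it."""
    entries, header = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "...":        # blank lines and elided regions
            continue
        m = HEADER_RE.match(line)
        if m:
            header = m
        elif header is not None:
            entries.append(Entry(header["func"], header["cls"] or "", line))
            header = None
    return entries


@dataclass
class AclWrite:
    path: str
    root_ctx_during_write: bool = False   # sec ctx (0, 0) set between "storing blob" and completion?
    failed: bool = False
    error: str = ""


def audit_acl_writes(text: str) -> list:
    """Record privilege context and outcome for each store_acl_blob_fsp write.

    The window runs from the "storing blob" line to either the "setting attr
    failed" line or the next smb2-class entry (request completion).
    """
    writes, current = [], None
    for e in parse_trace(text):
        if e.func == "store_acl_blob_fsp" and "storing blob" in e.msg:
            current = AclWrite(path=e.msg.rsplit(" on file ", 1)[1])
            writes.append(current)
        elif current is None:
            continue
        elif e.func == "set_sec_ctx_internal":
            m = SEC_CTX_RE.search(e.msg)
            if m and m.group(1) == "0":
                current.root_ctx_during_write = True
        elif e.func == "store_acl_blob_fsp" and "setting attr failed" in e.msg:
            current.failed = True
            current.error = e.msg.rsplit("with error ", 1)[1]
            current = None
        elif e.cls == "smb2":                 # request finished without an xattr error
            current = None
    return writes


# Abridged copies of the two traces quoted in the mail.
PATCHED_TRACE = """\
[2024/02/15 19:18:14.604362, 10, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=acls] ../../source3/smbd/posix_acls.c:3366(posix_fget_nt_acl)
posix_fget_nt_acl: called for file windom4.lan/Policies
[2024/02/15 19:18:14.605851, 10, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=vfs] ../../source3/modules/vfs_acl_xattr.c:132(store_acl_blob_fsp)
store_acl_blob_fsp: storing blob length 508 on file windom4.lan/Policies
[2024/02/15 19:18:14.605864, 5, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=vfs] ../../source3/modules/vfs_acl_xattr.c:143(store_acl_blob_fsp)
store_acl_blob_fsp: setting attr failed for file windom4.lan/Policieswith error Operation not permitted
[2024/02/15 19:18:14.605876, 3, pid=344928, effective(3000023, 3000022), real(3000023, 0), class=smb2] ../../source3/smbd/smb2_server.c:4025(smbd_smb2_request_error_ex)
smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_ACCESS_DENIED] || at ../../source3/smbd/smb2_setinfo.c:137
"""

PRIOR_TRACE = """\
[2024/02/15 19:15:43.659995, 10, pid=339912, effective(3000023, 3000022), real(3000023, 0), class=vfs] ../../source3/modules/vfs_acl_xattr.c:132(store_acl_blob_fsp)
store_acl_blob_fsp: storing blob length 508 on file windom4.lan/Policies
[2024/02/15 19:15:43.659999, 4, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:206(push_sec_ctx)
push_sec_ctx(3000023, 3000022) : sec_ctx_stack_ndx = 1
[2024/02/15 19:15:43.660011, 4, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:317(set_sec_ctx_internal)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2024/02/15 19:15:43.660032, 4, pid=339912, effective(3000023, 3000022), real(3000023, 0)] ../../source3/smbd/sec_ctx.c:443(pop_sec_ctx)
pop_sec_ctx (3000023, 3000022) - sec_ctx_stack_ndx = 0
[2024/02/15 19:15:43.660040, 10, pid=339912, effective(3000023, 3000022), real(3000023, 0), class=smb2] ../../source3/smbd/smb2_server.c:3910(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: mid [38] idx[1] status[NT_STATUS_OK] body[2] dyn[no:0] at ../../source3/smbd/smb2_setinfo.c:159
"""

if __name__ == "__main__":
    for name, trace in (("patched", PATCHED_TRACE), ("prior", PRIOR_TRACE)):
        for w in audit_acl_writes(trace):
            print(name, w)
```

Run on the two traces, the script isolates the one difference between them: in the pre-commit trace a set_sec_ctx_internal to (0, 0) sits between the "storing blob" line and the request completion, while in the patched trace the store runs in the caller's own context and the xattr write fails with "Operation not permitted". The same window logic works on a full level-10 log with many requests, since each write is scoped to its own request.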