Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11) / Two bugs in change svn-22481
On Mon, Apr 30, 2007 at 09:13:48AM -0700, Jeremy Allison wrote:
> Nope - looks good. What you missed is that there
> are other areas in this loop that return without
> freeing current_ace, so your fix is good but not
> quite general enough :-).
>
> I'll add the extra SAFE_FREE's needed :-).

I'm definitely having a bad day :-). There are no extra SAFE_FREE's needed as we've added current_ace to the linked list. Doh ! :-). Your fix is perfectly correct, thanks !

Jeremy.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11) / Two bugs in change svn-22481
On Mon, Apr 30, 2007 at 06:15:01PM +0200, Jens Nissen wrote:
> Thanks Jeremy for the ACL-fix (svn-Revision 22481).
> It points out the way to go, even though I think, you had a bad day:
> IMHO, there are two bugs:
>
> (a) A minor bug in your util_sid.c change.
> The additional test
>
>     if (sid_equal(sid, &global_sid_System))
>         return True;
>
> is superfluous, as the global_sid_System is part of NT-Authority which
> is later on tested with
>
>     if (sid_equal(&dom, &global_sid_NT_Authority))
>         return True;
>
> I recommend reverting util_sid.c to revision 22480.

Ok, I'll check this out.

> (b) A severe bug in your change to posix_acls.c
>
> You have moved the test for non-mappable SIDs from a point BEFORE
> SMB_MALLOC_P to a point beyond the call "current_ace = SMB_MALLOC_P(---)".
>
> Thus your fix leaks memory of size "canon_ace" each time a non-mappable
> SID is called.
>
> The correct code in create_canon_ace_lists should look like this:
>
>     /*
>      * Silently ignore map failures in non-mappable SIDs (NT
>      * Authority, BUILTIN etc).
>      */
>
>     if (non_mappable_sid(&psa->trustee)) {
>         fstring str;
>         DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
>             sid_to_string(str, &psa->trustee) ));
>         SAFE_FREE(current_ace);
>         continue;
>     }
>
> I hope, I didn't miss a point in my analysis.

Nope - looks good. What you missed is that there are other areas in this loop that return without freeing current_ace, so your fix is good but not quite general enough :-).

I'll add the extra SAFE_FREE's needed :-).

Thanks !

Jeremy.
Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11) / Two bugs in change svn-22481
Thanks Jeremy for the ACL-fix (svn-Revision 22481).
It points out the way to go, even though I think, you had a bad day:
IMHO, there are two bugs:

(a) A minor bug in your util_sid.c change.
The additional test

    if (sid_equal(sid, &global_sid_System))
        return True;

is superfluous, as the global_sid_System is part of NT-Authority which is later on tested with

    if (sid_equal(&dom, &global_sid_NT_Authority))
        return True;

I recommend reverting util_sid.c to revision 22480.

(b) A severe bug in your change to posix_acls.c

You have moved the test for non-mappable SIDs from a point BEFORE SMB_MALLOC_P to a point beyond the call "current_ace = SMB_MALLOC_P(---)".

Thus your fix leaks memory of size "canon_ace" each time a non-mappable SID is called.

The correct code in create_canon_ace_lists should look like this:

    /*
     * Silently ignore map failures in non-mappable SIDs (NT
     * Authority, BUILTIN etc).
     */

    if (non_mappable_sid(&psa->trustee)) {
        fstring str;
        DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
            sid_to_string(str, &psa->trustee) ));
        SAFE_FREE(current_ace);
        continue;
    }

I hope, I didn't miss a point in my analysis.

Kind regards,
Jens Nissen

Jeremy Allison wrote:
> On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote:
>> I cannot set rights on an arbitrary file or folder for the Windows
>> predefined group "Authenticated Users" (which has SID S-1-5-11) via
>> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
>>
>> Everything else works:
>> - I can set rights for any other domain group.
>> - I can read the ACL entry for "Authenticated Users" in the Windows 2000
>>   File Attribute Dialog if I set it manually with setfacl before
>> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
>>   with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
>>   existence of this predefined group.
>>
>> What am I doing wrong? Is this supposed to work?
>> Is there a workaround or any other suitable mapping for this group?
>>
>> In the "Unofficial Samba + ACL Howto", there is a reference (chapter
>> 3.1.4) that this might not work, but that was back in 2003 and 4 years
>> have passed since then.
>
> What fails ? Selecting the user in the GUI ? More info on
> exactly what isn't working would be good.
>
> Jeremy.
Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)
Jens Nissen wrote:
> 1) wbinfo -Y S-1-5-11 -> 1018, which means, S-1-5-11 is mapped
> to GID 1018, contradicting that S-1-5-11 is not mapped.

Yeah. Jeremy and I discussed this earlier this week. The short version of the discussion is that the original ACL code dropped BUILTIN and WellKnown groups from the ACL even if they were mapped to a gid. This is fixed in 3.0.25rc3.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)
Gerald (Jerry) Carter wrote:
> Jens Nissen wrote:
>
>> SID S-1-5-11 ("Authenticated Users") is part of the NT Authority.
>> Why should this SID be "non-mappable"?
>
> It's not mappable to a gid.
>
>> Can I simply comment the lines out? What will
>> happen afterwards?
>
> Nope. All SIDs have to be converted to a gid.

Thanks, Jerry. But I have 4 comments (+1 extra):

1) wbinfo -Y S-1-5-11 -> 1018, which means, S-1-5-11 is mapped to GID 1018, contradicting that S-1-5-11 is not mapped.

2) If I set (with setfacl) proper rights to a folder for this group 1018 and I set "inherit permissions" for the whole share, Samba nicely copies the corresponding rights into any subfolder I create with Samba and Windows Explorer. So "Authenticated Users" becomes visible to Windows Clients on a Samba share.

3) Group S-1-5-11 does not make sense to Samba, but Windows can use it. Why is there a difference? Why can't Samba emulate Windows here?

4) Even if Samba can't make sense of S-1-5-11, others can. Think of the following scenario:
   Server A from domain A-Domain supplies Updates to Samba Server S (e.g. by using xcopy).
   Server B (which is a PDC in B-Domain) pulls this update from S (again by using xcopy).
   Clients X (from B-Domain) access the file on Server B.
   If the chain A->S->B maintains the proper rights for S-1-5-11, then X can access it, provided it can authenticate with B.

This last scenario is what our customers would like to do and what they already do using a Windows Server in place of S (which I would like to replace with a wonderful Unix server).

Do you see any reasonable way to achieve this or something similar?

Kind regards,
Jens
(/* very humble (I admit I do not see all the consequences using S-1-5-11 has) */)

P.S: IMHO, deleting ACLs which Samba cannot map probably is a bug. Think of a file which is shared between two different domains, e.g., two different Samba processes. If one process deletes EXISTING ACLs of the other process simply because it cannot map them, this can be extremely annoying. (Something like that:
   Samba Process (configuration) A -> GIDs from 1000-1999
   Samba Process (configuration) B -> GIDs from 2000-2999
   File X has ACL user:1500:RW- (via Samba Process A)
   Now a user of process (domain) B adds ACL user:2500:RWX to file X.
   Does Samba Process B automatically delete user:1500:RW-, thus making the file inaccessible from A???
   IMO, it should not be allowed to do this!
   BTW: The processes don't run concurrently at the same time, B is a kind of fallback domain in case the domain server from A fails.)

Thanks for your patience
Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)
Jens Nissen wrote:
> SID S-1-5-11 ("Authenticated Users") is part of the NT Authority.
> Why should this SID be "non-mappable"?

It's not mappable to a gid.

> Can I simply comment the lines out? What will
> happen afterwards?

Nope. All SIDs have to be converted to a gid.

cheers, jerry
Samba --- http://www.samba.org
Centeris --- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian
Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)
Reading the code, I located the bug in smbd/posix_acls.c:create_canon_ace_lists, but I do need advice of someone who knows what is going on and what to do.

The source code says:

///
    /*
     * Ignore non-mappable SIDs (NT Authority, BUILTIN etc).
     */

    if (non_mappable_sid(&psa->trustee)) {
        fstring str;
        DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
            sid_to_string(str, &psa->trustee) ));
        continue;
    }
///

SID S-1-5-11 ("Authenticated Users") is part of the NT Authority. Why should this SID be "non-mappable"? Windows Servers do allow setting this SID so I expect Samba Servers to do simply the same as the Windows Servers!

Can I simply comment the lines out? What will happen afterwards?

a) Does Samba correctly behave in case this SID is set? Will it allow reading the ACL in all cases? (It looks as if Samba displays it correctly, tested with setfacl on a small file)

b) Does Samba correctly interpret the rights if they are set? "Authenticated Users" are simply defined as
///
Quote from http://technet2.microsoft.com/WindowsServer/en/library/86cf2457-4f17-43f8-a2ab-7f4e2e5659091033.mspx?mfr=true
///
"Includes all users and computers whose identities have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password."
///
So Samba should know what to do.

c) Does it make sense to file a bug in bugzilla?

Jens
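The two code points raised in this thread, as an added example that is my own C model rather than Samba source: the non_mappable_sid() parent-SID test quoted above (assumed here to compare the SID minus its last sub-authority against NT Authority S-1-5 and BUILTIN S-1-5-32, which is also why the extra global_sid_System check discussed later is redundant), and the create_canon_ace_lists loop with the allocation counted so that the svn-22481 ordering (SMB_MALLOC_P before the non-mappable check, then a bare continue) shows up as leaked blocks next to the SAFE_FREE-before-continue fix. SAMPLE_SIDS is a constructed input.

```c
/* Added example, not Samba code: a model of the non_mappable_sid() test and the
 * create_canon_ace_lists loop from this thread, counting malloc/free so the
 * svn-22481 ordering bug shows up as a non-zero leak count. */
#include <stdlib.h>
#include <string.h>

typedef struct { int n; unsigned long a[16]; } dom_sid;        /* parts after "S-1" */
typedef struct canon_ace { struct canon_ace *next; dom_sid trustee; } canon_ace;
static const dom_sid NT_AUTHORITY = { 1, { 5 } };             /* S-1-5    */
static const dom_sid BUILTIN      = { 2, { 5, 32 } };         /* S-1-5-32 */
/* Constructed sample: Authenticated Users, BUILTIN\Administrators, a domain group, SYSTEM. */
static const char *const SAMPLE_SIDS[] = { "S-1-5-11", "S-1-5-32-544", "S-1-5-21-1-2-3-1018", "S-1-5-18" };

static int parse_sid(const char *s, dom_sid *out) {
    char *end;
    memset(out, 0, sizeof *out);
    if (strncmp(s, "S-1", 3) != 0) return 0;
    for (s += 3; *s == '-' && out->n < 16; s = end) {
        out->a[out->n++] = strtoul(s + 1, &end, 10);
        if (end == s + 1) return 0;                       /* "-" without digits */
    }
    return *s == '\0' && out->n >= 1;
}
static int sid_equal(const dom_sid *x, const dom_sid *y) {
    return x->n == y->n && memcmp(x->a, y->a, x->n * sizeof x->a[0]) == 0;
}
/* As in the quoted util_sid.c: strip the RID, compare the parent (S-1-5-18's parent is S-1-5). */
static int non_mappable_sid(const dom_sid *sid) {
    dom_sid dom = *sid;
    if (dom.n > 0) dom.n--;
    return sid_equal(&dom, &BUILTIN) || sid_equal(&dom, &NT_AUTHORITY);
}

/* Model of the create_canon_ace_lists loop.  buggy != 0 keeps the svn-22481 order (malloc,
 * then a bare continue); otherwise current_ace is freed first, as in the quoted fix.
 * Returns allocations still outstanding (0 = no leak); *kept = number of ACEs listed. */
static int build_ace_list(const char *const *sids, int count, int buggy, int *kept) {
    canon_ace *list = NULL;
    int outstanding = 0, i;
    for (i = 0, *kept = 0; i < count; i++) {
        dom_sid trustee;
        if (!parse_sid(sids[i], &trustee)) continue;
        canon_ace *current_ace = malloc(sizeof *current_ace); outstanding++;
        if (non_mappable_sid(&trustee)) {
            if (!buggy) { free(current_ace); outstanding--; }
            continue;                         /* buggy path: current_ace is lost */
        }
        current_ace->trustee = trustee; current_ace->next = list;
        list = current_ace; (*kept)++;
    }
    while (list) { canon_ace *next = list->next; free(list); list = next; outstanding--; }
    return outstanding;
}
```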
Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)
Very embarrassing indeed :-()

What I do: Put the "Authenticated Users" to the list of users already having access. I then assign some rights (let's say Read and Write) and then I press OK.

What I see: After reopening the GUI (or pressing Update), the entry has simply vanished. Checking with getfacl shows that "Authenticated Users" have received no ACL entry.

What is even stranger: I set the permissions for "Authenticated Users" with setfacl and edit a completely different domain user ACL entry and press OK again.

What I see: The ACL entry for "Authenticated Users" has gone. The ACL entry for the domain user is perfectly OK. Again, I checked with getfacl that what the GUI shows indeed is correct.

I'm using security=ADS - may this have an impact?

Jens

Jeremy Allison wrote:
> On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote:
>> I cannot set rights on an arbitrary file or folder for the Windows
>> predefined group "Authenticated Users" (which has SID S-1-5-11) via
>> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
>>
>> Everything else works:
>> - I can set rights for any other domain group.
>> - I can read the ACL entry for "Authenticated Users" in the Windows 2000
>>   File Attribute Dialog if I set it manually with setfacl before
>> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
>>   with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
>>   existence of this predefined group.
>>
>> What am I doing wrong? Is this supposed to work?
>> Is there a workaround or any other suitable mapping for this group?
>>
>> In the "Unofficial Samba + ACL Howto", there is a reference (chapter
>> 3.1.4) that this might not work, but that was back in 2003 and 4 years
>> have passed since then.
>
> What fails ? Selecting the user in the GUI ? More info on
> exactly what isn't working would be good.
>
> Jeremy.
Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)
On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote:
> I cannot set rights on an arbitrary file or folder for the Windows
> predefined group "Authenticated Users" (which has SID S-1-5-11) via
> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
>
> Everything else works:
> - I can set rights for any other domain group.
> - I can read the ACL entry for "Authenticated Users" in the Windows 2000
>   File Attribute Dialog if I set it manually with setfacl before
> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
>   with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
>   existence of this predefined group.
>
> What am I doing wrong? Is this supposed to work?
> Is there a workaround or any other suitable mapping for this group?
>
> In the "Unofficial Samba + ACL Howto", there is a reference (chapter
> 3.1.4) that this might not work, but that was back in 2003 and 4 years
> have passed since then.

What fails ? Selecting the user in the GUI ? More info on exactly what isn't working would be good.

Jeremy.
[Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)
I cannot set rights on an arbitrary file or folder for the Windows predefined group "Authenticated Users" (which has SID S-1-5-11) via SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.

Everything else works:
- I can set rights for any other domain group.
- I can read the ACL entry for "Authenticated Users" in the Windows 2000 File Attribute Dialog if I set it manually with setfacl before
- I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the existence of this predefined group.

What am I doing wrong? Is this supposed to work?
Is there a workaround or any other suitable mapping for this group?

In the "Unofficial Samba + ACL Howto", there is a reference (chapter 3.1.4) that this might not work, but that was back in 2003 and 4 years have passed since then.

Kind regards for any hint,
Jens

P.S: smb.conf output from testparm, nt acl support = Yes is also set (testparm does not show it)

    [global]
        dos charset = ISO-8859-1
        unix charset = ISO-8859-1
        display charset = ISO-8859-1
        workgroup = XXX
        realm = XXX.TEST
        security = ADS
        password server = xxx.xxx.test
        passdb backend = tdbsam
        guest account = samba
        name resolve order = host wins bcast
        idmap uid = 1000-6
        idmap gid = 1000-6
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind nss info = rfc2307
        ldapsam:trusted = Yes
        admin users = XXX\\Administrator
        ea support = Yes
        map acl inherit = Yes
        hide dot files = No
        map hidden = Yes
        map readonly = permissions
        dos filemode = Yes

    [homes]
        comment = Home Directories
        read only = No
        browseable = No
        preexec = mkdir -m 700 %P

    [shared]
        comment = ACL shared folder
        path = /export/shared
        read only = No
        create mask = 0777
        directory mask = 0777