Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11) / Two bugs in change svn-22481

2007-04-30 Thread Jeremy Allison
On Mon, Apr 30, 2007 at 09:13:48AM -0700, Jeremy Allison wrote:

> Nope - looks good. What you missed is that there
> are other areas in this loop that return without
> freeing current_ace, so your fix is good but not
> quite general enough :-).
> 
> I'll add the extra SAFE_FREE's needed :-).

I'm definitely having a bad day :-). There
are no extra SAFE_FREE's needed, as we've
added current_ace to the linked list.

Doh ! :-).

Your fix is perfectly correct, thanks !

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11) / Two bugs in change svn-22481

2007-04-30 Thread Jeremy Allison
On Mon, Apr 30, 2007 at 06:15:01PM +0200, Jens Nissen wrote:
> Thanks Jeremy for the ACL-fix (svn-Revision 22481).
> It points out the way to go, even though I think you had a bad day:
> IMHO, there are two bugs:
> 
> (a) A minor bug in your util_sid.c - change.
> The additional test
> 
>   if (sid_equal(sid, &global_sid_System))
>   return True;
> 
> is superfluous, as the global_sid_System is part of NT-Authority which
> is later on tested with
> 
>   if (sid_equal(&dom, &global_sid_NT_Authority))
>   return True;
> 
> I recommend reverting util_sid.c to revision 22480.

Ok, I'll check this out.

> (b) A severe bug in your change to posix_acls.c
> 
> You have moved the test for non-mappable SIDs from a point BEFORE
> SMB_MALLOC_P to a point beyond the call "current_ace = SMB_MALLOC_P(---)".
> 
> Thus your fix leaks memory of size "canon_ace" each time a non-mappable
> SID is called.
> 
> The correct code in create_canon_ace_lists should look like this:
> 
>   /*
>    * Silently ignore map failures in non-mappable SIDs (NT
>    * Authority, BUILTIN etc).
>    */
> 
>   if (non_mappable_sid(&psa->trustee)) {
>     fstring str;
>     DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
>           sid_to_string(str, &psa->trustee) ));
>     SAFE_FREE(current_ace);
>     continue;
>   }
> 
> 
> I hope I didn't miss a point in my analysis.

Nope - looks good. What you missed is that there
are other areas in this loop that return without
freeing current_ace, so your fix is good but not
quite general enough :-).

I'll add the extra SAFE_FREE's needed :-).

Thanks !

Jeremy.


Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11) / Two bugs in change svn-22481

2007-04-30 Thread Jens Nissen
Thanks Jeremy for the ACL-fix (svn-Revision 22481).
It points out the way to go, even though I think you had a bad day:
IMHO, there are two bugs:

(a) A minor bug in your util_sid.c - change.
The additional test

if (sid_equal(sid, &global_sid_System))
return True;

is superfluous, as the global_sid_System is part of NT-Authority which
is later on tested with

if (sid_equal(&dom, &global_sid_NT_Authority))
return True;

I recommend reverting util_sid.c to revision 22480.

(b) A severe bug in your change to posix_acls.c

You have moved the test for non-mappable SIDs from a point BEFORE
SMB_MALLOC_P to a point beyond the call "current_ace = SMB_MALLOC_P(---)".

Thus your fix leaks memory of size "canon_ace" each time a non-mappable
SID is called.

The correct code in create_canon_ace_lists should look like this:

  /*
   * Silently ignore map failures in non-mappable SIDs (NT
   * Authority, BUILTIN etc).
   */

  if (non_mappable_sid(&psa->trustee)) {
    fstring str;
    DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
          sid_to_string(str, &psa->trustee) ));
    SAFE_FREE(current_ace);
    continue;
  }


I hope I didn't miss a point in my analysis.

Kind regards,

Jens Nissen


Jeremy Allison wrote:
> On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote:
>> I cannot set rights on an arbitrary file or folder for the Windows
>> predefined group "Authenticated Users" (which has SID S-1-5-11) via
>> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
>>
>> Everything else works:
>> - I can set rights for any other domain group.
>> - I can read the ACL entry for "Authenticated Users" in the Windows 2000
>> File Attribute Dialog if I set it manually with setfacl before
>> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
>> with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
>> existence of this predefined group.
>>
>> What am I doing wrong? Is this supposed to work?
>> Is there a workaround or any other suitable mapping for this group?
>>
>> In the "Unofficial Samba + ACL Howto", there is a reference (chapter
>> 3.1.4) that this might not work, but that was back in 2003 and 4 years
>> have passed since then.
> 
> What fails ? Selecting the user in the GUI ? More info on
> exactly what isn't working would be good.
> 
> Jeremy.
> 



Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)

2007-04-27 Thread Gerald (Jerry) Carter

Jens Nissen wrote:

> 1) wbinfo -Y S-1-5-11 -> 1018, which means S-1-5-11 is mapped
> to GID 1018, contradicting that S-1-5-11 is not mapped.

Yeah.  Jeremy and I discussed this earlier this week.  The
short version of the discussion is that the original ACL
code dropped BUILTIN and WellKnown groups from the ACL
even if they were mapped to a gid.  This is fixed in 3.0.25rc3.

cheers, jerry
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)

2007-04-18 Thread Jens Nissen
Gerald (Jerry) Carter wrote:
> Jens Nissen wrote:
> 
>> SID S-1-5-11 ("Authenticated Users") is part of the NT Authority.
>> Why should this SID be "non-mappable"?
> 
> It's not mappable to a gid.
> 
>> Can I simply comment the lines out? What will 
>> happen afterwards?
> 
> Nope.  All SIDs have to be converted to a gid.
> 

Thanks, Jerry.

But I have 4 comments (+1 extra):

1) wbinfo -Y S-1-5-11 -> 1018, which means S-1-5-11 is mapped to GID
1018, contradicting that S-1-5-11 is not mapped.

2) If I set (with setfacl) proper rights to a folder for this group 1018
and I set "inherit permissions" for the whole share, Samba nicely copies
the corresponding rights into any subfolder I create with Samba and
Windows Explorer. So "Authenticated Users" becomes visible to Windows
Clients on a Samba share.

3) Group S-1-5-11 does not make sense to Samba, but Windows can use it.
Why is there a difference? Why can't Samba emulate Windows here?

4) Even if Samba can't make sense of S-1-5-11, others can.
Think of the following scenario:
Server A from domain A-Domain supplies Updates to Samba Server S (e.g.
by using xcopy).
Server B (which is a PDC in B-Domain) pulls this update from S (again by
using xcopy)
Clients X (from B-Domain) access the file on Server B.
If the chain A->S->B maintains the proper rights for S-1-5-11, then X
can access it, provided it can authenticate with B.

This last scenario is what our customers would like to do and what they
already do using a Windows Server in place S (which I would like to
replace with a wonderful Unix server)
Do you see any reasonable way to achieve this or something similar?

Kind regards,

Jens (/* very humble (I admit I do not see all the consequences using
S-1-5-11 has) */)

P.S: IMHO, deleting ACLs which Samba cannot map is probably a bug.
Think of a file, which is shared between two different domains, e.g.,
two different Samba processes. If one process deletes EXISTING ACLs of
the other process simply because it cannot map them, this can be
extremely annoying.
(
Something like that:
Samba Process (configuration) A -> GIDs from 1000-1999
Samba Process (configuration) B -> GIDs from 2000-2999
File X has ACL user:1500:RW- (via Samba Process A)
Now a user of process (domain) B adds ACL user:2500:RWX to file X.
Does Samba Process B automatically delete user:1500:RW- thus making the
file unaccessible from A???
IMO, it should not be allowed to do this!
BTW: The processes don't run concurrently at the same time, B is a kind
of fallback domain in case the domain server from A fails.
)

Thanks for your patience



Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)

2007-04-17 Thread Gerald (Jerry) Carter

Jens Nissen wrote:

> SID S-1-5-11 ("Authenticated Users") is part of the NT Authority.
> Why should this SID be "non-mappable"?

It's not mappable to a gid.

> Can I simply comment the lines out? What will 
> happen afterwards?

Nope.  All SIDs have to be converted to a gid.


cheers, jerry
Samba--- http://www.samba.org
Centeris ---  http://www.centeris.com
"What man is a man who does not make the world better?"  --Balian


Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)

2007-04-17 Thread Jens Nissen
Reading the code, I located the bug in
smbd/posix_acls.c:create_canon_ace_lists, but I do need advice of
someone who knows what is going on and what to do.

The source code says:

///
/*
 * Ignore non-mappable SIDs (NT Authority, BUILTIN etc).
 */

if (non_mappable_sid(&psa->trustee)) {
    fstring str;
    DEBUG(10,("create_canon_ace_lists: ignoring non-mappable SID %s\n",
          sid_to_string(str, &psa->trustee) ));
    continue;
}
///

SID S-1-5-11 ("Authenticated Users") is part of the NT Authority.
Why should this SID be "non-mappable"?
Windows Servers do allow setting this SID so I expect Samba Servers to
do simply the same as the Windows Servers!

Can I simply comment the lines out? What will happen afterwards?
a) Does Samba correctly behave in case this SID is set? Will it allow
reading the ACL in all cases? (It looks as if Samba displays it
correctly, tested with setfacl on a small file)

b) Does Samba correctly interpret the rights if they are set?
"Authenticated Users" are simply defined as
/// Quote from
http://technet2.microsoft.com/WindowsServer/en/library/86cf2457-4f17-43f8-a2ab-7f4e2e5659091033.mspx?mfr=true
///
"Includes all users and computers whose identities have been
authenticated. Authenticated Users does not include Guest even if the
Guest account has a password."
///
///
So Samba should know what to do.

c) Does it make sense to file a bug in bugzilla?

Jens


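A worked model of the two points in Jens Nissen's 2007-04-30 analysis earlier on this page (the redundant global_sid_System test in util_sid.c, and the allocation leaked on the non-mappable `continue` path in create_canon_ace_lists) and of the question this message asks about why non_mappable_sid() rejects S-1-5-11. This is an added example, not Samba code: sid_t, sid_parse, sid_equal, sid_split_rid, non_mappable_sid and build_canon_list are constructed stand-ins for Samba's DOM_SID helpers and for the create_canon_ace_lists loop, and the trustee list (two principals from a made-up S-1-5-21-1111-2222-3333 domain plus three well-known SIDs) is constructed for the demonstration, not taken from the thread.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a Windows SID (not Samba's DOM_SID): revision 1, one
 * identifier authority, up to 15 sub-authorities. */
#define MAX_SUB_AUTHS 15
typedef struct { unsigned id_auth, num_auths, sub_auths[MAX_SUB_AUTHS]; } sid_t;

/* Parse "S-1-<auth>[-<sub>...]"; returns false on malformed input. */
static bool sid_parse(const char *s, sid_t *out)
{
    unsigned rev;
    int used = 0;

    memset(out, 0, sizeof *out);
    if (sscanf(s, "S-%u-%u%n", &rev, &out->id_auth, &used) != 2 || rev != 1)
        return false;
    for (s += used; *s == '-'; s += used) {
        if (out->num_auths == MAX_SUB_AUTHS ||
            sscanf(s, "-%u%n", &out->sub_auths[out->num_auths], &used) != 1)
            return false;
        out->num_auths++;
    }
    return *s == '\0';
}

static bool sid_equal(const sid_t *a, const sid_t *b)
{
    return a->id_auth == b->id_auth && a->num_auths == b->num_auths &&
           !memcmp(a->sub_auths, b->sub_auths, a->num_auths * sizeof *a->sub_auths);
}

/* Strip the trailing sub-authority (the RID), leaving the domain part. */
static void sid_split_rid(sid_t *sid, unsigned *rid)
{
    *rid = sid->num_auths ? sid->sub_auths[--sid->num_auths] : 0;
}

/* Model of the domain test in non_mappable_sid(): drop the RID and compare
 * what is left with NT Authority (S-1-5) and BUILTIN (S-1-5-32). */
static bool non_mappable_sid(const sid_t *sid)
{
    sid_t dom = *sid, nt_authority, builtin;
    unsigned rid;

    sid_parse("S-1-5", &nt_authority);
    sid_parse("S-1-5-32", &builtin);
    sid_split_rid(&dom, &rid);
    return sid_equal(&dom, &nt_authority) || sid_equal(&dom, &builtin);
}

/* Point (a): an explicit sid_equal(sid, &global_sid_System) test adds nothing
 * when the domain test already accepts S-1-5-18. */
static bool system_check_is_redundant(void)
{
    sid_t sys;
    return sid_parse("S-1-5-18", &sys) && non_mappable_sid(&sys);
}

typedef struct canon_ace { struct canon_ace *next; sid_t trustee; } canon_ace;

/* Constructed ACL: two domain principals and three well-known trustees. */
static const char *const TRUSTEES[] = {
    "S-1-5-21-1111-2222-3333-1018", /* domain group, mappable to a gid   */
    "S-1-5-11",                     /* Authenticated Users, NT Authority */
    "S-1-5-18",                     /* SYSTEM, NT Authority              */
    "S-1-5-32-544",                 /* BUILTIN Administrators            */
    "S-1-5-21-1111-2222-3333-1106", /* domain user, mappable to a uid    */
};
#define N_TRUSTEES (sizeof TRUSTEES / sizeof *TRUSTEES)

/* Point (b): model of the create_canon_ace_lists loop with the allocation
 * placed before the non-mappable test.  free_on_skip selects the corrected
 * ordering (SAFE_FREE before continue).  Returns the number of ACEs kept and
 * stores in *leaked how many allocations the loop lost track of. */
static size_t build_canon_list(bool free_on_skip, size_t *leaked)
{
    canon_ace *head = NULL, *cur, *abandoned[N_TRUSTEES];
    size_t kept = 0, n_abandoned = 0;

    for (size_t i = 0; i < N_TRUSTEES; i++) {
        cur = calloc(1, sizeof *cur);            /* current_ace = SMB_MALLOC_P(...) */
        if (!cur || !sid_parse(TRUSTEES[i], &cur->trustee)) { free(cur); continue; }
        if (non_mappable_sid(&cur->trustee)) {
            if (free_on_skip)
                free(cur);                       /* SAFE_FREE(current_ace) */
            else
                abandoned[n_abandoned++] = cur;  /* buggy path: pointer dropped */
            continue;
        }
        cur->next = head;                        /* kept ACEs go on the list */
        head = cur;
        kept++;
    }
    while (head) { cur = head->next; free(head); head = cur; }
    *leaked = n_abandoned;
    /* Released here only so this model does not itself leak; the real loop
     * holds no reference to these blocks once it has continued. */
    while (n_abandoned) free(abandoned[--n_abandoned]);
    return kept;
}
```

For this constructed ACL, build_canon_list(false, ...) keeps the two domain principals and reports three lost allocations (one per well-known trustee), build_canon_list(true, ...) keeps the same two and reports none, and system_check_is_redundant() returns true because S-1-5-18 with its RID removed is S-1-5, exactly the NT Authority comparison that follows it.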


Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)

2007-04-13 Thread Jens Nissen
Very embarrassing indeed :-()

What I do: Put the "Authenticated Users" to the list of users already
having access. I then assign some rights (let's say Read and Write) and
then I press OK.
What I see: After reopening the GUI (or pressing Update), the entry has
simply vanished. Checking with getfacl shows that "Authenticated Users"
has received no ACL entry.

What is even stranger: I set the permissions for "Authenticated Users"
with setfacl and edit a completely different domain user ACL entry and
press OK again.
What I see: The ACL entry for "Authenticated Users" has gone. The ACL
entry for the domain user is perfectly OK. Again, I checked with getfacl
that what the GUI shows is indeed correct.

I'm using security=ADS - may this have an impact?

Jens

Jeremy Allison wrote:
> On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote:
>> I cannot set rights on an arbitrary file or folder for the Windows
>> predefined group "Authenticated Users" (which has SID S-1-5-11) via
>> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
>>
>> Everything else works:
>> - I can set rights for any other domain group.
>> - I can read the ACL entry for "Authenticated Users" in the Windows 2000
>> File Attribute Dialog if I set it manually with setfacl before
>> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
>> with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
>> existence of this predefined group.
>>
>> What am I doing wrong? Is this supposed to work?
>> Is there a workaround or any other suitable mapping for this group?
>>
>> In the "Unofficial Samba + ACL Howto", there is a reference (chapter
>> 3.1.4) that this might not work, but that was back in 2003 and 4 years
>> have passed since then.
> 
> What fails ? Selecting the user in the GUI ? More info on
> exactly what isn't working would be good.
> 
> Jeremy.
> 



Re: [Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)

2007-04-12 Thread Jeremy Allison
On Thu, Apr 12, 2007 at 08:06:21PM +0200, Jens Nissen wrote:
> I cannot set rights on an arbitrary file or folder for the Windows
> predefined group "Authenticated Users" (which has SID S-1-5-11) via
> SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.
> 
> Everything else works:
> - I can set rights for any other domain group.
> - I can read the ACL entry for "Authenticated Users" in the Windows 2000
> File Attribute Dialog if I set it manually with setfacl before
> - I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
> with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
> existence of this predefined group.
> 
> What am I doing wrong? Is this supposed to work?
> Is there a workaround or any other suitable mapping for this group?
> 
> In the "Unofficial Samba + ACL Howto", there is a reference (chapter
> 3.1.4) that this might not work, but that was back in 2003 and 4 years
> have passed since then.

What fails ? Selecting the user in the GUI ? More info on
exactly what isn't working would be good.

Jeremy.


[Samba] Cannot set ACL rights for group "Authenticated Users" (SID S-1-5-11)

2007-04-12 Thread Jens Nissen
I cannot set rights on an arbitrary file or folder for the Windows
predefined group "Authenticated Users" (which has SID S-1-5-11) via
SAMBA 3.0.23d and the standard Windows 2000 File Attribute Dialog.

Everything else works:
- I can set rights for any other domain group.
- I can read the ACL entry for "Authenticated Users" in the Windows 2000
File Attribute Dialog if I set it manually with setfacl before
- I am using tdbsam and the SID S-1-5-11 is mapped to GID 1018 (checked
with "wbinfo -Y"), so SAMBA and Windows both seem to agree on the
existence of this predefined group.

What am I doing wrong? Is this supposed to work?
Is there a workaround or any other suitable mapping for this group?

In the "Unofficial Samba + ACL Howto", there is a reference (chapter
3.1.4) that this might not work, but that was back in 2003 and 4 years
have passed since then.

Kind regards for any hint,

Jens

P.S: smb.conf output from testparm, nt acl support = Yes is also set
(testparm does not show it)

[global]
dos charset = ISO-8859-1
unix charset = ISO-8859-1
display charset = ISO-8859-1
workgroup = XXX
realm = XXX.TEST
security = ADS
password server = xxx.xxx.test
passdb backend = tdbsam
guest account = samba
name resolve order = host wins bcast
idmap uid = 1000-6
idmap gid = 1000-6
winbind enum users = Yes
winbind enum groups = Yes
winbind nss info = rfc2307
ldapsam:trusted = Yes
admin users = XXX\\Administrator
ea support = Yes
map acl inherit = Yes
hide dot files = No
map hidden = Yes
map readonly = permissions
dos filemode = Yes

[homes]
comment = Home Directories
read only = No
browseable = No
preexec = mkdir -m 700 %P

[shared]
comment = ACL shared folder
path = /export/shared
read only = No
create mask = 0777
directory mask = 0777
