Bug 12243 - Owner not set to builtin-admins or system if parent dir has no inheritable ACEs
Summary: Owner not set to builtin-admins or system if parent dir has no inheritable ACEs
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-06 16:43 UTC by Ralph Böhme
Modified: 2016-09-06 16:43 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ralph Böhme 2016-09-06 16:43:02 UTC
When applying an SD to a new filesystem object, Windows sets the owner of the new object to builtin-admins  if the user is member of builtin-admins (similar for a system token).

On a Windows server this works regardless of whether the parent dir has inheritable ACEs or not:

$ ./bin/smbcacls -U Administrator%Passw0rd --numeric //10.10.10.14/data "dir"
REVISION:1
CONTROL:0x9404
OWNER:S-1-5-21-124412504-3197034837-3775081848-500
GROUP:S-1-5-21-124412504-3197034837-3775081848-513
ACL:S-1-5-21-124412504-3197034837-3775081848-500:0/0x0/0x001f01ff

$ ./bin/smbcacls -U Administrator%Passw0rd --numeric //10.10.10.14/data "dir/bitmap2.bmp"
REVISION:1
CONTROL:0x8404
OWNER:S-1-5-32-544
GROUP:S-1-5-21-124412504-3197034837-3775081848-513
ACL:S-1-5-32-544:0/0x0/0x001f01ff
ACL:S-1-5-18:0/0x0/0x001f01ff
ACL:S-1-5-5-0-144291:0/0x0/0x001200a9

$ ./bin/smbcacls -U Administrator%Passw0rd --numeric //10.10.10.14/data ""
REVISION:1
CONTROL:0x9404
OWNER:S-1-5-21-124412504-3197034837-3775081848-500
GROUP:S-1-5-21-124412504-3197034837-3775081848-513
ACL:S-1-5-21-124412504-3197034837-3775081848-500:0/0x3/0x001f01ff

[slow@kazak scratch]$ ./bin/smbcacls -U Administrator%Passw0rd --numeric //10.10.10.14/data "bitmap2.bmp"
REVISION:1
CONTROL:0x8404
OWNER:S-1-5-32-544
GROUP:S-1-5-21-124412504-3197034837-3775081848-513
ACL:S-1-5-21-124412504-3197034837-3775081848-500:0/0x10/0x001f01ff

On a Samba server the logic that implements the owner munging in inherit_new_acl() is only triggered if the parent ACL has inherited ACEs:

$ ./bin/smbcacls -U Administrator%locDCpass1 --numeric //127.0.0.30/tmp "dir" 
REVISION:1
CONTROL:0x8004
OWNER:S-1-5-32-544
GROUP:S-1-5-21-182694069-1167759452-2038352965-513
ACL:S-1-5-21-182694069-1167759452-2038352965-500:0/0x0/0x001f01ff
[slow@kazak scratch]$ ./bin/smbclient -U Administrator%locDCpass1 //127.0.0.30/tmp -c "put README dir/README"
Domain=[ADDOMAIN] OS=[Windows 6.1] Server=[Samba 4.6.0pre1-DEVELOPERBUILD]
putting file README as \dir/README (2883.7 kb/s) (average 2883.8 kb/s)

$ ./bin/smbcacls -U Administrator%locDCpass1 --numeric //127.0.0.30/tmp "dir/README" 
REVISION:1
CONTROL:0x8004
==> OWNER:S-1-5-21-182694069-1167759452-2038352965-500
GROUP:S-1-22-2-1000
ACL:S-1-5-21-182694069-1167759452-2038352965-500:0/0x0/0x001f019f
ACL:S-1-22-2-1000:0/0x0/0x00120089
ACL:S-1-1-0:0/0x0/0x00120089

Owner should be S-1-5-32-544 from token.