Bug 12403 - smbcacls is unable to set an acl by a name when SMB2 is enabled
smbcacls is unable to set an acl by a name when SMB2 is enabled
Status: RESOLVED DUPLICATE of bug 12831
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
4.4.6
All All
: P5 normal
: ---
Assigned To: Andrew Bartlett
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-10-31 21:33 UTC by John Mulligan
Modified: 2017-07-04 14:47 UTC (History)
0 users

See Also:


Attachments
smbcacls & smbd logs (84.47 KB, application/x-bzip)
2016-10-31 21:33 UTC, John Mulligan
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description John Mulligan 2016-10-31 21:33:12 UTC
Created attachment 12619 [details]
smbcacls & smbd logs

On systems running with the option 'client max protocol = SMB3' specified in smb.conf I can not longer set acls with a name specified in the "acl string". It does work when a sid is used.

Example:

[root@foo-6by6fe6f tmp]# rm -rf bob
[root@foo-6by6fe6f tmp]# mkdir bob
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@foo-6by6fe6f tmp]# smbcacls  -U 'johnm%Xxxxxxx1'  '-S'  'ACL:S-1-5-11:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'
WARNING: The "syslog" option is deprecated
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:200004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:200004:rwx
default:mask::rwx
default:other::---

[root@foo-6by6fe6f tmp]# rm -rf bob
[root@foo-6by6fe6f tmp]# mkdir bob
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@foo-6by6fe6f tmp]# smbcacls  -U 'johnm%Xxxxxxx1'  '-S'  'ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'
WARNING: The "syslog" option is deprecated
Failed to open \bob: NT_STATUS_NETWORK_NAME_DELETED
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@foo-6by6fe6f tmp]# smbcacls  -U 'johnm%Xxxxxxx1'  '-S'  'ACL:S-1-5-11:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'
WARNING: The "syslog" option is deprecated
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:200004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:200004:rwx
default:mask::rwx
default:other::---


I'm attaching a tarball with the output of the following commands:
# smbcacls -d10 -U 'johnm%Xxxxxxx1'  '-S'  'ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'  &> byname.txt
# smbcacls -d10 -U 'johnm%Xxxxxxx1'  '-S'  'ACL:S-1-5-11:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'  &> bysid.txt

along with the corresponding log.smb at level 10.

At first I was going to blame Samba 4.4 but a little more investigation showed that this was due to a new setting on my 4.4 system 'client max protocol = SMB3' and if I removed this option to set it back to the default the by-name command succeeded. I then ran smbcacls on my 4.2 instance with --option="client max protocol = SMB2" and it failed like the earlier 4.4 command.

For now I can work around the issue by running :

smbcacls --option="client max protocol = NT1" -d10 -U 'johnm%Xxxxxxx1'  '-S'  'ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'

or the SID based version earlier.


Please let me know if there is any other information I can provide that will be helpful. Thank you.
Comment 1 Ralph Böhme 2017-07-04 14:47:31 UTC

*** This bug has been marked as a duplicate of bug 12831 ***