Bug 12403 - smbcacls is unable to set an acl by a name when SMB2 is enabled
Status: RESOLVED DUPLICATE of bug 12831
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.4.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2016-10-31 21:33 UTC by John Mulligan
Modified: 2017-07-04 14:47 UTC

Attachments
smbcacls & smbd logs (84.47 KB, application/x-bzip)
2016-10-31 21:33 UTC, John Mulligan

Description John Mulligan 2016-10-31 21:33:12 UTC
Created attachment 12619
smbcacls & smbd logs

On systems running with the option 'client max protocol = SMB3' specified in smb.conf I can no longer set ACLs with a name specified in the "acl string". It does work when a SID is used.

Example:

[root@foo-6by6fe6f tmp]# rm -rf bob
[root@foo-6by6fe6f tmp]# mkdir bob
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@foo-6by6fe6f tmp]# smbcacls  -U 'johnm%Xxxxxxx1'  '-S'  'ACL:S-1-5-11:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'
WARNING: The "syslog" option is deprecated
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:200004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:200004:rwx
default:mask::rwx
default:other::---

[root@foo-6by6fe6f tmp]# rm -rf bob
[root@foo-6by6fe6f tmp]# mkdir bob
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@foo-6by6fe6f tmp]# smbcacls  -U 'johnm%Xxxxxxx1'  '-S'  'ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'
WARNING: The "syslog" option is deprecated
Failed to open \bob: NT_STATUS_NETWORK_NAME_DELETED
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@foo-6by6fe6f tmp]# smbcacls  -U 'johnm%Xxxxxxx1'  '-S'  'ACL:S-1-5-11:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'
WARNING: The "syslog" option is deprecated
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:200004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:200004:rwx
default:mask::rwx
default:other::---


I'm attaching a tarball with the output of the following commands:
# smbcacls -d10 -U 'johnm%Xxxxxxx1'  '-S'  'ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'  &> byname.txt
# smbcacls -d10 -U 'johnm%Xxxxxxx1'  '-S'  'ACL:S-1-5-11:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'  &> bysid.txt

along with the corresponding log.smb at level 10.

At first I was going to blame Samba 4.4, but a little more investigation showed that this was due to a new setting on my 4.4 system, 'client max protocol = SMB3', and if I removed this option to set it back to the default, the by-name command succeeded. I then ran smbcacls on my 4.2 instance with --option="client max protocol = SMB2" and it failed like the earlier 4.4 command.

For now I can work around the issue by running:

smbcacls --option="client max protocol = NT1" -d10 -U 'johnm%Xxxxxxx1'  '-S'  'ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x3/FULL'  '//localhost/$$temporary$$' '/bob'

or the SID-based version earlier.


Please let me know if there is any other information I can provide that will be helpful. Thank you.
Comment 1 Ralph Böhme 2017-07-04 14:47:31 UTC

*** This bug has been marked as a duplicate of bug 12831 ***