Created attachment 12619
smbcacls & smbd logs

On systems running with the option 'client max protocol = SMB3' specified in smb.conf I can no longer set ACLs with a name specified in the "acl string". It does work when a SID is used.

Example:

[root@foo-6by6fe6f tmp]# rm -rf bob
[root@foo-6by6fe6f tmp]# mkdir bob
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@foo-6by6fe6f tmp]# smbcacls -U 'johnm%Xxxxxxx1' '-S' 'ACL:S-1-5-11:ALLOWED/0x3/FULL' '//localhost/$$temporary$$' '/bob'
WARNING: The "syslog" option is deprecated
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:200004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:200004:rwx
default:mask::rwx
default:other::---

[root@foo-6by6fe6f tmp]# rm -rf bob
[root@foo-6by6fe6f tmp]# mkdir bob
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@foo-6by6fe6f tmp]# smbcacls -U 'johnm%Xxxxxxx1' '-S' 'ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x3/FULL' '//localhost/$$temporary$$' '/bob'
WARNING: The "syslog" option is deprecated
Failed to open \bob: NT_STATUS_NETWORK_NAME_DELETED
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
group::r-x
other::r-x

[root@foo-6by6fe6f tmp]# smbcacls -U 'johnm%Xxxxxxx1' '-S' 'ACL:S-1-5-11:ALLOWED/0x3/FULL' '//localhost/$$temporary$$' '/bob'
WARNING: The "syslog" option is deprecated
[root@foo-6by6fe6f tmp]# getfacl bob
# file: bob
# owner: root
# group: root
user::rwx
user:root:rwx
group::---
group:root:---
group:200004:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:root:---
default:group:200004:rwx
default:mask::rwx
default:other::---

I'm attaching a tarball with the output of the following commands:

# smbcacls -d10 -U 'johnm%Xxxxxxx1' '-S' 'ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x3/FULL' '//localhost/$$temporary$$' '/bob' &> byname.txt
# smbcacls -d10 -U 'johnm%Xxxxxxx1' '-S' 'ACL:S-1-5-11:ALLOWED/0x3/FULL' '//localhost/$$temporary$$' '/bob' &> bysid.txt

along with the corresponding log.smb at level 10.

At first I was going to blame Samba 4.4, but a little more investigation showed that this was due to a new setting on my 4.4 system, 'client max protocol = SMB3', and if I removed this option to set it back to the default, the by-name command succeeded. I then ran smbcacls on my 4.2 instance with --option="client max protocol = SMB2" and it failed like the earlier 4.4 command.

For now I can work around the issue by running:

smbcacls --option="client max protocol = NT1" -d10 -U 'johnm%Xxxxxxx1' '-S' 'ACL:NT AUTHORITY\Authenticated Users:ALLOWED/0x3/FULL' '//localhost/$$temporary$$' '/bob'

or the SID-based version earlier.

Please let me know if there is any other information I can provide that will be helpful.

Thank you.

*** This bug has been marked as a duplicate of bug 12831 ***