Created attachment 13265 [details]
This is the output of the failed smbcacls call with debug 10.
We run the smbcacls tool from a Linux machine to set file permissions on a Windows server.
Here is our environment:
Linux machine: Ubuntu 14.04 LTS, kernel version 3.13.0-112-generic
Samba version: 4.3.11
Windows machine: Windows Server 2012
The cmd we run is something like the following:
/usr/bin/smbcacls -U 'Domain\Administrator'%'pwd' '//win_server/testshare' 'TestFolder\Test.txt' -S 'REVISION:1','ACL:win_server\Administrator:DENIED/0/0x100116','ACL:win_server\Administrator:ALLOWED/0/0x1200a9','ACL:Domain\Administrator:ALLOWED/16/FULL'
The smbcacls cmd worked until recently. Due to the recent Windows patch which disables SMB v1, we have to add the following line to the [global] section of the smb.conf file on the Linux machine so that smbcacls can talk to the Windows server; otherwise it gets the error NT_STATUS_CONNECTION_RESET:
client max protocol = SMB3
With this option added, the smbcacls cmd ran into the error NT_STATUS_NETWORK_NAME_DELETED.
But if we just run the smbcacls cmd to get ACLs, like
/usr/bin/smbcacls -U 'Domain\Administrator'%'pwd' '//win_server/testshare' 'TestFolder\Test.txt'
it works without any problem, and does return all ACL entries.
If we remove this "client max protocol == SMB3" option from the smb.conf file and turn on SMBv1 on the Windows server side, exactly the same smbcacls cmd for setting permissions works as before.
Created attachment 13274 [details]
"Raw" patch for master.
This seems to pass a local make test.
The problem is that we have cases in our client tools where we expect to be able to temporarily replace the tcon connection struct internally to the client with a new connection to IPC$, do some calls on that new connection, then replace the old values of the tcon and continue.
This has some problems. (a). It only worked for SMB1 (for SMB2 we overwrote the tcon pointer) and (b). It didn't really work for SMB1 either - we ended up with a bastardized cli->smb1.tcon pointer that contains type and string from the IPC$ connection whilst being connected to the share connection.
This patch unifies the cli->smb[1|2].tcon pointer handling and allows temporary replacement of the pointer, and also SMB2 access to get/set the 32-bit tid value.
Most of this patch is fixing up the smbclient/smbcacls and smbtorture3 code so everything keeps working.
Next job is to split this into micro commits so Ralph can follow it and review (yeah I asked for review already, but I don't really want a formal +1 as it's not complete yet, if you do a +1 on it it'll be more of a "yeah, this looks OK" comment :-).
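The tcon replacement problem described in the comment above, reduced to a toy model. This is an added example, not Samba code and not part of the attached patch; the struct layout, function names, tid values and share strings are all hypothetical or constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified types: not Samba's real structures. */
struct tcon { uint32_t tid; char service[16]; char dev_type[8]; };
struct client { struct tcon *tcon; };

/* Stand-in for a tree connect to IPC$ that fills in a tcon in place. */
static void tree_connect_ipc(struct tcon *t)
{
    *t = (struct tcon){ 2, "IPC$", "IPC" };   /* constructed values */
}

/* Problem pattern: only the tid is saved, so the share's tcon keeps IPC$ strings. */
static void ipc_detour_save_tid_only(struct client *c)
{
    uint32_t saved_tid = c->tcon->tid;
    tree_connect_ipc(c->tcon);        /* overwrites the share's tcon */
    c->tcon->tid = saved_tid;         /* tid is back, strings are not */
}

/* Unified pattern: swap the whole pointer, then put the original back. */
static void ipc_detour_swap_pointer(struct client *c)
{
    struct tcon *share = c->tcon;     /* save the pointer, not a field */
    struct tcon ipc = {0};
    c->tcon = &ipc;
    tree_connect_ipc(c->tcon);        /* IPC$ calls would run here */
    c->tcon = share;                  /* original tcon is untouched */
}

/* Returns 1 if the client's tcon still fully describes the original share. */
static int tcon_matches_share(const struct client *c, const struct tcon *want)
{
    return c->tcon->tid == want->tid && !strcmp(c->tcon->service, want->service)
           && !strcmp(c->tcon->dev_type, want->dev_type);
}

int main(void)
{
    const struct tcon want = { 1, "testshare", "A:" };   /* constructed */
    struct tcon a = want, b = want;
    struct client c1 = { &a }, c2 = { &b };
    ipc_detour_save_tid_only(&c1);
    ipc_detour_swap_pointer(&c2);
    printf("tid-only restore intact: %d, pointer swap intact: %d\n",
           tcon_matches_share(&c1, &want), tcon_matches_share(&c2, &want));
    return 0;
}
```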
Reproducer (from the mailing list).
> Just tried but couldn't reproduce this against an smbd server running
> master. Ralph, do you have a reproducer ?
$ ./bin/smbcacls -m smb3 -U slow%x //localhost/share "" -a "ACL:SLOWSERVER\slow:ALLOWED/0x0/READ"
Failed to open \: NT_STATUS_NETWORK_NAME_DELETED
Created attachment 13275 [details]
git-am fix for master.
This is what I'm planning to go with. It's the "raw" patch split into micro-commits to make it easier to review. Need to make sure it passes make test first then I'll post on the list.
Created attachment 13292 [details]
git-am fix for 4.6.x
Cherry-picked from what went into master.
Re-assigning to Karolin for inclusion in 4.6.next. I'm still thinking if this can be back-ported to 4.5.x or not, but in the meantime 4.6.next needs this!
(In reply to Jeremy Allison from comment #5)
Pushed to autobuild-v4-6-test.
Created attachment 13323 [details]
git-am fix for 4.5.next.
I closed this bug too soon - here is the back-port for 4.5.next (wasn't so hard :-).
Reassigning to Karolin for inclusion in 4.5.
(In reply to Ralph Böhme from comment #8)
Pushed to autobuild-v4-45-test.
(In reply to Karolin Seeger from comment #9)
(In reply to Karolin Seeger from comment #10)
Pushed to v4-5-test.
Closing out bug report.
*** Bug 12403 has been marked as a duplicate of this bug. ***