Bug 12831 - smbcacls got error NT_STATUS_NETWORK_NAME_DELETED
Summary: smbcacls got error NT_STATUS_NETWORK_NAME_DELETED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools (show other bugs)
Version: 4.3.11
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
: 12403 (view as bug list)
Depends on:
Reported: 2017-06-09 00:17 UTC by Andy Qian
Modified: 2017-07-04 14:47 UTC (History)
4 users (show)

See Also:

The is the output of failed smbcacls call with debug 10 (8.55 KB, text/plain)
2017-06-09 00:17 UTC, Andy Qian
no flags Details
"Raw" patch for master. (17.48 KB, patch)
2017-06-13 22:21 UTC, Jeremy Allison
no flags Details
git-am fix for master. (25.29 KB, patch)
2017-06-14 00:03 UTC, Jeremy Allison
no flags Details
git-am fix for 4.6.x (26.13 KB, patch)
2017-06-19 18:47 UTC, Jeremy Allison
slow: review+
rsharpe: review+
git-am fix for 4.5.next. (26.26 KB, patch)
2017-06-28 19:27 UTC, Jeremy Allison
jra: review? (rsharpe)
slow: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Andy Qian 2017-06-09 00:17:01 UTC
Created attachment 13265 [details]
The is the output of failed smbcacls call with debug 10

we run smbcacls tool from linux machine to set file permissions on windows server.

here is our environment:

Linux machine:  Ubuntu 14.04 LTS, kernel version 3.13.0-112-generic

Samba version: 4.3.11

Windows machine: Windows server 2012

the cmd we run is something like following:

/usr/bin/smbcacls -U 'Domain\Administrator'%'pwd' '//win_server/testshare' 'TestFolder\Test.txt' -S 'REVISION:1','ACL:win_server\Administrator:DENIED/0/0x100116','ACL:win_server\Administrator:ALLOWED/0/0x1200a9','ACL:Domain\Administrator:ALLOWED/16/FULL'

The smbcacls cmd worked before till recently. Due to the recent Windows patch which disables SMB v1, we have to add the following line into the [global] section in smb.conf file on Linux machine so that the smbcacls can talk to the Windows server otherwise it gets error NT_STATUS_CONNECTION_RESET:

client max protocol = SMB3

with this option added, the smbcacls cmd ran into error NT_STATUS_NETWORK_NAME_DELETED.

but if we just run smbcacls cmd to get ACLs, like

/usr/bin/smbcacls -U 'Domain\Administrator'%'pwd' '//win_server/testshare' 'TestFolder\Test.txt'

it works without any problem, and does return all ACL entries.

if we remove this "client max protocol == SMB3" option from smb.conf file and turn on the SMBv1 on Windows server side, the exactly same smbcacls cmd for setting permission works as before.
Comment 1 Jeremy Allison 2017-06-13 22:21:41 UTC
Created attachment 13274 [details]
"Raw" patch for master.

This seems to pass a local make test.

The problem is that we have cases in our client tools where we expect to be able to temporarily replace the tcon connection struct internally to the client with a new connection to IPC$, do some calls on that new connection, then replace the old values of the tcon and continue.

This has some problems. (a). It only worked for SMB1 (for SMB2 we overwrote the tcon pointer) and (b). It didn't really work for SMB1 either - we ended up with a bastardized cli->smb1.tcon pointer that contains type and string from the IPC$ connection whilst being connected to the share connection.

This patch unifies the cli->smb[1|2].tcon pointer handling and allows temporary replacement of the pointer, and also SMB2 access to the get/set the 32-bit tid value.

Most of this patch is fixing up the smbclient/smbcacls and smbtorture3 code so everything keeps working.

Next job is to split this into micro commits so Ralph can follow it and review (yeah I asked for review already, but I don't really want a formal +1 as it's not complete yet, if you do a +1 on it it'll be more of a "yeah, this looks OK" comment :-).

Comment 2 Jeremy Allison 2017-06-13 22:27:48 UTC
Reproducer (from the mailing list).

> Just tried but couldn't reproduce this against an smbd server running
> master. Ralph, do you have a reproducer ?

$ ./bin/smbcacls -m smb3 -U slow%x //localhost/share "" -a "ACL:SLOWSERVER\slow:ALLOWED/0x0/READ"
Comment 3 Jeremy Allison 2017-06-14 00:03:16 UTC
Created attachment 13275 [details]
git-am fix for master.

This is what I'm planning to go with. It's the "raw" patch split into micro-commits to make it easier to review. Need to make sure it passes make test first then I'll post on the list.

Comment 4 Jeremy Allison 2017-06-19 18:47:12 UTC
Created attachment 13292 [details]
git-am fix for 4.6.x

Cherry-picked from what went into master.
Comment 5 Jeremy Allison 2017-06-28 00:15:02 UTC
Re-assigning to Karolin for inclusion in 4.6.next. I'm still thinking if this can be back-ported to 4.5.x or not, but in the meantime 4.6.next needs this !

Comment 6 Karolin Seeger 2017-06-28 09:12:03 UTC
(In reply to Jeremy Allison from comment #5)
Pushed to autobuild-v4-6-test.
Comment 7 Jeremy Allison 2017-06-28 19:27:44 UTC
Created attachment 13323 [details]
git-am fix for 4.5.next.

I closed this bug too soon - here is the back-port for 4.5.next (wasn't so hard :-).
Comment 8 Ralph Böhme 2017-06-29 14:02:12 UTC
Reassigning to Karolin for inclusion in 4.5.
Comment 9 Karolin Seeger 2017-06-30 08:42:54 UTC
(In reply to Ralph Böhme from comment #8)
Pushed to autobuild-v4-45-test.
Comment 10 Karolin Seeger 2017-06-30 08:43:43 UTC
(In reply to Karolin Seeger from comment #9)
autobuild-v4-5-test... ;-)
Comment 11 Karolin Seeger 2017-07-03 08:54:23 UTC
(In reply to Karolin Seeger from comment #10)
Pushed to v4-5-test.
Closing out bug report.

Comment 12 Ralph Böhme 2017-07-04 14:47:31 UTC
*** Bug 12403 has been marked as a duplicate of this bug. ***