Bug 14249 - smbcacls always fails with NT_STATUS_ACCESS_DENIED when root is mapped to <DOMAIN>\administrator, under certain conditions
Status: NEW
Product: Samba 4.1 and newer
Component: Tools
Version: 4.9.15
Hardware: All
Priority: P5 normal
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2020-01-24 15:01 UTC by Micah Veilleux
Modified: 2020-08-31 21:37 UTC


Attachments:
- log.smbd (348.58 KB, application/gzip), 2020-01-24 15:01 UTC, Micah Veilleux
- log.smbd (348.58 KB, application/gzip), 2020-05-14 16:10 UTC, Micah Veilleux
- log.smbd (4.41 MB, text/plain), 2020-05-14 16:13 UTC, Micah Veilleux

Description Micah Veilleux 2020-01-24 15:01:13 UTC
Created attachment 15752 [details]
log.smbd

Attempts to use smbcacls always fail with NT_STATUS_ACCESS_DENIED, when:
 - the fileshare is hosted on an AD DM
 - smbcacls is run as root
 - there is a mapping between root and <DOMAIN>\administrator

Probably "root" is used in place of "<DOMAIN>\administrator" at some point during the authentication.

Version of sernet-samba is: 99:4.9.15-20.suse150

OS:
------------------------------
datarec:~ # cat /etc/os-release
NAME="SLES"
VERSION="15"
VERSION_ID="15"
PRETTY_NAME="SUSE Linux Enterprise Server 15"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15"
datarec:~ #
------------------------------

Behavior:
------------------------------
datarec:~ # smbcacls //datarec/TCS / -U administrator
Enter VPTC3\administrator's password:
cli_full_connection failed! (NT_STATUS_ACCESS_DENIED)
datarec:~ #
------------------------------

Info relating to permissions in the test environment (smbcacls succeeds here because the root/Administrator mapping was removed):
------------------------------
datarec:~ # smbcacls //datarec/TCS / -U administrator
Enter VPTC3\administrator's password:
REVISION:1
CONTROL:SR|DP
OWNER:VPTC3\administrator
GROUP:VPTC3\Unix Admins
ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
ACL:VPTC3\Domain Users:ALLOWED/0x0/CHANGE
ACL:VPTC3\Unix Admins:ALLOWED/OI|CI|IO/FULL
datarec:~ #
datarec:~ # sharesec -v TCS
REVISION:1
CONTROL:SR|DP
OWNER:
GROUP:
ACL:S-1-5-21-1186222027-375203681-1372933539-513:ALLOWED/0x0/CHANGE
ACL:S-1-5-21-1186222027-375203681-1372933539-1103:ALLOWED/0x0/FULL
datarec:~ #
datarec:~ # wbinfo --sid-to-name S-1-5-21-1186222027-375203681-1372933539-513
VPTC3\Domain Users 2
datarec:~ # wbinfo --sid-to-name S-1-5-21-1186222027-375203681-1372933539-1103
VPTC3\Unix Admins 2
datarec:~ #
datarec:~ # samba-tool group listmembers "unix admins" -U administrator --URL ldap://mcbackup
Password for [VPTC3\administrator]:
Administrator
atihon
mveil
pan
ohrstka
datarec:~ #
datarec:~ # net rpc rights list privileges SeDiskOperatorPrivilege -U administrator
Enter administrator's password:
SeDiskOperatorPrivilege:
  VPTC3\Domain Admins
  VPTC3\administrator
  VPTC3\Unix Admins
  BUILTIN\Administrators
datarec:~ #
------------------------------

smb.conf:
------------------------------
[global]
    log level = 10
    security = ADS
    workgroup = VPTC3
    realm = VPTC3.ORG

    idmap config * : backend = tdb
    idmap config * : range = 3000-7999

    idmap config VPTC3 : backend = ad
    idmap config VPTC3 : schema = rfc2307
    idmap config VPTC3 : range = 10000-999999

    idmap config VPTC3 : unix_nss_info = yes
    idmap config VPTC3 : unix_primary_group = yes

    template shell = /bin/bash
    template homedir = /tcs_usr/%U

    username map = /etc/samba/user.map

    kerberos method = secrets and keytab

    winbind refresh tickets = yes
    winbind offline logon = yes
    winbind use default domain = yes

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
    durable handles = no
    kernel oplocks = yes
  durable handles = no
  kernel oplocks = yes
### BEGIN /TCS share ###
[TCS]
  path = /TCS
  read only = no
### END /TCS share ###
### BEGIN /TCS/runtimeStore/log share ###
[TCS-runtimeStore-log]
  path = /TCS/runtimeStore/log
  read only = no
### END /TCS/runtimeStore/log share ###
### BEGIN /home/VPTC3 share ###
[home-VPTC3]
  path = /home/VPTC3
  read only = no
### END /home/VPTC3 share ###
------------------------------

user.map:
------------------------------
!root = VPTC3\Administrator VPTC3\administrator Administrator administrator
------------------------------

Relevant portion of log (full log attached):
------------------------------
[2020/01/15 17:54:39.723607,  3, pid=13163, effective(0, 0), real(0, 0)] ../lib/util/access.c:365(allow_access)
  Allowed connection from 10.110.30.80 (10.110.30.80)
[2020/01/15 17:54:39.723631, 10, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:219(user_ok_token)
  user_ok_token: share TCS is ok for unix user root
[2020/01/15 17:54:39.723676, 10, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:70(set_conn_connectpath)
  set_conn_connectpath: service TCS, connectpath = /TCS
[2020/01/15 17:54:39.723700,  3, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/service.c:605(make_connection_snum)
  make_connection_snum: Connect path is '/TCS' for service [TCS]
[2020/01/15 17:54:39.723719, 10, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:219(user_ok_token)
  user_ok_token: share TCS is ok for unix user root
[2020/01/15 17:54:39.723737, 10, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/share_access.c:266(is_share_read_only_for_token)
  is_share_read_only_for_user: share TCS is read-write for unix user root
[2020/01/15 17:54:39.723778, 10, pid=13163, effective(0, 0), real(0, 0)] ../libcli/security/access_check.c:366(se_file_access_check)
  se_file_access_check: MAX desired = 0x2000000 mapped to 0x0
[2020/01/15 17:54:39.723797,  3, pid=13163, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:157(check_user_share_access)
  check_user_share_access: user root connection to TCS denied due to share security descriptor.
------------------------------
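The share security descriptor from this report, evaluated against two constructed tokens, as an added illustration of why the log ends in "denied due to share security descriptor" (example code, not Samba's; the masks behind the FULL/CHANGE/READ shortcut names and the token contents are assumptions):

```python
import re

# Standard NT masks behind Samba's FULL/CHANGE/READ shortcut names (assumed
# here; the report prints only the names). 0x02000000, the log's "MAX
# desired", is MAXIMUM_ALLOWED: the server computes what the token can get.
PERMS = {"FULL": 0x001F01FF, "CHANGE": 0x001301BF, "READ": 0x001200A9}
ACE_RE = re.compile(
    r"^ACL:(?P<who>.+?):(?P<type>ALLOWED|DENIED)/(?P<flags>[^/]*)/(?P<perm>\S+)$")

def parse_acl(text):
    """ACL: lines from sharesec -v / smbcacls -> (trustee, allow, flags, mask)."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue  # REVISION/CONTROL/OWNER/GROUP lines carry no ACE
        flags = {f for f in m.group("flags").split("|") if f}
        perm = m.group("perm")
        mask = PERMS[perm] if perm in PERMS else int(perm, 16)
        aces.append((m.group("who"), m.group("type") == "ALLOWED", flags, mask))
    return aces

def max_allowed(aces, token):
    """Simplified MAXIMUM_ALLOWED DACL walk: allow ACEs accumulate bits, a deny
    blocks only bits not already granted, inherit-only (IO) ACEs never apply
    to the object itself. Owner and privilege shortcuts are left out."""
    granted = denied = 0
    for who, allow, flags, mask in aces:
        if who not in token or "IO" in flags:
            continue
        if allow:
            granted |= mask
        else:
            denied |= mask & ~granted
    return granted & ~denied

# Share SD copied from the report's `sharesec -v TCS` output.
SHARE_SD = """REVISION:1
CONTROL:SR|DP
ACL:S-1-5-21-1186222027-375203681-1372933539-513:ALLOWED/0x0/CHANGE
ACL:S-1-5-21-1186222027-375203681-1372933539-1103:ALLOWED/0x0/FULL"""
DOM = "S-1-5-21-1186222027-375203681-1372933539"
# Constructed tokens: the mapped domain account (Domain Users + Unix Admins, per
# the report's group listing) versus a plain unix root carrying no domain SIDs.
ADMIN_TOKEN = {"S-1-1-0", DOM + "-513", DOM + "-1103"}
ROOT_TOKEN = {"S-1-1-0"}

def share_check(token):
    """Access mask the TCS share SD grants to a token (0 means access denied)."""
    return max_allowed(parse_acl(SHARE_SD), token)
```

A token with no VPTC3 SIDs gets mask 0, which is the "mapped to 0x0" line in the log; the same parser also handles the `OI|CI|IO` entries of the filesystem ACL, where inherit-only ACEs do not count for the directory itself.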
Comment 1 Rowland Penny 2020-05-14 09:35:46 UTC
I cannot reproduce this on Samba 4.11.7 (Running on Debian) with a very similar smb.conf and user.map

I also cannot extract the log file attachment
Comment 2 Micah Veilleux 2020-05-14 16:10:01 UTC
Created attachment 15980 [details]
log.smbd

Sorry, apparently I had gzipped the log file twice.
Comment 3 Micah Veilleux 2020-05-14 16:13:18 UTC
Created attachment 15981 [details]
log.smbd
Comment 4 Rowland Penny 2020-08-04 14:42:45 UTC
Sorry for late reply, but I still cannot reproduce this and I am now using Samba 4.12.5 from Louis Van Belle's repo.

I can only surmise that there was a problem before 4.11.x and it has now been fixed. If you still have the problem and are still using 4.9.x, I suggest you upgrade to a Samba supported version (preferably 4.11.x upwards) and see if you still have the problem.

One thought I did have, you are using the 'ad' backend, you haven't given Administrator a uidNumber attribute, have you ?
Comment 5 Micah Veilleux 2020-08-31 21:37:09 UTC
Administrator did have a uidNumber at first, but I had the same behavior after recreating my environment with no such assignment. Currently, I am still able to reproduce the issue with sernet samba 99:4.12.2-11.suse150. Given that you cannot reproduce it, I may have some other config issue.

I currently have:
------------------------------
mcaddc1:~ # samba-tool user show administrator | grep idNumber
mcaddc1:~ # samba-tool user show administrator | grep memberOf
memberOf: CN=Domain Admins,CN=Users,DC=vptc3,DC=org
memberOf: CN=Schema Admins,CN=Users,DC=vptc3,DC=org
memberOf: CN=Enterprise Admins,CN=Users,DC=vptc3,DC=org
memberOf: CN=Group Policy Creator Owners,CN=Users,DC=vptc3,DC=org
memberOf: CN=Administrators,CN=Builtin,DC=vptc3,DC=org
memberOf: CN=Unix Admins,CN=Users,DC=vptc3,DC=org
mcaddc1:~ #
mcaddc1:~ #
mcaddc1:~ # samba-tool group show domain\ admins | grep idNumber
mcaddc1:~ # samba-tool group show domain\ admins | grep memberOf
memberOf: CN=Denied RODC Password Replication Group,CN=Users,DC=vptc3,DC=org
memberOf: CN=Administrators,CN=Builtin,DC=vptc3,DC=org
mcaddc1:~ #
mcaddc1:~ #
mcaddc1:~ # samba-tool group show unix\ admins | grep idNumber
gidNumber: 100001
mcaddc1:~ # samba-tool group show unix\ admins | grep memberOf
memberOf: CN=Domain Admins,CN=Users,DC=vptc3,DC=org
------------------------------