15183 – aixacl is broken from Samba 4.15 onwards

Bug 15183 - aixacl is broken from Samba 4.15 onwards

Summary: aixacl is broken from Samba 4.15 onwards

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	VFS Modules (show other bugs)
Version:	4.15.9
Hardware:	PPC AIX

Importance:	P5 regression (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-09-22 13:11 UTC by Ayappan
Modified:	2022-09-23 11:04 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ayappan 2022-09-22 13:11:40 UTC

A simple share using Samba 4.15.9 fails with "NT_STATUS_ACCESS_DENIED opening remote file \test" 

Below is the contents of smb.conf

[global]
        security = user

        log file = /var/log/samba/samba.log
        log level = 10

        server multi channel support = no
        load printers = no
        printcap name = /dev/null
        disable spoolss = yes

[samba_share]
        path = /smbtest/samba/share
        public = yes
        writable = yes
        guest ok = yes
        browseable = yes
        guest account = nobody
        guest only = yes
        create mask = 666
        directory mask = 777

Looking into the logs, I see 

  posix_fget_nt_acl: called for file test
[2022/09/22 13:35:28.099703, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0)] ../../source3/modules/vfs_aixacl.c:44(aixacl_sys_acl_get_fd)
  Entering AIX sys_acl_get_fd
[2022/09/22 13:35:28.099740, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0)] ../../source3/modules/vfs_aixacl.c:45(aixacl_sys_acl_get_fd)
[2022/09/22 13:35:28.099772,  0, pid=4260330, effective(4294967294, 4294967294), real(0, 0)] ../../source3/smbd/fd_handle.c:93(fsp_get_io_fd)
  fsp_get_io_fd: fsp [test] is a path referencing fsp
  fd is -1
[2022/09/22 13:35:28.099890,  0, pid=4260330, effective(4294967294, 4294967294), real(0, 0)] ../../source3/smbd/fd_handle.c:93(fsp_get_io_fd)
  fsp_get_io_fd: fsp [test] is a path referencing fsp
[2022/09/22 13:35:28.099962, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0)] ../../source3/modules/vfs_aixacl.c:73(aixacl_sys_acl_get_fd)
  Got facl and returned it
[2022/09/22 13:35:28.100000, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0)] ../../source3/modules/vfs_aixacl_util.c:43(aixacl_to_smbacl)
  acl_entry is 300edc98
 acl_last(file_acl) id 300edc88
[2022/09/22 13:35:28.100083, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0)] ../../source3/modules/vfs_aixacl_util.c:139(aixacl_to_smbacl)
  i is 1
[2022/09/22 13:35:28.100123, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0)] ../../source3/modules/vfs_aixacl_util.c:154(aixacl_to_smbacl)
  ace->info.user.uid = 0
[2022/09/22 13:35:28.100163, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0)] ../../source3/modules/vfs_aixacl_util.c:182(aixacl_to_smbacl)
  ace->a_perm = 0
...
...
...
...
...
 canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
[2022/09/22 13:35:28.104383, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0), class=acls] ../../source3/smbd/posix_acls.c:2705(canonicalise_acl)
  canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
[2022/09/22 13:35:28.104450, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0), class=acls] ../../source3/smbd/posix_acls.c:2705(canonicalise_acl)
  canon_ace index 2. Type = allow SID = S-1-22-1-0 uid 0 SMB_ACL_USER_OBJ ace_flags = 0x0 perms ---
[2022/09/22 13:35:28.104518, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0), class=acls] ../../source3/smbd/posix_acls.c:766(print_canon_ace_list)
  print_canon_ace_list: canonicalise_acl: ace entries after arrange
  canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 SMB_ACL_USER_OBJ ace_flags = 0x0 perms ---
  canon_ace index 1. Type = allow SID = S-1-22-2-0 gid 0 SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
[2022/09/22 13:35:28.104656, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0), class=acls] ../../source3/smbd/posix_acls.c:1030(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
[2022/09/22 13:35:28.104701, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0), class=acls] ../../source3/smbd/posix_acls.c:1030(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
[2022/09/22 13:35:28.104745, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0), class=acls] ../../source3/smbd/posix_acls.c:1030(map_canon_ace_perms)
  map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
[2022/09/22 13:35:28.104805, 10, pid=4260330, effective(4294967294, 4294967294), real(0, 0)] ../../source3/smbd/open.c:187(smbd_check_access_rights_sd)
  smbd_check_access_rights_sd: File [test] requesting [0x120089] returning [0x120009] (NT_STATUS_ACCESS_DENIED)



"fsp_get_io_fd: fsp [test] is a path referencing fsp
  fd is -1 "

This issue is not there with aixacl2. And I see aixacl2 has the code to handle the case where fsp->fsp_flags.is_pathref is true , but not aixacl code.