I previously submitted a patch to smbcacls here:
http://lists.samba.org/archive/samba-technical/2003-June/029814.html

My motivation (copied from that post) was:

> Though I have WriteOwner right to the directory in question, the Win2K server in question won't let me "change" the owner - even if I'm trying to set it to the same SID that it already is - as the particular SID in question isn't in my access token. From previous experiments, I think this is normal behaviour on the part of MS servers.
> ...
> main() calls cacl_set() which calls cli_set_secdesc() which will try to set the owner and group if the security descriptor it's passed has those fields. Perhaps the right fix is then to not initialise the owner and group fields in the security descriptor that's passed in

Jeremy kindly applied my patch here:
http://cvs.samba.org/cgi-bin/cvsweb/samba/source/utils/smbcacls.c.diff?r1=1.66.2.15&r2=1.66.2.16&f=h

This was merged into the CVS MAIN branch here:
http://cvs.samba.org/cgi-bin/cvsweb/samba/source/utils/smbcacls.c.diff?r1=1.89&r2=1.90

It is still in the CVS HEAD here:
http://cvs.samba.org/cgi-bin/cvsweb/samba/source/utils/smbcacls.c?annotate=1.93

It's also in the latest revision on the SAMBA_3_0_RELEASE CVS branch here:
http://cvs.samba.org/cgi-bin/cvsweb/samba/source/utils/smbcacls.c?annotate=1.89.2.4

Most of the patch is in the most recent SVN revision here:
http://websvn.samba.org/cgi-bin/viewcvs.cgi/trunk/source/utils/smbcacls.c?rev=4090&view=markup

Part of it was effectively backed out and an additional change was made in order to fix another problem (https://bugzilla.samba.org/show_bug.cgi?id=404 and https://bugzilla.samba.org/show_bug.cgi?id=2076) here:
http://websvn.samba.org/cgi-bin/viewcvs.cgi?rev=3918&view=rev

This has caused my problem to recur. I think I've understood the reason for the additional change and I've come up with a patch which fixes my problem and, I think, should preserve the fix for #404 and #2076.
Looking at bugzilla, I think this may be the cause of https://bugzilla.samba.org/show_bug.cgi?id=2111 but it's difficult to be sure, so I thought it might be better to raise a separate bug.

Sadly, the svn protocol won't go through our corporate firewall at present (I have a ticket to get that addressed), so I used rsync to get the "unpacked" source from the head of the tree. I made my changes under the "samba" directory. I hope that was the right choice. I'll attach the patch when bugzilla gives me the option which I think will be when I've hit Commit.

Here's my test file before trying any changes:

martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file "/usr/local/samba/lib/smb.conf": No such file or directory
creating lame upcase table
creating lame lowcase table
Password:
REVISION:1
OWNER:BUILTIN\Administrators
GROUP:TERASTACK\Domain Users
ACL:\Everyone:ALLOWED/0/FULL
martind@duezer:~/download/samba.org/samba/source$

Here's where I test the code prior to my patch to see whether a user who should be able to overwrite the ACL but not the owner can add an ACE, modify the ACL or delete an ACE:

martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -a 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file "/usr/local/samba/lib/smb.conf": No such file or directory
creating lame upcase table
creating lame lowcase table
Password:
NT_TRANSACT_SET_SECURITY_DESC failed
ERROR: secdesc set failed: NT_STATUS_ACCESS_DENIED
martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -M 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file "/usr/local/samba/lib/smb.conf": No such file or directory
creating lame upcase table
creating lame lowcase table
Password:
NT_TRANSACT_SET_SECURITY_DESC failed
ERROR: secdesc set failed: NT_STATUS_ACCESS_DENIED
martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -D 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file "/usr/local/samba/lib/smb.conf": No such file or directory
creating lame upcase table
creating lame lowcase table
Password:
NT_TRANSACT_SET_SECURITY_DESC failed
ERROR: secdesc set failed: NT_STATUS_ACCESS_DENIED
martind@duezer:~/download/samba.org/samba/source$

Then I made the changes and repeated the tests:

martind@duezer:~/download/samba.org/samba/source$ make bin/smbcacls
Compiling utils/smbcacls.c
Linking bin/smbcacls
martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -M 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file "/usr/local/samba/lib/smb.conf": No such file or directory
creating lame upcase table
creating lame lowcase table
Password:
martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -a 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file "/usr/local/samba/lib/smb.conf": No such file or directory
creating lame upcase table
creating lame lowcase table
Password:
martind@duezer:~/download/samba.org/samba/source$ ./bin/smbcacls -U 'TERASTACK\devtest' -D 'ACL:\Everyone:ALLOWED/0/FULL' //mdorey.terastack.bluearc.com/root /test/smbcacls.txt
params.c:OpenConfFile() - Unable to open configuration file "/usr/local/samba/lib/smb.conf": No such file or directory
creating lame upcase table
creating lame lowcase table
Password:
martind@duezer:~/download/samba.org/samba/source$
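
An added illustration, not part of the original report or of Samba's source: a toy C model of the behaviour described in the report above, where every populated field of the descriptor is flagged to be set and the server rejects the whole request once the owner is included. The struct and function names, the model server's rules and the domain SIDs are assumptions constructed for the example; the flag and access-right values are the standard Windows ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SECURITY_INFORMATION bits and the access rights that guard them. */
#define OWNER_SECURITY_INFORMATION 0x00000001u
#define GROUP_SECURITY_INFORMATION 0x00000002u
#define DACL_SECURITY_INFORMATION  0x00000004u
#define WRITE_DAC   0x00040000u
#define WRITE_OWNER 0x00080000u

/* Hypothetical descriptor: a NULL field means "leave this part alone". */
struct toy_sd { const char *owner, *group, *dacl; };
/* Hypothetical token: rights granted on the file plus the caller's SIDs. */
struct toy_token { uint32_t granted; const char *sids[4]; };

/* Client side: every populated field is flagged to be set. */
uint32_t toy_sec_info(const struct toy_sd *sd)
{
    uint32_t info = 0;
    if (sd->owner) info |= OWNER_SECURITY_INFORMATION;
    if (sd->group) info |= GROUP_SECURITY_INFORMATION;
    if (sd->dacl)  info |= DACL_SECURITY_INFORMATION;
    return info;
}

static int token_has_sid(const struct toy_token *t, const char *sid)
{
    for (size_t i = 0; i < 4 && t->sids[i]; i++)
        if (strcmp(t->sids[i], sid) == 0) return 1;
    return 0;
}

/* Server side (assumed model): 0 = applied, -1 = access denied. */
int toy_server_set(const struct toy_token *t, const struct toy_sd *sd)
{
    uint32_t info = toy_sec_info(sd);
    uint32_t own = OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION;
    if ((info & DACL_SECURITY_INFORMATION) && !(t->granted & WRITE_DAC)) return -1;
    if ((info & own) && !(t->granted & WRITE_OWNER)) return -1;
    /* Owner may only become a SID the caller holds, even if it is unchanged. */
    if ((info & OWNER_SECURITY_INFORMATION) && !token_has_sid(t, sd->owner)) return -1;
    return 0;
}

/* Constructed caller: holds both rights but is not in BUILTIN\Administrators. */
static const struct toy_token devtest = { WRITE_DAC | WRITE_OWNER,
    { "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513", NULL, NULL } };

int demo_full_descriptor(void)   /* owner and group echoed back with the ACL */
{
    struct toy_sd sd = { "S-1-5-32-544", "S-1-5-21-1-2-3-513", "Everyone:ALLOWED/0/FULL" };
    return toy_server_set(&devtest, &sd);
}
int demo_dacl_only(void)         /* owner and group left uninitialised */
{
    struct toy_sd sd = { NULL, NULL, "Everyone:ALLOWED/0/FULL" };
    return toy_server_set(&devtest, &sd);
}
```
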
Created attachment 1234 [details] my proposed fix
> Here's my test file before trying any changes:

I should say that the server I was using was Windows 2000 5.00.2195 service pack 4. I was interested to see that I now get NT_STATUS_ACCESS_DENIED instead of the NT_STATUS_INVALID_OWNER I got when I posted my original patch. That was probably an NT4 server.
I am facing an issue with the smbcacls command for user Administrateur [French domain user name].

====================================================
#smbcacls //10.10.180.214/Rahultest /abc.txt -U es1fr\\Administrateur%Password
Connecting to host=10.10.180.214
Connecting to 10.10.180.214 at port 445
Doing spnego session setup (blob length=103)
got OID=1 2 840 48018 1 2 2
got OID=1 2 840 113554 1 2 2
got OID=1 2 840 113554 1 2 2 3
got OID=1 3 6 1 4 1 311 2 2 10
got principal=frdc$@ES1FR.COM
Got challenge flags:
Got NTLMSSP neg_flags=0x62890215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60080215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60080215
Failed to open \hi\abc.txt: NT_STATUS_ACCESS_DENIED
====================================================

But if I execute the same command with the es1admin username, there is no issue.

# smbcacls //10.10.180.214/Rahulktest /abc.txt -U es1fr\\es1admin%Password
REVISION:1
OWNER:ES1FR+es1admin
GROUP:ES1FR+Utilisa. du domaine
ACL:+Tout le monde:DENIED/0/0x000d0116
ACL:ES1FR+èçàéîôüû:ALLOWED/0/FULL

I do not understand why the Administrateur user cannot see the permissions, as it is a superuser. Actually I am trying to change the owner to Administrateur and it is not working. Does this patch resolve this issue? Has this fix gone into the main samba release?
I am using samba 3.0.23c.
Samba 3.0.x has been out of maintenance for many years now. Please try and reproduce with the latest Samba. Jeremy.
I haven't seen such errors in recent samba versions if things are set up correctly.