Bug 6395 - File truncated when the editor is not the unix owner of the file in some applications
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: Other Linux
Importance: P3 critical
Assigned To: Andrew Tridgell
QA Contact: Andrew Bartlett
Blocks: 6600

Reported: 2009-05-22 18:06 UTC by Matthieu Patou
Modified: 2009-08-05 02:53 UTC

Attachments
Tcpdump capture of the exchange while trying to edit policy (39.80 KB, application/octet-stream)
2009-05-22 18:07 UTC, Matthieu Patou

Description Matthieu Patou 2009-05-22 18:06:59 UTC
Some applications use a file backend to store their data; using those applications with a different user (having full rights in the NT ACL and rwx in Unix) leads to truncated files.

One of these applications is the policy editor. To reproduce the problem:

Create a policy with the domain administrator (Administrator), set the number of days for password expiration (Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy)
Save
Ensure that the domain admin group has full rights on the domain policy folder (\\myadserver.domain\sysvol\domain\Policies)
Set the group write right on all files and directories in the <samba_base_dir>/var/locks/sysvol directory.
Ensure that this folder and its subfolders and files are owned by the unix group of the domain users (check idmap.tdb for the group mapping).
Log in with a different user who is also a member of the domain admin group.
Try to modify the same policy (i.e. add one more day) and receive an error message.

In my case it's this file:
"smb4.tst/Policies/{4c3e9dec-4702-4a69-b9f2-895ec7d5b35b}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf"

ls "{4c3e9dec-4702-4a69-b9f2-895ec7d5b35b}/Machine/Microsoft/Windows NT/SecEdit"/ -l

-rw-rw-r-- 1 root 3000005 314 2009-04-30 16:45 GptTmpl.inf   

The account used is user_adm, which is part of the "domain admins" group, which translates to unix group 3000005.
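
The two Unix-side steps of the reproduction above (group write on the sysvol tree, group ownership by the mapped gid) can be applied and verified from the shell before testing from the Windows client. This is an added example, not part of the original report; the function names are hypothetical, and the path and gid in the usage comment are the ones quoted in this bug.

```shell
#!/bin/sh
# Added example (not from the bug report): prepare and audit the Unix-side
# preconditions of the reproduction. Function names are hypothetical.

# Print every entry under directory $1 whose group is not gid $2 or that
# lacks the group write bit. Prints nothing when both conditions hold.
sysvol_perm_gaps() {
    find "$1" \( ! -group "$2" -o ! -perm -020 \) -print
}

# Return 0 when the whole tree is group-owned by $2 and group-writable.
sysvol_ready() {
    [ -z "$(sysvol_perm_gaps "$1" "$2")" ]
}

# Apply group ownership and group write recursively
# (requires owning the files or running as root).
sysvol_prepare() {
    chgrp -R "$2" "$1" && chmod -R g+w "$1"
}

# Usage with the values quoted in this bug:
#   sysvol_prepare /usr/local/samba/var/locks/sysvol 3000005
#   sysvol_perm_gaps /usr/local/samba/var/locks/sysvol 3000005
# When called as a script with <dir> <gid>, list the remaining gaps.
if [ "$#" -eq 2 ]; then
    sysvol_perm_gaps "$1" "$2"
fi
```

An empty listing from `sysvol_perm_gaps` means the file-system side matches the setup described in the report, so a failure seen from the second admin account is not caused by a missing group bit.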
Comment 1 Matthieu Patou 2009-05-22 18:07:49 UTC
Created attachment 4190
Tcpdump capture of the exchange while trying to edit policy
Comment 2 Matthias Dieter Wallnöfer 2009-08-04 12:30:08 UTC
Hi Matthieu,
I reproduced your bug. It's perfectly valid.

I get an error box telling me: "Not saved. Not saved. <GPO path>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf".

In the directory of "GptTmpl.inf" I locate the file empty and the old content in a "GptTmpl.tmp" file (which the GPO editor for sure created as a backup). After clicking on "OK" both files are totally cleared.

But as said I marked the bug as "critical" and as "must-have" for the upcoming first beta release (consider the tracking bug).

I hope Tridge is able to fix this nasty problem soon (I personally am not skilled to fix file server issues).
Comment 3 Matthieu Patou 2009-08-05 02:25:43 UTC
smb.conf content:
[globals]
        netbios name    = test
        workgroup       = SAMBA4
        realm           = smb4.tst
        server role     = domain controller
        debug level     = 2

[tests]
        path = /tmp/tests
        read only = no
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/smb4.tst/scripts
        read only = no

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = no
Comment 4 Andrew Tridgell 2009-08-05 02:53:25 UTC
This has been fixed with git commit 00a8ff5fe9acf965395b99b39b0c24a5517b6e2b

Please test!