Bug 6638 - ADS Domain Member: Computer Mgr can not set share ACLs
ADS Domain Member: Computer Mgr can not set share ACLs
Product: Samba 3.4
Classification: Unclassified
Component: Domain Control
x64 Linux
: P3 major
: ---
Assigned To: Karolin Seeger
Samba QA Contact
Depends on:
  Show dependency treegraph
Reported: 2009-08-13 21:57 UTC by John H Terpstra
Modified: 2009-08-21 05:03 UTC (History)
1 user (show)

See Also:

smb.conf file (628 bytes, text/plain)
2009-08-13 21:58 UTC, John H Terpstra
no flags Details
The Samba loglevel 10 log files in a tarball (159.36 KB, application/octet-stream)
2009-08-13 22:00 UTC, John H Terpstra
no flags Details
Wireshark Capture (83.15 KB, application/octet-stream)
2009-08-13 22:01 UTC, John H Terpstra
no flags Details
Patch for 3.4.1. (2.22 KB, patch)
2009-08-20 13:13 UTC, Jeremy Allison
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description John H Terpstra 2009-08-13 21:57:49 UTC
A Samba server is and ADS domain member and is administered using the Computer Manager. Setting of share permissions (share-level ACLs) fails due to lack of permission.

I was also unable to set rights and privileges for the domain administrator (or anyone else for that matter).

Attached are:
1) The smb.conf file
2) A tarball containing all the logs at loglevel 10
3) A wireshark capture of the entire process that failed
Comment 1 John H Terpstra 2009-08-13 21:58:47 UTC
Created attachment 4556 [details]
smb.conf file

The Samba config file.
Comment 2 John H Terpstra 2009-08-13 22:00:48 UTC
Created attachment 4557 [details]
The Samba loglevel 10 log files in a tarball

Tarball of loglevel 10 logs.  The Windows XP workstation from which the admin was attempted is at IP and its name is xptest.  The Samba server is at IP and its name is adsdms.
Comment 3 John H Terpstra 2009-08-13 22:01:38 UTC
Created attachment 4558 [details]
Wireshark Capture

The wireshark capture of the failed attempt to set share-level ACLs.
Comment 4 John H Terpstra 2009-08-13 22:08:30 UTC
To reproduce this problem:
1) Install the sample smb.conf.real file as smb.conf
2) Join the domain (succeeds):
    net ads join -Uadministrator%password
3) Start winbind and validate using: wbinfo -t  (succeeds)
4) Start smbd
5) Edit /etc/nsswitch.conf as follows:
   passwd:  files winbind
   shadow:  files
   group:   files winbind

Go to the Windows XP Workstation.
  a) Login as the domain administrator.
  b) Open Explorer on Control Panel, select the advanced admin tools folder
  c) Double click on "Computer Management"
  d) Connect to another computer, enter the name adsdms as the computer name and click OK.
  e) Navigate down to Shares
  f) Right click on the clientdata folder and select "Properties"
  g) Click on the Share Permissions tab
  h) Remove the group "Everyone", add a domain user or group, then click Apply.

Step (h) fails with the resulting logs submitted with this bug report.
Comment 5 John H Terpstra 2009-08-13 22:11:56 UTC
I tried the same operation from a Windows XP Pro system on a Samba domain controller installation.  This works without any problem.  The problem is isolated to ADS domain member server installations.

- John T.
Comment 6 John H Terpstra 2009-08-17 14:47:13 UTC
Elevating severity level as I believe this one needs to be fixed for 3.4.1.
Comment 7 Jeremy Allison 2009-08-19 15:31:29 UTC
My guess is it's this problem:

1530         /* fail out now if you are not root and not a disk op */
1532         if ( p->server_info->utok.uid != sec_initial_uid() && !is_disk_op )
1533                 return WERR_ACCESS_DENIED;

Does DOMAIN\Administrator have disk operator privileges on this machine ?

Comment 8 John H Terpstra 2009-08-19 17:10:05 UTC
Disk Operator privilege was not available. The procedure for creating this privilege needs to be better documented.  I will tend to that.

The thing that threw this is the misleading error message.  Lack of Disk Operator privilege should throw up a clear warning message that points to the solution.

Thank you for helping to resolve this, but please can we provide more meaningful error reports.  I will leave this bug open but reduce the severity.
Comment 9 Jeremy Allison 2009-08-20 13:13:54 UTC
Created attachment 4579 [details]
Patch for 3.4.1.

Patch for 3.4.1.
Comment 10 Jeremy Allison 2009-08-20 13:14:22 UTC
Re-assigning to Karolin for inclusion in 3.4.1.
Comment 11 Jeremy Allison 2009-08-20 14:21:53 UTC
FYI. Note for Karolin, everything worked after john gave the user SeDiskOperator privilege.
Comment 12 Karolin Seeger 2009-08-21 05:03:56 UTC
Okay, thanks.
Patch will be included in 3.4.1.
Closing out bug report.