Bug 7139 - owner of file not available with kerberos
Summary: owner of file not available with kerberos
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.5
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: x64 Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
 
Reported: 2010-02-16 06:03 UTC by heinz hoelzl
Modified: 2010-02-17 10:44 UTC (History)

Attachments
log.smbd for smbcacls using username%password (436.16 KB, application/octet-stream)
2010-02-16 10:53 UTC, heinz hoelzl
log.smbd for smbcacls using a kerberos principal (82.68 KB, application/octet-stream)
2010-02-16 10:57 UTC, heinz hoelzl
Proposed patch (1.90 KB, patch)
2010-02-16 16:33 UTC, Volker Lendecke
jra: review+

Description heinz hoelzl 2010-02-16 06:03:09 UTC
I have a file with rights 600.
If I connect to samba using username%password I can see all the rights, ACL, owner etc.
If I connect to samba using kerberos I cannot see the owner information of the file.
If I try to rename this file from a Windows client I get an NT_STATUS_ACCESS_DENIED because the owner information is missing, but I can change the content of the file. (Mode of the parent directory is 777.)


# ls -l x.txt
-rw------- 1 heinz_sgv domusers 0 2010-02-15 10:33 x.txt

smbcacls with the kerberos-option -k (principal is the same as the owner of the file = heinz_sgv )
# smbcacls //localhost/samba -k kerberos/x.txt
Failed to open \kerberos\x.txt: NT_STATUS_ACCESS_DENIED

smbcacls with username%password
# smbcacls //localhost/samba -U heinz_sgv%password kerberos/x.txt
REVISION:1
CONTROL:0x9004
OWNER:GVCC.NET\heinz_sgv
GROUP:GVCC.NET\Domain Users
ACL:GVCC.NET\heinz_sgv:ALLOWED/0x0/RW
ACL:GVCC.NET\Domain Users:ALLOWED/0x0/
ACL:Everyone:ALLOWED/0x0/


after a chmod g+r x.txt all works fine:
# chmod g+r x.txt 
# ls -l x.txt
-rw-r----- 1 heinz_sgv domusers 0 2010-02-15 10:33 x.txt
# smbcacls //localhost/samba -k kerberos/x.txt
REVISION:1
CONTROL:0x9004
OWNER:GVCC.NET\heinz_sgv
GROUP:GVCC.NET\Domain Users
ACL:GVCC.NET\heinz_sgv:ALLOWED/0x0/RW
ACL:GVCC.NET\Domain Users:ALLOWED/0x0/R
ACL:Everyone:ALLOWED/0x0/

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: heinz_sgv@GVCC.NET
Comment 1 Volker Lendecke 2010-02-16 09:23:15 UTC
Please upload debug level 10 logs of smbd for both cases.

Thanks,

Volker
Comment 2 heinz hoelzl 2010-02-16 10:53:55 UTC
Created attachment 5356
log.smbd for smbcacls using username%password

log.smbd for smbcacls using username%password

in this case all works fine
Comment 3 heinz hoelzl 2010-02-16 10:57:06 UTC
Created attachment 5357
log.smbd for smbcacls using a kerberos principal

log.smbd for smbcacls using a kerberos principal
the principal is also heinz_sgv, the same user as the owner of the file.
in this case:

# smbcacls //localhost/samba -k kerberos/x.txt
Failed to open \kerberos\x.txt: NT_STATUS_ACCESS_DENIED

# ll /samba/kerberos/x.txt 
-rw------- 1 heinz_sgv domusers 6 2010-02-16 12:57 /samba/kerberos/x.txt
Comment 4 Volker Lendecke 2010-02-16 16:33:47 UTC
Created attachment 5358
Proposed patch

Can you try the attached patch? I don't have an appropriate setup around right now, so I have not tested it at all. So it might immediately crash (or so), but I'd give it a good chance that it fixes your problem.

Please tell me about your testing results!

Thanks,

Volker
Comment 5 heinz hoelzl 2010-02-17 02:09:34 UTC
Thanks! Now it works fine, I tested it from Linux with smbcacls and from Windows XP.

# ll /samba/kerberos/x.txt 
-rw------- 1 heinz_sgv domusers 6 2010-02-16 12:57 /samba/kerberos/x.txt

# smbcacls //localhost/samba -k kerberos/x.txt
REVISION:1
CONTROL:0x9004
OWNER:GVCC.NET\heinz_sgv
GROUP:GVCC.NET\Domain Users
ACL:GVCC.NET\heinz_sgv:ALLOWED/0x0/RW
ACL:GVCC.NET\Domain Users:ALLOWED/0x0/
ACL:Everyone:ALLOWED/0x0/
Comment 6 Volker Lendecke 2010-02-17 04:48:48 UTC
Comment on attachment 5358
Proposed patch

Jeremy, please ack this for 3.5.1 and re-assign to Karolin if appropriate.

Thanks,

Volker
Comment 7 Volker Lendecke 2010-02-17 04:50:01 UTC
Heinz: Thanks for testing. Pushed to master, will be in 3.5.1 latest, maybe in 3.5.0.

Volker
Comment 8 Jeremy Allison 2010-02-17 10:14:26 UTC
Comment on attachment 5358
Proposed patch

Clever fix - nice work !
Comment 9 Jeremy Allison 2010-02-17 10:15:31 UTC
Reopen to assign to Karolin for inclusion in 3.5.0rc1 or 3.5.1.
Comment 10 Volker Lendecke 2010-02-17 10:16:24 UTC
Karolin, please pull whenever you see appropriate, I think this should be in latest 3.5.1.

Thanks,

Volker
Comment 11 Karolin Seeger 2010-02-17 10:44:20 UTC
Pushed to v3-5-test. Will be included in 3.5.0rc3.
Closing out bug report.

Thanks!