Bug 9481 - ACL on cn=partitions,cn=configuration is incorrect
Summary: ACL on cn=partitions,cn=configuration is incorrect
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.0rc6
Hardware: All
OS: All
Importance: P5 major
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 9306
Reported: 2012-12-08 11:39 UTC by Andrew Bartlett
Modified: 2013-01-28 19:15 UTC
CC List: 2 users

See Also:


Attachments
PCAP format capture of the failed dcpromo (1.66 MB, application/vnd.tcpdump.pcap), 2012-12-08 11:39 UTC, Andrew Bartlett
Keytab for pcap of failure (1.23 KB, application/octet-stream), 2012-12-08 11:41 UTC, Andrew Bartlett
TRUNCATED pcap of success case (truncated at start of DsReplicaSync) (1.22 MB, application/vnd.tcpdump.pcap), 2012-12-08 11:42 UTC, Andrew Bartlett
Keytab for pcap of success (1.23 KB, application/octet-stream), 2012-12-08 11:43 UTC, Andrew Bartlett
Keytab for pcap of failure (1.23 KB, application/octet-stream), 2012-12-10 02:23 UTC, Andrew Bartlett
PCAP format capture of the failed dcpromo (473.34 KB, application/vnd.tcpdump.pcap), 2012-12-10 02:24 UTC, Andrew Bartlett
Patches for master (32.32 KB, patch), 2012-12-11 04:24 UTC, Stefan Metzmacher
Patches for v4-0-test (33.11 KB, patch), 2012-12-11 06:10 UTC, Stefan Metzmacher, flags: obnox: review+, metze: review+
Additional patches for v4-0-test (77.60 KB, patch), 2013-01-27 13:31 UTC, Stefan Metzmacher, flags: abartlet: review+

Description Andrew Bartlett 2012-12-08 11:39:49 UTC
Created attachment 8308 [details]
PCAP format capture of the failed dcpromo

wintest shows that joining Samba as an RODC fails, due to ACL issues. 

setting acl:search=false fixes this.
Comment 1 Andrew Bartlett 2012-12-08 11:41:19 UTC
Created attachment 8309 [details]
Keytab for pcap of failure
Comment 2 Andrew Bartlett 2012-12-08 11:42:48 UTC
Created attachment 8310 [details]
TRUNCATED pcap of success case (truncated at start of DsReplicaSync)

This trace is truncated at the start of the successful DRS replication due to size (otherwise > 20MB).
Comment 3 Andrew Bartlett 2012-12-08 11:43:24 UTC
Created attachment 8311 [details]
Keytab for pcap of success
Comment 4 Stefan Metzmacher 2012-12-09 18:45:39 UTC
I don't think this should be a blocker for a 4.0.0 release because of:
- https://bugzilla.samba.org/show_bug.cgi?id=9089
- it only happens with windows servers (which most likely wouldn't work
  because they can't replicate the SYSVOL share)
Comment 5 Stefan Metzmacher 2012-12-09 18:47:36 UTC
(In reply to comment #4)
> I don't think this should be a blocker for a 4.0.0 release because of:
> - https://bugzilla.samba.org/show_bug.cgi?id=9089
> - it only happens with windows servers (which most likely wouldn't work
>   because they can't replicate the SYSVOL share)

- Because the default functional level on provision is < 2008 and
  doesn't support RODCs
- It's easy to document that "acl:search=no" is a workaround
Comment 6 Andrew Bartlett 2012-12-09 21:56:19 UTC
What worries me more is not that RODC case specifically, but that we didn't expect this to break, and it breaks pretty early in the join process, so I fear something more fundamental may still be broken.
Comment 7 Andrew Bartlett 2012-12-10 02:22:20 UTC
Specifically, when connected as the new RODC, it cannot read this entry:

[abartlet@obed git]$ sudo ../prefix/bin/ldbsearch -H ../prefix/private/sam.ldb -s base -b cn=partitions,cn=configuration,dc=s4,dc=howto,dc=abartlet,dc=net
# record 1
dn: CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net
objectClass: top
objectClass: crossRefContainer
cn: Partitions
instanceType: 4
whenCreated: 20121210015718.0Z
uSNCreated: 1937
showInAdvancedViewOnly: TRUE
name: Partitions
objectGUID: b624aa42-a6dd-4f3c-a383-c960a4cedb5d
systemFlags: -2147483648
objectCategory: CN=Cross-Ref-Container,CN=Schema,CN=Configuration,DC=s4,DC=how
 to,DC=abartlet,DC=net
msDS-Behavior-Version: 3
fSMORoleOwner: CN=NTDS Settings,CN=OBED,CN=Servers,CN=Default-First-Site-Name,
 CN=Sites,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net
whenChanged: 20121210015722.0Z
uSNChanged: 3593
distinguishedName: CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,D
 C=net

Over LDAP, the trace shows in wintest-fail-3.pcap that msDS-Behavior-Version is not returned to the client.
Comment 8 Andrew Bartlett 2012-12-10 02:23:12 UTC
Created attachment 8316 [details]
Keytab for pcap of failure
Comment 9 Andrew Bartlett 2012-12-10 02:24:15 UTC
Created attachment 8317 [details]
PCAP format capture of the failed dcpromo

The key packet is #1722.  This is where the traces diverge.
Comment 10 Andrew Bartlett 2012-12-10 02:38:31 UTC
Reproduced with local tools:

[abartlet@obed git]$ sudo ../prefix/bin/ldbsearch -H ldap://192.168.122.3 -s base -b CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net --machine-pass
# record 1
dn: CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net

# returned 1 records
# 1 entries
# 0 referrals

This account (the DC!) surely should be able to read the entry!

Packet capture shows the (empty) returned entry.

This shows this is a more serious issue than 'just' RODC support.
Comment 11 Andrew Bartlett 2012-12-10 05:59:05 UTC
Compare Samba vs Windows:


[abartlet@obed git]$ sudo ../prefix/bin/ldbsearch -H ../prefix/private/sam.ldb -s base -b cn=partitions,cn=configuration,dc=s4,dc=howto,dc=abartlet,dc=net ntsecuritydescriptor
# record 1
dn: CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net
nTSecurityDescriptor: O:EAG:EAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;CIID;
 RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)

# returned 1 records
# 1 entries
# 0 referrals
[abartlet@obed git]$ sudo ../prefix/bin/ldbsearch -H ../prefix/private/sam.ldb -s base -b cn=partitions,cn=configuration,dc=s4,dc=howto,dc=abartlet,dc=net ntsecuritydescriptor --show-binary
# record 1
dn: CN=Partitions,CN=Configuration,DC=s4,DC=howto,DC=abartlet,DC=net
nTSecurityDescriptor:     NDR: struct security_descriptor
        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
        type                     : 0x8407 (33799)
               1: SEC_DESC_OWNER_DEFAULTED 
               1: SEC_DESC_GROUP_DEFAULTED 
               1: SEC_DESC_DACL_PRESENT    
               0: SEC_DESC_DACL_DEFAULTED  
               0: SEC_DESC_SACL_PRESENT    
               0: SEC_DESC_SACL_DEFAULTED  
               0: SEC_DESC_DACL_TRUSTED    
               0: SEC_DESC_SERVER_SECURITY 
               0: SEC_DESC_DACL_AUTO_INHERIT_REQ
               0: SEC_DESC_SACL_AUTO_INHERIT_REQ
               1: SEC_DESC_DACL_AUTO_INHERITED
               0: SEC_DESC_SACL_AUTO_INHERITED
               0: SEC_DESC_DACL_PROTECTED  
               0: SEC_DESC_SACL_PROTECTED  
               0: SEC_DESC_RM_CONTROL_VALID
               1: SEC_DESC_SELF_RELATIVE   
        owner_sid                : *
            owner_sid                : S-1-5-21-1224390137-1145867798-1928467562-519
        group_sid                : *
            group_sid                : S-1-5-21-1224390137-1145867798-1928467562-519
        sacl                     : NULL
        dacl                     : *
            dacl: struct security_acl
                revision                 : SECURITY_ACL_REVISION_ADS (4)
                size                     : 0x0064 (100)
                num_aces                 : 0x00000003 (3)
                aces: ARRAY(3)
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0014 (20)
                        access_mask              : 0x000f01ff (983551)
                        object                   : union security_ace_object_ctr(case 0)
                        trustee                  : S-1-5-18
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        flags                    : 0x12 (18)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               1: SEC_ACE_FLAG_INHERITED_ACE
                            0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0024 (36)
                        access_mask              : 0x000f01ff (983551)
                        object                   : union security_ace_object_ctr(case 0)
                        trustee                  : S-1-5-21-1224390137-1145867798-1928467562-519
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        flags                    : 0x12 (18)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               1: SEC_ACE_FLAG_INHERITED_ACE
                            0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0024 (36)
                        access_mask              : 0x000f01bd (983485)
                        object                   : union security_ace_object_ctr(case 0)
                        trustee                  : S-1-5-21-1224390137-1145867798-1928467562-512


# returned 1 records
# 1 entries
# 0 referrals


[abartlet@jesse samba]$ bin/ldbsearch -H ldap://192.168.122.24 -Uadministrator%penguin12# -s base -b cn=partitions,CN=Configuration,DC=2008R2,DC=HOWTO,DC=ABARTLET,DC=NET ntsecuritydescriptor
# record 1
dn: cn=partitions,CN=Configuration,DC=2008R2,DC=HOWTO,DC=ABARTLET,DC=NET
nTSecurityDescriptor: O:EAG:EAD:AI(A;;LCLORC;;;AU)(OA;;RP;e48d0154-bcf8-11d1-8
 702-00c04fb96050;;AU)(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)(OA;;RP
 ;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)(OA;;RP;032160bf-9824-11d1-aec0-000
 0f80367c1;;AU)(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)(OA;;RP;5706ae
 af-b940-4fb2-bcfc-5268683ad9fe;;AU)(A;;RPWPCRCCLCLORCWOWDSW;;;EA)(A;;RPWPCRCC
 DCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;ED)(OA;CIIO;WP;3df793df-9858-4417-a701-735a1
 ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)(A;CIID;RPWPCRCCDCLCLORCWOWDS
 DDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)S:AI(AU;CISA;WPCRCCDCWOWDSDDT;
 ;;WD)

# returned 1 records
# 1 entries
# 0 referrals
[abartlet@jesse samba]$ bin/ldbsearch -H ldap://192.168.122.24 -Uadministrator%penguin12# -s base -b cn=partitions,CN=Configuration,DC=2008R2,DC=HOWTO,DC=ABARTLET,DC=NET ntsecuritydescriptor --show-binary
# record 1
dn: cn=partitions,CN=Configuration,DC=2008R2,DC=HOWTO,DC=ABARTLET,DC=NET
nTSecurityDescriptor:     NDR: struct security_descriptor
        revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
        type                     : 0x8c14 (35860)
               0: SEC_DESC_OWNER_DEFAULTED 
               0: SEC_DESC_GROUP_DEFAULTED 
               1: SEC_DESC_DACL_PRESENT    
               0: SEC_DESC_DACL_DEFAULTED  
               1: SEC_DESC_SACL_PRESENT    
               0: SEC_DESC_SACL_DEFAULTED  
               0: SEC_DESC_DACL_TRUSTED    
               0: SEC_DESC_SERVER_SECURITY 
               0: SEC_DESC_DACL_AUTO_INHERIT_REQ
               0: SEC_DESC_SACL_AUTO_INHERIT_REQ
               1: SEC_DESC_DACL_AUTO_INHERITED
               1: SEC_DESC_SACL_AUTO_INHERITED
               0: SEC_DESC_DACL_PROTECTED  
               0: SEC_DESC_SACL_PROTECTED  
               0: SEC_DESC_RM_CONTROL_VALID
               1: SEC_DESC_SELF_RELATIVE   
        owner_sid                : *
            owner_sid                : S-1-5-21-3666733363-4032383065-1918016110-519
        group_sid                : *
            group_sid                : S-1-5-21-3666733363-4032383065-1918016110-519
        sacl                     : *
            sacl: struct security_acl
                revision                 : SECURITY_ACL_REVISION_ADS (4)
                size                     : 0x001c (28)
                num_aces                 : 0x00000001 (1)
                aces: ARRAY(1)
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_SYSTEM_AUDIT (2)
                        flags                    : 0x42 (66)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
                               1: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0014 (20)
                        access_mask              : 0x000d0163 (852323)
                        object                   : union security_ace_object_ctr(case 2)
                        trustee                  : S-1-1-0
        dacl                     : *
            dacl: struct security_acl
                revision                 : SECURITY_ACL_REVISION_ADS (4)
                size                     : 0x01dc (476)
                num_aces                 : 0x0000000d (13)
                aces: ARRAY(13)
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0014 (20)
                        access_mask              : 0x00020084 (131204)
                        object                   : union security_ace_object_ctr(case 0)
                        trustee                  : S-1-5-11
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0028 (40)
                        access_mask              : 0x00000010 (16)
                        object                   : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags                    : 0x00000001 (1)
                                   1: SEC_ACE_OBJECT_TYPE_PRESENT
                                   0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type                     : union security_ace_object_type(case 1)
                            type                     : e48d0154-bcf8-11d1-8702-00c04fb96050
                            inherited_type           : union security_ace_object_inherited_type(case 0)
                        trustee                  : S-1-5-11
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0028 (40)
                        access_mask              : 0x00000010 (16)
                        object                   : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags                    : 0x00000001 (1)
                                   1: SEC_ACE_OBJECT_TYPE_PRESENT
                                   0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type                     : union security_ace_object_type(case 1)
                            type                     : d31a8757-2447-4545-8081-3bb610cacbf2
                            inherited_type           : union security_ace_object_inherited_type(case 0)
                        trustee                  : S-1-5-11
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0028 (40)
                        access_mask              : 0x00000010 (16)
                        object                   : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags                    : 0x00000001 (1)
                                   1: SEC_ACE_OBJECT_TYPE_PRESENT
                                   0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type                     : union security_ace_object_type(case 1)
                            type                     : 66171887-8f3c-11d0-afda-00c04fd930c9
                            inherited_type           : union security_ace_object_inherited_type(case 0)
                        trustee                  : S-1-5-11
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0028 (40)
                        access_mask              : 0x00000010 (16)
                        object                   : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags                    : 0x00000001 (1)
                                   1: SEC_ACE_OBJECT_TYPE_PRESENT
                                   0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type                     : union security_ace_object_type(case 1)
                            type                     : 032160bf-9824-11d1-aec0-0000f80367c1
                            inherited_type           : union security_ace_object_inherited_type(case 0)
                        trustee                  : S-1-5-11
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0028 (40)
                        access_mask              : 0x00000010 (16)
                        object                   : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags                    : 0x00000001 (1)
                                   1: SEC_ACE_OBJECT_TYPE_PRESENT
                                   0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type                     : union security_ace_object_type(case 1)
                            type                     : 789ee1eb-8c8e-4e4c-8cec-79b31b7617b5
                            inherited_type           : union security_ace_object_inherited_type(case 0)
                        trustee                  : S-1-5-11
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0028 (40)
                        access_mask              : 0x00000010 (16)
                        object                   : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags                    : 0x00000001 (1)
                                   1: SEC_ACE_OBJECT_TYPE_PRESENT
                                   0: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type                     : union security_ace_object_type(case 1)
                            type                     : 5706aeaf-b940-4fb2-bcfc-5268683ad9fe
                            inherited_type           : union security_ace_object_inherited_type(case 0)
                        trustee                  : S-1-5-11
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0024 (36)
                        access_mask              : 0x000e01bd (917949)
                        object                   : union security_ace_object_ctr(case 0)
                        trustee                  : S-1-5-21-3666733363-4032383065-1918016110-519
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0014 (20)
                        access_mask              : 0x000f01ff (983551)
                        object                   : union security_ace_object_ctr(case 0)
                        trustee                  : S-1-5-18
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        flags                    : 0x00 (0)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               0: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0014 (20)
                        access_mask              : 0x00000001 (1)
                        object                   : union security_ace_object_ctr(case 0)
                        trustee                  : S-1-5-9
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT (5)
                        flags                    : 0x0a (10)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               1: SEC_ACE_FLAG_INHERIT_ONLY
                               0: SEC_ACE_FLAG_INHERITED_ACE
                            0x0a: SEC_ACE_FLAG_VALID_INHERIT (10)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x003c (60)
                        access_mask              : 0x00000020 (32)
                        object                   : union security_ace_object_ctr(case 5)
                        object: struct security_ace_object
                            flags                    : 0x00000003 (3)
                                   1: SEC_ACE_OBJECT_TYPE_PRESENT
                                   1: SEC_ACE_INHERITED_OBJECT_TYPE_PRESENT
                            type                     : union security_ace_object_type(case 1)
                            type                     : 3df793df-9858-4417-a701-735a1ecebf74
                            inherited_type           : union security_ace_object_inherited_type(case 2)
                            inherited_type           : bf967a8d-0de6-11d0-a285-00aa003049e2
                        trustee                  : S-1-5-32-544
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        flags                    : 0x12 (18)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               1: SEC_ACE_FLAG_INHERITED_ACE
                            0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0024 (36)
                        access_mask              : 0x000f01ff (983551)
                        object                   : union security_ace_object_ctr(case 0)
                        trustee                  : S-1-5-21-3666733363-4032383065-1918016110-519
                    aces: struct security_ace
                        type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
                        flags                    : 0x12 (18)
                               0: SEC_ACE_FLAG_OBJECT_INHERIT
                               1: SEC_ACE_FLAG_CONTAINER_INHERIT
                               0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
                               0: SEC_ACE_FLAG_INHERIT_ONLY
                               1: SEC_ACE_FLAG_INHERITED_ACE
                            0x02: SEC_ACE_FLAG_VALID_INHERIT (2)
                               0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
                               0: SEC_ACE_FLAG_FAILED_ACCESS
                        size                     : 0x0024 (36)
                        access_mask              : 0x000f01bd (983485)
                        object                   : union security_ace_object_ctr(case 0)
                        trustee                  : S-1-5-21-3666733363-4032383065-1918016110-512


# returned 1 records
# 1 entries
# 0 referrals


Clearly we have the wrong ACL, which is the root cause of the issues here.
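Added example, not Samba code and not part of this report: the two descriptors from comment 11, re-joined from their LDIF continuation lines and fed through a small SDDL DACL parser, so the difference can be checked mechanically rather than by eye. It assumes the joining account's token is a plain one (Everyone plus Authenticated Users, no admin groups) and models only the ordered allow/deny walk on this single object, with no generic-right mapping, no implicit owner rights and no inheritance computation; Samba's real evaluation lives in its acl ldb modules and libcli/security. The parsed masks can be checked against the NDR dumps above (0x000f01ff, 0x000f01bd, 0x00020084, 0x000e01bd).

```python
import re
from dataclasses import dataclass

# SDDL rights abbreviations -> access mask bits (MS-DTYP 2.4.3 / 2.5.1.2).
RIGHTS = {
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
}
# Well-known trustee aliases that appear in the descriptors on this page.
WELL_KNOWN = {"WD": "S-1-1-0", "AU": "S-1-5-11", "ED": "S-1-5-9",
              "SY": "S-1-5-18", "BA": "S-1-5-32-544"}
DOMAIN_RELATIVE = {"DA": 512, "EA": 519}   # resolved against a domain SID

# Inputs: the two descriptors from comment 11, re-joined from their LDIF
# continuation lines, plus the domain SIDs shown in the same NDR dumps.
SAMBA_DOMAIN = "S-1-5-21-1224390137-1145867798-1928467562"
SAMBA_SDDL = ("O:EAG:EAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
              "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)")
WIN_DOMAIN = "S-1-5-21-3666733363-4032383065-1918016110"
WIN_SDDL = ("O:EAG:EAD:AI(A;;LCLORC;;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)"
            "(OA;;RP;d31a8757-2447-4545-8081-3bb610cacbf2;;AU)(OA;;RP;66171887-8f3c-11d0-afda-00c04fd930c9;;AU)"
            "(OA;;RP;032160bf-9824-11d1-aec0-0000f80367c1;;AU)(OA;;RP;789ee1eb-8c8e-4e4c-8cec-79b31b7617b5;;AU)"
            "(OA;;RP;5706aeaf-b940-4fb2-bcfc-5268683ad9fe;;AU)(A;;RPWPCRCCLCLORCWOWDSW;;;EA)"
            "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;CC;;;ED)"
            "(OA;CIIO;WP;3df793df-9858-4417-a701-735a1ecebf74;bf967a8d-0de6-11d0-a285-00aa003049e2;BA)"
            "(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;DA)"
            "S:AI(AU;CISA;WPCRCCDCWOWDSDDT;;;WD)")

# Assumption: token of a plain authenticated account (e.g. a freshly joined
# machine account in no admin group) is just Everyone + Authenticated Users.
PLAIN_TOKEN = {"S-1-1-0", "S-1-5-11"}


@dataclass
class Ace:
    ace_type: str        # "A", "D", "OA", "OD", ...
    flags: tuple         # two-letter flag tokens, e.g. ("CI", "ID")
    mask: int
    object_guid: str     # "" when the ACE is not object-specific
    inherit_guid: str
    trustee: str         # resolved SID string

def two_letter_tokens(text):
    return tuple(text[i:i + 2] for i in range(0, len(text), 2))

def rights_mask(text):
    return sum(RIGHTS[tok] for tok in two_letter_tokens(text))

def resolve_sid(name, domain_sid):
    if name in DOMAIN_RELATIVE:
        return f"{domain_sid}-{DOMAIN_RELATIVE[name]}"
    return WELL_KNOWN.get(name, name)   # S-1-... strings pass through

def parse_dacl(sddl, domain_sid):
    """DACL ACEs of an SDDL string in on-wire order. Sufficient for these
    descriptors; not a general SDDL parser (no conditional or hex-mask ACEs)."""
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    aces = []
    for fields in re.findall(r"\(([^)]*)\)", dacl):
        t, fl, rights, obj, inh, trustee = fields.split(";")
        aces.append(Ace(t, two_letter_tokens(fl), rights_mask(rights),
                        obj.lower(), inh.lower(), resolve_sid(trustee, domain_sid)))
    return aces

def ace_applies(ace, token, object_guid):
    if "IO" in ace.flags:                  # inherit-only: no effect on this object
        return False
    if ace.trustee not in token:
        return False
    if ace.object_guid and ace.object_guid != (object_guid or ""):
        return False                       # object ACE for some other attribute/set
    return True

def effective_rights(dacl, token, object_guid=None):
    """Ordered DACL walk, deny-before-allow. Simplified: no generic-right
    mapping, no implicit owner rights, no inheritance computation."""
    granted = denied = 0
    for ace in dacl:
        if not ace_applies(ace, token, object_guid):
            continue
        if ace.ace_type in ("D", "OD"):
            denied |= ace.mask & ~granted
        elif ace.ace_type in ("A", "OA"):
            granted |= ace.mask & ~denied
    return granted

def mask_to_sddl(mask):
    return "".join(k for k, v in RIGHTS.items() if mask & v)

def explicit_ace_count(dacl):
    """ACEs set on the object itself, i.e. without the ID (inherited) flag."""
    return sum(1 for ace in dacl if "ID" not in ace.flags)

def compare(object_guid=None):
    """(samba_mask, windows_mask) granted to PLAIN_TOKEN by the two descriptors."""
    samba = effective_rights(parse_dacl(SAMBA_SDDL, SAMBA_DOMAIN), PLAIN_TOKEN, object_guid)
    win = effective_rights(parse_dacl(WIN_SDDL, WIN_DOMAIN), PLAIN_TOKEN, object_guid)
    return samba, win

if __name__ == "__main__":
    for guid in (None, "e48d0154-bcf8-11d1-8702-00c04fb96050"):
        s, w = compare(guid)
        print(f"{guid or 'whole entry'}: samba={mask_to_sddl(s) or '(none)'} windows={mask_to_sddl(w)}")
    print("explicit ACEs: samba=%d windows=%d" % (explicit_ace_count(parse_dacl(SAMBA_SDDL, SAMBA_DOMAIN)),
                                                  explicit_ace_count(parse_dacl(WIN_SDDL, WIN_DOMAIN))))
```

Run as a script it reports that the plain token is granted nothing at all on the Samba entry, against LC, LO and RC on the Windows one plus RP on each of the six property GUIDs, and that the Samba object carries only one ACE that is not inherited (the SY one) versus eleven on Windows. That matches the empty entry the machine account got over LDAP in comment 10: with no applicable allow ACE, Samba's search ACL filtering has nothing to return.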
Comment 12 Stefan Metzmacher 2012-12-11 04:24:41 UTC
Created attachment 8336 [details]
Patches for master
Comment 13 Stefan Metzmacher 2012-12-11 06:10:53 UTC
Created attachment 8337 [details]
Patches for v4-0-test
Comment 14 Michael Adam 2012-12-11 07:58:45 UTC
Comment on attachment 8337 [details]
Patches for v4-0-test

ACK
Comment 15 Michael Adam 2012-12-11 08:01:02 UTC
==> Karolin for 4.0
Comment 16 Karolin Seeger 2012-12-11 08:04:27 UTC
Pushed to autobuild-v4-0-test.
Comment 17 Karolin Seeger 2012-12-11 10:51:59 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks a lot!
Comment 18 Stefan Metzmacher 2012-12-11 13:44:33 UTC
We need to add some magic to the samba_upgradeprovision script,
so that it can fix the nTSecurityDescriptor values from older provisions.
We should be able to fix this for 4.0.1.

A workaround is the "acl:search = no" option in the [global] section of the smb.conf, in case someone hits problems with upgrades from older releases.
Comment 19 Stefan Metzmacher 2013-01-27 13:31:19 UTC
Created attachment 8498 [details]
Additional patches for v4-0-test
Comment 20 Karolin Seeger 2013-01-28 10:19:54 UTC
Pushed additional changes to autobuild-v4-0-test.
Comment 21 Karolin Seeger 2013-01-28 19:15:18 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!