9521 – Samba4 changes uid to gid in POSIX ACL

Bug 9521 - Samba4 changes uid to gid in POSIX ACL

Summary: Samba4 changes uid to gid in POSIX ACL

Status:	RESOLVED INVALID

Alias:	None

Product:	Samba 4.0
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.0.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-12-24 10:39 UTC by frederik.vogelsang
Modified:	2012-12-25 11:52 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description frederik.vogelsang 2012-12-24 10:39:03 UTC

I have created a test AD user with samba-tool. The uid 3000029 was assigned automatically to that user, and the user is a member of the "Domain Users" group (gid 100). On the server the user has an empty home directory and the ACL is set as follows:

> smbserver test # pwd
> /home/TESTDOMAIN/test
> smbserver test # ls
> smbserver test # getfacl .
> # file: .
> # owner: 3000029
> # group: users
> user::rwx
> user:3000029:rwx
> group::r-x
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:3000029:rwx
> default:group::r-x
> default:mask::rwx
> default:other::r-x
> smbserver test # getfattr .
> smbserver test #

Now when the user creates a folder in the directory through a Samba client (tested both Windows 7 and Linux), the ACL of the new folder gets messed up:

> smbserver test # ls -l
> drwxrwxr-x+ 2 3000029 users 4096 24. Dez 11:02 New Folder
> smbserver test # getfacl New\ Folder
> # file: New Folder
> # owner: 3000029
> # group: users
> user::rwx
> group::r-x
> group:users:r-x
> group:3000029:rwx
> mask::rwx
> other::r-x
> default:user::rwx
> default:user:3000029:rwx
> default:group::r-x
> default:group:users:r-x
> default:group:3000029:rwx
> default:mask::rwx
> default:other::r-x
> smbserver test # getfattr New\ Folder
> # file: New Folder
> user.DOSATTRIB
> smbserver test #

What looks particularily strange are these two entries in the ACL of "New Folder":
> group:3000029:rwx
> default:group:3000029:rwx

There is no group with gid 3000029 on the system, neither locally, nor in the Active Directory. This is the relevant entry from idmap.ldb:

> dn: CN=S-1-5-21-1013383079-493621684-2636636510-1110
> cn: S-1-5-21-1013383079-493621684-2636636510-1110
> objectClass: sidMap
> objectSid: S-1-5-21-1013383079-493621684-2636636510-1110
> type: ID_TYPE_BOTH
> xidNumber: 3000029
> distinguishedName: CN=S-1-5-21-1013383079-493621684-2636636510-1110

The objectSid is the SID of user "test". This means that the POSIX ACL *should* contain these lines:

> user:3000029:rwx
> default:user:3000029:rwx

Server Setup:
- Samba 4 as standalone AD DC
- Server FS: ext4 with extended attributes

Comment 1 Stefan Metzmacher 2012-12-25 11:52:21 UTC

(In reply to comment #0)
> I have created a test AD user with samba-tool. The uid 3000029 was assigned
> automatically to that user, and the user is a member of the "Domain Users"
> group (gid 100). On the server the user has an empty home directory and the ACL
> is set as follows:
> 
> > smbserver test # pwd
> > /home/TESTDOMAIN/test
> > smbserver test # ls
> > smbserver test # getfacl .
> > # file: .
> > # owner: 3000029
> > # group: users
> > user::rwx
> > user:3000029:rwx
> > group::r-x
> > mask::rwx
> > other::r-x
> > default:user::rwx
> > default:user:3000029:rwx
> > default:group::r-x
> > default:mask::rwx
> > default:other::r-x
> > smbserver test # getfattr .
> > smbserver test #
> 
> Now when the user creates a folder in the directory through a Samba client
> (tested both Windows 7 and Linux), the ACL of the new folder gets messed up:
> 
> > smbserver test # ls -l
> > drwxrwxr-x+ 2 3000029 users 4096 24. Dez 11:02 New Folder
> > smbserver test # getfacl New\ Folder
> > # file: New Folder
> > # owner: 3000029
> > # group: users
> > user::rwx
> > group::r-x
> > group:users:r-x
> > group:3000029:rwx
> > mask::rwx
> > other::r-x
> > default:user::rwx
> > default:user:3000029:rwx
> > default:group::r-x
> > default:group:users:r-x
> > default:group:3000029:rwx
> > default:mask::rwx
> > default:other::r-x
> > smbserver test # getfattr New\ Folder
> > # file: New Folder
> > user.DOSATTRIB
> > smbserver test #
> 
> What looks particularily strange are these two entries in the ACL of "New
> Folder":
> > group:3000029:rwx
> > default:group:3000029:rwx
> 
> There is no group with gid 3000029 on the system, neither locally, nor in the
> Active Directory. This is the relevant entry from idmap.ldb:
> 
> > dn: CN=S-1-5-21-1013383079-493621684-2636636510-1110
> > cn: S-1-5-21-1013383079-493621684-2636636510-1110
> > objectClass: sidMap
> > objectSid: S-1-5-21-1013383079-493621684-2636636510-1110
> > type: ID_TYPE_BOTH
> > xidNumber: 3000029
> > distinguishedName: CN=S-1-5-21-1013383079-493621684-2636636510-1110
> 
> The objectSid is the SID of user "test". This means that the POSIX ACL *should*
> contain these lines:
> 
> > user:3000029:rwx
> > default:user:3000029:rwx

No, the idmap entry is type: ID_TYPE_BOTH, which means
the sid can be represented as a unix user and group.

As samba adds the gid 3000029 to the users unix token, the kernel
will still grant access.

ID_TYPE_BOTH is needed in order to support sIDHistory feature of Active Directory, where a user account can get a new objectSid and keeps its old
sids in the sIDHistory attribute. All sids from the sIDHistory will be
added to the users NTTOKEN (a list of sids). As can be only one uid in a unix token, we need to map all uids to gids.

ID_TYPE_BOTH is also needed to support group being the owner of files and directories, e.g. Builtin\Administrators are a very common owner of files and directories.