Hello-

We've been testing Samba 2.0.7 in our environment for the past couple of weeks, and have run into an odd interaction with one of our applications. We use Wise InstallMaster 8.0 to push out application packages to all of our NT clients (via SMS). For most of these applications, the per-user parts live in the user's home directory on a UNIX server -- this is so users can roam from machine to machine and have their personal application settings/files follow them.

Unfortunately, we've found that the Wise Installer packages do not work when writing to a Samba share with NT ACL support turned on. The initial install of the application always works OK. But subsequent attempts to overwrite the previous installations fail as soon as the installer hits the first file that lives on the Samba share. It returns an "Access denied" message, and at that point the install aborts. I've verified that it is not an issue with the UNIX permissions on the files -- they check out OK. In fact, if I go in and use Windows Explorer or DOS to delete the appropriate files, the install works -- it's only when the installer attempts the deletion/overwrite itself that it fails.

We're using security=domain on the Samba server. The Samba server (and client) are both members of a resource domain. The account(s) being used are in an account domain trusted by the resource domain. Turning off NT ACL support makes the problem go away.

I did some network snoops of a failed install and it verifies that the problem is related to the ACL support. Just before the installer returns the error message, I can see the client do an NTTRANS_QUERY_SECURITY_DESC call to the server and get a response. I think that somehow the installer is attempting to interpret the security descriptor it gets back and thinks that the user is not allowed to write to the file.

At first, I speculated it might be the lack of a mapping of the NT Delete bit onto UNIX permissions, but adding a quick and dirty implementation of this to Samba did not make a difference. I've repeated the network trace with an NT server (where the install succeeds) instead of a Samba server so that I could try to do some comparisons. I've extracted out the information from the snoops into a more readable format and done interpretation of the data where appropriate.

My speculation is that the installer is looking at the SID associated with the Samba/UNIX account and comparing it against the domain SID, and then rejecting permission, but my understanding of how Samba functions in a domain environment is limited. (BTW, chmoding the files to be world writable also works around this problem.)

I'm including the results below -- the portion of the snoop I worked with contains an SMB_NTCREATE_ANDX call followed by the QUERY_SECURITY_DESC call. (FYI, the domain/machine names aren't real - I've substituted ones that should be more understandable to someone outside of our organization). Note that this snoop was done with the install of Samba I hacked to map the Delete bit, which is why it appears in the ACLs in the response.

Hopefully someone can make sense of this situation. We'd REALLY like to be able to use the NT ACL support to allow our users to modify permissions on their files from NT, but we can't enable it if it breaks our primary method of app distribution.

Sorry about the length -- I tried to interpret as much of the snoop as I could. I preserved the byte ordering from the packet data except in cases where I'm interpreting the permission masks. Hopefully I didn't make any mistakes.. :-)

Thanks...

-Andrew Cherry

------------------------------------------------------------------------

*************************************************
* Windows NT 4.0 client <--> Samba 2.0.7 server *
*************************************************

Account Domain:  ACCOUNT_DOM
Resource Domain: RESOURCE_DOM (trusts ACCOUNT_DOM)
Server Name:     SAMBASERVER (Samba 2.0.7)
                 Using security=domain, workgroup=RESOURCE_DOM

Client is a member of domain RESOURCE_DOM
File is owned by UNIX user "bq376"
Domain account used on client is ACCOUNT_DOM\bq376

SMBntcreateX Request:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
WordCount: 18
AndXCommand: ff
AndXReserved: 00
AndXOffset: 0000
Reserved: 00
NameLength: 1700
Flags: 00000000
RootDirectoryFid: 00000000
DesiredAccess: 00000200
AllocationSize: 0000000000000000
ExtFileAttributes: 00000000
ShareAccess: 07000000
CreateDisposition: 01000000
CreateOptions: 00000000
ImpersonationLevel: 02000000
SecurityFlags: 00
ByteCount: 1800
Name:
                                         5c 41 50   ........ .....\AP
  50 53 5f 4e 54 5c 52 45 4d 45 44 59 5c 48 4f 4d   PS_NT\RE MEDY\HOM
  45 5c 41 52 00                                    E\AR.

SMBntcreateX Response:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
WordCount: 22
AndXCommand: ff
AndXReserved: 00
AndXOffset: 0000
OplockLevel: 00
Fid: 0311
CreateAction: 01000000
CreationTime: 001e7e2d a36dbf01
LastAccessTime: 009f8654 a910c001
LastWriteTime: 001e7e2d a36dbf01
ChangeTime: 001e7e2d a36dbf01
ExtFileAttributes: 80000000
AllocationSize: 2300000000000000
EndOfFile: 2300000000000000
FileType: 0000
DeviceState: 0000
Directory: 00
ByteCount: 0000
.

NT_TRANSACT_QUERY_SECURITY_DESC (Request)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
WordCount: 13
MaxSetupCount: 00
Reserved: 0000
TotalParameterCount: 08000000
TotalDataCount: 00000000
MaxParameterCount: 04000000
MaxDataCount: 00f00000
ParameterCount: 08000000
ParameterOffset: 4c000000
DataCount: 00000000
DataOffset: 00000000
SetupCount: 00
Function: 0600
Buffer: 0b
Setup: 0000
ByteCount: 0000
Parameters:
  Fid: 0311
  Reserved: 0000
  SecurityInformation: 07000000

NT_TRANSACT_QUERY_SECURITY_DESC (Response)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
WordCount: 12
Reserved[3]: 000000
TotalParameterCount: 04000000
TotalDataCount: b0000000
ParameterCount: 04000000
ParameterOffset: 4a000000
ParameterDisplacement: 00000000
DataCount: b0000000
DataOffset: 4e000000
DataDisplacement: 00000000
SetupCount: 00
ByteCount: b700
Pad1: 000000
Parameters: b0000000
Data:
-------------------------------------------------
Revision: 0100
Type: 0480
OwnerSidOffset: 14000000
GroupSidOffset: 30000000
SaclOffset: 00000000
DaclOffset: 4c000000

=======OwnerSid:
  RevNum: 01
  NumAuths: 05
  IdAuth[6]: 00 00 00 00 00 05
  SubAuths: 15000000 b2c2c621 aa524883 808585c7 ba070000
  S-1-5-21-566674098-2202555050-3347416448-1978 (SAMBASERVER\bq376)

=======GroupSid:
  RevNum: 01
  NumAuths: 05
  IdAuth[6]: 00 00 00 00 00 05
  SubAuths: 15000000 b2c2c621 aa524883 808585c7 1f0a0000
  S-1-5-21-566674098-2202555050-3347416448-2591 (SAMBASERVER\d0900795)

=======Dacl:
  Revision: 0300
  Size: 6400
  NumAces: 03000000
  Aces[3]:
========================================
  Type: 00
  Flags: 02
  Size: 2400
  Mask: 9f011300
    0x0013019F ==          0000 0000 0001 0011 0000 0001 1001 1111
    FILE_READ_DATA         0000 0000 0000 0000 0000 0000 0000 0001
    FILE_WRITE_DATA        0000 0000 0000 0000 0000 0000 0000 0010
    FILE_APPEND            0000 0000 0000 0000 0000 0000 0000 0100
    FILE_READ_EA           0000 0000 0000 0000 0000 0000 0000 1000
    FILE_WRITE_EA          0000 0000 0000 0000 0000 0000 0001 0000
    FILE_READ_ATTRIBUTES   0000 0000 0000 0000 0000 0000 1000 0000
    FILE_WRITE_ATTRIBUTES  0000 0000 0000 0000 0000 0001 0000 0000
    DELETE_ACCESS          0000 0000 0000 0001 0000 0000 0000 0000
    READ_CONTROL_ACCESS    0000 0000 0000 0010 0000 0000 0000 0000
    SYNCHRONIZE_ACCESS     0000 0000 0001 0000 0000 0000 0000 0000
  Sid:
    RevNum: 01
    NumAuths: 05
    IdAuth[6]: 00 00 00 00 00 05
    SubAuths: 15000000 b2c2c621 aa524883 808585c7 ba000000
    Sid is: S-1-5-21-566674098-2202555050-3347416448-1978 (SAMBASERVER\bq376 -- user)
-----------------------------------------
  Type: 00
  Flags: 02
  Size: 2000
  Mask: 89001300
    0x00130089 ==          0000 0000 0001 0011 0000 0000 1000 1001
    FILE_READ_DATA         0000 0000 0000 0000 0000 0000 0000 0001
    FILE_READ_EA           0000 0000 0000 0000 0000 0000 0000 1000
    FILE_READ_ATTRIBUTES   0000 0000 0000 0000 0000 0000 1000 0000
    DELETE_ACCESS          0000 0000 0000 0001 0000 0000 0000 0000
    READ_CONTROL_ACCESS    0000 0000 0000 0010 0000 0000 0000 0000
    SYNCHRONIZE_ACCESS     0000 0000 0001 0000 0000 0000 0000 0000
  Sid:
    RevNum: 01
    NumAuths: 05
    IdAuth[6]: 00 00 00 00 00 05
    SubAuths: 15000000 b2c2c621 aa524883 808585c7 1f0a0000
    Sid is: S-1-5-21-566674098-2202555050-3347416448-2591 (SAMBASERVER\d0900795 -- group)
-----------------------------------------
  Type: 00
  Flags: 02
  Size: 1400
  Mask: 89001300
    0x00130089 ==          0000 0000 0001 0011 0000 0000 1000 1001
    FILE_READ_DATA         0000 0000 0000 0000 0000 0000 0000 0001
    FILE_READ_EA           0000 0000 0000 0000 0000 0000 0000 1000
    FILE_READ_ATTRIBUTES   0000 0000 0000 0000 0000 0000 1000 0000
    DELETE_ACCESS          0000 0000 0000 0001 0000 0000 0000 0000
    READ_CONTROL_ACCESS    0000 0000 0000 0010 0000 0000 0000 0000
    SYNCHRONIZE_ACCESS     0000 0000 0001 0000 0000 0000 0000 0000
  Sid:
    RevNum: 01
    NumAuths: 01
    IdAuth[6]: 00 00 00 00 00 01
    SubAuths: 00000000
    Sid is: S-1-1-0 (Everyone -- world)
========================================


****************************************************
* Windows NT 4.0 client <--> Windows NT 4.0 server *
****************************************************

Account Domain:  ACCOUNT_DOM
Resource Domain: RESOURCE_DOM (trusts ACCOUNT_DOM)
Server Name:     NTSERVER (NT 4.0)
                 Server is a member of domain RESOURCE_DOM
                 (it's a BDC for that domain)

Client is a member of domain RESOURCE_DOM
File is owned by NT user ACCOUNT_DOM\bq376
Domain account used on client is ACCOUNT_DOM\bq376

SMBntcreateX request:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
WordCount: 18
AndXCommand: ff
AndXReserved: 00
AndXOffset: 0000
Reserved: 00
NameLength: 2e00
Flags: 00000000
RootDirectoryFid: 00000000
DesiredAccess: 00000200
AllocationSize: 0000000000000000
ExtFileAttributes: 00000000
ShareAccess: 07000000
CreateDisposition: 01000000
CreateOptions: 00000000
ImpersonationLevel: 02000000
SecurityFlags: 00
ByteCount: 3100
Name:
                                         79 5c 00   ..............y\.
  41 00 50 00 50 00 53 00 5f 00 4e 00 54 00 5c 00   A.P.P.S. _.N.T.\.
  52 00 45 00 4d 00 45 00 44 00 59 00 5c 00 48 00   R.E.M.E. D.Y.\.H.
  4f 00 4d 00 45 00 5c 00 41 00 52 00 00 00         O.M.E.\. A.R...

SMBntcreateX response:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
WordCount: 22
AndXCommand: ff
AndXReserved: 00
AndXOffset: 6700
OplockLevel: 00
Fid: 0760
CreateAction: 01000000
CreationTime: e87906a0 6110c001
LastAccessTime: da243b22 a410c001
LastWriteTime: 001e7e2d a36dbf01
ChangeTime: c4304b46 b110c001
ExtFileAttributes: 80000000
AllocationSize: 2800000000000000
EndOfFile: 2300000000000000
FileType: 0000
DeviceState: 0000
Directory: 00
ByteCount: 0000
.

NT_TRANSACT_QUERY_SECURITY_DESC (Request)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
WordCount: 13
MaxSetupCount: 00
Reserved: 0000
TotalParameterCount: 08000000
TotalDataCount: 00000000
MaxParameterCount: 04000000
MaxDataCount: 00f00000
ParameterCount: 08000000
ParameterOffset: 4c000000
DataCount: 00000000
DataOffset: 00000000
SetupCount: 00
Function: 0600
Buffer: 0b
Setup: 0000
ByteCount: 0000
Parameters:
-----------
  Fid: 0760
  Reserved: 0000
  SecurityInformation: 07000000

NT_TRANSACT_QUERY_SECURITY_DESC (Response)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
WordCount: 12
Reserved[3]: 000000
TotalParameterCount: 04000000
TotalDataCount: 9c000000
ParameterCount: 04000000
ParameterOffset: 48000000
ParameterDisplacement: 00000000
DataCount: 9c000000
DataOffset: 4c000000
DataDisplacement: 00000000
SetupCount: 00
ByteCount: a100
Pad1: 0b
Parameters: 00000000
Data:
-------------------------------------------------
Revision: 0100
Type: 0480
OwnerSidOffset: 14000000
GroupSidOffset: 30000000
SaclOffset: 00000000
DaclOffset: 4c000000

=======OwnerSid:
  RevNum: 01
  NumAuths: 05
  IdAuth[6]: 00 00 00 00 00 05
  SubAuths: 15000000 4d5dc06f 04370f22 e16f0015 683a0000
  Sid is: S-1-5-21-1874877773-571422468-352350177-14952 (ACCOUNT_DOM\bq376)

=======GroupSid:
  RevNum: 01
  NumAuths: 05
  IdAuth[6]: 00 00 00 00 00 05
  SubAuths: 15000000 4d5dc06f 04370f22 e16f0015 01020000
  Sid is: S-1-5-21-1874877773-571422468-352350177-513 (ACCOUNT_DOM\Domain Users)

=======Dacl:
  Revision: 0200
  Size: 5000
  NumAces: 02000000
  Aces[2]:
========================================
  Type: 00
  Flags: 00
  Size: 2400
  Mask: bf011300
    0x001301BF ==          0000 0000 0001 0011 0000 0001 1011 1111
    FILE_READ_DATA         0000 0000 0000 0000 0000 0000 0000 0001
    FILE_WRITE_DATA        0000 0000 0000 0000 0000 0000 0000 0010
    FILE_APPEND            0000 0000 0000 0000 0000 0000 0000 0100
    FILE_READ_EA           0000 0000 0000 0000 0000 0000 0000 1000
    FILE_WRITE_EA          0000 0000 0000 0000 0000 0000 0001 0000
    FILE_EXECUTE           0000 0000 0000 0000 0000 0000 0010 0000
    FILE_READ_ATTRIBUTES   0000 0000 0000 0000 0000 0000 1000 0000
    FILE_WRITE_ATTRIBUTES  0000 0000 0000 0000 0000 0001 0000 0000
    DELETE_ACCESS          0000 0000 0000 0001 0000 0000 0000 0000
    READ_CONTROL_ACCESS    0000 0000 0000 0010 0000 0000 0000 0000
    SYNCHRONIZE_ACCESS     0000 0000 0001 0000 0000 0000 0000 0000
  Sid:
    RevNum: 01
    NumAuths: 05
    IdAuth[6]: 00 00 00 00 00 05
    SubAuths: 15000000 4d5dc06f 04370f22 e16f0015 683a0000
    Sid is: S-1-5-21-1874877773-571422468-352350177-14952 (ACCOUNT_DOM\bq376)
-----------------------------------------
  Type: 00
  Flags: 00
  Size: 2400
  Mask: ff011f00
    0x001F01FF ==          0000 0000 0001 1111 0000 0001 1111 1111
    FILE_READ_DATA         0000 0000 0000 0000 0000 0000 0000 0001
    FILE_WRITE_DATA        0000 0000 0000 0000 0000 0000 0000 0010
    FILE_APPEND            0000 0000 0000 0000 0000 0000 0000 0100
    FILE_READ_EA           0000 0000 0000 0000 0000 0000 0000 1000
    FILE_WRITE_EA          0000 0000 0000 0000 0000 0000 0001 0000
    FILE_EXECUTE           0000 0000 0000 0000 0000 0000 0010 0000
    FILE_DELETE_CHILD      0000 0000 0000 0000 0000 0000 0100 0000
    FILE_READ_ATTRIBUTES   0000 0000 0000 0000 0000 0000 1000 0000
    FILE_WRITE_ATTRIBUTES  0000 0000 0000 0000 0000 0001 0000 0000
    DELETE_ACCESS          0000 0000 0000 0001 0000 0000 0000 0000
    READ_CONTROL_ACCESS    0000 0000 0000 0010 0000 0000 0000 0000
    WRITE_DAC_ACCESS       0000 0000 0000 0100 0000 0000 0000 0000
    WRITE_OWNER_ACCESS     0000 0000 0000 1000 0000 0000 0000 0000
    SYNCHRONIZE_ACCESS     0000 0000 0001 0000 0000 0000 0000 0000
  Sid:
    RevNum: 01
    NumAuths: 05
    IdAuth[6]: 00 00 00 00 00 05
    SubAuths: 15000000 dd74061d 1953515c 98340878 00020000
    S-1-5-21-486962397-1548833561-2013738136-512 (RESOURCE_DOM\Domain Admins)
=========================================
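
The following is an added example, not part of the original post: a small Python decoder for the wire-format SIDs and access masks shown in the two traces, used to compare the owner entries the Samba and NT servers returned. The function names are hypothetical; the byte strings are copied from the dump above.

```python
import struct

# Access-mask bit names as used in the dump above.
RIGHTS = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE_ACCESS",
    0x00020000: "READ_CONTROL_ACCESS", 0x00040000: "WRITE_DAC_ACCESS",
    0x00080000: "WRITE_OWNER_ACCESS", 0x00100000: "SYNCHRONIZE_ACCESS",
}

def parse_sid(hexdump):
    """Decode a wire-format SID given as hex text in packet byte order."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    rev, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match NumAuths")
    authority = int.from_bytes(raw[2:8], "big")      # IdAuth is big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # SubAuths are little-endian
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)

def domain_of(sid):
    """Domain part of an account SID: everything before the final RID."""
    return sid.rsplit("-", 1)[0]

def decode_mask(wire_hex):
    """Turn a mask in packet byte order (e.g. '9f011300') into right names."""
    value = int.from_bytes(bytes.fromhex(wire_hex), "little")
    return {name for bit, name in RIGHTS.items() if value & bit}

# Owner SIDs and owner-ACE masks, bytes copied from the two responses above.
SAMBA_OWNER = parse_sid("01 05 000000000005 15000000 b2c2c621 aa524883 808585c7 ba070000")
NT_OWNER = parse_sid("01 05 000000000005 15000000 4d5dc06f 04370f22 e16f0015 683a0000")
SAMBA_MASK, NT_MASK = decode_mask("9f011300"), decode_mask("bf011300")

if __name__ == "__main__":
    print(SAMBA_OWNER, "domain", domain_of(SAMBA_OWNER))
    print(NT_OWNER, "domain", domain_of(NT_OWNER))
    print("same domain SID:", domain_of(SAMBA_OWNER) == domain_of(NT_OWNER))
    print("rights only in NT owner ACE:", sorted(NT_MASK - SAMBA_MASK))
```

Run against the values in the post, it shows the Samba response naming the owner under a different domain SID from the one in the NT response, and the two owner ACE masks differing only in FILE_EXECUTE.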