I was wondering if anyone knows if there are any plans to fix Bug #1139 (reproduced below) in version 3.0.3. I haven't tried 3.0.3pre1 yet, but from what I read of the changes it doesn't look like this bug has been addressed. Is there some other workaround? This bug is quite annoying as some of our users/administrators would like to use Windows to modify ACLs and we recently migrated SIDs from NT4. I've tried setting the algorithmic mapping base higher but this doesn't seem to help.

Any help would be appreciated.

Brandon Turner
MSC Computer Operations

BUG #1139:
----------------------------------------------------------------

How to reproduce that bug:

After migrating users from NT4 to samba you get lots of RIDs that do not match the rid algorithm. As one such user, preferably one with an odd RID, create a new file on some samba share with Linux ACL enabled. Now open the Properties->Security->??? dialog (Eigenschaften->Sicherheit->Berechtigungen in German) and change anything. Add write permission to everyone, for example. Now take a look at that file in the Linux filesystem, specially the ACL on that file. The owner has lost write permission and some group has got full access instead. The GID of this (possibly not even existing) group is exactly the result of the RID algorithm calculation.

What is happening?:

My brief investigations indicate that the function create_canon_ace_lists() from posix_acls.c calls both sid_to_gid() and sid_to_uid() in turn with the same SID just to try if it matches in one case or the other. Unfortunately, sid_to_gid() falls back to algorithmic mapping and in the case shown above it succeeds to calculate a gid out of the migrated user's RID.
Brandon Turner wrote:

| I was wondering if anyone knows if there are any plans
| to fix Bug #1139 (reproduced below) in version 3.0.3. I
| haven't tried 3.0.3pre1 yet, but from what I read of
| the changes it doesn't look like this bug has been
| addressed.

We'll do our best. The bug report sounds strange though. And we'll probably need to get some more information from you at some point.

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
There was a thread from Feb 28 to Feb 29 between Sebastian and Andrew that discussed this in more detail.

Basically, it seems that Samba uses algorithmic mapping even when an entry in LDAP indicates that a given SID is associated with an existing UID. Normally people don't experience this bug if they built their user databases from scratch, but if they migrated from NT keeping the old NT SIDs they begin to have correct SIDs and UIDs that don't follow Samba's algorithmic mapping.

So it seems when someone tries to use the Windows ACL editor to change the ACLs on a file, Samba changes the Linux ACLs based upon the algorithmic mapping of SID->UID instead of looking the SID up in LDAP first.

Hope that makes a little sense.

Brandon

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Thursday, March 25, 2004 4:59 PM
To: Brandon Turner
Cc: samba@lists.samba.org
Subject: Re: [Samba] Any plans to fix Bug 1139 in 3.0.3?
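
The lookup-order problem described in this thread, as an added example that is not part of the original messages and is not Samba source: a simplified C model of resolving a RID to a Unix id. The RID constants (base 1000, multiplier 2, odd RID means group) are assumptions based on Samba 3.0 defaults; the mapping table, RID 1235 and UID 5001 are constructed sample values, and all function names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the lookup order in the report; not Samba source. */
#define RID_BASE       1000u /* assumed default "algorithmic rid base" */
#define RID_MULTIPLIER 2u    /* assumed: rid = id * 2 + base (+1 for groups) */
#define GROUP_RID_TYPE 1u    /* odd RID reads as a group, even as a user */

enum id_type { ID_NONE, ID_UID, ID_GID };
struct resolved { enum id_type type; uint32_t id; };
struct map_entry { uint32_t rid; enum id_type type; uint32_t id; };

/* Constructed sample: a user migrated from NT4 who kept an odd RID. */
static const struct map_entry explicit_map[] = { { 1235, ID_UID, 5001 } };

static bool lookup_explicit(uint32_t rid, enum id_type want, uint32_t *id) {
    for (size_t i = 0; i < sizeof explicit_map / sizeof explicit_map[0]; i++)
        if (explicit_map[i].rid == rid && explicit_map[i].type == want) {
            *id = explicit_map[i].id;
            return true;
        }
    return false;
}
/* Algorithmic fallback: succeeds for any RID whose low bit fits the type. */
static bool algorithmic(uint32_t rid, enum id_type want, uint32_t *id) {
    if (rid < RID_BASE || ((rid & 1u) == GROUP_RID_TYPE) != (want == ID_GID))
        return false;
    *id = (rid - RID_BASE) / RID_MULTIPLIER;
    return true;
}
/* Reported behaviour: the gid attempt, fallback included, wins first. */
struct resolved resolve_reported(uint32_t rid) {
    struct resolved r = { ID_NONE, 0 };
    if (lookup_explicit(rid, ID_GID, &r.id) || algorithmic(rid, ID_GID, &r.id)) r.type = ID_GID;
    else if (lookup_explicit(rid, ID_UID, &r.id) || algorithmic(rid, ID_UID, &r.id)) r.type = ID_UID;
    return r;
}
/* Safer order: exhaust explicit mappings for both types before guessing. */
struct resolved resolve_explicit_first(uint32_t rid) {
    struct resolved r = { ID_NONE, 0 };
    if (lookup_explicit(rid, ID_UID, &r.id)) r.type = ID_UID;
    else if (lookup_explicit(rid, ID_GID, &r.id)) r.type = ID_GID;
    else if (algorithmic(rid, ID_GID, &r.id)) r.type = ID_GID;
    else if (algorithmic(rid, ID_UID, &r.id)) r.type = ID_UID;
    return r;
}
int main(void) {
    struct resolved a = resolve_reported(1235), b = resolve_explicit_first(1235);
    printf("reported: type=%d id=%u\n", (int)a.type, (unsigned)a.id);
    printf("explicit-first: type=%d id=%u\n", (int)b.type, (unsigned)b.id);
    return 0;
}
```

With the reported order the migrated user's ACL entry lands on gid 117, a group that may not exist; with explicit mappings consulted first it lands on the user's real uid.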