Sebastian Hetze
2004-Feb-28 18:30 UTC
[Samba] Possible bug with ACL handling after NT user migration
Hi *

I encounter severe problems with changing ACL settings in Samba 3.0.2a after migrating users from NT PDC to LDAP-SAM.

I did not find anything about this in the mailing list yet. However, I have no idea (if) what I am doing wrong here. Although I can hardly believe that I am the first one to trigger that bug, it looks like a problem with the sid_to_gid routine. So please take a look at that:

After migrating users from NT4 to samba you get lots of RIDs that do not match the rid algorithm. As one such user, preferably one with an odd RID, create a new file on some samba share with Linux ACL enabled. Now open the Properties->Security->??? dialog (Eigenschaften->Sicherheit->Berechtigungen in German) and change anything. Add write permission to everyone, for example. Now take a look at that file in the Linux filesystem, especially the ACL on that file. The owner has lost write permission and some group has got full access instead. The GID of this (possibly not even existing) group is exactly the result of the RID algorithm calculation.

My brief investigations indicate that the function create_canon_ace_lists() from posix_acls.c calls both sid_to_gid() and sid_to_uid() in turn with the same SID just to try if it matches in one case or the other. Unfortunately, sid_to_gid() falls back to algorithmic mapping and in the case shown above it succeeds in calculating a gid out of the migrated user's RID.

Turning off algorithmic rid calculation in general would solve the problem. However, I doubt that this is the correct solution at this time. For example, I would like to keep this algorithmic thing for automatic creation of new (machine) accounts.

One possible solution might be to use the algorithmic rid base to open a window of free RIDs for NT user migration. This could possibly be done by checking the return value of pdb_group_rid_to_gid to be a non-negative value before assigning the gid (just a quick shot).

Before I start coding and further testing I would like to get you involved. First of all, I would like you to either confirm the bug or help me blind man to find the misconfiguration on my side.

Best regards,
Sebastian
Andrew Bartlett
2004-Feb-29 06:30 UTC
[Samba] Possible bug with ACL handling after NT user migration
On Sun, 2004-02-29 at 05:28, Sebastian Hetze wrote:
> Hi *
>
> I encounter severe problems with changing ACL settings in Samba
> 3.0.2a after migrating users from NT PDC to LDAP-SAM.
>
> I did not find anything about this in the mailing list yet.
> However, I have no idea (if) what I am doing wrong here.
> Although I can hardly believe that I am the first one to trigger
> that bug, it looks like a problem with the sid_to_gid routine.
> So please take a look at that:
>
> After migrating users from NT4 to samba you get lots of RIDs that
> do not match the rid algorithm.

The code is designed such that it should look for a matching name in the SAM -> posix account to establish the mapping, before resorting to the algorithmic mapping.

> As one such user, preferably one
> with an odd RID, create a new file on some samba share with Linux
> ACL enabled. Now open the Properties->Security->??? dialog
> (Eigenschaften->Sicherheit->Berechtigungen in German)
> and change anything. Add write permission to everyone, for example.
> Now take a look at that file in the Linux filesystem, especially
> the ACL on that file. The owner has lost write permission and
> some group has got full access instead.
> The GID of this (possibly not even existing) group is exactly
> the result of the RID algorithm calculation.

OUCH.

> My brief investigations indicate that the function
> create_canon_ace_lists() from posix_acls.c calls both sid_to_gid()
> and sid_to_uid() in turn with the same SID just to try if it matches
> in one case or the other. Unfortunately, sid_to_gid() falls back to
> algorithmic mapping and in the case shown above it succeeds in
> calculating a gid out of the migrated user's RID.
>
> Turning off algorithmic rid calculation in general would solve
> the problem. However, I doubt that this is the correct solution
> at this time. For example, I would like to keep this algorithmic
> thing for automatic creation of new (machine) accounts.

I still think you should use the algorithmic rid base, but we need to make these functions 'fail' for users in that range.

> One possible solution might be to use the algorithmic rid base to
> open a window of free RIDs for NT user migration. This could possibly
> be done by checking the return value of pdb_group_rid_to_gid to be
> a non-negative value before assigning the gid (just a quick shot).

We should allow these functions to fail, yes.

> Before I start coding and further testing I would like to get you
> involved. First of all, I would like you to either confirm the
> bug or help me blind man to find the misconfiguration on my side.

Sounds like a genuine bug to me. What we needed was the full idmap, but in the meantime, we should have a sid_to_id() routine that tries both systems for an 'exact' match before it guesses.

Please write this up in bugzilla, so we don't lose it. This is a serious issue, as you have noted.

Andrew Bartlett

--
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
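The failure mode in the report and the sid_to_id() shape Andrew proposes, as an added example that is not Samba's code and not part of either message. It assumes the classic Samba 3 algorithmic scheme (user RID = uid * 2 + base, group RID = gid * 2 + base + 1, default base 1000), a constructed SAM with two migrated users and one mapped group, and a hypothetical reserved window `MIGRATED_RID_MAX` below which unknown RIDs are refused instead of guessed. `legacy_rid_to_gid()` reproduces the misbehaviour (an odd migrated user RID is read as a group RID and yields an unrelated gid); `rid_to_id()` tries an exact match in both tables first and fails inside the window.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Assumed classic Samba 3 algorithmic mapping (base 1000, multiplier 2):
 * user RID = uid * 2 + base, group RID = gid * 2 + base + 1. */
#define RID_BASE         1000u
#define RID_MULTIPLIER   2u

/* Hypothetical window reserved for RIDs carried over from the NT4 PDC:
 * the algorithmic fallback is refused for any RID below this value. */
#define MIGRATED_RID_MAX 20000u

/* Constructed SAM contents: migrated NT users whose RIDs do not follow the
 * algorithm. 1003 is odd, so the algorithm would read it as a group RID. */
struct sam_user  { uint32_t rid; uid_t uid; };
struct sam_group { uint32_t rid; gid_t gid; };

static const struct sam_user sam_users[] = {
    { 1003, 500 },   /* migrated user, odd RID */
    { 1108, 501 },   /* migrated user, even RID */
};
static const struct sam_group sam_groups[] = {
    { 513, 100 },    /* constructed: a well-known group mapped to gid 100 */
};

static bool lookup_user_rid(uint32_t rid, uid_t *uid)
{
    for (size_t i = 0; i < sizeof sam_users / sizeof sam_users[0]; i++)
        if (sam_users[i].rid == rid) { *uid = sam_users[i].uid; return true; }
    return false;
}

static bool lookup_group_rid(uint32_t rid, gid_t *gid)
{
    for (size_t i = 0; i < sizeof sam_groups / sizeof sam_groups[0]; i++)
        if (sam_groups[i].rid == rid) { *gid = sam_groups[i].gid; return true; }
    return false;
}

/* Parity test of the assumed scheme: even offset from the base means "user". */
static bool algorithmic_rid_is_user(uint32_t rid)
{
    return rid >= RID_BASE && ((rid - RID_BASE) % RID_MULTIPLIER) == 0;
}

/* The behaviour described in the report: sid_to_gid() guesses whenever the
 * RID has group parity, even when it belongs to a migrated user.
 * Returns the gid, or -1 when no mapping is found. */
static long legacy_rid_to_gid(uint32_t rid)
{
    gid_t gid;
    if (lookup_group_rid(rid, &gid))
        return (long)gid;
    if (rid > RID_BASE && !algorithmic_rid_is_user(rid))
        return (long)((rid - RID_BASE - 1) / RID_MULTIPLIER);   /* the bad guess */
    return -1;
}

enum id_type { ID_NONE = 0, ID_USER, ID_GROUP };

/* Proposed sid_to_id() shape: exact match in both tables first, refuse to
 * guess inside the migrated window, and only then use the algorithm. */
static enum id_type rid_to_id(uint32_t rid, uid_t *uid, gid_t *gid)
{
    if (lookup_user_rid(rid, uid))  return ID_USER;
    if (lookup_group_rid(rid, gid)) return ID_GROUP;
    if (rid < MIGRATED_RID_MAX)     return ID_NONE;   /* fail, do not guess */
    if (algorithmic_rid_is_user(rid)) {
        *uid = (uid_t)((rid - RID_BASE) / RID_MULTIPLIER);
        return ID_USER;
    }
    *gid = (gid_t)((rid - RID_BASE - 1) / RID_MULTIPLIER);
    return ID_GROUP;
}

/* Convenience wrappers: uid/gid for a RID, or -1 when it does not resolve to that kind. */
static long resolve_uid(uint32_t rid)
{
    uid_t u = 0; gid_t g = 0;
    return rid_to_id(rid, &u, &g) == ID_USER ? (long)u : -1;
}

static long resolve_gid(uint32_t rid)
{
    uid_t u = 0; gid_t g = 0;
    return rid_to_id(rid, &u, &g) == ID_GROUP ? (long)g : -1;
}

int main(void)
{
    uint32_t rid = 1003;   /* migrated user with an odd RID */
    printf("RID %u: legacy sid_to_gid guesses gid %ld; exact lookup gives uid %ld, gid %ld\n",
           rid, legacy_rid_to_gid(rid), resolve_uid(rid), resolve_gid(rid));
    return 0;
}
```

Running it for RID 1003 shows the guessed gid 1 beside the correct uid 500, which is exactly the symptom in the report: create_canon_ace_lists() asks sid_to_gid() first, gets a plausible-looking gid, and writes an ACL entry for a group that was never intended.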