Hi, all,

We run the smbcacls tool from a Linux machine to set file permissions on a Windows server.

Here is our environment:

Linux machine: Ubuntu 14.04 LTS, kernel version 3.13.0-112-generic
Samba version: 4.3.11
Windows machine: Windows Server 2012

The cmd we run is something like the following:

    /usr/bin/smbcacls -U 'Domain\Administrator'%'pwd' '//win_server/testshare' 'TestFolder\Test.txt' -S 'REVISION:1','ACL:win_server\Administrator:DENIED/0/0x100116','ACL:win_server\Administrator:ALLOWED/0/0x1200a9','ACL:Domain\Administrator:ALLOWED/16/FULL'

The smbcacls cmd worked before till recently. Due to the recent Windows patch which disables SMB v1, we have to add the following line into the [global] section in the smb.conf file on the Linux machine so that smbcacls can talk to the Windows server; otherwise it gets error NT_STATUS_CONNECTION_RESET:

    client max protocol = SMB3

With this option added, the smbcacls cmd ran into error NT_STATUS_NETWORK_NAME_DELETED.

But if we just run the smbcacls cmd to get ACLs, like

    /usr/bin/smbcacls -U 'Domain\Administrator'%'pwd' '//win_server/testshare' 'TestFolder\Test.txt'

it works without any problem, and does return all ACL entries.

If we remove this "client max protocol == SMB3" option from the smb.conf file and turn on SMBv1 on the Windows server side, the exact same smbcacls cmd for setting permissions works as before.

I have spent many hours googling and reading documents, but could not find anything related or helpful. Any suggestion or comment will be extremely helpful!

Thank you!

Best
Andy

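The -S argument in the message above packs three ACEs into one string. As an added example (not part of the original post and not Samba code), this Python sketch parses that string, names the access-mask bits, and reports bits that one trustee is both denied and allowed. The bit values are the standard Windows file access-mask constants; the function names are hypothetical and only the FULL symbolic mask used in the post is handled.

```python
# Added example: decode the smbcacls -S string from the post (not Samba code).
RIGHTS = {  # standard Windows file access-mask bits
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
NAMED_MASKS = {"FULL": 0x1F01FF}  # the only symbolic mask used in the post
INHERITED_ACE = 0x10              # ACE flag value 16, as on the last ACE

# The -S value from the post as the shell passes it (quotes removed).
POSTED_SPEC = (r"REVISION:1,ACL:win_server\Administrator:DENIED/0/0x100116,"
               r"ACL:win_server\Administrator:ALLOWED/0/0x1200a9,"
               r"ACL:Domain\Administrator:ALLOWED/16/FULL")


def parse_set_arg(spec):
    """Return (trustee, type, flags, mask) for every ACL: entry in spec."""
    aces = []
    for item in spec.split(","):
        if not item.startswith("ACL:"):
            continue  # REVISION:/OWNER:/GROUP: entries are not examined here
        trustee, perms = item[len("ACL:"):].rsplit(":", 1)
        ace_type, flags, mask = perms.split("/")
        mask_val = NAMED_MASKS[mask] if mask in NAMED_MASKS else int(mask, 0)
        aces.append((trustee, ace_type, int(flags, 0), mask_val))
    return aces


def rights(mask):
    """Names of the access-mask bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]


def deny_allow_overlap(aces):
    """Per trustee, the bits that appear in both a DENIED and an ALLOWED ACE."""
    overlap = {}
    for trustee, ace_type, _, mask in aces:
        for other, other_type, _, other_mask in aces:
            same = trustee.lower() == other.lower()
            if ace_type == "DENIED" and other_type == "ALLOWED" and same:
                if mask & other_mask:
                    overlap[trustee] = overlap.get(trustee, 0) | (mask & other_mask)
    return overlap


if __name__ == "__main__":
    parsed = parse_set_arg(POSTED_SPEC)
    for trustee, ace_type, flags, mask in parsed:
        print(trustee, ace_type, hex(flags), hex(mask), rights(mask))
    for trustee, bits in deny_allow_overlap(parsed).items():
        print("denied and allowed:", trustee, rights(bits))
```

For the posted string the only overlap is SYNCHRONIZE (0x100000) for win_server\Administrator; because the DENIED ACE is listed ahead of the ALLOWED one, the deny takes precedence for that bit.
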
Jeremy Allison
2017-Jun-08 16:37 UTC
[Samba] smbcacls got error NT_STATUS_NETWORK_NAME_DELETED
On Thu, Jun 08, 2017 at 09:23:50AM -0700, Andy Qian via samba wrote:
> Hi, all,
>
> we run smbcacls tool from linux machine to set file permissions on
> windows server.
>
> here is our environment:
>
> Linux machine: Ubuntu 14.04 LTS, kernel version 3.13.0-112-generic
>
> Samba version: 4.3.11
>
> Windows machine: Windows server 2012
>
> the cmd we run is something like following:
>
> /usr/bin/smbcacls -U 'Domain\Administrator'%'pwd'
> '//win_server/testshare' 'TestFolder\Test.txt' -S 'REVISION:1','ACL:win_server\Administrator:DENIED/0/0x100116','ACL:win_server\Administrator:ALLOWED/0/0x1200a9','ACL:Domain\Administrator:ALLOWED/16/FULL'
>
> The smbcacls cmd worked before till recently. Due to the recent
> Windows patch which disables SMB v1, we have to add the following
> line into the [global] section in smb.conf file on Linux machine so
> that the smbcacls can talk to the Windows server otherwise it gets
> error NT_STATUS_CONNECTION_RESET:
>
> client max protocol = SMB3
>
> with this option added, the smbcacls cmd ran into error
> NT_STATUS_NETWORK_NAME_DELETED.
>
> but if we just run smbcacls cmd to get ACLs, like
>
> /usr/bin/smbcacls -U 'Domain\Administrator'%'pwd'
> '//win_server/testshare' 'TestFolder\Test.txt'
>
> it works without any problem, and does return all ACL entries.
>
> if we remove this "client max protocol == SMB3" option from smb.conf
> file and turn on the SMBv1 on Windows server side, the exactly same
> smbcacls cmd for setting permission works as before.
>
> I have spent many hours googling and reading documents, but could
> not find anything related or helpful. Any suggestion or comment will
> be extremely helpful!

Can you log a bug so we can track this, and then upload a debug level 10 log from the client smbcacls command failing so we can take a look?

Thanks,

Jeremy.

Ralph Böhme
2017-Jun-08 16:43 UTC
[Samba] smbcacls got error NT_STATUS_NETWORK_NAME_DELETED
Hi Andy,

On Thu, Jun 08, 2017 at 09:23:50AM -0700, Andy Qian via samba wrote:
> The smbcacls cmd worked before till recently. Due to the recent Windows
> patch which disables SMB v1, we have to add the following line into the
> [global] section in smb.conf file on Linux machine so that the smbcacls can
> talk to the Windows server otherwise it gets error
> NT_STATUS_CONNECTION_RESET:
>
> client max protocol = SMB3
>
> with this option added, the smbcacls cmd ran into error
> NT_STATUS_NETWORK_NAME_DELETED.

It's a bug in smbcacls. For some reason, when using protocol level > 1 it issues create calls on an invalid, just closed IPC tree connect, instead of the still connected share.

Just ran into this today (but have seen it earlier) when passing -m smb3 on the command line. Shouldn't be too hard to fix this, just didn't have the time.

Can you file a bug so we can keep track of this?

Cheerio!
-slow

Thank you very much for the reply. I will file a bug for this.

Best
Andy

On 06/08/2017 09:37 AM, Jeremy Allison wrote:
> On Thu, Jun 08, 2017 at 09:23:50AM -0700, Andy Qian via samba wrote:
>> Hi, all,
>>
>> we run smbcacls tool from linux machine to set file permissions on
>> windows server.
>>
>> here is our environment:
>>
>> Linux machine: Ubuntu 14.04 LTS, kernel version 3.13.0-112-generic
>>
>> Samba version: 4.3.11
>>
>> Windows machine: Windows server 2012
>>
>> the cmd we run is something like following:
>>
>> /usr/bin/smbcacls -U 'Domain\Administrator'%'pwd'
>> '//win_server/testshare' 'TestFolder\Test.txt' -S 'REVISION:1','ACL:win_server\Administrator:DENIED/0/0x100116','ACL:win_server\Administrator:ALLOWED/0/0x1200a9','ACL:Domain\Administrator:ALLOWED/16/FULL'
>>
>> The smbcacls cmd worked before till recently. Due to the recent
>> Windows patch which disables SMB v1, we have to add the following
>> line into the [global] section in smb.conf file on Linux machine so
>> that the smbcacls can talk to the Windows server otherwise it gets
>> error NT_STATUS_CONNECTION_RESET:
>>
>> client max protocol = SMB3
>>
>> with this option added, the smbcacls cmd ran into error
>> NT_STATUS_NETWORK_NAME_DELETED.
>>
>> but if we just run smbcacls cmd to get ACLs, like
>>
>> /usr/bin/smbcacls -U 'Domain\Administrator'%'pwd'
>> '//win_server/testshare' 'TestFolder\Test.txt'
>>
>> it works without any problem, and does return all ACL entries.
>>
>> if we remove this "client max protocol == SMB3" option from smb.conf
>> file and turn on the SMBv1 on Windows server side, the exactly same
>> smbcacls cmd for setting permission works as before.
>>
>> I have spent many hours googling and reading documents, but could
>> not find anything related or helpful. Any suggestion or comment will
>> be extremely helpful!
> Can you log a bug so we can track this, and then upload
> a debug level 10 log from the client smbcacls command
> failing so we can take a look ?
>
> Thanks,
>
> Jeremy.

Jeremy Allison
2017-Jun-08 21:40 UTC
[Samba] smbcacls got error NT_STATUS_NETWORK_NAME_DELETED
On Thu, Jun 08, 2017 at 06:43:34PM +0200, Ralph Böhme via samba wrote:
> Hi Andy,
>
> On Thu, Jun 08, 2017 at 09:23:50AM -0700, Andy Qian via samba wrote:
> > The smbcacls cmd worked before till recently. Due to the recent Windows
> > patch which disables SMB v1, we have to add the following line into the
> > [global] section in smb.conf file on Linux machine so that the smbcacls can
> > talk to the Windows server otherwise it gets error
> > NT_STATUS_CONNECTION_RESET:
> >
> > client max protocol = SMB3
> >
> > with this option added, the smbcacls cmd ran into error
> > NT_STATUS_NETWORK_NAME_DELETED.
>
> it's a bug in smbcacls. For some reason, when using protocol level > 1 it issues
> create calls on an invalid, just closed IPC tree connect, instead of the still
> connected share.
>
> Just ran into this today (but have seen it earlier) when passing -m smb3 on the
> command line. Shouldn't be too hard to fix this, just didn't have the time.

Just tried but couldn't reproduce this against an smbd server running master.

Ralph, do you have a reproducer?