Displaying 13 results from an estimated 13 matches for "get_nt_acl_intern".
2016 Aug 26
2
Issue with acl_xattr:ignore system acls in 4.5rc2
...When adding the validate_nt_acl_blob() function in
[PATCH 06/12] vfs_acl_common: move the ACL blob validation to a helper function
this makes some of the existing function names in debug statements
incorrect.
Eg. validate_nt_acl_blob() has debug statements:
DEBUG(10, ("get_nt_acl_internal: ACL blob revision "
           "mismatch (%u) for file %s\n",
           (unsigned int)hash_type,
           smb_fname->base_name));
TALLOC_FREE(psd_blob);
return NT_STATUS_...
2016 Aug 26
2
Issue with acl_xattr:ignore system acls in 4.5rc2
On Fri, Aug 26, 2016 at 06:33:26PM +0200, Ralph Böhme via samba wrote:
> On Thu, Aug 25, 2016 at 12:14:00PM -0700, Jeremy Allison wrote:
> > On Wed, Aug 24, 2016 at 04:06:42PM +0200, Ralph Böhme via samba wrote:
> > >
> > > Yeah, as much as I'd like to avoid adding a new option, I guess we
> > > have to do something about it, my latest take on this is
>
2016 Aug 29
1
Issue with acl_xattr:ignore system acls in 4.5rc2
...E_TYPE_ACCESS_ALLOWED,
> --
> 2.7.4
>
>
> From 55d74651c664d210a55b6833dee575dc1b101271 Mon Sep 17 00:00:00 2001
> From: Ralph Boehme <slow at samba.org>
> Date: Tue, 23 Aug 2016 13:08:12 +0200
> Subject: [PATCH 02/13] vfs_acl_common: rename psd to psd_blob in
> get_nt_acl_internal()
>
> This makes it explicit where the SD is originating from. No change in
> behaviour.
>
> This just paves the way for a later change that will simplify the whole
> logic and talloc hierarchy, therefore this also strictly renames the
> occurrences after the out label.
>...
2016 Aug 27
2
Issue with acl_xattr:ignore system acls in 4.5rc2
On Fri, Aug 26, 2016 at 04:03:49PM -0700, Jeremy Allison wrote:
> On Fri, Aug 26, 2016 at 02:46:19PM -0700, Jeremy Allison via samba wrote:
> > On Fri, Aug 26, 2016 at 06:44:05PM +0200, Ralph Böhme wrote:
> > >
> > > Cheerio!
> > > -slow
> >
> > Still reviewing this - but a few things that will need changing:
> >
> > When adding the
2016 Jan 08
2
Security permissions issues after changing idmap backend from RID to AUTORID
...thru setfacl to edit
> the POSIX ACLS directly rather than adding thru smbcacls/samba-tool ntacl.
>
> 2) Later samba configured with AUTORID with base range as the RID idmap
> range.
>
> 3) Now when the customer tries to access the share they get "access denied" and
> the get_nt_acl_internal() gives the underlying file system SD with
> legacy_uid_sid conversion. Those SIDs do not match the user SIDs.
>
> Attached the debug level 10 log for more information on this issue.
>
>
> Note:
>
> The idmap range for RID:
>
> idmap config <DOMAIN> : range =...
2016 Jan 10
2
Security permissions issues after changing idmap backend from RID to AUTORID
...smbcacls/samba-tool
>>> ntacl.
>>>
>>> 2) Later samba configured with AUTORID with base range as the RID idmap
>>> range.
>>>
>>> 3) Now when the customer tries to access the share they get "access denied"
>>> and
>>> the get_nt_acl_internal() gives the underlying file system SD with
>>> legacy_uid_sid conversion. Those SIDs do not match the user SIDs.
>>>
>>> Attached the debug level 10 log for more information on this issue.
>>>
>>>
>>> Note:
>>>
>>> The idmap...
2016 Jan 10
0
Security permissions issues after changing idmap backend from RID to AUTORID
...the POSIX ACLS directly rather than adding thru smbcacls/samba-tool ntacl.
>>
>> 2) Later samba configured with AUTORID with base range as the RID idmap
>> range.
>>
>> 3) Now when the customer tries to access the share they get "access denied" and
>> the get_nt_acl_internal() gives the underlying file system SD with
>> legacy_uid_sid conversion. Those SIDs do not match the user SIDs.
>>
>> Attached the debug level 10 log for more information on this issue.
>>
>>
>> Note:
>>
>> The idmap range for RID:
>>
>>...
2016 Jan 10
0
Security permissions issues after changing idmap backend from RID to AUTORID
...s/samba-tool ntacl.
>
> 2) Later samba configured with AUTORID with base range as
> the RID idmap
> range.
>
> 3) Now when the customer tries to access the share they get
> "access denied" and
> the get_nt_acl_internal() gives the underlying file system
> SD with
> legacy_uid_sid conversion. Those SIDs do not match the
> user SIDs.
>
> Attached the debug level 10 log for more information on
> this issue.
>
>
> No...
2012 Oct 24
3
SYSVOL ACLs and GPOs
Hi,
I have installed a virtual testing network consisting of one samba4 PDC
(latest git master) and one Windows XP Pro SP3 (fully updated) machine.
I have successfully provisioned an AD Domain and joined the XP machine
to it.
When I run the gpmc on the XP Pro machine and select:
Forest: <domain name> -> Domains -> <domain name> -> Group Policy
Objects -> Default Domain
2016 Sep 11
4
samba-tool ntacl sysvolreset - NT_STATUS_BUFFER_TOO_SMALL
...al/samba/var/locks/sysvol/
mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine
ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:107)
parse_acl_blob: ndr_pull_xattr_NTACL failed: Buffer Size Error
validate_nt_acl_blob: parse_acl_blob returned NT_STATUS_BUFFER_TOO_SMALL
get_nt_acl_internal: ACL validation for [/usr/local/samba/var/locks/sysvol/
n-client.ninja.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine]
failed
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
delete_lock_ref_count for file /usr/local/samba/var/locks/sysvol/
n-client.ninja.org.u...
2016 Jan 11
2
Security permissions issues after changing idmap backend from RID to AUTORID
On 2016-01-10 at 17:58 +0000, Rowland penny wrote:
> On 10/01/16 17:05, Partha Sarathi wrote:
> >
> > > This could have a lot to do with the fact that idmap_rid &
> > > idmap_autorid calculate the uids differently i.e if you have RID
> > > '2025000', autorid would calculate this as '1102500000' , rid
> > > would calculate this as
2016 Sep 28
0
samba-tool ntacl sysvolreset - NT_STATUS_BUFFER_TOO_SMALL
...sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine
> ndr_pull_error(11): Pull bytes 2 (../librpc/ndr/ndr_basic.c:107)
> parse_acl_blob: ndr_pull_xattr_NTACL failed: Buffer Size Error
> validate_nt_acl_blob: parse_acl_blob returned NT_STATUS_BUFFER_TOO_SMALL
> get_nt_acl_internal: ACL validation for
> [/usr/local/samba/var/locks/sysvol/mydomain.org.uk/Policies/{11111111-2222-3333-4444-555555555555}/Machine]
> failed
> set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_BUFFER_TOO_SMALL.
> delete_lock_ref_count for file
> /usr/local/samba/var/locks/sysvol/myd...
2016 Jan 11
0
Security permissions issues after changing idmap backend from RID to AUTORID
...D backend can not support it.
>
> - People lose access to their files since the permissions are
> for different IDs (that previously belonged to their name/sid).
> ==> This is the ACCESS DENIED you saw.
>
Yeah, this is true when we by mistake modify POSIX ACLs directly; then get_nt_acl_internal tries to construct the SD by deriving SIDs for every UID on the POSIX list. Otherwise it will never get into that path.
> - People may be granted access to files they should not have
> access to (files created by previous holders of their new ID).
>
> - If people create new file...