SMB can't view ACL if posix ID can't be mapped
When trying to add an "group" to an shared folder from Windows Explorer, user will have an error screen pop up, stating "An error occurred while applying security information to:".
"No Mapping between account names and security IDs was done"
The permissions are added, even if user quits out of the security settings menu. The
error is not on the folder itself (most times), but any file(s) that have an non-ephemeral group
ID will cause the error.
It turns out that a key piece of reproducing this problem is running across an ACL containing an ACE with a Unix UID that can not be mapped to a name. (i.e. a deleted user). That's a valid use case.
If the object is owned by a user or group that doesn't exist, STATUS_NONE_MAPPED is returned. If it contains an ACE specifying a user or group ID that doesn't exist, STATUS_INTERNAL_ERROR is returned, and the Security Information can't be viewed.
Steps to reproduce:
Add an ACE with a nonexistant id (e.g. chmod A+user:1337:full_set:fd:allow)
View the security settings from Windows
Security settings are visible, and the unmapped posix ID is mapped to a 'local' SID
Security settings can't be viewed
Updated by Gordon Ross over 2 years ago
We're seeing problem related to this at a customer. File properties security tab can't be displayed if ACLs have entries with uids that no longer have mappings. Packet capture shows us that the server responds with 0xc00000e5 (STATUS_INTERNAL_ERROR) to SEC_INFO request from the client. This can be easily reproduced by adding ACL entry with fake user ID to a file, just like this:
chmod A+user:26592:rwxpdDaARWcCos:fd----I:allow dtrace -s /usr/lib/smbsrv/dtrace/smbsrv.d -o /var/tmp/dtrace.out shows that this is where we fail: 0 <- smb_idmap_batch_destroy 0xffffff02510f0600 0 <- smb_acl_from_zfs 0x0 0 -> smb_sd_term 0xffffff0008fc39c0 0xffffff0250fed480 0xffffff0008fc3c40 0x0 0x70 0xfffffffff7940e 30 0 -> smb_sid_free 0x0 0xffffff0250fed480 0xffffff0008fc3c40 0x0 0x70 0xfffffffff7940e30 0 <- smb_sid_free 0x0 0 -> smb_sid_free 0x0 0xffffff0250fed480 0xffffff0008fc3c40 0x0 0x70 0xfffffffff7940e30 0 <- smb_sid_free 0x0 0 -> smb_acl_free 0x0 0xffffff0250fed480 0xffffff0008fc3c40 0x0 0x70 0xfffffffff7940e30 0 <- smb_acl_free 0x0 0 -> smb_acl_free 0x0 0xffffff0250fed480 0xffffff0008fc3c40 0x0 0x70 0xfffffffff7940e30 0 <- smb_acl_free 0x0 0 <- smb_sd_term 0x0 0 <- smb_sd_fromfs 0xc00000e5 <----- here 0 -> smb_fssd_term 0xffffff0008fc3930 0x28 0xffffff0008fc3c40 0x150 0x70 0xfffffffff7940e30 0 -> smb_fsacl_free 0xffffff026f426b60 0x28 0xffffff0008fc3c40 0x150 0x70 0xfffffffff7940e30 0 <- smb_fsacl_free 0xffffff029758a980 0 -> smb_fsacl_free 0x0 0xffffff026f426b60 0xffffff0008fc3c40 0xa 0x70 0xfffffffff7940e30 0 <- smb_fsacl_free 0xffffff029758a980 0 <- smb_fssd_term 0x0 0 <- smb_sd_read 0xc00000e5 0 <- smb2_qinfo_sec 0xc00000e5 0 -> smb2sr_put_error 0xffffff025d07cc78 0xc00000e5
Updated by Electric Monk over 2 years ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit 6a9f16736155acc477a23d23c677ba93631347dd Author: Matt Barden <email@example.com> Date: 2019-06-01T16:44:37.000Z 10996 SMB can't view ACL if posix ID can't be mapped Review by: Gordon Ross <firstname.lastname@example.org> Review by: Evan Layton <email@example.com> Approved by: Richard Lowe <firstname.lastname@example.org>