Bug #10996

SMB can't view ACL if posix ID can't be mapped

Added by Gordon Ross 5 months ago. Updated 5 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Start date: 2019-05-14
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage

Description

When trying to add a "group" to a shared folder from Windows Explorer, the user will have an error screen pop up, stating "An error occurred while applying security information to:".

"No Mapping between account names and security IDs was done"

The permissions are added, even if the user quits out of the security settings menu. The error is not on the folder itself (most times), but any file(s) that have a non-ephemeral group ID will cause the error.

It turns out that a key piece of reproducing this problem is running across an ACL containing an ACE with a Unix UID that cannot be mapped to a name (i.e., a deleted user). That's a valid use case.

If the object is owned by a user or group that doesn't exist, STATUS_NONE_MAPPED is returned. If it contains an ACE specifying a user or group ID that doesn't exist, STATUS_INTERNAL_ERROR is returned, and the Security Information can't be viewed.

Steps to reproduce:

Add an ACE with a nonexistent id (e.g. chmod A+user:1337:full_set:fd:allow)
View the security settings from Windows

Expected Results:

Security settings are visible, and the unmapped posix ID is mapped to a 'local' SID

Actual Results:

Security settings can't be viewed
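
The expected and actual results above, modelled as an added example (not code from illumos or from this ticket): a strict translation fails the whole ACL on the first unmapped ID, while a tolerant one substitutes a local SID and keeps the ACL viewable. The `toy_idmap` table, the `acl_to_sids` helper and the `S-1-22-1-<uid>` / `S-1-22-2-<gid>` SID form are assumptions; the ticket does not say which local SID form the fix uses.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STATUS_SUCCESS        0x00000000u
#define STATUS_INTERNAL_ERROR 0xc00000e5u

struct ace { int is_group; uint32_t id; char sid[64]; };

/* Constructed ID map: only UID 100 and GID 10 have Windows mappings. */
static const char *toy_idmap(int is_group, uint32_t id)
{
    if (!is_group && id == 100) return "S-1-5-21-1-2-3-1104";
    if (is_group && id == 10)   return "S-1-5-21-1-2-3-513";
    return NULL;                /* deleted user/group: nothing to map to */
}

/*
 * Translate each ACE's POSIX ID into a SID string (hypothetical helper).
 * tolerant == 0: the first unmapped ID fails the whole ACL, which is the
 *                behaviour reported in this ticket.
 * tolerant != 0: an unmapped ID gets a local SID (assumed form
 *                S-1-22-1-<uid> or S-1-22-2-<gid>), so the ACL can be shown.
 */
static uint32_t acl_to_sids(struct ace *acl, size_t n, int tolerant)
{
    for (size_t i = 0; i < n; i++) {
        const char *sid = toy_idmap(acl[i].is_group, acl[i].id);
        if (sid != NULL) {
            snprintf(acl[i].sid, sizeof (acl[i].sid), "%s", sid);
        } else if (tolerant) {
            snprintf(acl[i].sid, sizeof (acl[i].sid), "S-1-22-%d-%u",
                acl[i].is_group ? 2 : 1, (unsigned)acl[i].id);
        } else {
            return STATUS_INTERNAL_ERROR;
        }
    }
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed ACL: one mapped user plus the UID from the repro step. */
    struct ace acl[] = { { 0, 100, "" }, { 0, 1337, "" } };
    printf("strict:   0x%08x\n", (unsigned)acl_to_sids(acl, 2, 0));
    printf("tolerant: 0x%08x -> %s\n",
        (unsigned)acl_to_sids(acl, 2, 1), acl[1].sid);
    return 0;
}
```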

History

#1

Updated by Gordon Ross 5 months ago

  • Description updated (diff)
  • Status changed from New to In Progress
#2

Updated by Gordon Ross 5 months ago

We're seeing a problem related to this at a customer. The file properties security tab can't be displayed if ACLs have entries with uids that no longer have mappings. Packet capture shows us that the server responds with 0xc00000e5 (STATUS_INTERNAL_ERROR) to the SEC_INFO request from the client. This can be easily reproduced by adding an ACL entry with a fake user ID to a file, just like this:

chmod A+user:26592:rwxpdDaARWcCos:fd----I:allow
dtrace -s /usr/lib/smbsrv/dtrace/smbsrv.d -o /var/tmp/dtrace.out shows that this is where we fail:

  0                <- smb_idmap_batch_destroy   0xffffff02510f0600
  0              <- smb_acl_from_zfs            0x0
  0              -> smb_sd_term                 0xffffff0008fc39c0      0xffffff0250fed480      0xffffff0008fc3c40      0x0     0x70    0xfffffffff7940e30
  0                -> smb_sid_free              0x0     0xffffff0250fed480      0xffffff0008fc3c40      0x0     0x70    0xfffffffff7940e30
  0                <- smb_sid_free              0x0
  0                -> smb_sid_free              0x0     0xffffff0250fed480      0xffffff0008fc3c40      0x0     0x70    0xfffffffff7940e30
  0                <- smb_sid_free              0x0
  0                -> smb_acl_free              0x0     0xffffff0250fed480      0xffffff0008fc3c40      0x0     0x70    0xfffffffff7940e30
  0                <- smb_acl_free              0x0
  0                -> smb_acl_free              0x0     0xffffff0250fed480      0xffffff0008fc3c40      0x0     0x70    0xfffffffff7940e30
  0                <- smb_acl_free              0x0
  0              <- smb_sd_term                 0x0
  0            <- smb_sd_fromfs                 0xc00000e5 <----- here
  0            -> smb_fssd_term                 0xffffff0008fc3930      0x28    0xffffff0008fc3c40      0x150   0x70    0xfffffffff7940e30
  0              -> smb_fsacl_free              0xffffff026f426b60      0x28    0xffffff0008fc3c40      0x150   0x70    0xfffffffff7940e30
  0              <- smb_fsacl_free              0xffffff029758a980
  0              -> smb_fsacl_free              0x0     0xffffff026f426b60      0xffffff0008fc3c40      0xa     0x70    0xfffffffff7940e30
  0              <- smb_fsacl_free              0xffffff029758a980
  0            <- smb_fssd_term                 0x0
  0          <- smb_sd_read                     0xc00000e5
  0        <- smb2_qinfo_sec                    0xc00000e5
  0        -> smb2sr_put_error                  0xffffff025d07cc78      0xc00000e5
#3

Updated by Gordon Ross 5 months ago

After an LDAP lookup fails, getpwuid returns with errno set to EINPROGRESS
(apparently by accident). That causes confusion in calling code.
The various NSS functions under nss_lookup don't set errno correctly.

#4

Updated by Electric Monk 5 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit 6a9f16736155acc477a23d23c677ba93631347dd

commit  6a9f16736155acc477a23d23c677ba93631347dd
Author: Matt Barden <matt.barden@nexenta.com>
Date:   2019-06-01T16:44:37.000Z

    10996 SMB can't view ACL if posix ID can't be mapped
    Review by: Gordon Ross <gordon.ross@nexenta.com>
    Review by: Evan Layton <evan.layton@nexenta.com>
    Approved by: Richard Lowe <richlowe@richlowe.net>
