Using my master-devel branch, I've been testing creating a new group
policy object (from Windows 7 RSAT)

Attached is the log I get at level 10, with the failure to set the
default directory ACL (after successfully setting the file ACL, with
what appears to be the same values).

If someone who understands this code better than I could have a look, I
would most appreciate it, as this is the primary blocker before we can
think about enabling s3fs.

Thanks,

/data/samba-2/bin/smbd: pop_sec_ctx (0, 100) - sec_ctx_stack_ndx = 0
/data/samba-2/bin/smbd: lookup_name: Unix User\3000007 => domain=[Unix User], name=[3000007]
/data/samba-2/bin/smbd: lookup_name: flags = 0x073
/data/samba-2/bin/smbd: Finding user 3000007
/data/samba-2/bin/smbd: Trying _Get_Pwnam(), username as lowercase is 3000007
/data/samba-2/bin/smbd: Checking combinations of 0 uppercase letters in 3000007
/data/samba-2/bin/smbd: Get_Pwnam_internals didn't find user [3000007]!
/data/samba-2/bin/smbd: lookup_name_smbconf for 3000007 failed
/data/samba-2/bin/smbd: could not create token for 3000007
/data/samba-2/bin/smbd: print_canon_ace_list: dir ace - before valid
/data/samba-2/bin/smbd: canon_ace index 0. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 1. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-519 gid 3000005 (3000005) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 2. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER_OBJ ace_flags = 0xb perms rwx
/data/samba-2/bin/smbd: canon_ace index 3. Type = allow SID = S-1-5-18 gid 3000066 (3000066) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 4. Type = allow SID = S-1-5-11 gid 3000002 (3000002) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
/data/samba-2/bin/smbd: canon_ace index 5. Type = allow SID = S-1-5-9 gid 3000067 (3000067) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
/data/samba-2/bin/smbd: print_canon_ace_list: file ace - return
/data/samba-2/bin/smbd: canon_ace index 0. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 1. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 uid 3000007 (3000007) SMB_ACL_USER ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 3. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 uid 3000007 (3000007) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 4. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 5. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-519 gid 3000005 (3000005) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 6. Type = allow SID = S-1-5-18 gid 3000066 (3000066) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 7. Type = allow SID = S-1-5-11 gid 3000002 (3000002) SMB_ACL_GROUP ace_flags = 0x0 perms r-x
/data/samba-2/bin/smbd: canon_ace index 8. Type = allow SID = S-1-5-9 gid 3000067 (3000067) SMB_ACL_GROUP ace_flags = 0x0 perms r-x
/data/samba-2/bin/smbd: print_canon_ace_list: dir ace - return
/data/samba-2/bin/smbd: canon_ace index 0. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 1. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 3. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 4. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 5. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-519 gid 3000005 (3000005) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 6. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER_OBJ ace_flags = 0xb perms rwx
/data/samba-2/bin/smbd: canon_ace index 7. Type = allow SID = S-1-5-18 gid 3000066 (3000066) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 8. Type = allow SID = S-1-5-11 gid 3000002 (3000002) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
/data/samba-2/bin/smbd: canon_ace index 9. Type = allow SID = S-1-5-9 gid 3000067 (3000067) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
/data/samba-2/bin/smbd: push_sec_ctx(0, 100) : sec_ctx_stack_ndx = 1
/data/samba-2/bin/smbd: push_conn_ctx(22411) : conn_ctx_stack_ndx = 0
/data/samba-2/bin/smbd: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
/data/samba-2/bin/smbd: Security token: (NULL)
/data/samba-2/bin/smbd: UNIX token of user 0
/data/samba-2/bin/smbd: Primary group is 0 and contains 0 supplementary groups
/data/samba-2/bin/smbd: set_canon_ace_list: setting ACL:
/data/samba-2/bin/smbd: canon_ace index 0. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 1. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 uid 3000007 (3000007) SMB_ACL_USER ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 3. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 uid 3000007 (3000007) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 4. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 5. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-519 gid 3000005 (3000005) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 6. Type = allow SID = S-1-5-18 gid 3000066 (3000066) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 7. Type = allow SID = S-1-5-11 gid 3000002 (3000002) SMB_ACL_GROUP ace_flags = 0x0 perms r-x
/data/samba-2/bin/smbd: canon_ace index 8. Type = allow SID = S-1-5-9 gid 3000067 (3000067) SMB_ACL_GROUP ace_flags = 0x0 perms r-x
/data/samba-2/bin/smbd: canon_ace index 0. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 1. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 uid 3000007 (3000007) SMB_ACL_USER ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 3. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 uid 3000007 (3000007) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 4. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 5. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-519 gid 3000005 (3000005) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 6. Type = allow SID = S-1-5-18 gid 3000066 (3000066) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 7. Type = allow SID = S-1-5-11 gid 3000002 (3000002) SMB_ACL_GROUP ace_flags = 0x0 perms r-x
/data/samba-2/bin/smbd: canon_ace index 8. Type = allow SID = S-1-5-9 gid 3000067 (3000067) SMB_ACL_GROUP ace_flags = 0x0 perms r-x
/data/samba-2/bin/smbd: Calling acl_set_file: s4.obed.abartlet.net/Policies/{7D8C9D69-93CB-40AB-900E-F2AF57170730}, 0
/data/samba-2/bin/smbd: push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
/data/samba-2/bin/smbd: push_conn_ctx(22411) : conn_ctx_stack_ndx = 1
/data/samba-2/bin/smbd: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
/data/samba-2/bin/smbd: Security token: (NULL)
/data/samba-2/bin/smbd: UNIX token of user 0
/data/samba-2/bin/smbd: Primary group is 0 and contains 0 supplementary groups
/data/samba-2/bin/smbd: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
/data/samba-2/bin/smbd: pop_sec_ctx (0, 100) - sec_ctx_stack_ndx = 0
/data/samba-2/bin/smbd: push_sec_ctx(0, 100) : sec_ctx_stack_ndx = 1
/data/samba-2/bin/smbd: push_conn_ctx(22411) : conn_ctx_stack_ndx = 0
/data/samba-2/bin/smbd: setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
/data/samba-2/bin/smbd: Security token: (NULL)
/data/samba-2/bin/smbd: UNIX token of user 0
/data/samba-2/bin/smbd: Primary group is 0 and contains 0 supplementary groups
/data/samba-2/bin/smbd: set_canon_ace_list: setting ACL:
/data/samba-2/bin/smbd: canon_ace index 0. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 1. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 3. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 4. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 5. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-519 gid 3000005 (3000005) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 6. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER_OBJ ace_flags = 0xb perms rwx
/data/samba-2/bin/smbd: canon_ace index 7. Type = allow SID = S-1-5-18 gid 3000066 (3000066) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 8. Type = allow SID = S-1-5-11 gid 3000002 (3000002) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
/data/samba-2/bin/smbd: canon_ace index 9. Type = allow SID = S-1-5-9 gid 3000067 (3000067) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
/data/samba-2/bin/smbd: canon_ace index 0. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 1. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER ace_flags = 0x0 perms rwx
/data/samba-2/bin/smbd: canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 3. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
/data/samba-2/bin/smbd: canon_ace index 4. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 5. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-519 gid 3000005 (3000005) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 6. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER_OBJ ace_flags = 0xb perms rwx
/data/samba-2/bin/smbd: canon_ace index 7. Type = allow SID = S-1-5-18 gid 3000066 (3000066) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
/data/samba-2/bin/smbd: canon_ace index 8. Type = allow SID = S-1-5-11 gid 3000002 (3000002) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
/data/samba-2/bin/smbd: canon_ace index 9. Type = allow SID = S-1-5-9 gid 3000067 (3000067) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
/data/samba-2/bin/smbd: Calling acl_set_file: s4.obed.abartlet.net/Policies/{7D8C9D69-93CB-40AB-900E-F2AF57170730}, 1
/data/samba-2/bin/smbd: smb_acl_to_posix: ACL group:3000007:---
/data/samba-2/bin/smbd: user:3000007:rwx
/data/samba-2/bin/smbd: other::---
/data/samba-2/bin/smbd: group::---
/data/samba-2/bin/smbd: group:3000007:rwx
/data/samba-2/bin/smbd: group:3000005:rwx
/data/samba-2/bin/smbd: user::rwx
/data/samba-2/bin/smbd: group:3000066:rwx
/data/samba-2/bin/smbd: group:3000002:r-x
/data/samba-2/bin/smbd: group:3000067:r-x
/data/samba-2/bin/smbd: mask::rwx
/data/samba-2/bin/smbd: is invalid for set (Invalid argument)
/data/samba-2/bin/smbd: set_canon_ace_list: sys_acl_set_file type directory default failed for file s4.obed.abartlet.net/Policies/{7D8C9D69-93CB-40AB-900E-F2AF57170730} (Invalid argument).
/data/samba-2/bin/smbd: pop_sec_ctx (0, 100) - sec_ctx_stack_ndx = 0
/data/samba-2/bin/smbd: set_nt_acl: failed to set default acl on directory s4.obed.abartlet.net/Policies/{7D8C9D69-93CB-40AB-900E-F2AF57170730} (Invalid argument).
/data/samba-2/bin/smbd: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_setinfo.c:127
/data/samba-2/bin/smbd: smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2180

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
On Wed, 2012-05-09 at 08:00 +1000, Andrew Bartlett wrote:
> Using my master-devel branch, I've been testing creating a new group
> policy object (from Windows 7 RSAT)
>
> Attached is the log I get at level 10, with the failure to set the
> default directory ACL (after successfully setting the file ACL, with
> what appears to be the same values).
>
> If someone who understands this code better than I could have a look, I
> would most appreciate it, as this is the primary blocker before we can
> think about enabling s3fs.

I've been looking at this carefully; the key is that the
SMB_ACL_GROUP entry for S-1-5-21-4177067393-1453636373-93818737-512 gid
3000007 (3000007) is duplicated in the directory case.

This is because of an interaction with:

commit a5038ace24559bb02eec8262d3af5b5e78634d16
Author: Jeremy Allison <[hidden email]>
Date:   Fri Sep 2 11:58:56 2011 -0700

    Part 2 of bugfix for bug #7509 - smb_acl_to_posix: ACL is invalid
    for set (Invalid argument)

    Only map CREATOR_OWNER/CREATOR_GROUP to ACL_USER_OBJ/ACL_GROUP_OBJ in
    a default(directory) ACL set.

When used with the IDMAP_BOTH supporting code, I need to (effectively)
revert the above, otherwise I cannot force an object to be
ACL_GROUP_OBJ (instead, it becomes ACL_GROUP, and becomes duplicated).

I would very much appreciate some assistance with this, as this code is
not only security-critical, it is also incredibly complex.
Additionally, as the patch in question works without my changes (but
gives a wrong posix ACL), and was added only recently for a bug, I
assume reverting it isn't the correct answer.

The issue is that when we then fill in the ACL_GROUP_OBJ, we get this:

> /data/samba-2/bin/smbd: print_canon_ace_list: dir ace - before valid
> /data/samba-2/bin/smbd: canon_ace index 0. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 1. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-519 gid 3000005 (3000005) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 2. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER_OBJ ace_flags = 0xb perms rwx
> /data/samba-2/bin/smbd: canon_ace index 3. Type = allow SID = S-1-5-18 gid 3000066 (3000066) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 4. Type = allow SID = S-1-5-11 gid 3000002 (3000002) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
> /data/samba-2/bin/smbd: canon_ace index 5. Type = allow SID = S-1-5-9 gid 3000067 (3000067) SMB_ACL_GROUP ace_flags = 0x3 perms r-x

turned into:

> /data/samba-2/bin/smbd: print_canon_ace_list: dir ace - return
> /data/samba-2/bin/smbd: canon_ace index 0. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x0 perms ---
> /data/samba-2/bin/smbd: canon_ace index 1. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER ace_flags = 0x0 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
> /data/samba-2/bin/smbd: canon_ace index 3. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
> /data/samba-2/bin/smbd: canon_ace index 4. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-512 gid 3000007 (3000007) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 5. Type = allow SID = S-1-5-21-4177067393-1453636373-93818737-519 gid 3000005 (3000005) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 6. Type = allow SID = S-1-3-0 uid 3000007 (3000007) SMB_ACL_USER_OBJ ace_flags = 0xb perms rwx
> /data/samba-2/bin/smbd: canon_ace index 7. Type = allow SID = S-1-5-18 gid 3000066 (3000066) SMB_ACL_GROUP ace_flags = 0x3 perms rwx
> /data/samba-2/bin/smbd: canon_ace index 8. Type = allow SID = S-1-5-11 gid 3000002 (3000002) SMB_ACL_GROUP ace_flags = 0x3 perms r-x
> /data/samba-2/bin/smbd: canon_ace index 9. Type = allow SID = S-1-5-9 gid 3000067 (3000067) SMB_ACL_GROUP ace_flags = 0x3 perms r-x

which ends up giving this (with duplicate group:3000007 entries):

> /data/samba-2/bin/smbd: Calling acl_set_file: s4.obed.abartlet.net/Policies/{7D8C9D69-93CB-40AB-900E-F2AF57170730}, 1
>
> /data/samba-2/bin/smbd: smb_acl_to_posix: ACL group:3000007:---
> /data/samba-2/bin/smbd: user:3000007:rwx
> /data/samba-2/bin/smbd: other::---
> /data/samba-2/bin/smbd: group::---
> /data/samba-2/bin/smbd: group:3000007:rwx
> /data/samba-2/bin/smbd: group:3000005:rwx
> /data/samba-2/bin/smbd: user::rwx
> /data/samba-2/bin/smbd: group:3000066:rwx
> /data/samba-2/bin/smbd: group:3000002:r-x
> /data/samba-2/bin/smbd: group:3000067:r-x
> /data/samba-2/bin/smbd: mask::rwx
> /data/samba-2/bin/smbd: is invalid for set (Invalid argument)
> /data/samba-2/bin/smbd: set_canon_ace_list: sys_acl_set_file type directory default failed for file s4.obed.abartlet.net/Policies/{7D8C9D69-93CB-40AB-900E-F2AF57170730} (Invalid argument).
> /data/samba-2/bin/smbd: pop_sec_ctx (0, 100) - sec_ctx_stack_ndx = 0
> /data/samba-2/bin/smbd: set_nt_acl: failed to set default acl on directory s4.obed.abartlet.net/Policies/{7D8C9D69-93CB-40AB-900E-F2AF57170730} (Invalid argument).
> /data/samba-2/bin/smbd: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] || at ../source3/smbd/smb2_setinfo.c:127
> /data/samba-2/bin/smbd: smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_INVALID_PARAMETER] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:2180

The almost-identical file ACL is not impacted by the change I identified
above, so works perfectly.

This also seems to trigger some very complex code that tries to make a
user token for the group (domain admins, 3000007) to see if it is a
member of the other groups.

Finally, when we get all this sorted, we need to work out what to do
with a 'group' that is Creator Owner. Currently we only map a uid
permission for that group.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
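The "is invalid for set (Invalid argument)" failure in both messages above comes from the POSIX ACL validity rules, which Samba's smb_acl_to_posix has to satisfy before sys_acl_set_file can succeed. The checker below is an added example, not code from this thread or from Samba: it parses the short-text form that smb_acl_to_posix logs ("group:3000007:rwx"), applies the entry-count and uniqueness rules of POSIX.1e draft 17 (the rules an acl_valid(3)-style check enforces, assumed here: exactly one user::, group:: and other:: entry, at most one mask::, a mask:: required whenever a named user or group entry is present, and unique qualifiers among named entries), and reports which rule an ACL breaks. Entry ordering is not modelled. The sample ACL text is copied from the failing directory default ACL in the log.

```python
"""POSIX.1e ACL validity checker for the short-text form that
smb_acl_to_posix logs (e.g. "group:3000007:rwx").

Added example for this thread; it is not Samba code. It applies the
entry-count and uniqueness rules of POSIX.1e draft 17 (the rules an
acl_valid(3)-style check enforces; assumed here, ordering not modelled)
and reports which rule an ACL breaks.
"""
from collections import Counter

# The eleven entries copied from the "smb_acl_to_posix: ACL" lines of the
# log in this thread (the directory default ACL that failed with EINVAL).
LOG_ACL = """\
group:3000007:---
user:3000007:rwx
other::---
group::---
group:3000007:rwx
group:3000005:rwx
user::rwx
group:3000066:rwx
group:3000002:r-x
group:3000067:r-x
mask::rwx
"""

TAGS = ("user", "group", "other", "mask")


def parse_acl(text):
    """Parse short-text ACL lines into (tag, qualifier, perms) tuples.

    An empty qualifier on a user/group entry denotes the owner
    (ACL_USER_OBJ) or owning-group (ACL_GROUP_OBJ) entry; a non-empty
    qualifier denotes a named ACL_USER / ACL_GROUP entry.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed entry: {line!r}")
        tag, qualifier, perms = parts
        if tag not in TAGS:
            raise ValueError(f"unknown tag in {line!r}")
        if tag in ("other", "mask") and qualifier:
            raise ValueError(f"{tag} entry must not carry a qualifier: {line!r}")
        # perms must be exactly three characters drawn from r/-, w/-, x/-
        if len(perms) != 3 or any(c not in (want, "-") for c, want in zip(perms, "rwx")):
            raise ValueError(f"bad permission string in {line!r}")
        entries.append((tag, qualifier, perms))
    return entries


def acl_problems(entries):
    """Return the list of validity violations; an empty list means valid."""
    problems = []
    counts = Counter((tag, bool(qualifier)) for tag, qualifier, _ in entries)

    # Rule 1: exactly one ACL_USER_OBJ, one ACL_GROUP_OBJ and one ACL_OTHER.
    for tag in ("user", "group", "other"):
        n = counts[(tag, False)]
        if n != 1:
            problems.append(f"{n} {tag}:: entries, need exactly 1")

    # Rule 2: at most one ACL_MASK, and one is required as soon as any
    # named user or group entry is present.
    named = counts[("user", True)] + counts[("group", True)]
    masks = counts[("mask", False)]
    if masks > 1:
        problems.append(f"{masks} mask:: entries, at most 1 allowed")
    if named and masks == 0:
        problems.append("named user/group entries present but no mask:: entry")

    # Rule 3: named entries must have unique qualifiers within their tag.
    # This is the rule the log's ACL breaks: group:3000007 appears twice.
    for tag in ("user", "group"):
        qualifiers = Counter(q for t, q, _ in entries if t == tag and q)
        for qualifier, n in sorted(qualifiers.items()):
            if n > 1:
                problems.append(f"{tag}:{qualifier} appears {n} times; qualifiers must be unique")
    return problems


def check_acl_text(text):
    """Convenience wrapper: parse, then validate."""
    return acl_problems(parse_acl(text))


if __name__ == "__main__":
    for problem in check_acl_text(LOG_ACL) or ["ACL is valid"]:
        print(problem)
```

Run against the log's ACL, the only violation reported is the duplicated group:3000007 entry; dropping either duplicate leaves an ACL that passes all three rules, which matches the observation in the thread that the near-identical file ACL (no duplicate) is set without error.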
On Wed, 2012-05-09 at 12:30 +1000, Andrew Bartlett wrote:
> On Wed, 2012-05-09 at 08:00 +1000, Andrew Bartlett wrote:
> > Using my master-devel branch, I've been testing creating a new group
> > policy object (from Windows 7 RSAT)
> >
> > Attached is the log I get at level 10, with the failure to set the
> > default directory ACL (after successfully setting the file ACL, with
> > what appears to be the same values).
> >
> > If someone who understands this code better than I could have a look, I
> > would most appreciate it, as this is the primary blocker before we can
> > think about enabling s3fs.
> >
>
> I've been looking at this carefully; the key is that the
> SMB_ACL_GROUP entry for S-1-5-21-4177067393-1453636373-93818737-512 gid
> 3000007 (3000007) is duplicated in the directory case.
>
> This is because of an interaction with:
>
> commit a5038ace24559bb02eec8262d3af5b5e78634d16
> Author: Jeremy Allison <[hidden email]>
> Date:   Fri Sep 2 11:58:56 2011 -0700
>
>     Part 2 of bugfix for bug #7509 - smb_acl_to_posix: ACL is invalid
>     for set (Invalid argument)
>
>     Only map CREATOR_OWNER/CREATOR_GROUP to ACL_USER_OBJ/ACL_GROUP_OBJ in
>     a default(directory) ACL set.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
On Wed, May 09, 2012 at 12:30:00PM +1000, Andrew Bartlett wrote:
>
> I would very much appreciate some assistance with this, as this code is
> not only security-critical, it is also incredibly complex.
> Additionally, as the patch in question works without my changes (but
> gives a wrong posix ACL), and was added only recently for a bug, I
> assume reverting it isn't the correct answer.

Yes, reverting this certainly isn't the right answer :-).

I'll try and take a look later this week.

Jeremy.
On Wed, May 09, 2012 at 12:36:56AM -0700, Jeremy Allison wrote:
> On Wed, May 09, 2012 at 12:30:00PM +1000, Andrew Bartlett wrote:
> >
> > I would very much appreciate some assistance with this, as this code is
> > not only security-critical, it is also incredibly complex.
> > Additionally, as the patch in question works without my changes (but
> > gives a wrong posix ACL), and was added only recently for a bug, I
> > assume reverting it isn't the correct answer.
>
> Yes, reverting this certainly isn't the right answer :-).
>
> I'll try and take a look later this week.

Oh, doh! You already got to it !

Thanks,

Jeremy.
On Wed, May 09, 2012 at 03:01:01PM +1000, Andrew Bartlett wrote:
>
> Actually, it was just a typo. See attached :-)

Thanks a *LOT* for catching that. I've pushed to autobuild
and I'll make sure it gets fixed for all released branches
that use it.

Cheers,

Jeremy.
On Wed, May 09, 2012 at 12:44:13AM -0700, Jeremy Allison wrote:
> On Wed, May 09, 2012 at 03:01:01PM +1000, Andrew Bartlett wrote:
> >
> > Actually, it was just a typo. See attached :-)
>
> Thanks a *LOT* for catching that. I've pushed to autobuild
> and I'll make sure it gets fixed for all released branches
> that use it.

Ok, turns out that particular change wasn't pushed
to any release branches as part of a bug fix.

The flaw came from commit 4452082002cb222cc8f1d92fbeebda79061f6e8f
which wasn't part of the bug #7509 patches. Phew !

Thanks for the fix Andrew !

Jeremy.
On 09/05/12 10:25, Jeremy Allison wrote:
> On Wed, May 09, 2012 at 12:44:13AM -0700, Jeremy Allison wrote:
>> On Wed, May 09, 2012 at 03:01:01PM +1000, Andrew Bartlett wrote:
>>>
>>> Actually, it was just a typo. See attached :-)
>>
>> Thanks a *LOT* for catching that. I've pushed to autobuild
>> and I'll make sure it gets fixed for all released branches
>> that use it.
>
> Ok, turns out that particular change wasn't pushed
> to any release branches as part of a bug fix.
>
> The flaw came from commit 4452082002cb222cc8f1d92fbeebda79061f6e8f
> which wasn't part of the bug #7509 patches. Phew !
>
> Thanks for the fix Andrew !
>
> Jeremy.

Hi

I'm not sure this has anything to do with my problem of permissions and
ACLs set on the DC not being understood by Windows. I set a folder 0750,
and anyone, group member or not, can enter. I set a file 0660 and group
members get "Access is denied".

Note, I'm setting the permissions on Linux, not in Windows. Should s3fs
understand the posix permissions and ownership already set?

Cheers,
Steve