
Setting 'system.nt_sec_desc.*+' manually causes reorder of ACL's and Security Descriptor CONTROL flag #74

Open
szaqal83 opened this issue Oct 30, 2020 · 7 comments


@szaqal83

szaqal83 commented Oct 30, 2020

Creating a dir on Win2k8R2 like this:

```php
smbclient_mkdir($state, $share, 0700);
```

without setting `system.nt_sec_desc.*+` results in this smbcacls output:

```
REVISION:1 CONTROL:SR|DI|DP OWNER:BUILTIN\Administrators GROUP:PUW\Domain Users ACL:BUILTIN\Administrators:ALLOWED/I/FULL ACL:CREATOR OWNER:ALLOWED/OI|CI|IO|I/FULL ACL:PUW\Gr_Administratorzy_Merkury:ALLOWED/OI|CI|I/FULL ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL ACL:BUILTIN\Administrators:ALLOWED/OI|CI|IO|I/FULL
```

but when I'm setting `system.nt_sec_desc.*+` manually:

```php
$acls = array(
    'ACL:BUILTIN\Administrators:ALLOWED/16/FULL',
    'ACL:CREATOR OWNER:ALLOWED/27/FULL',
    'ACL:PUW\Gr_Administratorzy_Merkury:ALLOWED/19/FULL',
    'ACL:NT AUTHORITY\SYSTEM:ALLOWED/19/FULL',
    'ACL:BUILTIN\Administrators:ALLOWED/27/FULL'
);

smbclient_mkdir($state, $share, 0700);

smbclient_setxattr($state, $share, 'system.nt_sec_desc.*+', implode(',', $acls));
```

smbcacls outputs:

```
REVISION:1 CONTROL:SR|DP OWNER:BUILTIN\Administrators GROUP:PUW\Domain Users ACL:CREATOR OWNER:ALLOWED/OI|CI|IO|I/FULL ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL ACL:BUILTIN\Administrators:ALLOWED/I/FULL ACL:BUILTIN\Administrators:ALLOWED/OI|CI|IO|I/FULL ACL:PUW\Gr_Administratorzy_Merkury:ALLOWED/OI|CI|I/FULL
```

The CONTROL flag lost DI, and the ACLs are in a different order; changing the order of the ACLs in the array doesn't have any effect. The permissions of the first and second share look the same in Windows 10. Creating a subdir in the second share causes a Windows alert about the permissions order.

@eduardok
Owner

eduardok commented Nov 3, 2020

Please check if the behaviour is the same when running the command line utility smbclient:

```
smbclient //yourserver/sharename -U domain\\username
```

Then use `mkdir` and `chmod`.

@szaqal83
Author

szaqal83 commented Nov 4, 2020

chmod doesn't work in my case because:

```
chmod 0777 ctest
```

results in

```
Server doesn't support UNIX CIFS calls.
```

Some similar issues were reported for smbcacls and samba-tool: after any call of smbcacls with `-a` | `-M` | `-D` (add, change, delete), the inheritance flag DI is lost. Before ACL modifications smbcacls shows `CONTROL:SR|DI|DP` (numeric 0x8404); after calling smbcacls with `-a` | `-M` | `-D` (even if no real ACL modification is made, e.g. a fake user ACL add) it shows `CONTROL:SR|DP` (numeric 0x8004), i.e. the SEC_DESC_DACL_AUTO_INHERITED flag 0x0400 is lost.

Checked on Debian 10.1 (smbcacls 4.9.5) and Ubuntu 20.04 (smbcacls 4.11.6); from those systems I've been setting ACLs for a remote share on Win2012r2. I've even tried to change an ACL on a Win10 share and got the exact same results, so I think it's not a Win2012r2 or libsmbclient-php issue but some Samba related problem.

@eduardok
Owner

Is that share the user's profile one? Or just some generic share?

@szaqal83
Author

My main test case was changing ACLs for an AD user home dir, but it also occurs on generic shares; as I've mentioned before, even smbcacls causes this behaviour, so I think it is a deeper problem, not your lib ;)

@kratzersmz

Hi,
any news on this?

greets

@eduardok
Owner

eduardok commented Feb 1, 2021

@kratzersmz, just to make it clear: since this issue is already observed on libsmbclient itself, we won't take any action unless one of you / @szaqal83 has a way to clearly reproduce it (e.g. provide me all the commands); then I could try to help.
Also, what Samba (libsmbclient) version are you guys on? What distribution (curious)?

@szaqal83
Author

szaqal83 commented Feb 2, 2021

I'm using Debian 10 (64bit), PHP 8.0.1, libsmbclient 4.9.5.

Steps to reproduce:

  1. Create a simple share on Win10 or Win2012r2.
  2. Ensure that inheritance is enabled; if not, enable it (in share Security -> Advanced properties).
  3. Check the ACL using smbcacls or a similar tool: `smbcacls //x.x.x.x/home /test -U user -W XYZ -m SMB2` (there should be DI in `CONTROL:SR|DI|DP`).
  4. Then, using a PHP script, get and set the share ACLs without any modifications:
     `$acls = smbclient_getxattr($state, $share, 'system.nt_sec_desc.*+'); smbclient_setxattr($state, $share, 'system.nt_sec_desc.*+', $acls);`
  5. Once again check the ACLs using smbcacls. Result: DI lost!
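To verify steps 3 and 5 above without eyeballing the output, here is an added checker (not code from the issue or from libsmbclient-php) that parses the smbcacls lines quoted in the first post and reports the two symptoms: the lost DI control flag and the reordered DACL. The CONTROL bit table is partial (only the SR, DI and DP names that appear in this thread) and the sample lines are copied from the report.

```python
import re
from collections import Counter

# smbcacls abbreviations for the CONTROL bits seen in this thread (partial table,
# enough to reproduce the 0x8404 / 0x8004 values quoted by the reporter).
CONTROL_BITS = {"DP": 0x0004, "DI": 0x0400, "SR": 0x8000}

# smbcacls output from the issue, before and after smbclient_setxattr().
BEFORE = ("REVISION:1 CONTROL:SR|DI|DP OWNER:BUILTIN\\Administrators "
          "GROUP:PUW\\Domain Users ACL:BUILTIN\\Administrators:ALLOWED/I/FULL "
          "ACL:CREATOR OWNER:ALLOWED/OI|CI|IO|I/FULL "
          "ACL:PUW\\Gr_Administratorzy_Merkury:ALLOWED/OI|CI|I/FULL "
          "ACL:NT AUTHORITY\\SYSTEM:ALLOWED/OI|CI|I/FULL "
          "ACL:BUILTIN\\Administrators:ALLOWED/OI|CI|IO|I/FULL")
AFTER = ("REVISION:1 CONTROL:SR|DP OWNER:BUILTIN\\Administrators "
         "GROUP:PUW\\Domain Users ACL:CREATOR OWNER:ALLOWED/OI|CI|IO|I/FULL "
         "ACL:NT AUTHORITY\\SYSTEM:ALLOWED/OI|CI|I/FULL "
         "ACL:BUILTIN\\Administrators:ALLOWED/I/FULL "
         "ACL:BUILTIN\\Administrators:ALLOWED/OI|CI|IO|I/FULL "
         "ACL:PUW\\Gr_Administratorzy_Merkury:ALLOWED/OI|CI|I/FULL")

# Trustees may contain spaces ("CREATOR OWNER"), so match ACEs by pattern.
ACE_RE = re.compile(r"ACL:(.+?):(ALLOWED|DENIED)/([^/]+)/(\S+)")

def parse_sd(line):
    """Return (set of CONTROL flag names, ordered ACE list) for one smbcacls line."""
    control = set(re.search(r"CONTROL:(\S+)", line).group(1).split("|"))
    aces = [(trustee, ace_type, "|".join(sorted(flags.split("|"))), mask)
            for trustee, ace_type, flags, mask in ACE_RE.findall(line)]
    return control, aces

def control_value(control):
    """Numeric CONTROL from the flag names (the thread quotes 0x8404 -> 0x8004)."""
    return sum(CONTROL_BITS[flag] for flag in control)

def is_canonical(aces):
    """Windows canonical DACL order: explicit DENIED, explicit ALLOWED, then
    inherited ACEs (DENIED before ALLOWED). Explorer warns when this is violated."""
    keys = [("I" in flags.split("|"), ace_type != "DENIED")
            for _, ace_type, flags, _ in aces]
    return keys == sorted(keys)

def compare(before_line, after_line):
    """Report which CONTROL flags were lost and whether the ACE order survived."""
    ctl_b, aces_b = parse_sd(before_line)
    ctl_a, aces_a = parse_sd(after_line)
    return {"lost_flags": ctl_b - ctl_a,
            "same_aces": Counter(aces_b) == Counter(aces_a),  # same ACEs...
            "order_kept": aces_b == aces_a}                   # ...same sequence?
```

Run `compare(BEFORE, AFTER)` on the two lines from the report: it returns `lost_flags == {'DI'}`, `same_aces == True` and `order_kept == False`, which is exactly the round-trip regression described in step 5.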
