Bug 824065 - cifs: Introduce code required for cifs idmap and ACL support
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: kernel
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Sachin Prabhu
QA Contact: Jian Li
URL:
Whiteboard:
Duplicates: 822596
Depends On:
Blocks: 798385
Reported: 2012-05-22 16:34 UTC by Sachin Prabhu
Modified: 2018-11-29 21:23 UTC (History)

Fixed In Version: kernel-2.6.32-298.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-02-21 06:14:34 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0496 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 6 kernel update 2013-02-20 21:40:54 UTC

Description Sachin Prabhu 2012-05-22 16:34:05 UTC
Add support to the kernel module to allow Windows ACL.

Comment 1 Sachin Prabhu 2012-07-26 18:41:36 UTC
Backport of the following upstream patches

2fbc2f1729e785a7b2faf9d8d60926bb1ff62af0
cifs: Use mask of ACEs for SID Everyone to calculate all three permissions user, group, and other

b73b9a4ba753dfd7d304ee6ee4685b827524c533
[CIFS] Allow to set extended attribute cifs_acl (try #2)

4d79dba0e00749fa40de8ef13a9b85ce57a1603b
cifs: Add idmap key and related data structures and functions (try #17 repost)

9409ae58e0759d010b347e7b19ebc90ab5d4b98f
cifs: Invoke id mapping functions (try #17 repost)

c4aca0c09f80ca40dbcecb2370af9594fbe9051d
cifs: Change key name to cifs.idmap, misc. clean-up

383c55350fb4ab6bd08abfab82038ae0364f1f48
[CIFS] Fix endian error comparing authusers when cifsacl enabled

4f61258f6111e2afd56cf40989e5a43cba9e59c8
[CIFS] Follow on to cifsacl endian patch (__constant_cpu_to_le32 was required)

e22906c564c2f9c73ee4621ef3b93fe374539f00
cifs: Do not set cifs/ntfs acl using a file handle (try #4)

21fed0d5b763b94a7d1568c27d0cce892ab8d43e
cifs: Add data structures and functions for uid/gid to SID mapping (try #4)

a5ff376966c079bd2f078524eff11b0c63cc2507
cifs: Call id to SID mapping functions to change owner/group (try #4 repost)

7250170c9ed00f3b74b11b98afefab45020672dd
cifs: integer overflow in parse_dacl()

b0f8ef202ec7f07ba9bd93150d54ef4327851422
cifs: possible memory leak in xattr.

Comment 3 RHEL Program Management 2012-07-27 16:40:30 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 4 Jian Li 2012-08-01 06:03:39 UTC
Windows ACL and xattr tests are needed.

Comment 5 Jarod Wilson 2012-08-16 21:22:30 UTC
Patch(es) available on kernel-2.6.32-298.el6

Comment 8 Sachin Prabhu 2012-09-27 18:27:26 UTC
*** Bug 822596 has been marked as a duplicate of this bug. ***

Comment 9 Jian Li 2013-01-24 10:18:12 UTC
Hi Sachin,

In my test, {s,g}etcifsacl works well, but chown failed.

[root@dhcp-8-128 test]# chown "TEST\Administrator" test
chown: changing ownership of `test': Input/output error

With tshark, the last two SMB packets are: SET_PATH_INFO, and the SMB server returns STATUS_SUCCESS.

Wireshark does not seem able to parse these two packets.

Please give some suggestions.

Comment 10 IBM Bug Proxy 2013-01-24 12:40:37 UTC
------- Comment From shirishp.com 2013-01-24 12:33 EDT-------
(In reply to comment #12)
> Hi Sachin,
>
> In my test, {s,g}etcifsacl works well, but chown failed.
>
> [root@dhcp-8-128 test]# chown "TEST\Administrator" test
> chown: changing ownership of `test': Input/output error
>
> With tshark, the last two SMB packets are: SET_PATH_INFO, and the SMB server
> returns STATUS_SUCCESS.
>
> Wireshark does not seem able to parse these two packets.
>
> Please give some suggestions.

IMO, the chown error/bug should be treated separately and not as part of this feature request.

Comment 11 Sachin Prabhu 2013-01-25 16:18:17 UTC
Jian/Sirish,

I checked with the latest rawhide kernels and we get the same error message. 

The problem stems from the fact that the cifs client attempts to do a NT_SET_SECURITY TRANS command which fails with a STATUS_INVALID_OWNER. This is mapped to EIO which returns the invalid IO error.

When attempting to perform the same command when logged in as a user who is allowed to change ownership, we do not get any errors and the ownership for the file is accordingly changed.

The changes will have to be first made upstream before we backport it to RHEL 6. I agree with Sirish and recommend that we open a new bz for the chown problem and treat this bz only for get/set cifs acl.

Sachin Prabhu

Comment 13 Jian Li 2013-01-28 09:25:31 UTC
Test details:
(add, modify, delete, replace ACEs)

[root@hp-xw4600-01 test]# ls -l
total 1
-rwx------. 1 root                       RHTS-ENG-NAY+domain users 48 Jan 24 03:11 desktop.ini
----------. 1 RHTS-ENG-NAY+root          RHTS-ENG-NAY+domain users  4 Jan 28 02:13 test
drwx------. 1 RHTS-ENG-NAY+administrator RHTS-ENG-NAY+domain users  0 Jan 24 02:43 testdir
[root@hp-xw4600-01 test]# grep "/mnt/test" /proc/mounts
//ibm-x3250m4-03/cifs/ /mnt/test cifs rw,relatime,sec=ntlmi,cache=loose,unc=\\ibm-x3250m4-03\cifs,username=administrator,uid=0,noforceuid,gid=0,noforcegid,addr=10.66.86.144,file_mode=0755,dir_mode=0755,nounix,serverino,cifsacl,rsize=16384,wsize=16408,actimeo=1 0 0
[root@hp-xw4600-01 test]# getcifsacl test
REVISION:0x1
CONTROL:0x8404
OWNER:RHTS-ENG-NAY\root
GROUP:RHTS-ENG-NAY\Domain Users
ACL:RHTS-ENG-NAY\Administrator:ALLOWED/I/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/I/FULL
ACL:BUILTIN\Administrators:ALLOWED/I/FULL
ACL:BUILTIN\Users:ALLOWED/I/READ
[root@hp-xw4600-01 test]# getcifsacl testdir
REVISION:0x1
CONTROL:0x8404
OWNER:RHTS-ENG-NAY\Administrator
GROUP:RHTS-ENG-NAY\Domain Users
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI/FULL
ACL:BUILTIN\Users:ALLOWED/OI|CI/READ
ACL:BUILTIN\Users:ALLOWED/CI/0x4
ACL:BUILTIN\Users:ALLOWED/CI/0x2
ACL:BUILTIN\Administrators:ALLOWED/0x0/FULL
ACL:RHTS-ENG-NAY\Administrator:ALLOWED/I/FULL
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO|I/FULL
ACL:RHTS-ENG-NAY\Administrator:ALLOWED/OI|CI|IO|I/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Administrators:ALLOWED/OI|CI|I/FULL
ACL:BUILTIN\Users:ALLOWED/OI|CI|I/READ
ACL:BUILTIN\Users:ALLOWED/CI|I/0x4
ACL:BUILTIN\Users:ALLOWED/CI|I/0x2
ACL:CREATOR OWNER:ALLOWED/OI|CI|IO|I/
[root@hp-xw4600-01 test]# setcifsacl -a "ACL:RHTS-ENG-NAY\root:ALLOWED/I/FULL" test
[root@hp-xw4600-01 test]# getcifsacl test
REVISION:0x1
CONTROL:0x8004
OWNER:RHTS-ENG-NAY\root
GROUP:RHTS-ENG-NAY\Domain Users
ACL:RHTS-ENG-NAY\Administrator:ALLOWED/I/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/I/FULL
ACL:BUILTIN\Administrators:ALLOWED/I/FULL
ACL:BUILTIN\Users:ALLOWED/I/READ
ACL:RHTS-ENG-NAY\root:ALLOWED/I/FULL
[root@hp-xw4600-01 test]# setcifsacl -D "ACL:RHTS-ENG-NAY\root:ALLOWED/I/FULL" test
[root@hp-xw4600-01 test]# getcifsacl test
REVISION:0x1
CONTROL:0x8004
OWNER:RHTS-ENG-NAY\root
GROUP:RHTS-ENG-NAY\Domain Users
ACL:RHTS-ENG-NAY\Administrator:ALLOWED/I/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/I/FULL
ACL:BUILTIN\Administrators:ALLOWED/I/FULL
ACL:BUILTIN\Users:ALLOWED/I/READ
[root@hp-xw4600-01 test]# setcifsacl -M "ACL:RHTS-ENG-NAY\root:ALLOWED/I/READ" test
[root@hp-xw4600-01 test]# getcifsacl test
REVISION:0x1
CONTROL:0x8004
OWNER:RHTS-ENG-NAY\root
GROUP:RHTS-ENG-NAY\Domain Users
ACL:RHTS-ENG-NAY\Administrator:ALLOWED/I/FULL
ACL:NT AUTHORITY\SYSTEM:ALLOWED/I/FULL
ACL:BUILTIN\Administrators:ALLOWED/I/FULL
ACL:BUILTIN\Users:ALLOWED/I/READ
ACL:RHTS-ENG-NAY\root:ALLOWED/I/READ
[root@hp-xw4600-01 test]# setcifsacl -S "ACL:RHTS-ENG-NAY\Administrator:ALLOWED/I/FULL" test
[root@hp-xw4600-01 test]# getcifsacl test
REVISION:0x1
CONTROL:0x8004
OWNER:RHTS-ENG-NAY\administrator
GROUP:RHTS-ENG-NAY\Domain Users
ACL:RHTS-ENG-NAY\administrator:ALLOWED/I/FULL

Comment 14 Jian Li 2013-01-28 09:36:40 UTC
Test detail about id/sid translation:

[root@hp-xw4600-01 test]# chmod 755 test
[root@hp-xw4600-01 test]# getcifsacl test
REVISION:0x1
CONTROL:0x8004
OWNER:RHTS-ENG-NAY\Administrator
GROUP:RHTS-ENG-NAY\Domain Users
ACL:RHTS-ENG-NAY\Administrator:ALLOWED/0x0/FULL
ACL:RHTS-ENG-NAY\Domain Users:ALLOWED/0x0/0x1f01b9
ACL:Everyone:ALLOWED/0x0/0x1f01b9
[root@hp-xw4600-01 test]# chmod 700 test
[root@hp-xw4600-01 test]# getcifsacl test
REVISION:0x1
CONTROL:0x8004
OWNER:RHTS-ENG-NAY\Administrator
GROUP:RHTS-ENG-NAY\Domain Users
ACL:RHTS-ENG-NAY\Administrator:ALLOWED/0x0/FULL
ACL:RHTS-ENG-NAY\Domain Users:ALLOWED/0x0/0x120088
ACL:Everyone:ALLOWED/0x0/0x120088
[root@hp-xw4600-01 test]# chmod 755 test
[root@hp-xw4600-01 test]# getcifsacl test
REVISION:0x1
CONTROL:0x8004
OWNER:RHTS-ENG-NAY\Administrator
GROUP:RHTS-ENG-NAY\Domain Users
ACL:RHTS-ENG-NAY\Administrator:ALLOWED/0x0/FULL
ACL:RHTS-ENG-NAY\Domain Users:ALLOWED/0x0/0x1f01b9
ACL:Everyone:ALLOWED/0x0/0x1f01b9
[root@hp-xw4600-01 test]# chown RHTS-ENG-NAY+root test
[root@hp-xw4600-01 test]# getcifsacl test
REVISION:0x1
CONTROL:0x8004
OWNER:RHTS-ENG-NAY\root
GROUP:RHTS-ENG-NAY\Domain Users
ACL:RHTS-ENG-NAY\Administrator:ALLOWED/0x0/FULL
ACL:RHTS-ENG-NAY\Domain Users:ALLOWED/0x0/0x1f01b9
ACL:Everyone:ALLOWED/0x0/0x1f01b9
[root@hp-xw4600-01 test]# ls -l test
-r-xr-xr-x. 1 RHTS-ENG-NAY+root RHTS-ENG-NAY+domain users 4 Jan 28 02:13 test

Comment 15 Jian Li 2013-01-28 09:41:38 UTC
[root@hp-xw4600-01 test]# chown ":RHTS-ENG-NAY+domain admins" test
[root@hp-xw4600-01 test]# getcifsacl test
REVISION:0x1
CONTROL:0x8004
OWNER:RHTS-ENG-NAY\root
GROUP:RHTS-ENG-NAY\domain admins
ACL:RHTS-ENG-NAY\administrator:ALLOWED/0x0/FULL
ACL:RHTS-ENG-NAY\Domain Users:ALLOWED/0x0/0x1f01b9
ACL:Everyone:ALLOWED/0x0/0x1f01b9
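
Added example, not part of the original bug thread and not code from cifs-utils or the kernel: a small Python parser for the getcifsacl output format shown in Comments 13 to 15. It expands hex access masks into the standard Windows file access-right names and lists ALLOWED ACEs that give a broad trustee DELETE, WRITE_DAC or WRITE_OWNER. The function names, the `BROAD` trustee set and the choice of "control" rights are assumptions made for illustration; of the symbolic masks only FULL is expanded.

```python
import re

# Windows file access-right bits (values as defined in winnt.h).
RIGHTS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
SYMBOLIC = {"FULL": 0x1F01FF}              # other symbolic masks stay unexpanded
CONTROL = 0x010000 | 0x040000 | 0x080000   # DELETE | WRITE_DAC | WRITE_OWNER
BROAD = {"Everyone", "BUILTIN\\Users"}     # assumed set of broad trustees
ACE_RE = re.compile(r"^ACL:(?P<trustee>.+):(?P<type>ALLOWED|DENIED)"
                    r"/(?P<flags>[^/]*)/(?P<mask>.*)$")

# getcifsacl output copied from Comment 14 (after "chmod 755 test").
SAMPLE = r"""REVISION:0x1
CONTROL:0x8004
OWNER:RHTS-ENG-NAY\Administrator
GROUP:RHTS-ENG-NAY\Domain Users
ACL:RHTS-ENG-NAY\Administrator:ALLOWED/0x0/FULL
ACL:RHTS-ENG-NAY\Domain Users:ALLOWED/0x0/0x1f01b9
ACL:Everyone:ALLOWED/0x0/0x1f01b9
"""

def decode_mask(mask):
    """Return the names of the access rights set in a numeric mask."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def parse_aces(text):
    """Yield (trustee, type, flags, mask) per ACL: line; mask is None if unknown."""
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            raw = m["mask"]
            mask = int(raw, 16) if raw.lower().startswith("0x") else SYMBOLIC.get(raw)
            yield m["trustee"], m["type"], m["flags"], mask

def risky_aces(text):
    """ALLOWED ACEs that give a broad trustee delete, ACL or owner control."""
    return [(t, hex(mask & CONTROL)) for t, typ, _, mask in parse_aces(text)
            if typ == "ALLOWED" and t in BROAD and mask and mask & CONTROL]

if __name__ == "__main__":
    for trustee, _, _, mask in parse_aces(SAMPLE):
        print(trustee, decode_mask(mask or 0))
    print("review:", risky_aces(SAMPLE))
```

Run on the Comment 14 sample, it reports that the Everyone ACE present after `chmod 755` (0x1f01b9) carries DELETE, WRITE_DAC and WRITE_OWNER but not FILE_WRITE_DATA, while the 0x120088 mask seen after `chmod 700` decodes to FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL and SYNCHRONIZE only.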

Comment 17 errata-xmlrpc 2013-02-21 06:14:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0496.html

Comment 18 IBM Bug Proxy 2013-02-21 17:41:11 UTC
------- Comment From sglass.com 2013-02-21 17:22 EDT-------
Shipped in RHEL 6.4 GA 2/21/2013

