Bug 199725

Summary: Unable to retrieve ACL from Windows 2016 share - error "Operation not supported"
Product: File System Reporter: whh
Component: CIFSAssignee: fs_cifs (fs_cifs)
Status: RESOLVED CODE_FIX    
Severity: blocking CC: lsahlber, shirishpargaonkar
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.13 Subsystem:
Regression: No Bisected commit-id:
Attachments: tcp trace of the SMB session
patch to fix check for minimum security descriptor size during response to get info
patch to fix check for minimum security descriptor size during response to get info

Description whh 2018-05-14 19:45:37 UTC
I have Windows 2016 share that is mounted to Linux (kernel version 4.13), using CIFS version 3.0. However, I can not get ACL on the files in the share.

The code is fairly basic:

  char buf[65536];
  ret = getxattr(argv[1], "system.cifs_acl", buf, 65536);
  printf("getxattr: ret = %d, err = %s\n", ret, strerror(errno));

And I always get this error:

root@cdm-node-hy4bn4-j6h2q52:~# ./xattr /tmp/windowsmount/source/regular.txt
getxattr: ret = -1, err = Operation not supported

Using vers=2.0 also fails.

Using vers=1.0 succeeds.
Comment 1 whh 2018-05-14 22:45:42 UTC
Created attachment 275979 [details]
tcp trace of the SMB session
Comment 2 Shirish Pargaonkar 2018-05-15 02:52:01 UTC
What are the mount options?
Comment 3 whh 2018-05-15 13:46:38 UTC
Fairly basic:

mount -t cifs -o vers=3.0,user=xxx,password=yyy //server/share /mymountdir
Comment 4 whh 2018-05-15 13:48:52 UTC
From the tcp trace, it looks the protocol exchange seems to be ok, Windows side returns ACL correctly in the response, but somehow kernel returns error to getxattr() caller.
Comment 5 Shirish Pargaonkar 2018-05-21 10:34:02 UTC
No issues with 4.12 and SMB vers 3.0

$ ./acl /mnt/ssp/file1
getxattr: rc: 164, err: Success
Comment 6 whh 2018-05-21 14:57:30 UTC
We have noticed this happens to small acl, so can you try reduce the acl size to minimum?
Comment 7 Shirish Pargaonkar 2018-05-22 10:34:05 UTC
Building 4.17, should be able to test and debug once it is done and installed.
I have Windows 10 to test against, will check whether the problem manifests against SMB3 on that Windows 10 box.
Comment 8 Shirish Pargaonkar 2018-05-23 10:07:40 UTC
I am down to basic minimum acl size of 120 (only R permission).
Not sure how to go reduce acl size than that...
Comment 9 Shirish Pargaonkar 2018-05-23 10:33:17 UTC
This is the security descriptor of size 120

REVISION:0x1
CONTROL:0x9404
OWNER:S-1-5-21-3154474055-481044923-3729397801-1002
GROUP:S-1-5-21-3154474055-481044923-3729397801-513
ACL:S-1-5-21-3154474055-481044923-3729397801-1002:ALLOWED/0x0/R


If you use getcifsacl or smbcacls on this file, do they succeed?

e.g.

getcifsacl <file_name_on_mounted_share>
or
smbcacls //<server_name_or_ip>/<share_name> <file_name> -U <user_name>

$ smbcacls //192.168.1.67/sspshare1 file1 -U shirish
Enter shirish's password: 
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:DESKTOP-6EQAVAF\shirish
GROUP:DESKTOP-6EQAVAF\None
ACL:DESKTOP-6EQAVAF\shirish:ALLOWED/0x0/R
Comment 10 Shirish Pargaonkar 2018-05-24 10:39:07 UTC
No errors on 4.17 rc3

 ~/acl /mnt/ssp/file1
getxattr: rc: 104, err: Success


I compared wireshark trace and the only difference (12 bytes) is because
of additional subauthorities in owner in the security descriptor which should
not be cause of the problem.

Not sure how to recreate the problem...
Comment 11 whh 2018-05-27 00:52:45 UTC
# mount -t cifs -o "vers=3.0,user=xxx,password=yyy" //10.0.28.166/share /tmp/mount

# getcifsacl /tmp/mount/smb_test.txt
WARNING: unable to initialize idmapping plugin: /etc/cifs-utils/idmap-plugin: cannot open shared object file: No such file or directory
getxattr error: 95
REVISION:0x0
CONTROL:0x0

Can you try smaller ACL size? In my earlier trace, the ACL size is 92 bytes.
Comment 12 Shirish Pargaonkar 2018-05-29 10:19:02 UTC
Not sure how to, down to basic ACE, will need to figure out a way to
reduce subauthorities....
Comment 13 Shirish Pargaonkar 2018-05-29 10:48:21 UTC
I changed owner to Local (S-1-5-19) which has no subauthorities and so
ACL size is down to 88 and I see the error...

~/acl /mnt/ssp/file1
getxattr: rc: -1, err: Operation not supported

Working on resolving this...
Comment 14 Shirish Pargaonkar 2018-05-30 12:15:17 UTC
Created attachment 276271 [details]
patch to fix check for minimum security descriptor size during response to get info
Comment 15 Shirish Pargaonkar 2018-06-03 20:13:41 UTC
Created attachment 276305 [details]
patch to fix check for minimum security descriptor size during response to get info
Comment 16 Shirish Pargaonkar 2018-06-04 11:50:41 UTC
Posted the patch to cifs mailing list.
Comment 17 Ronnie Sahlberg 2019-06-19 05:24:19 UTC
This has been checked in a while back as :

commit ee25c6dd7b05113783ce1f4fab6b30fc00d29b8d
Author: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Date:   Mon Jun 4 06:46:22 2018 -0500

    cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class
    
    Validate_buf () function checks for an expected minimum sized response
    passed to query_info() function.
    For security information, the size of a security descriptor can be
    smaller (one subauthority, no ACEs) than the size of the structure
    that defines FileInfoClass of FileAllInformation.
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199725
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
    Reviewed-by: Noah Morrison <noah.morrison@rubrik.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>