Bug 199725

Summary:	Unable to retrieve ACL from Windows 2016 share - error "Operation not supported"
Product:	File System	Reporter:	whh
Component:	CIFS	Assignee:	fs_cifs (fs_cifs)
Status:	RESOLVED CODE_FIX
Severity:	blocking	CC:	lsahlber, shirishpargaonkar
Priority:	P1
Hardware:	All
OS:	Linux
Kernel Version:	4.13	Subsystem:
Regression:	No	Bisected commit-id:
Attachments:	tcp trace of the SMB session patch to fix check for minimum security descriptor size during response to get info patch to fix check for minimum security descriptor size during response to get info

Description whh 2018-05-14 19:45:37 UTC

I have Windows 2016 share that is mounted to Linux (kernel version 4.13), using CIFS version 3.0. However, I can not get ACL on the files in the share.

The code is fairly basic:

  char buf[65536];
  ret = getxattr(argv[1], "system.cifs_acl", buf, 65536);
  printf("getxattr: ret = %d, err = %s\n", ret, strerror(errno));

And I always get this error:

root@cdm-node-hy4bn4-j6h2q52:~# ./xattr /tmp/windowsmount/source/regular.txt
getxattr: ret = -1, err = Operation not supported

Using vers=2.0 also fails.

Using vers=1.0 succeeds.

Comment 1 whh 2018-05-14 22:45:42 UTC

Created attachment 275979 [details]
tcp trace of the SMB session

Comment 2 Shirish Pargaonkar 2018-05-15 02:52:01 UTC

What are the mount options?

Comment 3 whh 2018-05-15 13:46:38 UTC

Fairly basic:

mount -t cifs -o vers=3.0,user=xxx,password=yyy //server/share /mymountdir

Comment 4 whh 2018-05-15 13:48:52 UTC

From the tcp trace, it looks the protocol exchange seems to be ok, Windows side returns ACL correctly in the response, but somehow kernel returns error to getxattr() caller.

Comment 5 Shirish Pargaonkar 2018-05-21 10:34:02 UTC

No issues with 4.12 and SMB vers 3.0

$ ./acl /mnt/ssp/file1
getxattr: rc: 164, err: Success

Comment 6 whh 2018-05-21 14:57:30 UTC

We have noticed this happens to small acl, so can you try reduce the acl size to minimum?

Comment 7 Shirish Pargaonkar 2018-05-22 10:34:05 UTC

Building 4.17, should be able to test and debug once it is done and installed.
I have Windows 10 to test against, will check whether the problem manifests against SMB3 on that Windows 10 box.

Comment 8 Shirish Pargaonkar 2018-05-23 10:07:40 UTC

I am down to basic minimum acl size of 120 (only R permission).
Not sure how to go reduce acl size than that...

Comment 9 Shirish Pargaonkar 2018-05-23 10:33:17 UTC

This is the security descriptor of size 120

REVISION:0x1
CONTROL:0x9404
OWNER:S-1-5-21-3154474055-481044923-3729397801-1002
GROUP:S-1-5-21-3154474055-481044923-3729397801-513
ACL:S-1-5-21-3154474055-481044923-3729397801-1002:ALLOWED/0x0/R


If you use getcifsacl or smbcacls on this file, do they succeed?

e.g.

getcifsacl <file_name_on_mounted_share>
or
smbcacls //<server_name_or_ip>/<share_name> <file_name> -U <user_name>

$ smbcacls //192.168.1.67/sspshare1 file1 -U shirish
Enter shirish's password: 
REVISION:1
CONTROL:SR|PD|DI|DP
OWNER:DESKTOP-6EQAVAF\shirish
GROUP:DESKTOP-6EQAVAF\None
ACL:DESKTOP-6EQAVAF\shirish:ALLOWED/0x0/R

Comment 10 Shirish Pargaonkar 2018-05-24 10:39:07 UTC

No errors on 4.17 rc3

 ~/acl /mnt/ssp/file1
getxattr: rc: 104, err: Success


I compared wireshark trace and the only difference (12 bytes) is because
of additional subauthorities in owner in the security descriptor which should
not be cause of the problem.

Not sure how to recreate the problem...

Comment 11 whh 2018-05-27 00:52:45 UTC

# mount -t cifs -o "vers=3.0,user=xxx,password=yyy" //10.0.28.166/share /tmp/mount

# getcifsacl /tmp/mount/smb_test.txt
WARNING: unable to initialize idmapping plugin: /etc/cifs-utils/idmap-plugin: cannot open shared object file: No such file or directory
getxattr error: 95
REVISION:0x0
CONTROL:0x0

Can you try smaller ACL size? In my earlier trace, the ACL size is 92 bytes.

Comment 12 Shirish Pargaonkar 2018-05-29 10:19:02 UTC

Not sure how to, down to basic ACE, will need to figure out a way to
reduce subauthorities....

Comment 13 Shirish Pargaonkar 2018-05-29 10:48:21 UTC

I changed owner to Local (S-1-5-19) which has no subauthorities and so
ACL size is down to 88 and I see the error...

~/acl /mnt/ssp/file1
getxattr: rc: -1, err: Operation not supported

Working on resolving this...

Comment 14 Shirish Pargaonkar 2018-05-30 12:15:17 UTC

Created attachment 276271 [details]
patch to fix check for minimum security descriptor size during response to get info

Comment 15 Shirish Pargaonkar 2018-06-03 20:13:41 UTC

Created attachment 276305 [details]
patch to fix check for minimum security descriptor size during response to get info

Comment 16 Shirish Pargaonkar 2018-06-04 11:50:41 UTC

Posted the patch to cifs mailing list.

Comment 17 Ronnie Sahlberg 2019-06-19 05:24:19 UTC

This has been checked in a while back as :

commit ee25c6dd7b05113783ce1f4fab6b30fc00d29b8d
Author: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Date:   Mon Jun 4 06:46:22 2018 -0500

    cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class
    
    Validate_buf () function checks for an expected minimum sized response
    passed to query_info() function.
    For security information, the size of a security descriptor can be
    smaller (one subauthority, no ACEs) than the size of the structure
    that defines FileInfoClass of FileAllInformation.
    
    Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199725
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
    Reviewed-by: Noah Morrison <noah.morrison@rubrik.com>
    Signed-off-by: Steve French <stfrench@microsoft.com>