Can't set ACL on Samba

Albe k3rmit at libero.it
Tue Nov 29 00:16:19 GMT 2005


Hi everybody,

Sorry for replicating this here, but it seems nobody was able to
answer me on the samba list.

I'm getting mad configuring samba to join an ADS, resolve domain
users and groups and set ACLs via windows explorer on a share mounted
with POSIX ACL and extended attributes.

At the point where I am, I've managed to get Samba to join the
domain correctly with the idmap_rid backend working fine.

I can correctly set (add, remove, modify) file ACLs and extended
attributes via bash, but when I try to simply add a user permission
on a file or directory via the windows explorer security settings I
get in the log (level 3):

[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
   switch message SMBntcreateX (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
   unix_mode(WINDOWSRegDefrag.dat) returning 0744
[2005/11/17 23:12:22, 2] smbd/open.c:open_file(372)
   albe opened file WINDOWSRegDefrag.dat read=No write=No (numopen=1)
[2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
   Transaction 9 of length 244
[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
   switch message SMBnttrans (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/nttrans.c:call_nt_transact_set_security_desc(2081)
   call_nt_transact_set_security_desc: file = WINDOWSRegDefrag.dat, sent 0x4
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_uid_cache(158)
   fetch sid from uid cache 11334 -> S-1-5-21-2707684321-3739850521-1540700870-1334
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(232)
   fetch sid from gid cache 10512 -> S-1-5-21-2707684321-3739850521-1540700870-512
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
   fetch uid from cache 11334 -> S-1-5-21-2707684321-3739850521-1540700870-1334
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
   fetch uid from cache 11369 -> S-1-5-21-2707684321-3739850521-1540700870-1369
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_gid_from_cache(253)
   fetch gid from cache 10512 -> S-1-5-21-2707684321-3739850521-1540700870-512
[2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
   unix_mode(WINDOWSRegDefrag.dat) returning 0744
[2005/11/17 23:12:22, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2585)
   convert_canon_ace_to_posix_perms: Too many ACE entries for file WINDOWSRegDefrag.dat to convert to posix perms.
[2005/11/17 23:12:22, 3] smbd/posix_acls.c:set_nt_acl(3265)
   set_nt_acl: failed to convert file acl to posix permissions for file WINDOWSRegDefrag.dat.
[2005/11/17 23:12:22, 3] smbd/error.c:error_packet(147)
   error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
[2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
   Transaction 10 of length 45
[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
   switch message SMBclose (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/reply.c:reply_close(3247)
   close fd=-1 fnum=11974 (numopen=1)
[2005/11/17 23:12:22, 2] smbd/close.c:close_normal_file(270)
   AGBSOFT\albe closed file WINDOWSRegDefrag.dat (numopen=0)

I can correctly set file permissions of the classical posix elements
via windows explorer: user, group and others. User authentication
for the share and file security works fine.


My smb.conf

[global]
         workgroup = AGBSOFT
         realm = AGBSOFT.CH
         server string = CVS Server
         security = ADS
         client schannel = No
         allow trusted domains = No
         password server = agbsoft-nt1.agbsoft.ch
         log level = 3
         log file = /var/log/samba/%m.log
         max log size = 0
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         load printers = No
         os level = 18
         preferred master = No
         domain master = No
         wins server = 10.100.0.2
         idmap backend = idmap_rid:AGBSOFT=10000-200000000
         idmap uid = 10000-200000000
         idmap gid = 10000-200000000
         template shell = /bin/bash
         winbind use default domain = Yes
         winbind nested groups = Yes

[prova]
         comment = prova
         path = /home/ftp
         valid users = "@AGBSOFT\Domain Admins"
         read only = No

My samba 3.0.20b is compiled with ads and acl support (verified).
Kernel is a 2.6.14.2, compiled with acl and extended attributes for
the filesystems used.
The system is running Slackware 10.2. I had to rebuild attr, acl,
libattr and libacl from source to get it compiling with acl support.

Here is my mount:

/dev/hda1 on / type reiserfs (rw,acl,user_xattr)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)


What am I doing wrong?

Thanks in advance for any help.

I remain at your disposal for any further information.



Alberto
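
A triage aid for logs like the one in this message, added here as an example and not part of the original post or of Samba's code: it rejoins mailer-wrapped smbd log entries and lists each set-security-descriptor request that ended in an error, flagging those where smbd logged the "Too many ACE entries ... to convert to posix perms" message. The names parse_entries and failed_acl_sets and the sample log are constructed for illustration.

```python
import re

# smbd entry header: [date time, level] source.c:function(line)
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s+\d+\] \S+?:(\w+)\(\d+\)$")

def parse_entries(text):
    """Return (time, function, message) per entry, rejoining mailer-wrapped lines."""
    raw = []                                    # [header, body-parts] pairs
    for line in (l.strip() for l in text.splitlines()):
        if re.match(r"\[\d{4}/\d\d/\d\d ", line):
            raw.append([line, []])              # a new entry begins
        elif raw and line and not HEADER.match(raw[-1][0]):
            raw[-1][0] += line                  # the header itself was wrapped
        elif raw and line:
            raw[-1][1].append(line)             # message text, possibly wrapped
    found = [(HEADER.match(h), b) for h, b in raw]
    return [(m.group(1), m.group(2), " ".join(b)) for m, b in found if m]

def failed_acl_sets(entries):
    """One finding per set-security-descriptor request that ended in an error."""
    findings, cur = [], None
    for when, func, msg in entries:
        if func == "call_nt_transact_set_security_desc":
            name = re.search(r"file = (.+?),", msg)
            cur = {"time": when, "file": name.group(1) if name else "?", "fallback": False}
        elif cur and func == "convert_canon_ace_to_posix_perms" and "Too many ACE" in msg:
            cur["fallback"] = True              # ACL did not fit plain mode bits
        elif cur and func == "error_packet":
            cur["status"] = re.search(r"NT_STATUS_\w+|$", msg).group(0)
            findings.append(cur)
            cur = None
        elif func == "switch_message":
            cur = None                          # next request arrived, no error seen
    return findings

# Constructed sample in the same layout as the log above (file names are made up).
SAMPLE = """\
[2005/11/17 23:12:22, 3] smbd/
nttrans.c:call_nt_transact_set_security_desc(2081)
   call_nt_transact_set_security_desc: file = a.dat,
sent 0x4
[2005/11/17 23:12:22, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2585)
   convert_canon_ace_to_posix_perms: Too many ACE entries for file a.dat to convert to posix perms.
[2005/11/17 23:12:22, 3] smbd/error.c:error_packet(147)
   error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
[2005/11/17 23:12:25, 3] smbd/nttrans.c:call_nt_transact_set_security_desc(2081)
   call_nt_transact_set_security_desc: file = b.dat, sent 0x4
[2005/11/17 23:12:25, 3] smbd/process.c:switch_message(900)
   switch message SMBclose (pid 2339) conn 0x8353068
"""
```

Calling failed_acl_sets(parse_entries(text)) on a per-client log file gives one record per refused request; a record with "fallback" set means the request was rejected while smbd was trying to express the ACL as user/group/other permissions.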





