Windows Backup Error on Vista

Kotaro Kawamura k-kawamura at wm.jp.nec.com
Mon Feb 5 05:07:25 GMT 2007


Hello all,

I got an error from a Windows Vista client when I ran a backup
operation with Windows Backup for files on a Samba share.
I found that the problem described below occurs when it creates
a temporary folder.
I would like to inform you of the cause and also suggest a resolution.

Note: POSIX ACLs cannot be used in my Samba server environment,
so I couldn't implement POSIX ACLs as a resolution.

The error code on the Windows Vista client is 0x800700B7.

Log message on the Samba server:

    convert_canon_ace_to_posix_perms: Too many ACE entries for file
    "file name" convert to posix perms.

When I looked at the Samba (3.0.23d) source, it seems unable to process
the following case of more than 4 ACEs in an environment without
POSIX ACLs.

------------------------------------------
As far as I know, Samba has been implemented to merge ACEs for identical SIDs.
Therefore the "too many ACE entries" error occurs because different SIDs
cannot be merged, though the Windows Vista client sends the following 4 ACEs.

The ACE list sent from the Windows Vista client when the error occurred:

	canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms ---
	canon_ace index 1. Type = allow SID = S-1-5-21-2576099160-2903971284-2093301635-513 gid 500 SMB_ACL_GROUP_OBJ perms ---
	canon_ace index 2. Type = allow SID = S-1-3-0 uid 1213 SMB_ACL_USER_OBJ perms rwx
	canon_ace index 3. Type = allow SID = S-1-5-21-2576099160-2903971284-2093301635-3967 uid 1213 SMB_ACL_USER perms rwx

------------------------------------------

Note: With versions earlier than Windows 2003, 4 ACEs are sent
when an ACE is added for CREATOR OWNER via the File menu's
[Properties] -> [Security]. The error does not occur because the SID
of the CREATOR OWNER ACE is transformed to the connected user's SID
(as index 0) and 3 ACEs remain after merging them.

	canon_ace index 0. Type = allow SID = S-1-5-21-2576099160-2903971284-2093301635-3967 uid 1213 SMB_ACL_USER_OBJ perms rwx
	canon_ace index 1. Type = allow SID = S-1-5-21-2576099160-2903971284-2093301635-3967 uid 1213 SMB_ACL_USER perms rwx
	canon_ace index 2. Type = allow SID = S-1-5-21-2576099160-2903971284-2093301635-512 gid 500 SMB_ACL_GROUP_OBJ perms r-x
	canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms r--

After merging them:

	canon_ace index 0. Type = allow SID = S-1-5-21-2576099160-2903971284-2093301635-3967 uid 1213 SMB_ACL_USER_OBJ perms rwx
	canon_ace index 1. Type = allow SID = S-1-5-21-2576099160-2903971284-2093301635-512 gid 500 SMB_ACL_GROUP_OBJ perms r-x
	canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms r--

I'd like to suggest that you take one of the resolutions described below to fix the problem.

 (1) Ignore both the SID S-1-3-0 (CREATOR OWNER) and the ACE of S-1-3-1 (CREATOR GROUP).

 (2) Transform the S-1-3-0 (CREATOR OWNER) SID to the connected user's SID and merge them.
     Transform the S-1-3-1 (CREATOR OWNER) SID to the connected user's primary group and merge them.

You can take either (1) or (2) described above and implement the code that checks for
"CREATOR OWNER" and "CREATOR GROUP" in the function create_canon_ace_lists() of
smbd/posix_acls.c (see below) to solve it.

I suggest taking (1) as the resolution because neither "CREATOR OWNER" nor
"CREATOR GROUP" can be mapped to POSIX permissions.

==================================================
	} else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Owner)) {
		current_ace->owner_type = UID_ACE;
		current_ace->unix_ug.uid = pst->st_uid;
		current_ace->type = SMB_ACL_USER_OBJ;

		/*
		 * The Creator Owner entry only specifies inheritable permissions,
		 * never access permissions. WinNT doesn't always set the ACE to
		 * INHERIT_ONLY, though.
		 */

		if (nt4_compatible_acls())
			psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
	} else if (sid_equal(&current_ace->trustee, &global_sid_Creator_Group)) {
		current_ace->owner_type = GID_ACE;
		current_ace->unix_ug.gid = pst->st_gid;
		current_ace->type = SMB_ACL_GROUP_OBJ;

		/*
		 * The Creator Group entry only specifies inheritable permissions,
		 * never access permissions. WinNT doesn't always set the ACE to
		 * INHERIT_ONLY, though.
		 */
		if (nt4_compatible_acls())
			psa->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
==================================================

Best regards,

K. Kawamura
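
The two proposals applied to the Vista ACE list from the message, as an added sketch that is not part of the original post and is not Samba code. It assumes merging ORs the permission bits of entries with identical SIDs and that the -513 group is the connected user's primary group; `normalize`, `vista_count` and the enum names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define SID_CREATOR_OWNER "S-1-3-0"
#define SID_CREATOR_GROUP "S-1-3-1"

enum creator_mode { KEEP, DROP, MAP };  /* as sent, option (1), option (2) */

struct ace { const char *sid; unsigned perms; };  /* perms: r=4 w=2 x=1 */

/* Rewrites a[] in place and returns the number of entries left once the
 * CREATOR SIDs are handled and entries with identical SIDs are merged.
 * Merging by OR-ing the bits is an assumption of this sketch. */
size_t normalize(struct ace *a, size_t n, enum creator_mode mode,
                 const char *user_sid, const char *group_sid)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++) {
        struct ace cur = a[i];
        int owner = strcmp(cur.sid, SID_CREATOR_OWNER) == 0;
        int group = strcmp(cur.sid, SID_CREATOR_GROUP) == 0;
        if ((owner || group) && mode == DROP)
            continue;                         /* option (1): ignore the ACE */
        if (owner && mode == MAP) cur.sid = user_sid;   /* option (2) */
        if (group && mode == MAP) cur.sid = group_sid;
        size_t j;
        for (j = 0; j < out; j++)
            if (strcmp(a[j].sid, cur.sid) == 0)
                break;
        if (j < out)
            a[j].perms |= cur.perms;          /* same SID: merge */
        else
            a[out++] = cur;                   /* new SID: keep as own entry */
    }
    return out;
}

/* Sample input constructed from the Vista list in the post. */
size_t vista_count(enum creator_mode mode)
{
    const char *user = "S-1-5-21-2576099160-2903971284-2093301635-3967";
    const char *grp  = "S-1-5-21-2576099160-2903971284-2093301635-513";
    struct ace a[] = { { "S-1-1-0", 0 }, { grp, 0 },
                       { SID_CREATOR_OWNER, 7 }, { user, 7 } };
    return normalize(a, 4, mode, user, grp);
}

int main(void)
{
    printf("as sent: %zu, option (1): %zu, option (2): %zu\n",
           vista_count(KEEP), vista_count(DROP), vista_count(MAP));
    return 0;
}
```

Left as sent, the list keeps four distinct SIDs, one more than the owner/group/other classes of plain POSIX mode bits; either option brings it down to three.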

