Too many ACE entries for file (Samba 4.0.6)

Sowmya Manjanatha sowmyam1 at gmail.com
Wed Aug 14 14:32:18 MDT 2013


We are having trouble changing permissions on a file from a Windows 7
server.  We are running the stock Samba 4.0.6 version.  The client can mount
fine and then write a file fine, but can't change permissions subsequently.
The permissions on the server for that file are set to 777.  The permissions
on the directory are set to 755.  The sticky bit '+t' is also set for the
directory.

After debugging through 4.0.6 samba and changing this line in posix_acls.c
(see attached diff), I was able to change the permissions.

However, I am skeptical as to why this might have worked. Any ideas on
what could be the source of the problem, or is this really a bug?

>>>> output from samba logs (loglevel 10)

  set_canon_ace_list: setting ACL:
  canon_ace index 0. Type = allow SID = S-1-22-2-0 gid 0 (root)
SMB_ACL_GROUP ace_flags = 0x0 perms rwx
  canon_ace index 1. Type = allow SID = S-1-22-1-0 uid 0 (root)
SMB_ACL_USER ace_flags = 0x0 perms rwx
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x3 perms r-x
  canon_ace index 3. Type = allow SID = S-1-22-1-0 uid 0 (root)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
  canon_ace index 4. Type = allow SID = S-1-22-2-0 gid 0 (root)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
[2013/08/14 11:06:10.800699, 10, pid=1193, effective(0, 0), real(0, 0),
class=acls] ../source3/smbd/posix_acls.c:2939(set_canon_ace_list)
  canon_ace index 0. Type = allow SID = S-1-22-2-0 gid 0 (root)
SMB_ACL_GROUP ace_flags = 0x0 perms rwx
[2013/08/14 11:06:10.800742, 10, pid=1193, effective(0, 0), real(0, 0),
class=acls] ../source3/smbd/posix_acls.c:2939(set_canon_ace_list)
  canon_ace index 1. Type = allow SID = S-1-22-1-0 uid 0 (root)
SMB_ACL_USER ace_flags = 0x0 perms rwx
[2013/08/14 11:06:10.800797, 10, pid=1193, effective(0, 0), real(0, 0),
class=acls] ../source3/smbd/posix_acls.c:2939(set_canon_ace_list)
  canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
ace_flags = 0x3 perms r-x
[2013/08/14 11:06:10.800833, 10, pid=1193, effective(0, 0), real(0, 0),
class=acls] ../source3/smbd/posix_acls.c:2939(set_canon_ace_list)
  canon_ace index 3. Type = allow SID = S-1-22-1-0 uid 0 (root)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2013/08/14 11:06:10.800877, 10, pid=1193, effective(0, 0), real(0, 0),
class=acls] ../source3/smbd/posix_acls.c:2939(set_canon_ace_list)
  canon_ace index 4. Type = allow SID = S-1-22-2-0 gid 0 (root)
SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
[2013/08/14 11:06:10.800930,  5, pid=1193, effective(0, 0), real(0, 0),
class=acls] ../source3/smbd/posix_acls.c:2979(set_canon_ace_list)
  set_canon_ace_list: acl group control on and current user in file
data/file.txt primary group.
[2013/08/14 11:06:10.800956, 10, pid=1193, effective(0, 0), real(0, 0)]
../source3/modules/vfs_posixacl.c:92(posixacl_sys_acl_set_file)
  Calling acl_set_file: data/file.txt, 0
[2013/08/14 11:06:10.800984, 10, pid=1193, effective(0, 0), real(0, 0)]
../source3/modules/vfs_posixacl.c:111(posixacl_sys_acl_set_file)
  acl_set_file failed: Operation not supported
[2013/08/14 11:06:10.801029,  2, pid=1193, effective(0, 0), real(0, 0),
class=acls] ../source3/smbd/posix_acls.c:3015(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file
data/file.txt (Operation not supported).
[2013/08/14 11:06:10.801060,  3, pid=1193, effective(0, 0), real(0, 0),
class=acls]
../source3/smbd/posix_acls.c:3100(convert_canon_ace_to_posix_perms)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file
data/file.txt to convert to posix perms.
[2013/08/14 11:06:10.801085,  3, pid=1193, effective(0, 0), real(0, 0),
class=acls] ../source3/smbd/posix_acls.c:4125(set_nt_acl)
  set_nt_acl: failed to convert file acl to posix permissions for file
data/file.txt.



>>> smb.conf file below:

[global]
   workgroup = HCP-Workgroup
   strict sync = yes
   server string = HCP Archive
   load printers = no
   disable spoolss = yes
   printcap name = /dev/null


   # Create a samba daemon that only listens on one network IP.
   # List the namespace directories corresponding to this network
   bind interfaces only = yes
   interfaces = 172.20.55.204
   pid directory   = /var/run/samba/_hcp_system_
   ncalrpc dir     = /var/run/samba/_hcp_system_/ncalrpc
   lock directory  = /var/cache/samba/_hcp_system_
   private dir     = /var/cache/samba/_hcp_system_
   log file        = /var/log/samba/log.smbd._hcp_system_
   log level       = 10

   fake oplocks = yes

   security = user
   map to guest = Bad User

   usershare max shares = 10

[myshare]
   path=/fs/ten1/ns1
   writable = yes
   browsable = yes
   hide dot files = yes
   # This is set to no for the oddball attack where someone makes a
   # symlink outside of /RIS/exports
   wide links = yes
   delete readonly = yes

   guest ok = yes
   guest only = yes
   force create mode = 0
   force directory mode = 0
   force user = U0
   force group = G0
   case sensitive = yes
   preserve case = yes
   short preserve case = yes
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-4.0.6-hds-map-windows-ace.patch
Type: application/octet-stream
Size: 568 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130814/034e2a0c/attachment.obj>
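
A triage sketch for the log in this post, added here as an example (it is not from the post or from Samba): it re-joins the mail-wrapped smbd debug records, picks out the ACL entries that are named user/group entries rather than the owner/group/other entries that plain mode bits can express, and extracts the failure chain. The names `parse_records` and `triage` and both regular expressions are assumptions derived from the log lines shown above.

```python
import re

# Constructed sample: records copied from the log in the post (abridged, mail wrapping kept).
SAMPLE = """\
[2013/08/14 11:06:10.800742, 10, pid=1193, effective(0, 0), real(0, 0),
class=acls] ../source3/smbd/posix_acls.c:2939(set_canon_ace_list)
  canon_ace index 1. Type = allow SID = S-1-22-1-0 uid 0 (root)
SMB_ACL_USER ace_flags = 0x0 perms rwx
[2013/08/14 11:06:10.800833, 10, pid=1193, effective(0, 0), real(0, 0),
class=acls] ../source3/smbd/posix_acls.c:2939(set_canon_ace_list)
  canon_ace index 3. Type = allow SID = S-1-22-1-0 uid 0 (root)
SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2013/08/14 11:06:10.800984, 10, pid=1193, effective(0, 0), real(0, 0)]
../source3/modules/vfs_posixacl.c:111(posixacl_sys_acl_set_file)
  acl_set_file failed: Operation not supported
[2013/08/14 11:06:10.801060,  3, pid=1193, effective(0, 0), real(0, 0),
class=acls]
../source3/smbd/posix_acls.c:3100(convert_canon_ace_to_posix_perms)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file
data/file.txt to convert to posix perms.
[2013/08/14 11:06:10.801085,  3, pid=1193, effective(0, 0), real(0, 0),
class=acls] ../source3/smbd/posix_acls.c:4125(set_nt_acl)
  set_nt_acl: failed to convert file acl to posix permissions for file
data/file.txt.
"""

HEADER = re.compile(r"\[[\d/]+ [\d:.]+,\s*(\d+),[^\]]*\]\s*\S+?:\d+\((\w+)\)")
ACE = re.compile(r"canon_ace index (\d+)\..*?(SMB_ACL_\w+) ace_flags = \S+ perms (\S+)")
BASE = {"SMB_ACL_USER_OBJ", "SMB_ACL_GROUP_OBJ", "SMB_ACL_OTHER"}  # expressible as mode bits

def parse_records(text):
    """Re-join wrapped lines, then split into (level, function, message) records."""
    flat = " ".join(text.split())
    heads = list(HEADER.finditer(flat))
    ends = [h.start() for h in heads[1:]] + [len(flat)]
    return [(int(h.group(1)), h.group(2), flat[h.end():e].strip())
            for h, e in zip(heads, ends)]

def triage(text):
    """Return ({index: (tag, perms)}, indexes of named entries, failure chain)."""
    recs = parse_records(text)
    aces = {int(m.group(1)): (m.group(2), m.group(3))
            for _, _, msg in recs if (m := ACE.search(msg))}
    named = sorted(i for i, (tag, _) in aces.items() if tag not in BASE)
    failures = [(fn, msg) for lvl, fn, msg in recs if lvl <= 3 or " failed" in msg]
    return aces, named, failures

if __name__ == "__main__":
    print(triage(SAMPLE))
```
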

