cifs-utils: setcifsacl receives STATUS_INVALID_SECURITY_DESCR reply from custom CIFS implementation

Paul van Schayck polleke at
Mon Jun 26 13:04:11 UTC 2017

Dear samba-technical,

If this list is inappropriate for this question then please redirect
me to a better one.

I'm working with a HDS HNAS (Hitachi NAS) which has its own
implementation of the CIFS protocol. Mounting, and interactions all go
fine using linux-cifs and related tools.

However, when sending a `setcifsacl -a ACE /dir` the response is
"main: setxattr error: Input/output error". Upon further digging using
tcpdump/wireshark it became clear that the HNAS is responding with


Setting the same ACE using a Windows client did work. So further
examining of the request being sent showed that the only difference
between the Windows client and setcifsacl was the addition of a lot of
padding zero bytes at the end of the security descriptor.

Examining the code of setcifsacl.c and the request more it seems like
the request was not properly trimmed down to the number of aces being
sent. More buffer was allocated that the number of aces being sent. So
I made the attached patch to trim down the request. This fixes some of
the problems with setcifsacl, but for example breaks deleting aces. I
also think it's most likely an ugly fix, and the problem needs to be
solved elsewhere most likely.

So my question is if someone can point me at the correct way to fix
this in setcifsacl, or help me fix it properly. If necessary I can
provide tcpdump's of Windows and Linux clients performing the request.


Paul van Schayck

diff --git a/setcifsacl.c b/setcifsacl.c
index 7eeeaa6..4ada3c8 100644
--- a/setcifsacl.c
+++ b/setcifsacl.c
@@ -761,6 +761,20 @@ setacl_action(struct cifs_ntsd *pntsd, struct
cifs_ntsd **npntsd,
        return rc;

+trim_request(ssize_t bufsize, struct cifs_ntsd *npntsd) {
+       int i, len = 0;
+       char *a = (char *) npntsd;
+       for( i = 0; i < bufsize; i++) {
+               if ( a[i] != 0 )
+                       len = i;
+       }
+       return (ssize_t) len + 2;
 static void
 setcifsacl_usage(const char *prog)
@@ -902,7 +916,7 @@ cifsacl:
        if (rc)
                goto setcifsacl_action_ret;

-       attrlen = setxattr(filename, ATTRNAME, ntsdptr, bufsize, 0);
+       attrlen = setxattr(filename, ATTRNAME, ntsdptr,
trim_request(bufsize, ntsdptr), 0);
        if (attrlen == -1) {
                printf("%s: setxattr error: %s\n", __func__, strerror(errno));
                goto setcifsacl_facenum_ret;

More information about the samba-technical mailing list