[Samba] ACLs revisited

Tue Jun 29 12:52:18 GMT 2004

Hi all,

My appologies if this has been addressed before, but I've been searching
the list archives and can only find people reporting having the problem,
not a solution.  I have found a solution for my own situation and I
thought I'd share it in case it can help anyone else.

BACKGROUND
==========
I'm running Samba 3 on Fedora Core 2.  I've kept the machine up to date
with "yum", at first installing Samba 3.0.3 that yum picks up, then
recompiling myself using the source RPM for 3.0.4 on samba.org.  The
machine is setup as a PDC.

All my Samba shares are in the folder /samba which is an ext3 partition
mounted with "rw,acl" flags.  FC2 comes as standard with a 2.6 kernel
that supports ACLs on ext3 partitions.

THE PROBLEM
===========
Using setfacl and getfacl from the shell I was able to set and retrieve
ACLs on files and folders.  These changes were visible over the Samba
shares.

However, if I tried and make changes from a remote client I got no error
messages, but the changes were not actually written to disk.  The end
result is that although I seemed to be able to add ACL entries, when I
tried to check them afterwards they had disappeared.

At first I thought it might have been something to do with the client I
was using, a Windows 2000 SP4 machine, but an XP Pro SP1 machine showed
the same behaviour and if I tried to set the ACLs from a shell on the
server itself using "smbcacls -U administrator -a
ACL:DOMAIN\\username:ALLOWED/0/FULL //localhost/share a.txt" I got no
errors, but the change was not made.  Checking afterwards with "smbcacls
-U administrator //localhost/share a.txt" showed the permissions had not
changed.

THE SOLUTION
============
This was embarrasingly simple in the end.  After checking some logs I
found the following line:

[2004/06/29 13:05:52, 0] passdb/pdb_smbpasswd.c:build_sam_account(1183)
  build_sam_account: smbpasswd database is corrupt!  username test-xp$
with uid 512 is not in unix passwd database!

Luckily there were only a few test users and machines on the system at
the time, so I was able to "mv /etc/samba/smbpasswd
/etc/samba/smbpasswd.corrupt" and add the users again.

Straight away it started to work.  It would appear that during a test
backup/restore something ended up out of sync between the smbpasswd and
passwd files.

If this has not solved your problem, I would recommend making sure that
in smb.conf you have a line reading "log file = /var/log/samba/%m.log",
then try and use smbcacls from the linux machine itself to change your
ACLs, then look through /var/log/samba/<machine-name>.log for the
information.  That way you'll have the minimum of irrelevant information
in the logfile when you're hunting through it for clues.

I hope this helps someone,

Mark Lidstone
IT and Network Support Administrator

BMT SeaTech Ltd
Grove House, Meridians Cross, 7 Ocean Way
Ocean Village, Southampton.  SO14 3TJ. UK
Tel: +44 (0)23 8063 5122         
Fax: +44 (0)23 8063 5144

E-Mail:  mailto:mark.lidstone at bmtseatech.co.uk
Website: www.bmtseatech.co.uk
========================================================================
==
Confidentiality Notice and Disclaimer: 
The contents of this e-mail and any attachments are intended only for
the
use of the e-mail addressee(s) shown. If you are not that person, or one
of those persons, you are not allowed to take any action based upon it
or
to copy it, forward, distribute or disclose the contents of it and you
should please delete it from your system. BMT SeaTech Limited does not
accept liability for any errors or omissions in the context of this
e-mail
or its attachments which arise as a result of Internet transmission, nor
accept liability for statements which are those of the author and not
clearly made on behalf of BMT SeaTech Limited.
========================================================================
==