[Samba] Samba 3.0.20 acls not working anymore and problem with winbindd_idmap.tdb

Sabine Jordan emaleth77 at gmx.net
Mon Dec 12 08:59:26 GMT 2005

Hi Folks,

I am experiencing some problems with Samba 3.0.20 which I cannot solve
on my own. We have updated from Samba 3.0.10 to Samba 3.0.20, but I am
not sure when the problems started.

We had a problem with idmap before, which I had hoped to solve. Whenever
we rebooted the server, all of the ACLs got jumbled up. I thought that
our winbindd_idmap.tdb had somehow got broken. I re-created it, but still
the problem persists. We use winbindd to get all the groups and users
from Active Directory, and we have 2 Samba servers joined to the same
domain. Now I have found out that this could be the cause of the
problem I have with my idmap. Is it a good idea to change the winbindd
configuration to winbindd with an NSS/LDAP backend-based idmap
facility? How can I change from a local tdb to an LDAP backend without
losing my user and group assignments? I cannot afford to lose all or
mess up all the ACLs on the first server. I think this is a bigger
issue and needs to be thought over carefully.

But now to the other problem I have on the second and smaller
Samba server. I have had some trouble concerning access rights where
users trying to save a file on a share were getting "File exists" error
messages. (But the file did not exist before!) After another attempt to
save the same file the operation was successful. I could not trace the
problem after examining the ACLs with getfacl on the server. Everything
seemed to be alright.

Here's the global-section of my smb.conf:

# Global parameters
        workgroup = DTMS
        netbios name = MAX
        security = domain
        password server = skynet, orion, *
        server string = MAX rate one Fileserver
        domain master = no
        os level = 2
        unix extensions = Yes
        encrypt passwords = yes
        interfaces = eth0

        log level = 2
        log file = /var/log/samba/%m
        max log size = 2048
        syslog = 0

        acl check permissions = yes
       #seems to change nothing...

        name resolve order = lmhosts hosts bcast
        wins support = no
        wins server =

#       ********************************************************
#       winbind section
#       ********************************************************
        winbind uid = 10000-20000
        winbind gid = 10000-20000
        template shell = /bin/bash
        template homedir = /distributed/samba-freigaben/user/%U
        template shell = /bin/false
        nt acl support = yes
        winbind separator = +
        veto files = /*.eml/*.nws/riched20.dll/*.{*}/
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        obey pam restrictions = yes

Removing and resetting the ACLs with setfacl as well as rebooting the
machine did not help either. I have tried to view the ACLs via a mapped
share through Windows, but I don't even see the ACLs there. I only see
the local Unix rights (user and owner group).

I have tried to view and change the ACLs for a file named glossar.htm
with the following rights:

max:~ # ls -la /distributed/samba-freigaben/marketing/glossar.htm
-rwxrwxrwx+ 1 jordans Marketing_ges 26190 Apr 11  2001

max:~ # getfacl /distributed/samba-freigaben/marketing/glossar.htm
# file: distributed/samba-freigaben/marketing/glossar.htm
# owner: jordans
# group: Marketing_ges

Here's the configuration for the share marketing where the file
glossar.htm can be found:

        comment = Marketing
        path = /distributed/samba-freigaben/marketing
        nt acl support = no
        writeable = yes
        browsable = yes
        valid users = @ntadmins @RO_Technik @RO_Management
@RO_marketing_intern @marketing_extern
        admin users = @ntadmins

        comment = Adminshare marketing
        copy = marketing
        nt acl support = yes
        browsable = no
        admin users = @DTMS+Domänen-Admins DTMS+WenkP DTMS+JordanS
        valid users = @DTMS+Domänen-Admins DTMS+WenkP DTMS+JordanS

I have mapped the Adminshare so that I can see NT ACLs... But I don't
see the ACLs, I just see the owner (JordanS) and group (Marketing_ges),
as well as root/Max.

Here are the IDs for this user and group:

max:~ # getent passwd |grep 10002
max:~ # getent group |grep

When I try to change permissions via file properties/security tab I get
a Windows "Access Denied" message... I have turned on Samba logging
(log level 10) and here are some extracts from the messages I get.

  jordans opened file glossar.htm read=No write=No (numopen=3)
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)
  Transaction 4546 of length 76
[2005/12/09 10:13:16, 3] smbd/process.c:switch_message(900)
  switch message SMBtrans2 (pid 23879) conn 0x837b740
[2005/12/09 10:13:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 10028) - sec_ctx_stack_ndx = 0
[2005/12/09 10:13:16, 3] smbd/trans2.c:call_trans2qfilepathinfo(2760)
  call_trans2qfilepathinfo: TRANSACT2_QFILEINFO: level = 1006
[2005/12/09 10:13:16, 3] smbd/trans2.c:call_trans2qfilepathinfo(2871)
  call_trans2qfilepathinfo glossar.htm (fnum = 10498) level=1006 call=7
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)
  Transaction 4547 of length 300
[2005/12/09 10:13:16, 3] smbd/process.c:switch_message(900)
  switch message SMBnttrans (pid 23879) conn 0x837b740
[2005/12/09 10:13:16, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 10028) - sec_ctx_stack_ndx = 0
[2005/12/09 10:13:16, 3]
  call_nt_transact_set_security_desc: file = glossar.htm, sent
[2005/12/09 10:13:16, 3]
  fetch sid from uid cache 10002 ->
[2005/12/09 10:13:16, 3]
  fetch sid from gid cache 10044 ->
[2005/12/09 10:13:16, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
  fetch uid from cache 10002 ->
[2005/12/09 10:13:16, 3] passdb/lookup_sid.c:fetch_gid_from_cache(253)
  fetch gid from cache 10044 ->
[2005/12/09 10:13:16, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(glossar.htm) returning 0744
[2005/12/09 10:13:16, 3]
  convert_canon_ace_to_posix_perms: Too many ACE entries for file
glossar.htm to convert to posix perms.
[2005/12/09 10:13:16, 3] smbd/posix_acls.c:set_nt_acl(3257)
  set_nt_acl: failed to convert file acl to posix permissions for file
[2005/12/09 10:13:16, 3] smbd/error.c:error_packet(147)
  error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans)
[2005/12/09 10:13:16, 3] smbd/process.c:process_smb(1114)

We use SuSE Linux 9.1 (i586) and kernel Linux max 2.4.25 with
acl-support (also compiled for samba).

Any ideas? It would be great if someone could offer me help.

Thanks in advance,

Sabine Jordan 
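Added example, not part of Sabine Jordan's post and not Samba code: the two checks a practitioner would run against the "Too many ACE entries for file ... to convert to posix perms" line quoted above. smbd reaches that message on its fallback path, used when it cannot set a POSIX ACL on the file; that path can only keep owner/group/other entries, so any named user, named group, mask or default entry needs real POSIX ACL support, which on a 2.4 kernel with the ACL patches means the share's filesystem mounted with the "acl" option. The script classifies a getfacl(1) listing and looks up the mount options of the filesystem holding the path. The getfacl listings, mount table, device names and the extra principals (wenkp, RO_Technik) in the samples are constructed for the example and were not captured from the server.

```shell
#!/bin/bash
# Added example (not from the original post). Answers: can this file's ACL
# be stored on this filesystem the way Samba needs it? Sample inputs below
# are constructed; only the path and group name mirror the post.

# Count ACL entries that do not fit into plain owner/group/other mode bits
# (named users/groups, mask, default entries). getfacl output on stdin.
acl_extended_entries() {
    grep -v '^#' | grep -v '^$' \
        | grep -E '^(user|group):[^:]+:|^mask:|^default:' \
        | wc -l | tr -d ' '
}

# "plain" if owner/group/other only, "extended" otherwise (getfacl on stdin).
acl_class() {
    local n
    n=$(acl_extended_entries)
    if [ "$n" -eq 0 ]; then echo plain; else echo extended; fi
}

# Does the filesystem holding path $1 carry the "acl" mount option?
# Reads /proc/mounts-format text on stdin; the longest matching mount
# point wins, so a separate filesystem under / is judged on its own options.
fs_has_acl_option() {
    awk -v p="$1" '
        {
            mp = $2; opts = $4
            # mount point must be "/" or a directory prefix of p
            if (index(p, mp) == 1 &&
                (mp == "/" || length(p) == length(mp) ||
                 substr(p, length(mp) + 1, 1) == "/") &&
                length(mp) > best) { best = length(mp); bestopts = opts }
        }
        END {
            n = split(bestopts, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == "acl") { print "yes"; exit }
            print "no"
        }'
}

# Verdict for path $1 given getfacl output $2 and /proc/mounts text $3.
acl_verdict() {
    local class mounted
    class=$(printf '%s\n' "$2" | acl_class)
    mounted=$(printf '%s\n' "$3" | fs_has_acl_option "$1")
    case "$class:$mounted" in
        plain:*)      echo "plain: fits mode bits, no ACL support needed" ;;
        extended:yes) echo "extended: needs POSIX ACLs, filesystem has acl" ;;
        extended:no)  echo "extended: needs POSIX ACLs, filesystem lacks acl" ;;
    esac
}

# Constructed samples (hypothetical content, not captured from the server).
FILE=/distributed/samba-freigaben/marketing/glossar.htm
ACL_PLAIN='# file: distributed/samba-freigaben/marketing/glossar.htm
# owner: jordans
# group: Marketing_ges
user::rwx
group::rwx
other::rwx'
ACL_EXTENDED="$ACL_PLAIN
user:wenkp:rwx
group:RO_Technik:r-x
mask::rwx"
MOUNTS_ACL='/dev/hda1 / ext3 rw 0 0
/dev/hda5 /distributed ext3 rw,acl 0 0'
MOUNTS_NOACL='/dev/hda1 / ext3 rw,acl 0 0
/dev/hda5 /distributed ext3 rw 0 0'

# Live use on the server would be:
#   acl_verdict "$FILE" "$(getfacl "$FILE")" "$(cat /proc/mounts)"
acl_verdict "$FILE" "$ACL_PLAIN"    "$MOUNTS_ACL"
acl_verdict "$FILE" "$ACL_EXTENDED" "$MOUNTS_ACL"
acl_verdict "$FILE" "$ACL_EXTENDED" "$MOUNTS_NOACL"
```

The third sample is the case worth watching for: the root filesystem has the acl option but the data volume under /distributed does not, and the longest-prefix lookup reports the data volume, which is the one smbd writes to.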

