[Samba] CIFS/ACLs

eric roseme eroseme at emonster.rose.hp.com
Wed Jun 1 17:43:27 GMT 2005


For the "no buffer space", verify that you have increased nfile and 
nproc (see Admin Guide pg 258 
[http://www.docs.hp.com/en/B8725-90074/B8725-90074.pdf]).  You need 
1.2MB memory per client at connect time, in addition to whatever else 
your system needs.

For ACLs, verify that you are using JFS (VxFS) 3.3 or later, and layout 4:

rmonster->bdf
Filesystem          kbytes    used   avail %used Mounted on
/dev/vg00/lvol3    2097152   77264 2004120    4% /
/dev/vg00/lvol1    1014648   28336  884840    3% /stand
/dev/vg00/lvol8    5242880  182064 5021776    3% /var
/dev/vg00/lvol7    5242880 1147952 4063024   22% /usr
/dev/vg00/lvol6    2097152  228432 1854184   11% /tmp
/dev/vg00/lvol5    5242880  505264 4700864   10% /opt
/dev/vg00/lvol4    5242880   18008 5184112    0% /home
rmonster->fstyp -v /dev/vg00/lvol4
vxfs
version: 4
f_bsize: 8192
f_frsize: 8192
f_blocks: 655360
f_bfree: 653109
f_bavail: 648263
f_files: 155616
f_ffree: 163264
f_favail: 163264
f_fsid: 1073741828
f_basetype: vxfs
f_namemax: 254
f_magic: a501fcf5
f_featurebits: 0
f_flag: 16
f_fsindex: 5
f_size: 655360
rmonster->

The symptoms that you describe are common for a file system that is not 
POSIX ACL enabled.  Also, the Windows Explorer security screen will be 
adding windows groups to the ACL, but you have mapped those with "net 
groupmap" to your POSIX groups, which display on the getacl.  See below 
(edited for brevity).

rmonster->getacl jardin.mpg
# file: motocross.mpg
# owner: SNSLATC+eroseme
# group: SNSLATC+Domain Users
user::rwx
group::r--
group:vamps:rwx
group:scoobs:r-x
class:rwx
other:r--
rmonster->net groupmap list
vampires (S-1-5-21-1681019172-2179928069-728536373-1122) -> vamps
Domain Users (S-1-5-21-1681019172-2179928069-728536373-513) -> -1
scoobies (S-1-5-21-1681019172-2179928069-728536373-1121) -> scoobs
Users (S-1-5-32-545) -> -1
rmonster->wbinfo -g
BUILTIN+Users
SNSLATC+Domain Admins
SNSLATC+Domain Users
SNSLATC+Domain Guests
SNSLATC+scoobies
SNSLATC+vampires
SNSLATC+demons
SNSLATC+mars
SNSLATC+neptune
rmonster->

If this does not help, email me off-list.

Eric Roseme
Hewlett-Packard

Thilo Rees, Continum wrote:

> Hi,
> 
> I am using CIFS 2.01.01 on HPUX11V2. CIFS is running in ADS 
> security-mode. Winbind is used to map the users from the W2K3-Domain 
> (german) to a tdb-file. The user mapping works fine, but I have 
> problems with the ACLS: setting the ACLS to a file or folder from 
> windows leads to "access denied". I'm the owner of the object and have 
> full access. The really crazy thing is, that it works sometimes, but 
> later the ACLs are gone (showing standard permissions) and I can't 
> modify them (Access denied). "getacls" from Unix side displays the 
> formerly configured ACLS ....
> The logfile (loglevel=2) shows:
> 
> log.smbd:
> open_sockets_smbd: accept: No buffer space available
> 
> <host>.log
> [2005/05/30 11:22:29, 1] smbd/service.c:make_connection_snum(648)
> 192.168.200.11 (192.168.200.11) connect to service tmp initially as user 
> FRHAWIN\Administrator (uid=10000, gid=10000) (pid 9429)
> [2005/05/30 11:29:37, 1] smbd/service.c:close_cnum(835)
> 192.168.200.11 (192.168.200.11) closed connection to service tmp
> [2005/05/30 11:30:17, 2] smbd/server.c:main(893)
> Changed root to /
> [2005/05/30 11:30:17, 2] smbd/sesssetup.c:setup_new_vc_session(608)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close 
> all old resources.
> [2005/05/30 11:30:19, 1] smbd/service.c:make_connection_snum(648)
> 192.168.200.11 (192.168.200.11) connect to service tmp initially as user 
> FRHAWIN\Administrator (uid=10000, gid=10000) (pid 9553)
> [2005/05/30 11:30:36, 2] smbd/posix_acls.c:set_canon_ace_list(2422)
> set_canon_ace_list: sys_acl_set_file type file failed for file ACLStest 
> (Invalid argument).
> 
> my smb.conf is simple:
> 
> [global]
>       display charset = UTF-8
>       workgroup = FRHAWIN
>       realm = YYYYY.YYYYY.YYY
>       netbios name = FSERV0
>       server string = CIFS_HP_UX
>       security = ADS
>       password server = xxxx.xxxxx.xxxx.xxx
>       log level = 2
>       log file = /var/opt/samba/log.%m
>       max log size = 1000
>       host msdfs = Yes
>       idmap uid = 10000-20000
>       idmap gid = 10000-20000
>       winbind use default domain = Yes
> 
> [tmp]
>       comment = Temporary file space
>       path = /tmp
>       read only = No
> 
> Any suggestions?
> 
> Regards: Thilo
> 
> 
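
The two checks discussed in this thread, written as a script. This is an added example, not part of either message: it parses `fstyp -v` output for a vxfs file system with disk layout 4 or later, and counts the two smbd log errors quoted above. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Checks the two things the
# reply points at: file system layout for ACLs, and the smbd log symptoms.

# Reads `fstyp -v <device>` output on stdin.
# Returns 0: vxfs with disk layout >= 4; 1: vxfs, older layout;
#         2: not vxfs, or no "version:" line found.
# The JFS product version (3.3+) is not in this output; check it separately.
acl_layout_ok() {
    awk '
        $1 == "f_basetype:" { fstype = $2 }
        $1 == "version:"    { ver = $2 + 0; seen = 1 }
        END {
            if (fstype != "vxfs" || !seen) exit 2
            exit (ver >= 4 ? 0 : 1)
        }'
}

# Reads smbd log text on stdin; prints counts of the two errors in the thread.
acl_symptoms() {
    awk '
        /sys_acl_set_file.*failed.*Invalid argument/ { acl++ }
        /accept: No buffer space available/          { buf++ }
        END { printf "acl_set_einval=%d no_buffer_space=%d\n", acl, buf }'
}

# Constructed sample input, shaped like the output quoted in the thread.
sample_fstyp() {
    printf '%s\n' 'vxfs' "version: $1" 'f_bsize: 8192' 'f_basetype: vxfs'
}
sample_log() {
    cat <<'EOF'
open_sockets_smbd: accept: No buffer space available
[2005/05/30 11:30:36, 2] smbd/posix_acls.c:set_canon_ace_list(2422)
  set_canon_ace_list: sys_acl_set_file type file failed for file ACLStest (Invalid argument).
EOF
}

if sample_fstyp 4 | acl_layout_ok; then
    echo "layout OK for POSIX ACLs"
else
    echo "layout check failed (exit $?)"
fi
sample_log | acl_symptoms
```

On a live system the functions take real input, for example `fstyp -v /dev/vg00/lvol4 | acl_layout_ok` and `acl_symptoms < /var/opt/samba/log.smbd`.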