[Samba] Can't set ACL on Samba
Albe
k3rmit at libero.it
Thu Nov 17 22:45:16 GMT 2005
Hi everybody,

I'm getting mad configuring Samba to join an ADS, resolve domain
users and groups and set ACLs via Windows Explorer on a share mounted
with POSIX ACL and extended attributes.

At the point where I am, I've managed to get Samba to join the domain
correctly, with the idmap_rid backend working fine.

I can correctly set (add, remove, modify) file ACLs and extended
attributes via bash, but when I try to simply add a user permission
on a file or directory via the Windows Explorer security settings I
get in the log (level 3):

[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
  switch message SMBntcreateX (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(WINDOWSRegDefrag.dat) returning 0744
[2005/11/17 23:12:22, 2] smbd/open.c:open_file(372)
  albe opened file WINDOWSRegDefrag.dat read=No write=No (numopen=1)
[2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
  Transaction 9 of length 244
[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
  switch message SMBnttrans (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/nttrans.c:call_nt_transact_set_security_desc(2081)
  call_nt_transact_set_security_desc: file = WINDOWSRegDefrag.dat, sent 0x4
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_uid_cache(158)
  fetch sid from uid cache 11334 -> S-1-5-21-2707684321-3739850521-1540700870-1334
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(232)
  fetch sid from gid cache 10512 -> S-1-5-21-2707684321-3739850521-1540700870-512
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
  fetch uid from cache 11334 -> S-1-5-21-2707684321-3739850521-1540700870-1334
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
  fetch uid from cache 11369 -> S-1-5-21-2707684321-3739850521-1540700870-1369
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_gid_from_cache(253)
  fetch gid from cache 10512 -> S-1-5-21-2707684321-3739850521-1540700870-512
[2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
  unix_mode(WINDOWSRegDefrag.dat) returning 0744
[2005/11/17 23:12:22, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2585)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file WINDOWSRegDefrag.dat to convert to posix perms.
[2005/11/17 23:12:22, 3] smbd/posix_acls.c:set_nt_acl(3265)
  set_nt_acl: failed to convert file acl to posix permissions for file WINDOWSRegDefrag.dat.
[2005/11/17 23:12:22, 3] smbd/error.c:error_packet(147)
  error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
[2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
  Transaction 10 of length 45
[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
  switch message SMBclose (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/reply.c:reply_close(3247)
  close fd=-1 fnum=11974 (numopen=1)
[2005/11/17 23:12:22, 2] smbd/close.c:close_normal_file(270)
  AGBSOFT\albe closed file WINDOWSRegDefrag.dat (numopen=0)

I can correctly set file permissions for the classical POSIX elements:
user, group and others.

My smb.conf:
[global]
workgroup = AGBSOFT
realm = AGBSOFT.CH
server string = CVS Server
security = ADS
client schannel = No
allow trusted domains = No
password server = agbsoft-nt1.agbsoft.ch
log level = 3
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
os level = 18
preferred master = No
domain master = No
wins server = 10.100.0.2
idmap backend = idmap_rid:AGBSOFT=10000-200000000
idmap uid = 10000-200000000
idmap gid = 10000-200000000
template shell = /bin/bash
winbind use default domain = Yes
winbind nested groups = Yes
[prova]
comment = prova
path = /home/ftp
valid users = "@AGBSOFT\Domain Admins"
read only = No

My Samba 3.0.20b is compiled with ADS and ACL support. The kernel is
2.6.14.2, compiled with ACL and extended attributes for the
filesystems used.
The system is running Slackware 10.2. I had to rebuild attr, acl,
libattr and libacl from source to get it to compile with ACL support.

What am I doing wrong?

Thanks in advance for any help.
I remain at your disposal for any further information.

Alberto
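
Added example, not part of the original post and not Samba code: a small Python triage script for level 3 smbd logs like the one quoted above. It rejoins record headers broken by mail wrapping and reports each set-security-descriptor request that ended in an error packet, with the reason smbd logged; the names `records` and `acl_set_failures` are this example's own, and the sample is an excerpt of the post's log.

```python
import re
# smbd debug record header: "[date time, level] dir/source.c:function(line)"
HEADER = re.compile(r"^\[(\S+ \S+),\s*(\d+)\]\s*(\S+\.c):(\w+)\((\d+)\)$")

# Excerpt of the log quoted in the post, with mail-client line wrapping.
SAMPLE = """\
[2005/11/17 23:12:22, 3] smbd/
nttrans.c:call_nt_transact_set_security_desc(2081)
call_nt_transact_set_security_desc: file = WINDOWSRegDefrag.dat,
sent 0x4
[2005/11/17 23:12:22, 3] smbd/
posix_acls.c:convert_canon_ace_to_posix_perms(2585)
convert_canon_ace_to_posix_perms: Too many ACE entries for file
WINDOWSRegDefrag.dat to convert to posix perms.
[2005/11/17 23:12:22, 3] smbd/error.c:error_packet(147)
error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED
"""

def records(text):
    """Yield (function, message) per record, rejoining wrapped header lines."""
    head, body, hit = "", [], None
    for line in map(str.strip, text.splitlines() + ["["]):  # "[" flushes last
        if line.startswith("["):
            if hit:
                yield hit.group(4), " ".join(body)
            head, body, hit = line, [], HEADER.match(line)
        elif hit is None:
            head += line                        # header was wrapped: rejoin
            hit = HEADER.match(head)
        else:
            body.append(line)

def acl_set_failures(text):
    """Return one dict per set-security-descriptor request that smbd refused."""
    failures, req = [], None
    for func, msg in records(text):
        if func == "switch_message":            # a new SMB request begins
            req = None
        elif func == "call_nt_transact_set_security_desc":
            m = re.search(r"file = (.+?), sent", msg)
            req = {"file": m.group(1) if m else "?", "reason": None}
        elif req and func in ("convert_canon_ace_to_posix_perms", "set_nt_acl"):
            req["reason"] = req["reason"] or msg.split(": ", 1)[-1]
        elif req and func == "error_packet":
            m = re.search(r"NT_STATUS_\w+", msg)
            failures.append(dict(req, status=m.group(0) if m else "?"))
            req = None
    return failures
```

Calling `acl_set_failures(open(path).read())` on a per-client log file gives one entry per refused ACL change, which makes it easy to see whether every failure shares the same logged reason.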