[Samba] ACLs fail in 3.0.23d

Jens Nissen jens.nissen at gmx.net
Mon Jan 29 15:06:53 GMT 2007 

Thanks for your fast reply!

I forgot to mention: I am using ext3.
# mount | grep export
/dev/hda4 on /export type ext3 (acl,user_xattr)

One question: how does Samba find out, that ACLs are activated?
Does it use the /proc filesystem? This would cause trouble, see the
following:

# cat /proc/mounts | grep export
/dev/hda4 /export ext3 rw 0 0

The latter information (which results from /etc/fstab) is not conformant
with the result from above "mount"-query!! I am remounting my /export -
filesystem right before starting smbd and my SAMBA share (export/shared)
resides in /export!

Jan Engelhardt wrote:
> On Jan 29 2007 12:45, Jens Nissen wrote:
>> Whenever I try to read or modify ACLs from my Windows 2000 PDC, my Samba
>> Domain Member Server (Security = ADS) does not allow setting ACLs, nor
>> does it display the existing ACLs.
> 
> Does it at least enforce them?

What does "enforce" mean?

> 
>> (A) Strange thing - a bug in smbd??: even though smbd is dynamically
>> linked to libacl and libattr (I checked this with ldd), "smbd -b | grep
>> acl" is empty. Can someone please confirm this?!
> 
> Use grep -i.

Stupid me!

# /bin/smbd -b | grep -i acl
   HAVE_SYS_ACL_H
   HAVE_POSIX_ACLS

But I am missing something like --WITH-ACL:

# /bin/smbd -b | grep -i WITH
   WITH_UTMP
 --with Options:
   WITH_ADS
   WITH_CIFSMOUNT
   WITH_QUOTAS
   WITH_SENDFILE
   WITH_SMBMOUNT
   WITH_UTMP
   WITH_WINBIND
   TIME_WITH_SYS_TIME
   WITH_ADS
   WITH_CIFSMOUNT
   WITH_QUOTAS
   WITH_SENDFILE
   WITH_SMBMOUNT
   WITH_WINBIND

> 
>> [2007/01/29 12:23:17, 3]
>> smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
>>  convert_canon_ace_to_posix_perms: Too many ACE entries for file
>> acl2.test to convert to posix perms.
> 
> Filesystems limit the number of ACLs. For XFS, I think it is 25 entries.
> 
>> [2007/01/29 12:23:17, 3] smbd/posix_acls.c:set_nt_acl(3269)
>>  set_nt_acl: failed to convert file acl to posix permissions for file
>> acl2.test.
> 
> 	-`J'

I'm not exceeding limits, I think:

# getfacl /export/shared/acl.test
getfacl: Removing leading '/' from absolute path names
# file: export/shared/acl.test
# owner: root
# group: root
user::rw-
user:Schnuffi:r-x
user:CANDEO\134administrator:r-x
user:CANDEO\134vx778:r-x
group::r--
mask::r-x
other::r--

More information about the samba mailing list