[Samba] Can't see or change ACLs on Windows
Stas
narezatel at gmail.com
Tue Oct 30 20:56:43 GMT 2007
Try to use another fs, ext3 for example... maybe the UFS implementation in
CentOS is broken...
Look into the kernel log, maybe you'll find some UFS errors...
If you set ACLs with setfacl, can you see them on the Windows box afterwards?
btw, better you open a new thread with that error message as the subject...
On 10/30/07, Eric Diven <eric.diven at edsiohio.com> wrote:
> Doug, thanks, here's a complete listing of the config file, and some
> logging; hopefully this will be illuminating to somebody.
>
> > Neither of these lines set the log level.
>
> Yes, I've been setting it in the init script. When I do ps -ef | grep
> smbd, I see that logging is enabled. I straightened out that problem
> (the one behind the monitor *sheepish grin*), and the logging works as
> it's supposed to.
>
> > Getting windows acl's is a multi step process.
>
> Tell me about it ;-)
>
> > You need a file system capable of supporting extended acl's. I
> > believe you previously said you were using UFS file system. I haven't
> > used UFS since 1987. Man Mount on linux doesn't suggest extended acl's
> > are supported. Are they?
>
> Both Solaris and CentOS support them. Using fsetacl and fgetacl, I can
> set acls and see them on files in the FS
>
> > Once the file system is capable of supporting extended acl's, you need
> > to mount the filesystem with the appropriate options. By default,
> > considering the age of UFS, I would assume extended acl's aren't
> > supported by default, if they are at all.
>
> Sun has been updating it, acl support is on by default. In fact, as
> near as I can tell, you can't turn it off. I'm under the impression
> that there are many flavors of UFS, not all of which are compatible.
>
> > Once the filesystem is mounted with the right options, then samba has
> > to have been compiled with the correct options, which you've verified.
>
> It sure looks like it ;-)
>
> > After all that, samba has to be configured correctly to support acl's
> > in windows. Samba can be configured to serve files in ms-dos mode, so
> > it's not a given.
>
> The smb.conf manpage indicates that nt acl support = yes by default.
> Making it explicit doesn't seem to change the behavior.
>
> > Usually, if someone is asked to show the configuration, put out the
> > entire conf file. There's been a lot of dribs and drabs, but much has
> > been missing. First thing I do is run a copy thru testparm. Most of
> > this thread has been like blind man's bluff.
>
> Usually I try to keep it to a minimum, because people frequently don't
> trim out the stuff when they reply. Result, a *lot* of extraneous crap.
> As more and more people don't trim, the signal to noise ratio quickly
> approaches zero. As requested, I've put the whole thing in. I've been
> using testparm throughout this project, and I've included its output
> too, since it strips comments and stuff that's included by default.
>
> > Just so you know - a lot of people are using acl's in samba.
>
> I don't doubt it. How I'd love to join them, and I appreciate
> everybody's help.
>
> > Regards, Doug
>
> Below, there's also a dump of the level 10 logging from trying to add an
> entry to the ACL. This covers adding an element to the ACL, but not the
> issue of seeing them; I'm guessing the issues may be related. To cut to
> the chase, the fatal-looking line appears to be the one 3 timestamps
> from the bottom:
>
> [2007/10/30 14:16:53, 3]
> smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
> convert_canon_ace_to_posix_perms: Too many ACE entries for file
> foo.txt to convert to posix perms.
>
> This looks suspiciously like it's not actually trying to set the
> security as an ACL. If it were, I'd expect that it wouldn't be trying
> to squeeze everything into posix perms.
>
> ~Eric
>
>
> The complete config file:
>
> bash-3.00# cat /usr/local/samba/lib/smb.conf
> # This is the main Samba configuration file. You should read the
> # smb.conf(5) manual page in order to understand the options listed
> # here. Samba has a huge number of configurable options (perhaps too
> # many!) most of which are not shown in this example
> #
> # Any line which starts with a ; (semi-colon) or a # (hash)
> # is a comment and is ignored. In this example we will use a #
> # for commentry and a ; for parts of the config file that you
> # may wish to enable
> #
> # NOTE: Whenever you modify this file you should run the command "testparm"
> # to check that you have not made any basic syntactic errors.
> #
> #======================= Global Settings =====================================
> [global]
>
> # workgroup = NT-Domain-Name or Workgroup-Name
> workgroup = W2K3TEST
> realm = W2K3TEST.LOCAL
> preferred master = no
> server string = croesus running samba
> security = ADS
> encrypt passwords = yes
> winbind separator = +
> winbind use default domain = no
> winbind enum users = no
> winbind enum groups = no
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
> # if you want to automatically load your printer list rather
> # than setting them up individually then you'll need this
> printcap name = /etc/printcap
> load printers = yes
>
> # this tells Samba to use a separate log file for each machine
> # that connects
> log file = /var/log/samba/log.%m
>
> # Put a capping on the size of the log files (in Kb).
> max log size = 5000
>
> # Most people will find that this option gives better performance.
> # See speed.txt and the manual pages for details
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> #============================ Share Definitions ==============================
>
> [afiles]
> nt acl support = yes
> admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
> path = /honda/afiles
> writeable = yes
> inherit owner = yes
> inherit permissions = yes
> inherit acls = yes
>
> [stastest]
> path = /honda/stastest
> admin users = W2K3TEST+administrator, @W2K3TEST+admins
> writeable = yes
>
> [ericshare]
> path = /ericshare
> writeable = yes
>
> [chrisshare]
> path = /chrisshare
> writeable = yes
>
> # NOTE: If you have a BSD-style print system there is no need to
> # specifically define each individual printer
> [printers]
> comment = All Printers
> path = /var/spool/samba
> browseable = no
> # Set public = yes to allow user 'guest account' to print
> guest ok = no
> writable = no
> printable = yes
>
> After it gets wrung through testparm:
>
> bash-3.00# /usr/local/samba/bin/testparm
> Load smb config files from /usr/local/samba/lib/smb.conf
> Processing section "[afiles]"
> Processing section "[stastest]"
> Processing section "[ericshare]"
> Processing section "[chrisshare]"
> Processing section "[printers]"
> Loaded services file OK.
> 'winbind separator = +' might cause problems with group membership.
> Server role: ROLE_DOMAIN_MEMBER
> Press enter to see a dump of your service definitions
>
> [global]
> workgroup = W2K3TEST
> realm = W2K3TEST.LOCAL
> server string = croesus running samba
> security = ADS
> log file = /var/log/samba/log.%m
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> printcap name = /etc/printcap
> preferred master = No
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind separator = +
>
> [afiles]
> path = /honda/afiles
> admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
> read only = No
> inherit permissions = Yes
> inherit acls = Yes
> inherit owner = Yes
>
> [stastest]
> path = /honda/stastest
> admin users = W2K3TEST+administrator, @W2K3TEST+admins
> read only = No
>
> [ericshare]
> path = /ericshare
> read only = No
>
> [chrisshare]
> path = /chrisshare
> read only = No
>
> [printers]
> comment = All Printers
> path = /var/spool/samba
> printable = Yes
> browseable = No
>
> I got the logging straightened out on the Solaris machine, here's what
> happens when I try to add a user to the ACL. W2K3TEST+areaders is the
> entry I'm trying to add:
>
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:set_nt_acl(3089)
> set_nt_acl: called for file foo.txt
> [2007/10/30 14:16:53, 5] smbd/posix_acls.c:unpack_nt_owners(921)
> unpack_nt_owners: validating owner_sids.
> [2007/10/30 14:16:53, 5] smbd/posix_acls.c:unpack_nt_owners(964)
> unpack_nt_owners: owner_sids validated.
> [2007/10/30 14:16:53, 3]
> passdb/lookup_sid.c:fetch_sid_from_uid_cache(918)
> fetch sid from uid cache 10003 ->
> S-1-5-21-365335231-1557355366-1421764157-1644
> [2007/10/30 14:16:53, 3]
> passdb/lookup_sid.c:fetch_sid_from_gid_cache(995)
> fetch sid from gid cache 10006 ->
> S-1-5-21-365335231-1557355366-1421764157-513
> [2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_uid_from_cache(938)
> fetch uid from cache 10003 ->
> S-1-5-21-365335231-1557355366-1421764157-1644
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
> create_canon_ace_lists: adding file ACL:
> canon_ace index 0. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003
> (W2K3TEST+bobadmin) SMB_ACL_USER perms rw-
> [2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
> fetch gid from cache 10003 ->
> S-1-5-21-365335231-1557355366-1421764157-1119
> [2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
> fetch gid from cache 10003 ->
> S-1-5-21-365335231-1557355366-1421764157-1119
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
> create_canon_ace_lists: adding file ACL:
> canon_ace index 0. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003
> (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
> [2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
> fetch gid from cache 10006 ->
> S-1-5-21-365335231-1557355366-1421764157-513
> [2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
> fetch gid from cache 10006 ->
> S-1-5-21-365335231-1557355366-1421764157-513
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
> create_canon_ace_lists: adding file ACL:
> canon_ace index 0. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain
> users) SMB_ACL_GROUP perms rw-
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
> create_canon_ace_lists: adding file ACL:
> canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> perms rw-
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
> print_canon_ace_list: file ace - before merge
> canon_ace index 0. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003
> (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
> canon_ace index 1. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003
> (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
> canon_ace index 2. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain
> users) SMB_ACL_GROUP_OBJ perms rw-
> canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> perms rw-
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
> print_canon_ace_list: dir ace - before merge
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
> print_canon_ace_list: file ace - before deny
> canon_ace index 0. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003
> (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
> canon_ace index 1. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003
> (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
> canon_ace index 2. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain
> users) SMB_ACL_GROUP_OBJ perms rw-
> canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> perms rw-
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
> print_canon_ace_list: dir ace - before deny
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
> print_canon_ace_list: file ace - before valid
> canon_ace index 0. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003
> (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
> canon_ace index 1. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003
> (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
> canon_ace index 2. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain
> users) SMB_ACL_GROUP_OBJ perms rw-
> canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> perms rw-
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
> print_canon_ace_list: dir ace - before valid
> [2007/10/30 14:16:53, 3] smbd/dosmode.c:unix_mode(147)
> unix_mode(foo.txt) returning 0744
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
> print_canon_ace_list: file ace - return
> canon_ace index 0. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003
> (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
> canon_ace index 1. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003
> (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
> canon_ace index 2. Type = allow SID =
> S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain
> users) SMB_ACL_GROUP_OBJ perms rw-
> canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER
> perms rw-
> [2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
> print_canon_ace_list: dir ace - return
> [2007/10/30 14:16:53, 3]
> smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
> convert_canon_ace_to_posix_perms: Too many ACE entries for file
> foo.txt to convert to posix perms.
> [2007/10/30 14:16:53, 3] smbd/posix_acls.c:set_nt_acl(3269)
> set_nt_acl: failed to convert file acl to posix permissions for file
> foo.txt.
> [2007/10/30 14:16:53, 3] smbd/error.c:error_packet(146)
> error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans)
> NT_STATUS_ACCESS_DENIED
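As an added example (not code from the thread), here is a small Python parser for the level-10 posix_acls.c dump Eric posted: it reads the final canon_ace list, picks out the entries that a plain owner/group/other mode cannot hold, and flags the "Too many ACE entries" fallback message. That fallback is what smbd does after setting a real filesystem ACL has failed, so the named group entry it reports is the one that needs working extended ACL support on the share's filesystem; the regex is derived from the log format shown above and is an assumption about that format in general.

```python
import re
from dataclasses import dataclass
from typing import List

# Level-10 smbd lines from the thread above, re-joined onto single lines
# (the archive wrapped them); only the final ACE dump and the failure are kept.
SAMPLE_LOG = """\
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: file ace - return
canon_ace index 0. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
canon_ace index 1. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
canon_ace index 2. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP_OBJ perms rw-
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file foo.txt to convert to posix perms.
"""

# Assumed from the log lines shown in the thread; not a documented Samba format.
ACE_RE = re.compile(
    r"canon_ace index (?P<index>\d+)\. Type = (?P<type>allow|deny) SID = (?P<sid>\S+) "
    r"(?:(?:uid|gid) \d+ \((?P<name>[^)]+)\)|other) (?P<tag>SMB_ACL_\w+) perms (?P<perms>[rwx-]{3})"
)

# A plain POSIX mode holds exactly these three slots; anything else (a named
# SMB_ACL_USER or SMB_ACL_GROUP entry) needs a real extended ACL on the filesystem.
MODE_ONLY_TAGS = {"SMB_ACL_USER_OBJ", "SMB_ACL_GROUP_OBJ", "SMB_ACL_OTHER"}

@dataclass
class CanonAce:
    index: int
    type: str
    sid: str
    name: str   # "other" for the SMB_ACL_OTHER entry
    tag: str
    perms: str

def parse_canon_aces(log: str) -> List[CanonAce]:
    """Return the ACEs of the last 'file ace - return' dump in the log."""
    section = log.split("file ace - return")[-1]
    return [CanonAce(int(m["index"]), m["type"], m["sid"], m["name"] or "other",
                     m["tag"], m["perms"]) for m in ACE_RE.finditer(section)]

def entries_needing_extended_acl(aces: List[CanonAce]) -> List[CanonAce]:
    """The ACEs that cannot be squeezed into owner/group/other mode bits."""
    return [a for a in aces if a.tag not in MODE_ONLY_TAGS]

def fell_back_to_mode_bits(log: str) -> bool:
    """True when smbd gave up on setting a filesystem ACL and tried plain perms."""
    return "convert_canon_ace_to_posix_perms: Too many ACE entries" in log
```

Run against a real level-10 log, a non-empty result from entries_needing_extended_acl together with fell_back_to_mode_bits being true is the signature of a share whose filesystem ACL set is failing rather than a client-side permissions problem.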