[Samba] Problem with ACLs "Too many ACE entries for file to convert to posix perms."
Eric Diven
eric.diven at edsiohio.com
Tue Oct 30 22:11:32 GMT 2007
At the suggestion of Stas, I'm starting a new thread on this one. This
pretty much covers where I'm at right now:
Doug, thanks. Here's a complete listing of the config file and some
logging; hopefully this will be illuminating to somebody.
> Neither of these lines set the log level.
Yes, I've been setting it in the init script. When I do ps -ef | grep
smbd, I see that logging is enabled. I straightened out that problem
(the one behind the monitor *sheepish grin*), and the logging works as
it's supposed to.
> Getting windows acl's is a multi step process.
Tell me about it ;-)
> You need a file system capable of supporting extended ACLs. I
> believe you previously said you were using the UFS file system. I haven't
> used UFS since 1987. man mount on Linux doesn't suggest extended ACLs
> are supported. Are they?
Both Solaris and CentOS support them. Using fsetacl and fgetacl, I can
set ACLs and see them on files in the FS.
> Once the file system is capable of supporting extended ACLs, you need
> to mount the filesystem with the appropriate options. By default,
> considering the age of UFS, I would assume extended ACLs aren't
> supported by default, if they are at all.
Sun has been updating it; ACL support is on by default. In fact, as
near as I can tell, you can't turn it off. I'm under the impression
that there are many flavors of UFS, not all of which are compatible.
> Once the filesystem is mounted with the right options, then Samba has
> to have been compiled with the correct options, which you've verified.
It sure looks like it ;-)
> After all that, Samba has to be configured correctly to support ACLs
> in Windows. Samba can be configured to serve files in MS-DOS mode, so
> it's not a given.
The smb.conf manpage indicates that nt acl support = yes by default.
Making it explicit doesn't seem to change the behavior.
> Usually, if someone is asked to show the configuration, put out the
> entire conf file. There's been a lot of dribs and drabs, but much has
> been missing. First thing I do is run a copy thru testparm. Most of
> this thread has been like blind man's bluff.
Usually I try to keep it to a minimum, because people frequently don't
trim out the stuff when they reply. Result: a *lot* of extraneous crap.
As more and more people don't trim, the signal to noise ratio quickly
approaches zero. As requested, I've put the whole thing in. I've been
using testparm throughout this project, and I've included its output
too, since it strips comments and stuff that's included by default.
> Just so you know - a lot of people are using ACLs in Samba.
I don't doubt it. How I'd love to join them, and I appreciate
everybody's help.
> Regards, Doug
Below, there's also a dump of the level 10 logging from trying to add an
entry to the ACL. This covers adding an element to the ACL, but not the
issue of seeing them; I'm guessing the issues may be related. To cut to
the chase, the fatal-looking line appears to be the one 3 timestamps
from the bottom:
[2007/10/30 14:16:53, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file foo.txt to convert to posix perms.
This looks suspiciously like it's not actually trying to set the
security as an ACL. If it were, I'd expect that it wouldn't be trying
to squeeze everything into posix perms.
~Eric
The complete config file:
bash-3.00# cat /usr/local/samba/lib/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]
# workgroup = NT-Domain-Name or Workgroup-Name
workgroup = W2K3TEST
realm = W2K3TEST.LOCAL
preferred master = no
server string = croesus running samba
security = ADS
encrypt passwords = yes
winbind separator = +
winbind use default domain = no
winbind enum users = no
winbind enum groups = no
idmap uid = 10000-20000
idmap gid = 10000-20000
# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
printcap name = /etc/printcap
load printers = yes
# this tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Put a capping on the size of the log files (in Kb).
max log size = 5000
# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#============================ Share Definitions ==============================
[afiles]
nt acl support = yes
admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
path = /honda/afiles
writeable = yes
inherit owner = yes
inherit permissions = yes
inherit acls = yes
[stastest]
path = /honda/stastest
admin users = W2K3TEST+administrator, @W2K3TEST+admins
writeable = yes
[ericshare]
path = /ericshare
writeable = yes
[chrisshare]
path = /chrisshare
writeable = yes
# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
# Set public = yes to allow user 'guest account' to print
guest ok = no
writable = no
printable = yes
After it gets wrung through testparm:
bash-3.00# /usr/local/samba/bin/testparm
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[afiles]"
Processing section "[stastest]"
Processing section "[ericshare]"
Processing section "[chrisshare]"
Processing section "[printers]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions
[global]
workgroup = W2K3TEST
realm = W2K3TEST.LOCAL
server string = croesus running samba
security = ADS
log file = /var/log/samba/log.%m
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = /etc/printcap
preferred master = No
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = +
[afiles]
path = /honda/afiles
admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
read only = No
inherit permissions = Yes
inherit acls = Yes
inherit owner = Yes
[stastest]
path = /honda/stastest
admin users = W2K3TEST+administrator, @W2K3TEST+admins
read only = No
[ericshare]
path = /ericshare
read only = No
[chrisshare]
path = /chrisshare
read only = No
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes
browseable = No
I got the logging straightened out on the Solaris machine; here's what
happens when I try to add a user to the ACL. W2K3TEST+areaders is the
entry I'm trying to add:
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:set_nt_acl(3089)
  set_nt_acl: called for file foo.txt
[2007/10/30 14:16:53, 5] smbd/posix_acls.c:unpack_nt_owners(921)
  unpack_nt_owners: validating owner_sids.
[2007/10/30 14:16:53, 5] smbd/posix_acls.c:unpack_nt_owners(964)
  unpack_nt_owners: owner_sids validated.
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_sid_from_uid_cache(918)
  fetch sid from uid cache 10003 -> S-1-5-21-365335231-1557355366-1421764157-1644
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(995)
  fetch sid from gid cache 10006 -> S-1-5-21-365335231-1557355366-1421764157-513
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_uid_from_cache(938)
  fetch uid from cache 10003 -> S-1-5-21-365335231-1557355366-1421764157-1644
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
  create_canon_ace_lists: adding file ACL:
canon_ace index 0. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER perms rw-
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 10003 -> S-1-5-21-365335231-1557355366-1421764157-1119
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 10003 -> S-1-5-21-365335231-1557355366-1421764157-1119
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
  create_canon_ace_lists: adding file ACL:
canon_ace index 0. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 10006 -> S-1-5-21-365335231-1557355366-1421764157-513
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 10006 -> S-1-5-21-365335231-1557355366-1421764157-513
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
  create_canon_ace_lists: adding file ACL:
canon_ace index 0. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
  create_canon_ace_lists: adding file ACL:
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: file ace - before merge
canon_ace index 0. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
canon_ace index 1. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
canon_ace index 2. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP_OBJ perms rw-
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: dir ace - before merge
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: file ace - before deny
canon_ace index 0. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
canon_ace index 1. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
canon_ace index 2. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP_OBJ perms rw-
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: dir ace - before deny
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: file ace - before valid
canon_ace index 0. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
canon_ace index 1. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
canon_ace index 2. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP_OBJ perms rw-
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: dir ace - before valid
[2007/10/30 14:16:53, 3] smbd/dosmode.c:unix_mode(147)
  unix_mode(foo.txt) returning 0744
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: file ace - return
canon_ace index 0. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
canon_ace index 1. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
canon_ace index 2. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP_OBJ perms rw-
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: dir ace - return
[2007/10/30 14:16:53, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file foo.txt to convert to posix perms.
[2007/10/30 14:16:53, 3] smbd/posix_acls.c:set_nt_acl(3269)
  set_nt_acl: failed to convert file acl to posix permissions for file foo.txt.
[2007/10/30 14:16:53, 3] smbd/error.c:error_packet(146)
  error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
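Added example, not part of the thread and not Samba's own code: a small Python model of the fold that produces the "Too many ACE entries" message in the log above. It follows convert_canon_ace_to_posix_perms() in Samba 3.0's smbd/posix_acls.c as I read it: the canonical ACE list must contain exactly three entries, one owner, one group and one "other", or it cannot be expressed as mode bits and the set fails. Two assumptions, also marked in the code: entries are classified by the SMB_ACL_* tag printed in the log rather than by smbd's internal owner-type field, and the create mask / security mask that the real function applies afterwards is left out. The four canon_ace lines are the "file ace - return" list copied from the posted log and embedded as sample input.

```python
"""Model of smbd's fallback that squeezes a canonical ACE list into POSIX
mode bits (convert_canon_ace_to_posix_perms in Samba 3.0 smbd/posix_acls.c).

Added illustration, not Samba's code. Approximations: entries are classified
by the SMB_ACL_* tag from the log (smbd keys on its owner-type field), and the
create mask / security mask applied by the real function are omitted.
"""
import re
import stat
from dataclasses import dataclass
from typing import List, Tuple

# canon_ace lines as smbd prints them at log level 10 (format copied from the
# posted log). Only the SMB_ACL_* tag and the rwx triple matter for the fold.
CANON_ACE_RE = re.compile(
    r"canon_ace index (?P<index>\d+)\. Type = (?P<type>allow|deny) "
    r"SID = (?P<sid>\S+) .*?(?P<tag>SMB_ACL_[A-Z_]+) perms (?P<perms>[r-][w-][x-])"
)

# Sample input: the four entries of the "file ace - return" list in the posted log.
POSTED_CANON_ACES = """\
canon_ace index 0. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
canon_ace index 1. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
canon_ace index 2. Type = allow SID = S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP_OBJ perms rw-
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
"""


@dataclass
class CanonAce:
    index: int
    ace_type: str   # "allow" or "deny"
    sid: str
    tag: str        # SMB_ACL_USER_OBJ, SMB_ACL_GROUP, SMB_ACL_OTHER, ...
    perms: str      # rwx triple, e.g. "r-x"


def parse_canon_ace_lines(text: str) -> List[CanonAce]:
    """Pull the canon_ace entries out of a chunk of level-10 smbd log."""
    aces = []
    for line in text.splitlines():
        m = CANON_ACE_RE.search(line)
        if m:
            aces.append(CanonAce(int(m["index"]), m["type"], m["sid"], m["tag"], m["perms"]))
    return aces


def perms_to_bits(perms: str) -> int:
    """Map an rwx triple such as 'r-x' to its 3-bit value (here 0o5)."""
    bits = 0
    if perms[0] == "r":
        bits |= 4
    if perms[1] == "w":
        bits |= 2
    if perms[2] == "x":
        bits |= 1
    return bits


def canon_ace_to_posix_perms(aces: List[CanonAce], is_directory: bool = False) -> int:
    """Fold a canonical ACE list into a mode_t, failing the way smbd does.

    Mode bits hold exactly one owner, one group and one "other" entry, so any
    other count is rejected with smbd's wording (a 4th entry such as a named
    group has nowhere to go). Raises ValueError on failure.
    """
    if len(aces) != 3:
        raise ValueError(f"Too many ACE entries ({len(aces)}) to convert to posix perms.")
    owner = group = other = None
    for ace in aces:                      # classified by tag: an approximation, see docstring
        if ace.tag == "SMB_ACL_USER_OBJ":
            owner = ace
        elif ace.tag == "SMB_ACL_GROUP_OBJ":
            group = ace
        elif ace.tag == "SMB_ACL_OTHER":
            other = ace
    if owner is None or group is None or other is None:
        raise ValueError("Can't get standard entries (owner/group/other).")
    mode = (perms_to_bits(owner.perms) << 6) | (perms_to_bits(group.perms) << 3) | perms_to_bits(other.perms)
    if mode == 0:
        mode = stat.S_IRUSR               # smbd keeps the owner at least readable
    if is_directory:
        mode |= stat.S_IWUSR | stat.S_IXUSR
    return mode


def fold_or_deny(aces: List[CanonAce], is_directory: bool = False) -> Tuple[str, object]:
    """What the client ends up seeing: ("OK", mode) or ("NT_STATUS_ACCESS_DENIED", reason)."""
    try:
        return ("OK", canon_ace_to_posix_perms(aces, is_directory))
    except ValueError as e:
        return ("NT_STATUS_ACCESS_DENIED", str(e))


if __name__ == "__main__":
    posted = parse_canon_ace_lines(POSTED_CANON_ACES)
    print(len(posted), "entries ->", fold_or_deny(posted))
    # Without the named-group ACE (W2K3TEST+areaders) the fold succeeds, and
    # Everyone's (S-1-1-0) rw- lands in the world bits.
    trimmed = [a for a in posted if a.tag != "SMB_ACL_GROUP"]
    status, mode = fold_or_deny(trimmed)
    print(status, oct(mode))
```

Run stand-alone it shows the posted four-entry list failing, and the same list without the W2K3TEST+areaders entry folding to 0666. Two points for a practitioner: on this path a named-group ACE has no representation, so smbd refuses the whole set and the client gets NT_STATUS_ACCESS_DENIED rather than a silently weakened ACL; and any ACL that does fit is reduced to nine mode bits, so an Everyone entry becomes world permissions on the file. Why smbd took the mode-bit path for this share is the open question in the thread, and this model does not answer it.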