[Samba] samba 3.5.3: loads of errors copying some simple ACLs with robocopy

Oliver Freyd Oliver.Freyd at iontof.com
Fri May 28 08:45:34 MDT 2010

Maybe I'm doing somthing really stupid, but while copying some windows 
share onto a samba server, on some random subdirectory robocopy
says ERROR 87 (0x00000057) Copying NTFS Security to Destination Directory...

The samba logfile has lots of these lines.

smb_acl_to_posix: ACL is invalid for set (Das Argument ist ungültig)

The strange thing is that the same configuration worked with
samba-3.4.8 (from lenny-backports, on lenny, with the lenny kernel).
The samba3.5.3 is the sernet-samba, on lenny, with lenny kernel (2.6.26).

The ACL on the files to be copied are really simple, just
Everyone/Full Control, and "netzadmin"/Full Control.
That user is admin user on the samba machine, and is the user doing the 
robocopy on a windows XP machine.

The filesystem is ext3, mounted with acl,user_xattr.

testparm says:

         workgroup = XXXXX
         netbios name = SERVER2
         passdb backend = ldapsam:ldap://
         passwd program = /usr/bin/passwd %u
         passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
*Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
         username map = /etc/samba/smbusers
         syslog = 0
         log file = /var/log/samba/machines/log.%m
         max log size = 1000
         name resolve order = wins bcast host
         socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 
         add user script = /usr/sbin/smbldap-useradd -m '%u'
         add group script = /usr/sbin/smbldap-groupadd '%g'
         add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
         set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
         add machine script = /usr/sbin/smbldap-useradd -w "%u"
         logon script = scripts\logon.cmd
         logon path =
         domain logons = Yes
         os level = 60
         domain master = No
         dns proxy = No
         wins server =
         ldap admin dn = cn=admin,dc=xxxxx,dc=com
         ldap group suffix = ou=groups
         ldap idmap suffix = ou=idmap
         ldap machine suffix = ou=machines
         ldap passwd sync = yes
         ldap suffix = dc=xxxxx,dc=com
         ldap ssl = no
         ldap timeout = 20
         ldap user suffix = ou=users
         add share command = /usr/bin/touch /tmp/test
         panic action = /usr/share/samba/panic-action %d
         idmap backend = ldap:ldap://
         idmap uid = 15000-20000
         idmap gid = 15000-20000
         admin users = netzadmin
         ea support = Yes
         map acl inherit = Yes

         comment = Network Logon Share
         path = /data/netlogon
         browseable = No
         locking = No

         comment = Installations
         path = /data/h/Installations
         read only = No
         create mask = 0770
         directory mask = 0770
         force unknown acl user = Yes
         inherit permissions = Yes
         inherit acls = Yes


BTW, using the
vfs objects = acl_xattr
gives less of these ERROR 87 lines.

Don't know if this is helpful, I'll go back to samba-3.4.8 for now...

More information about the samba mailing list