[Samba] acl_xattr access denied when adding permissions for another user

Thomas Nau Thomas.Nau at uni-ulm.de
Tue Apr 5 04:40:12 MDT 2011

Dear all
We run Samba 3.5.8 on a Solaris 11 box on top of ZFS We got the
impression that the VFS module acl_xattr provides the best way
of keeping Windows ACLs. We don't have concurrent NFS or local users
so it's Windows only.

The clients as well as the Samba server are members of an AD domain.
Creating files/directories works as expected and also manipulating
permissions for the initial user/group does not raise any problem.
Trying to add permissions for an additional user (looked up in AD)
fails with the Windows XP client side "permission denied" pop-up box.

the share's config:

        # public fileserver share
    path                       = /smb/X
    comment                    = xattr ACL Test
    public                     = no
    writable                   = yes
    browseable                 = yes
    vfs objects                = acl_xattr
    inherit permissions        = yes
    inherit acls               = yes

On the server side the relevant parts of the logfile are

[2011/04/05 12:18:16.331704,  2] lib/access.c:406(check_access)
  Allowed connection from  (x.x.x.x)
[2011/04/05 12:18:16.335694,  3] smbd/vfs.c:97(vfs_init_default)
  Initialising default vfs hooks
[2011/04/05 12:18:16.335737,  5] smbd/vfs.c:87(smb_register_vfs)
  Successfully added vfs backend '/[Default VFS]/'
[2011/04/05 12:18:16.335779,  5] smbd/vfs.c:87(smb_register_vfs)
  Successfully added vfs backend 'solarisacl'
[2011/04/05 12:18:16.335802,  3] smbd/vfs.c:122(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
  Successfully loaded vfs module [/[Default VFS]/] with the new modules system
[2011/04/05 12:18:16.335838,  3] smbd/vfs.c:122(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2011/04/05 12:18:16.335862,  5] smbd/vfs.c:162(vfs_init_custom)
  vfs module [acl_xattr] not loaded - trying to load...
[2011/04/05 12:18:16.336548,  2] lib/module.c:64(do_smb_load_module)
  Module '/smb/sw/lib/vfs/acl_xattr.so' loaded
[2011/04/05 12:18:16.336591,  5] smbd/vfs.c:87(smb_register_vfs)
  Successfully added vfs backend 'acl_xattr'
  Successfully loaded vfs module [acl_xattr] with the new modules system
[2011/04/05 12:18:16.336945,  2] modules/vfs_acl_xattr.c:193(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service EA
[2011/04/05 12:18:16.337787,  1] smbd/service.c:1070(make_connection_snum)
  x.x.x.x (x.x.x.x) connect to service EA initially as user nau (uid=10000, gid=10000) (pid 23491)


[2011/04/05 12:18:16.348517,  3] smbd/vfs.c:1038(check_reduced_name)
  check_reduced_name: D reduced to /smb/X/D
[2011/04/05 12:18:16.350387,  5] smbd/posix_acls.c:1191(unpack_nt_owners)
  unpack_nt_owners: validating owner_sids.
[2011/04/05 12:18:16.350434,  5] smbd/posix_acls.c:1238(unpack_nt_owners)
  unpack_nt_owners: owner_sids validated.
[2011/04/05 12:18:16.351005,  2] smbd/posix_acls.c:2903(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file D (Operation not applicable).
[2011/04/05 12:18:16.351086,  3] smbd/posix_acls.c:3007(convert_canon_ace_to_posix_perms)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file D to convert to posix perms.
[2011/04/05 12:18:16.351114,  3] smbd/posix_acls.c:4109(set_nt_acl)
  set_nt_acl: failed to convert file acl to posix permissions for file D.
[2011/04/05 12:18:20.872901,  1] smbd/service.c:1251(close_cnum) ( closed connection to service EA

So why do I need POSIX ACLs at all?

Any hints are greatly appreciated!


More information about the samba mailing list