[Samba] Use ACL over NFS4

Paul.Nickerson at desknetinc.com Paul.Nickerson at desknetinc.com
Thu Oct 27 15:10:12 MDT 2011


Jeremy Allison <jra at samba.org> - 10/27/2011 04:28 PM
>This error isn't an ACL error, it's Samba trying to store the extra
>Windows attributes into a Linux EA. If NFS doesn't support this, you'll
>need to stop Samba from trying to do this by doing:
>
>store dos attributes = no
>ea support = no
>
>Unfortunately that means that Samba will have to fall back to trying
>to store the (necessary) extra metadata info in the normal POSIX
>permissions, which will mess up the NFS ACLs.

I can't put Samba on the NFS server, but I may be able to make a large
Samba VM and move the data over to there. Not a very desirable solution for
us, though.

If I turn off both those settings, that error stops, but the Windows
machine is still getting the same access denied.  If I can get ACL working
without any EA, it might be good enough for us. We don't need Windows
permission lists or metadata to be kept with files stored on the Samba
server (though I will check with people on that), but we do need different
winbind users and groups to have different access permissions. I'd like to
try getting ACL sans EA working.

Now, with those two options turned off, I am seeing that the first
difference in the logs between using local ACL and NFS4 ACL is as follows
(snipped logs).

The working local ACL:
Oct 27 16:19:12 test-samba-server smbd[29532]: [2011/10/27 16:19:12.418061,  3] smbd/vfs.c:1008(check_reduced_name)
Oct 27 16:19:12 test-samba-server smbd[29532]:   check_reduced_name: . reduced to /imports/localacl/localACLdir
Oct 27 16:19:12 test-samba-server winbindd[1271]: [2011/10/27 16:19:12.418959,  3] winbindd/winbindd_getpwuid.c:47(winbindd_getpwuid_send)
Oct 27 16:19:12 test-samba-server winbindd[1271]:   getpwuid 16777216
Oct 27 16:19:12 test-samba-server winbindd[1271]: [2011/10/27 16:19:12.420362,  3] winbindd/winbindd_getpwuid.c:47(winbindd_getpwuid_send)
Oct 27 16:19:12 test-samba-server winbindd[1271]:   getpwuid 16777216
Oct 27 16:19:12 test-samba-server smbd[29532]: [2011/10/27 16:19:12.422693,  3] smbd/process.c:1485(process_smb)
Oct 27 16:19:12 test-samba-server smbd[29532]:   Transaction 119 of length 114 (0 toread)

The not working NFS4 ACL:
Oct 27 16:40:59 test-samba-server smbd[29936]: [2011/10/27 16:40:59.390591,  3] smbd/vfs.c:1008(check_reduced_name)
Oct 27 16:40:59 test-samba-server smbd[29936]:   check_reduced_name: . reduced to /imports/boundeddrive/forPaulACL
Oct 27 16:40:59 test-samba-server smbd[29936]: [2011/10/27 16:40:59.391973,  1] ../librpc/ndr/ndr.c:214(ndr_print_debug)
Oct 27 16:40:59 test-samba-server smbd[29936]:        sd: struct security_descriptor
Oct 27 16:40:59 test-samba-server smbd[29936]:           revision                 : SECURITY_DESCRIPTOR_REVISION_1 (1)
Oct 27 16:40:59 test-samba-server smbd[29936]:           type                     : 0x9004 (36868)
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_OWNER_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_GROUP_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]:                  1: SEC_DESC_DACL_PRESENT
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_DACL_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_SACL_PRESENT
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_SACL_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_DACL_TRUSTED
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_SERVER_SECURITY
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_DACL_AUTO_INHERIT_REQ
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_SACL_AUTO_INHERIT_REQ
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_DACL_AUTO_INHERITED
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_SACL_AUTO_INHERITED
Oct 27 16:40:59 test-samba-server smbd[29936]:                  1: SEC_DESC_DACL_PROTECTED
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_SACL_PROTECTED
Oct 27 16:40:59 test-samba-server smbd[29936]:                  0: SEC_DESC_RM_CONTROL_VALID
Oct 27 16:40:59 test-samba-server smbd[29936]:                  1: SEC_DESC_SELF_RELATIVE
Oct 27 16:40:59 test-samba-server smbd[29936]:           owner_sid                : *
Oct 27 16:40:59 test-samba-server smbd[29936]:               owner_sid                : S-1-22-1-0
Oct 27 16:40:59 test-samba-server smbd[29936]:           group_sid                : *
Oct 27 16:40:59 test-samba-server smbd[29936]:               group_sid                : S-1-22-2-0
Oct 27 16:40:59 test-samba-server smbd[29936]:           sacl                     : NULL
Oct 27 16:40:59 test-samba-server smbd[29936]:           dacl                     : *
Oct 27 16:40:59 test-samba-server smbd[29936]:               dacl: struct security_acl
Oct 27 16:40:59 test-samba-server smbd[29936]:                   revision                 : SECURITY_ACL_REVISION_NT4 (2)
Oct 27 16:40:59 test-samba-server smbd[29936]:                   size                     : 0x004c (76)
Oct 27 16:40:59 test-samba-server smbd[29936]:                   num_aces                 : 0x00000003 (3)
Oct 27 16:40:59 test-samba-server smbd[29936]:                   aces: ARRAY(3)
Oct 27 16:40:59 test-samba-server smbd[29936]:                       aces: struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]:                           type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           flags                    : 0x00 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_OBJECT_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_CONTAINER_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_INHERIT_ONLY
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_INHERITED_ACE
Oct 27 16:40:59 test-samba-server smbd[29936]:                               0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_FAILED_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:                           size                     : 0x0018 (24)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           access_mask              : 0x001f01ff (2032127)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           object                   : union security_ace_object_ctr(case 0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           trustee                  : S-1-22-1-0
Oct 27 16:40:59 test-samba-server smbd[29936]:                       aces: struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]:                           type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           flags                    : 0x00 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_OBJECT_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_CONTAINER_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_INHERIT_ONLY
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_INHERITED_ACE
Oct 27 16:40:59 test-samba-server smbd[29936]:                               0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_FAILED_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:                           size                     : 0x0018 (24)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           access_mask              : 0x001f01ff (2032127)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           object                   : union security_ace_object_ctr(case 0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           trustee                  : S-1-22-2-0
Oct 27 16:40:59 test-samba-server smbd[29936]:                       aces: struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]:                           type                     : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           flags                    : 0x00 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_OBJECT_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_CONTAINER_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_INHERIT_ONLY
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_INHERITED_ACE
Oct 27 16:40:59 test-samba-server smbd[29936]:                               0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:                                  0: SEC_ACE_FLAG_FAILED_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:                           size                     : 0x0014 (20)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           access_mask              : 0x00000000 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           object                   : union security_ace_object_ctr(case 0)
Oct 27 16:40:59 test-samba-server smbd[29936]:                           trustee                  : S-1-1-0
Oct 27 16:40:59 test-samba-server smbd[29936]: [2011/10/27 16:40:59.400418,  3] smbd/error.c:80(error_packet_set)
Oct 27 16:40:59 test-samba-server smbd[29936]:   error packet at smbd/error.c(160) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED

Up to this point, the logs are significantly identical. As best I can tell,
in the NFS4 case, Samba isn't even trying to ask winbind for info, but
instead is just returning the POSIX permissions (root:root, rwxrwx---). Is
that what's happening?

Paul Nickerson
IT Systems Administrator & Support
DeskNet Inc.
Portland, Maine
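
The security descriptor from the NFS4 log above, replayed as an added example (not part of the original post and not Samba code): it decodes type 0x9004 into its control flags and runs a simplified allow-only DACL evaluation, showing that the three logged ACEs are the POSIX mode rwxrwx--- for root:root and grant nothing to any other account. The domain SID in the user token is constructed; S-1-22-1-x and S-1-22-2-x are the SIDs Samba uses for unmapped Unix users and groups.

```python
# Added example: replays the descriptor from the NFS4 log; not Samba source.
# Control flag names in bit order (bit 0 first), the order smbd prints them.
CONTROL_BITS = [
    "OWNER_DEFAULTED", "GROUP_DEFAULTED", "DACL_PRESENT", "DACL_DEFAULTED",
    "SACL_PRESENT", "SACL_DEFAULTED", "DACL_TRUSTED", "SERVER_SECURITY",
    "DACL_AUTO_INHERIT_REQ", "SACL_AUTO_INHERIT_REQ", "DACL_AUTO_INHERITED",
    "SACL_AUTO_INHERITED", "DACL_PROTECTED", "SACL_PROTECTED",
    "RM_CONTROL_VALID", "SELF_RELATIVE",
]
SEC_ACE_TYPE_ACCESS_ALLOWED = 0
FILE_READ_DATA = 0x00000001  # same bit as "list directory" on a directory

# (type, access_mask, trustee) for the three ACEs in the logged DACL.
LOGGED_DACL = [
    (0, 0x001F01FF, "S-1-22-1-0"),
    (0, 0x001F01FF, "S-1-22-2-0"),
    (0, 0x00000000, "S-1-1-0"),
]
ROOT_TOKEN = {"S-1-22-1-0", "S-1-22-2-0", "S-1-1-0"}
# Constructed domain user SID; a real token also carries the user's group SIDs.
WINBIND_USER_TOKEN = {"S-1-5-21-1111-2222-3333-1105", "S-1-1-0"}

def decode_control(value):
    """Return the names of the control bits set in a descriptor 'type'."""
    return ["SEC_DESC_" + n for i, n in enumerate(CONTROL_BITS) if (value >> i) & 1]

def describe_sid(sid):
    """Name the SIDs that appear in the log."""
    if sid == "S-1-1-0":
        return "Everyone"
    for prefix, label in (("S-1-22-1-", "Unix user uid="), ("S-1-22-2-", "Unix group gid=")):
        if sid.startswith(prefix):
            return label + sid[len(prefix):]
    return sid

def granted_access(dacl, token_sids):
    """Simplified check: OR the masks of allow ACEs whose trustee is in the token."""
    granted = 0
    for ace_type, mask, trustee in dacl:
        if ace_type == SEC_ACE_TYPE_ACCESS_ALLOWED and trustee in token_sids:
            granted |= mask
    return granted

def access_check(dacl, token_sids, desired):
    return (desired & ~granted_access(dacl, token_sids)) == 0

if __name__ == "__main__":
    print(decode_control(0x9004))
    for _, mask, sid in LOGGED_DACL:
        print(f"{describe_sid(sid):<20} {mask:#010x}")
    print("winbind user read:", access_check(LOGGED_DACL, WINBIND_USER_TOKEN, FILE_READ_DATA))
```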


