[Samba] acl_tdb failed to convert file acl to posix permissions

Tom Speeter tspeeter at neosgeo.com
Thu Jul 5 14:15:09 MDT 2012

We are using SAMBA 3.6.6 on Centos 5 with the acl_tdb VFS module. Our share is backed by storage on a SAN device that does not support ACLs or extended attributes ... so we're trying the acl_tdb module as a mechanism to support Windows ACLs. We have verified that samba has ACL support enabled, and ACL support works fine if we export the share from the local EXT4 filesystem.

When trying to add a user ACL from Windows, we get an ACCESS_DENIED error, with the following log entries:

  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
[2012/07/03 17:19:29.724227, 10] smbd/posix_acls.c:2757(set_canon_ace_list)
  canon_ace index 1. Type = allow SID = S-1-5-18 gid 10021 (10021) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
[2012/07/03 17:19:29.724417, 10] smbd/posix_acls.c:2757(set_canon_ace_list)
  canon_ace index 2. Type = allow SID = S-1-5-21-1177087545-3838858134-2882343936-1294 uid 10002 (neosphere-admin) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2012/07/03 17:19:29.724755, 10] smbd/posix_acls.c:2757(set_canon_ace_list)
  canon_ace index 3. Type = allow SID = S-1-5-21-1177087545-3838858134-2882343936-1297 gid 10019 (neosphere-administrators) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
[2012/07/03 17:19:29.724979, 10] smbd/posix_acls.c:2757(set_canon_ace_list)
  canon_ace index 4. Type = allow SID = S-1-5-21-1177087545-3838858134-2882343936-1117 uid 10000 (rshen) SMB_ACL_USER ace_flags = 0x0 perms rwx
[2012/07/03 17:19:29.725214, 10] modules/vfs_posixacl.c:91(posixacl_sys_acl_set_file)
  Calling acl_set_file: NeoSphere/test100.txt, 0
[2012/07/03 17:19:29.725260, 10] modules/vfs_posixacl.c:110(posixacl_sys_acl_set_file)
  acl_set_file failed: Operation not supported
[2012/07/03 17:19:29.725300,  2] smbd/posix_acls.c:2828(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file NeoSphere/test100.txt (Operation not supported).
[2012/07/03 17:19:29.725341,  3] smbd/posix_acls.c:2932(convert_canon_ace_to_posix_perms)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file NeoSphere/test100.txt to convert to posix perms.
[2012/07/03 17:19:29.725378,  3] smbd/posix_acls.c:4001(set_nt_acl)
  set_nt_acl: failed to convert file acl to posix permissions for file NeoSphere/test100.txt.
[2012/07/03 17:19:29.725415,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/nttrans.c(2106) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED

In posix_acls.c we can see that in such a scenario, the code comes here (line 3993):

        /* If we cannot set using POSIX ACLs we fall back to checking if we need to chmod. */

        if(!acl_set_support && acl_perms) {
                mode_t posix_perms;

                if (!convert_canon_ace_to_posix_perms( fsp, file_ace_list, &posix_perms)) {
                        DEBUG(3,("set_nt_acl: failed to convert file acl to "
                                 "posix permissions for file %s.\n",
                        return NT_STATUS_ACCESS_DENIED;

... acl_set_support is false, and acl_perms is true, and the call to 'convert_canon_ace_to_posix_perms' fails because there are 5 ACE entries, and that function immediately fails:

static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
        int snum = SNUM(fsp->conn);
        size_t ace_count = count_canon_ace_list(file_ace_list);
        canon_ace *ace_p;
        canon_ace *owner_ace = NULL;
        canon_ace *group_ace = NULL;
        canon_ace *other_ace = NULL;
        mode_t and_bits;
        mode_t or_bits;

        if (ace_count != 3) {
                DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
                         "entries for file %s to convert to posix perms.\n",
                return False;

So it seems that there is NO support for filesystems that do not support native ACLs, or is this a bug ... or is there some other option to reroute processing of the request?
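Added example (not Samba's code and not part of the original post): a Python model of the fallback branch quoted above, showing why the five-entry list from the log ends in NT_STATUS_ACCESS_DENIED while a list holding only the owner, group and other classes converts to mode bits. The rwx-to-mode mapping is an assumption that ignores the share's security masks Samba applies before the chmod.

```python
import stat
from dataclasses import dataclass

# Mode bits for the three POSIX classes a plain chmod can express.
POSIX_CLASSES = {
    "SMB_ACL_USER_OBJ": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    "SMB_ACL_GROUP_OBJ": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    "SMB_ACL_OTHER": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
}

@dataclass(frozen=True)
class CanonAce:
    sid: str
    owner_type: str  # a POSIX_CLASSES key, or SMB_ACL_USER / SMB_ACL_GROUP
    perms: str       # subset of "rwx", as set_canon_ace_list prints it

def convert_canon_ace_to_posix_perms(ace_list):
    """Mode bits for the list, or None where Samba's function returns False."""
    if len(ace_list) != 3:
        return None  # "Too many ACE entries ... to convert to posix perms"
    seen = {}
    for ace in ace_list:
        if ace.owner_type not in POSIX_CLASSES or ace.owner_type in seen:
            return None  # named user/group entries have no mode-bit slot
        seen[ace.owner_type] = ace
    mode = 0
    for owner_type, (r, w, x) in POSIX_CLASSES.items():
        perms = seen[owner_type].perms
        mode |= (r if "r" in perms else 0) | (w if "w" in perms else 0)
        mode |= x if "x" in perms else 0
    return mode

def set_nt_acl(ace_list, acl_set_support):
    """Status for the fallback branch of set_nt_acl quoted in the mail."""
    if acl_set_support:
        return "NT_STATUS_OK"  # real path: sys_acl_set_file takes the full list
    if convert_canon_ace_to_posix_perms(ace_list) is None:
        return "NT_STATUS_ACCESS_DENIED"
    return "NT_STATUS_OK"  # Samba would now chmod to the computed bits

# The five entries from the log above; the 3-entry list keeps only the classes.
FROM_LOG = [
    CanonAce("S-1-1-0", "SMB_ACL_OTHER", "rwx"),
    CanonAce("S-1-5-18", "SMB_ACL_GROUP", "rwx"),
    CanonAce("S-1-5-21-1177087545-3838858134-2882343936-1294", "SMB_ACL_USER_OBJ", "rwx"),
    CanonAce("S-1-5-21-1177087545-3838858134-2882343936-1297", "SMB_ACL_GROUP_OBJ", "rwx"),
    CanonAce("S-1-5-21-1177087545-3838858134-2882343936-1117", "SMB_ACL_USER", "rwx"),
]
THREE_CLASS = [a for a in FROM_LOG if a.owner_type in POSIX_CLASSES]
```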


path = /mnt/DDN-FS02
log level = 10
debuglevel = 10
writeable = yes
browseable = yes
inherit permissions = yes
inherit acls = yes
map acl inherit = yes
nt acl support = yes
force unknown acl user = yes
vfs objects = acl_tdb
acl_tdb: ignore system acls = yes
