[Samba] sysvol files - 'The data area passed to a system call is too small'

Jonathan Hunter jmhunter1 at gmail.com
Fri Apr 27 20:23:28 UTC 2018


I have been having problems with GPOs, sysvol, etc. for some time now, and
have found a workaround but I wondered if any of the samba devs were
interested in investigating this.

Basically, the problems manifest themselves as access errors, along the
lines of unable to read files, error messages such as 'The data area passed
to a system call is too small' and so on - which means that GPOs don't
work; files that are meant to be copied from sysvol can't be accessed; etc.

When I get these issues, I seem to be able to work around them by following
Louis's tips (Thanks, Louis!) as per https://www.spinics.net/lists/
samba/msg147788.html. In summary, I do the following:
- zip up the contents of sysvol (from a Linux machine, as I can't read all
files from Windows)
- remove the contents of sysvol
- unzip the file created in step 1 back above into sysvol, from a Windows
- re-apply permissions via the Group Policy snap-in on Windows (it offers
to re-set permissions when you click on each GPO)
- not ever running 'samba-tool ntacl sysvolreset' :)

I did raise a bug a while back (#12363) for what is probably related to
this, but I don't think I have quite the level of knowledge of samba
internals to investigate much further. The above bug was raised in relation
to 'ntacl sysvolreset' but I suspect it may be the same underlying issue

I don't think my setup is particularly unusual - I have a few 4.7.7 DCs
running on Debian / Raspbian with ext4 filesystem. The only non-standard
part is probably my rsync setup to synchronise sysvol across machines (I
use lsyncd on each DC, to allow multi-master replication) - but I can't see
that causing these issues.

The strange thing is, if I compare a 'working' file or directory, to a
'broken' file or directory - the permissions seem to be exactly the
same. Whether I look at the POSIX permissions via 'ls -l' or if I look at
'getfacl dir1' / 'getfacl dir2', there is no difference whatsoever.
I can't view the permissions via Windows, Explorer just gives me the error
'The requested security information is either unavailable or can't be
displayed' - which would make sense given the error message in the subject

Are ACLs stored anywhere else, that I could view? I have found a sample C
program here, which I might compile and try... :

FWIW, the sysvol entry in my smb.conf looks like this:
        path = /usr/local/samba/var/locks/sysvol
        read only = No
        acl_xattr:ignore system acls = yes

Any tips on anything else I could investigate?

I can work around this reasonably reliably via the steps above; but of
a) it's a PITA to have to keep doing that, and
b) I have no idea what causes things to break in the first place!

I'll try and leave one or two GPOs in their broken state for now in order
to use them for investigation, but I need to get the rest working, so will
delete & recreate those directories in the meantime.



"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein

More information about the samba mailing list