[Samba] Inconsistent SYSVOL ACLs

Michael Tokarev mjt at tls.msk.ru
Mon Apr 3 11:16:46 UTC 2023

03.04.2023 14:02, Michael Tokarev via samba wrote:
> 03.04.2023 02:53, Anderson Sampaio Mello via samba wrote:
>> First of all thank you all for the answers and for trying to help me.
>> I agree with you Michael regarding the parameters passed in the ./configure
>> command, the location is not part of the problem.
>> The file system used is XFS, and the strace command logs are in the
>> attached link
>> https://drive.google.com/file/d/1R_b6TzeJVmNIpnlkPfRk0CtkpeU4dgcg/view?usp=share_link
>  From this trace:
> getxattr("/usr/local/samba/var/lib/samba/sysvol/exemple.com", "security.NTACL", NULL, 0) = 320
> getxattr("/usr/local/samba/var/lib/samba/sysvol/exemple.com", "security.NTACL", 
> "\4\0\4\0\0\0\2\0\4\0\2\0\1\0\35\26\34P,\223\25\234{\21\3324g-\34\rgD"..., 320) = 320
> getxattr("/usr/local/samba/var/lib/samba/sysvol/exemple.com/scripts", "security.NTACL", NULL, 0) = 0
> getxattr("/usr/local/samba/var/lib/samba/sysvol/exemple.com/scripts", "security.NTACL", "", 0) = 0
> write(2, "ERROR(runtime): uncaught excepti"..., 63ERROR(runtime): uncaught exception - (11, 'Buffer Size Error')

Here's the typical trace from my system:

getxattr("/var/lib/samba/sysvol/samdom.local", "security.NTACL", NULL, 0) = 320
getxattr("/var/lib/samba/sysvol/samdom.local", "security.NTACL", 
"\4\0\4\0\0\0\2\0\4\0\2\0\1\0t\360\20\347\31\352_)\367\333\315\16\244\16Qh\314\327"..., 320) = 320
getxattr("/var/lib/samba/sysvol/samdom.local/scripts", "security.NTACL", NULL, 0) = 320
getxattr("/var/lib/samba/sysvol/samdom.local/scripts", "security.NTACL", 
"\4\0\4\0\0\0\2\0\4\0\2\0\1\0t\360\20\347\31\352_)\367\333\315\16\244\16Qh\314\327"..., 320) = 320
getxattr("/var/lib/samba/sysvol/samdom.local/Policies", "security.NTACL", NULL, 0) = 356
getxattr("/var/lib/samba/sysvol/samdom.local/Policies", "security.NTACL", 
"\4\0\4\0\0\0\2\0\4\0\2\0\1\0q\313\210\333\224\376\345&Pq|\343\203E\221\300/\375"..., 356) = 356

So it does it twice: once to get the length of the attr (with a NULL value ptr),
then it allocates the buffer and calls getxattr again to get the actual value.

You don't have NTACL for "scripts". And sysvolcheck is not expecting this.

Now the next question is how to create an empty NTACL xattr like in your
case.  I don't know how to do that.

I tried running samba on xfs; the above strace is actually from an xfs-based
install. It works the same way.

Ok. I can do this:

  attr -Ss NTACL -V "" /var/lib/samba/sysvol/samdom.local/scripts

and now sysvolcheck complains exactly like in your case.

samba-tool needs fixing :)



> So it looks like we have a bug in the python code. After a successful getxattr() call
> (for a fun filename - exemple.com) it returns an error.  It smells like the code
> does not expect to see 0-length NTACL.
> /mjt
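
A read-only check for the condition identified in this thread (a path under sysvol whose security.NTACL xattr is absent or zero-length), written as an added example that is not part of the original post or of samba-tool. The function names and the injectable getxattr parameter are assumptions made here for illustration.

```python
import errno
import os

NTACL_XATTR = "security.NTACL"  # attribute name seen in the strace output


def ntacl_state(path, getxattr=None):
    """Classify the NTACL xattr on one path: 'missing', 'empty' or 'present'."""
    getxattr = getxattr or os.getxattr  # os.getxattr is Linux-only
    try:
        blob = getxattr(path, NTACL_XATTR)
    except OSError as exc:
        # ENODATA: attribute absent; ENOTSUP: filesystem has no xattr support.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return "missing"
        raise  # permission or I/O errors must not be reported as "missing"
    # A successful read of 0 bytes is the case from the failing trace
    # (getxattr(...) = 0): the attribute exists but holds no descriptor.
    return "empty" if len(blob) == 0 else "present"


def find_bad_ntacls(root, getxattr=None):
    """Walk root; return sorted (path, state) pairs where state != 'present'."""
    bad = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # os.walk yields every directory as dirpath, so checking dirpath
        # plus its files covers each entry in the tree exactly once.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            state = ntacl_state(path, getxattr)
            if state != "present":
                bad.append((path, state))
    return sorted(bad)


if __name__ == "__main__":
    import sys
    # Usage (path is an assumption): python3 check.py /var/lib/samba/sysvol
    for path, state in find_bad_ntacls(sys.argv[1]):
        print(f"{state:8} {path}")
```

Run it with the same privileges samba-tool has, so that the security.* namespace is readable on every path.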
