samba - Mar 2004 - Getting ACLs to work with Samba 3.0.2a

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello!

I'm currently trying to get ACLs to work with my Samba-PDC. I compiled Samba
with the "--with-acl-support"-option and the configure-script says:

checking sys/acl.h usability... yes
checking sys/acl.h presence... yes
checking for sys/acl.h... yes

After install, a "ldd smbd" gives

libacl.so.1 => /lib/libacl.so.1 (0x40283000)

so I assume that Samba was compiled successfully with ACL-support. I use a 
reiserfs-partition with acl enabled (rw,acl) and am able to set ACLs via 
"setfacl".

However, trying to change ACLs with smbcacls always gives:

Failed to parse security descriptor

Trying to change the ACLs from a windows box shows the correct acls, but 
attempting to change them results with a "access denied"-error.

How else can I check if Samba is actually using ACLs?

Sincerely,
- -- 
Michael Frotscher
Institute of Inorganic and Applied Chemistry
University of Hamburg, Germany 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFATG7N/f+kgY+d9bQRAqUkAKDaTX/NBTYUptS0wD65Z78GUAu9DQCfdM2q
JNwPA5rjuF79pbjEPemN5wQ=oSWW
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hmm, nobody got an idea on what it could be?

Cheers,
- -- 
Michael Frotscher
Institute of Inorganic and Applied Chemistry
University of Hamburg, Germany 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFATtDj/f+kgY+d9bQRAmhHAKDBFmTms2OgU1RLYnU9iZ6tJPI8KwCfSyv0
iMbNHrtpfQ7ijaxRfHTloog=4o6N
-----END PGP SIGNATURE-----

On Wed, 10 Mar 2004, Michael Frotscher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hmm, nobody got an idea on what it could be?
Yes.

1. Make sure that your file system is mounted with ACLs support

example:	(from my /etc/fstab)
	/dev/hda6       /export reiserfs        acl,user_xattr 1 2

2. Make sure that your Samba-3 has been correctly compiled.
The easiest test is:

	smbd -b | grep ACL

Correct output is:
   HAVE_SYS_ACL_H
   HAVE_POSIX_ACLS

3. Ensure that the user account you log into Windows with has the right
under UNIX to modify ACLS.

- John T.
-- 
John H Terpstra
Email: jht@samba.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dear John,
> 1. Make sure that your file system is mounted with ACLs support
It is. "mount" reports:

/dev/md4 on /home type reiserfs (rw,acl)

and the line in /etc/fstab is:

/dev/md4            /home             reiserfs   defaults,acl              1 2
> 2. Make sure that your Samba-3 has been correctly compiled.
smbd -b | grep ACL
   HAVE_SYS_ACL_H
   HAVE_POSIX_ACLS

Looks good.
> 3. Ensure that the user account you log into Windows with has the right
> under UNIX to modify ACLS.
I tried with the "root"-Account, which maps to
"Administrator" on Windows as
well as with a regular User-Account on a file in its home-directory. I have 
created users on unix with the shell set to "/bin/false" so they
cannot log
in locally, and then created the appropriate samba-accounts with
"pdbedit".

Nonetheless, even root does see the permissions on the files (and their 
owners), but is unable to modify them (permission denied, even on files owned 
by root and with 777-unix-permissions).

Sincerely,
- -- 
Michael Frotscher
Institute of Inorganic and Applied Chemistry
University of Hamburg, Germany 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFAUCPP/f+kgY+d9bQRAkvKAKDVJBceFqjozCklnMFlCIxFhkkVQACfamO2
tpWXydru9y/qa6QhwT7lMrs=b2vq
-----END PGP SIGNATURE-----

Hello Michael, hello list.

I have similar problems getting ACL's to work with samba. So far I have 
found out the following:

Setup1:
Suse (SLES8) with suse kernel 2.4.19, samba 3.0.2a from sernet.de (all 
tests John mentioned below succeeded) and reiserfs and xfs as filesystems.

Setup2:
Gentoo with kernel 2.6.0 and samba 3.0.2 self compiled with xfs as 
filesystem.

One additional difference is that Setup2 is the PDC with LDAP backend 
and Setup one has joined the domain as member server (interestingly I 
see <netbiosnameofserver>/<username> instead of
<domainname>/<username>
from the permissions tab).

Setup1 can:
-access all shares as expected.
-create files and directories with normal permissions from explorer.
-delete additional groups/users through explorer.
-add/delete additional groups/users with setfacl.

Setup1 cannot:
-add additional groups/users to files/folders through explorer.
-newly created files do not inherit additional groups/users.


Setup2 can:
-hmm, everything is just fine ;)

seems like the old suse kernel doesn't play well with ACL's.

greetings
  Paul

BTW: Is there any document/ table describing how NT acl's map to POSIX 
acl's.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, Samba-ML,

I'm still fiddling with the acls and found the following in the log:

[2004/03/17 12:49:11, 3] smbd/dosmode.c:unix_mode(110)
  unix_mode(install/yahoomsgr.exe) returning 0766
[2004/03/17 12:49:11, 3] 
smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2499)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file 
install/yahoomsgr.exe to convert to posix perms.
[2004/03/17 12:49:11, 3] smbd/posix_acls.c:set_nt_acl(3140)
  set_nt_acl: failed to convert file acl to posix permissions for file 
install/yahoomsgr.exe.
[2004/03/17 12:49:11, 3] smbd/error.c:error_packet(94)
  error string = Function not implemented
[2004/03/17 12:49:11, 3] smbd/error.c:error_packet(118)
  error packet at smbd/nttrans.c(1741) cmd=160 (SMBnttrans) 
NT_STATUS_ACCESS_DENIED

What exactly does that want to tell me? That acl really isn't implemented or
that it just ran into some error?

POSIX-permissions on the file are:
# file: yahoomsgr.exe
# owner: root
# group: root
user::rwx
group::rwx
other::rwx

Sincerely,
- -- 
Michael Frotscher
Institute of Inorganic and Applied Chemistry
University of Hamburg, Germany 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAWDzQ/f+kgY+d9bQRAp8DAJ4vVs7lB44vnNrlmmdrXWqY45V2pQCg58iT
XpSqcHFROrpqRAqwLapeGms=w6UL
-----END PGP SIGNATURE-----