samba - Nov 2005 - Can't set ACL on Samba

Hi everybody,

i'm getting mad configuring samba to join an ADS, resolve domain  
users and groups and set ACLs via windows explorer on a share mounted  
with POSIX ACL and extended attributes.

At the point where i am, i've managed to get Samba join correctly the  
domain with idmap_rid backend working fine.

I can correctly set (add, remove, modify) file acls and extended  
attributes via bash, but when i try to simply add a user permission  
on a file or directory via the windows explorer security settings i  
get in the log (level 3):

[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
   switch message SMBntcreateX (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
   unix_mode(WINDOWSRegDefrag.dat) returning 0744
[2005/11/17 23:12:22, 2] smbd/open.c:open_file(372)
   albe opened file WINDOWSRegDefrag.dat read=No write=No (numopen=1)
[2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
   Transaction 9 of length 244
[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
   switch message SMBnttrans (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/ 
nttrans.c:call_nt_transact_set_security_desc(2081)
   call_nt_transact_set_security_desc: file = WINDOWSRegDefrag.dat,  
sent 0x4
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_uid_cache 
(158)
   fetch sid from uid cache 11334 ->  
S-1-5-21-2707684321-3739850521-1540700870-1334
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache 
(232)
   fetch sid from gid cache 10512 ->  
S-1-5-21-2707684321-3739850521-1540700870-512
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
   fetch uid from cache 11334 ->  
S-1-5-21-2707684321-3739850521-1540700870-1334
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
   fetch uid from cache 11369 ->  
S-1-5-21-2707684321-3739850521-1540700870-1369
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_gid_from_cache(253)
   fetch gid from cache 10512 ->  
S-1-5-21-2707684321-3739850521-1540700870-512
[2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
   unix_mode(WINDOWSRegDefrag.dat) returning 0744
[2005/11/17 23:12:22, 3] smbd/ 
posix_acls.c:convert_canon_ace_to_posix_perms(2585)
   convert_canon_ace_to_posix_perms: Too many ACE entries for file  
WINDOWSRegDefrag.dat to convert to posix perms.
[2005/11/17 23:12:22, 3] smbd/posix_acls.c:set_nt_acl(3265)
   set_nt_acl: failed to convert file acl to posix permissions for  
file WINDOWSRegDefrag.dat.
[2005/11/17 23:12:22, 3] smbd/error.c:error_packet(147)
   error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans)  
NT_STATUS_ACCESS_DENIED
[2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
   Transaction 10 of length 45
[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
   switch message SMBclose (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/reply.c:reply_close(3247)
   close fd=-1 fnum=11974 (numopen=1)
[2005/11/17 23:12:22, 2] smbd/close.c:close_normal_file(270)
   AGBSOFT\albe closed file WINDOWSRegDefrag.dat (numopen=0)

I can correctly set file permission of the classical posix elements:  
user, group and others.


My smb.conf

[global]
         workgroup = AGBSOFT
         realm = AGBSOFT.CH
         server string = CVS Server
         security = ADS
         client schannel = No
         allow trusted domains = No
         password server = agbsoft-nt1.agbsoft.ch
         log level = 3
         log file = /var/log/samba/%m.log
         max log size = 0
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         load printers = No
         os level = 18
         preferred master = No
         domain master = No
         wins server = 10.100.0.2
         idmap backend = idmap_rid:AGBSOFT=10000-200000000
         idmap uid = 10000-200000000
         idmap gid = 10000-200000000
         template shell = /bin/bash
         winbind use default domain = Yes
         winbind nested groups = Yes

[prova]
         comment = prova
         path = /home/ftp
         valid users = "@AGBSOFT\Domain Admins"
         read only = No

My samba 3.0.20b is compiled with ads and acl support. Kernel is a  
2.6.14.2, compiled with acl and extended attributes for used  
filesystems.
The system is running a slackware 10.2. I had to rebuild from source  
attr, acl, libattr, libacl to have compiling with acl support.

What i'm i doing wrong?

Thanks in advance for any help.

I remain at disposal for any further information.



Alberto

Hi everybody,

i'm getting mad configuring samba to join an ADS, resolve domain  
users and groups and set ACLs via windows explorer on a share mounted  
with POSIX ACL and extended attributes.

At the point where i am, i've managed to get Samba join correctly the  
domain with idmap_rid backend working fine.

I can correctly set (add, remove, modify) file acls and extended  
attributes via bash, but when i try to simply add a user permission  
on a file or directory via the windows explorer security settings i  
get in the log (level 3):

[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
   switch message SMBntcreateX (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
   unix_mode(WINDOWSRegDefrag.dat) returning 0744
[2005/11/17 23:12:22, 2] smbd/open.c:open_file(372)
   albe opened file WINDOWSRegDefrag.dat read=No write=No (numopen=1)
[2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
   Transaction 9 of length 244
[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
   switch message SMBnttrans (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/ 
nttrans.c:call_nt_transact_set_security_desc(2081)
   call_nt_transact_set_security_desc: file = WINDOWSRegDefrag.dat,  
sent 0x4
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_uid_cache 
(158)
   fetch sid from uid cache 11334 ->  
S-1-5-21-2707684321-3739850521-1540700870-1334
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache 
(232)
   fetch sid from gid cache 10512 ->  
S-1-5-21-2707684321-3739850521-1540700870-512
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
   fetch uid from cache 11334 ->  
S-1-5-21-2707684321-3739850521-1540700870-1334
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
   fetch uid from cache 11369 ->  
S-1-5-21-2707684321-3739850521-1540700870-1369
[2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_gid_from_cache(253)
   fetch gid from cache 10512 ->  
S-1-5-21-2707684321-3739850521-1540700870-512
[2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
   unix_mode(WINDOWSRegDefrag.dat) returning 0744
[2005/11/17 23:12:22, 3] smbd/ 
posix_acls.c:convert_canon_ace_to_posix_perms(2585)
   convert_canon_ace_to_posix_perms: Too many ACE entries for file  
WINDOWSRegDefrag.dat to convert to posix perms.
[2005/11/17 23:12:22, 3] smbd/posix_acls.c:set_nt_acl(3265)
   set_nt_acl: failed to convert file acl to posix permissions for  
file WINDOWSRegDefrag.dat.
[2005/11/17 23:12:22, 3] smbd/error.c:error_packet(147)
   error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans)  
NT_STATUS_ACCESS_DENIED
[2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
   Transaction 10 of length 45
[2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
   switch message SMBclose (pid 2339) conn 0x8353068
[2005/11/17 23:12:22, 3] smbd/reply.c:reply_close(3247)
   close fd=-1 fnum=11974 (numopen=1)
[2005/11/17 23:12:22, 2] smbd/close.c:close_normal_file(270)
   AGBSOFT\albe closed file WINDOWSRegDefrag.dat (numopen=0)

I can correctly set file permission of the classical posix elements:  
user, group and others.


My smb.conf

[global]
         workgroup = AGBSOFT
         realm = AGBSOFT.CH
         server string = CVS Server
         security = ADS
         client schannel = No
         allow trusted domains = No
         password server = agbsoft-nt1.agbsoft.ch
         log level = 3
         log file = /var/log/samba/%m.log
         max log size = 0
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         load printers = No
         os level = 18
         preferred master = No
         domain master = No
         wins server = 10.100.0.2
         idmap backend = idmap_rid:AGBSOFT=10000-200000000
         idmap uid = 10000-200000000
         idmap gid = 10000-200000000
         template shell = /bin/bash
         winbind use default domain = Yes
         winbind nested groups = Yes

[prova]
         comment = prova
         path = /home/ftp
         valid users = "@AGBSOFT\Domain Admins"
         read only = No

My samba 3.0.20b is compiled with ads and acl support. Kernel is a  
2.6.14.2, compiled with acl and extended attributes for used  
filesystems.
The system is running a slackware 10.2. I had to rebuild from source  
attr, acl, libattr, libacl to have compiling with acl support.

What i'm i doing wrong?

Thanks in advance for any help.

I remain at disposal for any further information.



Alberto

This is in my original message
> I can correctly set (add, remove, modify) file acls and extended  
> attributes via bash
and this is my mount

/dev/hda1 on / type reiserfs (rw,acl,user_xattr)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)

Alberto



Il giorno 19/nov/05, alle ore 19:06, Jeremy Allison ha scritto:
> On Thu, Nov 17, 2005 at 11:45:16PM +0100, Albe wrote:
>> Hi everybody,
>>
>> i'm getting mad configuring samba to join an ADS, resolve domain
>> users and groups and set ACLs via windows explorer on a share mounted
>> with POSIX ACL and extended attributes.
>> S-1-5-21-2707684321-3739850521-1540700870-512
>> [2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
>>   unix_mode(WINDOWSRegDefrag.dat) returning 0744
>> [2005/11/17 23:12:22, 3] smbd/
>> posix_acls.c:convert_canon_ace_to_posix_perms(2585)
>>   convert_canon_ace_to_posix_perms: Too many ACE entries for file
>> WINDOWSRegDefrag.dat to convert to posix perms.
>
> This means your underlying file system doesn't support POSIX acls.
> Check your mount flags.
>
> Jeremy.

My samba 3.0.20b is compiled with ads and acl support. Kernel is a
2.6.14.2 <http://2.6.14.2>, compiled with acl and extended attributes 
for used
filesystems.
The system is running a slackware 10.2. I had to rebuild from source
attr, acl, libattr, libacl to have compiling with acl support.

plus

/[root@ariannadb EHD]# smbd -b | grep ACL
   HAVE_SYS_ACL_H
   HAVE_POSIX_ACLS
[root@ariannadb EHD]#
/
I doublechecked that.

I also found out that the groups created by the idmap_rid backend do not 
reflect entirely the real groups in the Active Directory domain.

Thanks for the help.

Regards,


Alberto


updatemyself . wrote:
> hai...
>
> Look like that u need to rebuild samba...
> with "--with-acl-support" option
> download src rpm ...... install it..
> then edit it... before building ur samba RPM
>
> if u want more.. help.. feel free to contact...
>
> regards
> jerrrynikki
>
> On 11/18/05, *Albe* <k3rmit@libero.it
<mailto:k3rmit@libero.it>> wrote:
>
>     Hi everybody,
>
>     i'm getting mad configuring samba to join an ADS, resolve domain
>     users and groups and set ACLs via windows explorer on a share mounted
>     with POSIX ACL and extended attributes.
>
>     At the point where i am, i've managed to get Samba join correctly
the
>     domain with idmap_rid backend working fine.
>
>     I can correctly set (add, remove, modify) file acls and extended
>     attributes via bash, but when i try to simply add a user permission
>     on a file or directory via the windows explorer security settings i
>     get in the log (level 3):
>
>     [2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
>        switch message SMBntcreateX (pid 2339) conn 0x8353068
>     [2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
>        unix_mode( WINDOWSRegDefrag.dat) returning 0744
>     [2005/11/17 23:12:22, 2] smbd/open.c:open_file(372)
>        albe opened file WINDOWSRegDefrag.dat read=No write=No (numopen=1)
>     [2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
>        Transaction 9 of length 244
>     [2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
>        switch message SMBnttrans (pid 2339) conn 0x8353068
>     [2005/11/17 23:12:22, 3] smbd/
>     nttrans.c:call_nt_transact_set_security_desc (2081)
>        call_nt_transact_set_security_desc: file = WINDOWSRegDefrag.dat,
>     sent 0x4
>     [2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_uid_cache
>     (158)
>        fetch sid from uid cache 11334 ->
>     S-1-5-21-2707684321-3739850521-1540700870-1334
>     [2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache
>     (232)
>        fetch sid from gid cache 10512 ->
>     S-1-5-21-2707684321-3739850521-1540700870-512
>     [2005/11/17 23:12:22, 3]
>     passdb/lookup_sid.c:fetch_uid_from_cache(179)
>        fetch uid from cache 11334 ->
>     S-1-5-21-2707684321-3739850521-1540700870-1334
>     [2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_uid_from_cache(179)
>        fetch uid from cache 11369 ->
>     S-1-5-21-2707684321-3739850521-1540700870-1369
>     [2005/11/17 23:12:22, 3] passdb/lookup_sid.c:fetch_gid_from_cache(253)
>        fetch gid from cache 10512 ->
>     S-1-5-21-2707684321-3739850521-1540700870-512
>     [2005/11/17 23:12:22, 3] smbd/dosmode.c:unix_mode(121)
>        unix_mode(WINDOWSRegDefrag.dat) returning 0744
>     [2005/11/17 23:12:22, 3] smbd/
>     posix_acls.c:convert_canon_ace_to_posix_perms(2585)
>        convert_canon_ace_to_posix_perms: Too many ACE entries for file
>     WINDOWSRegDefrag.dat to convert to posix perms.
>     [2005/11/17 23:12:22, 3] smbd/posix_acls.c:set_nt_acl(3265)
>        set_nt_acl: failed to convert file acl to posix permissions for
>     file WINDOWSRegDefrag.dat.
>     [2005/11/17 23:12:22, 3] smbd/error.c:error_packet(147)
>        error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans)
>     NT_STATUS_ACCESS_DENIED
>     [2005/11/17 23:12:22, 3] smbd/process.c:process_smb(1114)
>        Transaction 10 of length 45
>     [2005/11/17 23:12:22, 3] smbd/process.c:switch_message(900)
>        switch message SMBclose (pid 2339) conn 0x8353068
>     [2005/11/17 23:12:22, 3] smbd/reply.c:reply_close(3247)
>        close fd=-1 fnum=11974 (numopen=1)
>     [2005/11/17 23:12:22, 2] smbd/close.c:close_normal_file(270)
>        AGBSOFT\albe closed file WINDOWSRegDefrag.dat (numopen=0)
>
>     I can correctly set file permission of the classical posix elements:
>     user, group and others.
>
>
>     My smb.conf
>
>     [global]
>              workgroup = AGBSOFT
>              realm = AGBSOFT.CH
>              server string = CVS Server
>              security = ADS
>              client schannel = No
>              allow trusted domains = No
>              password server = agbsoft-nt1.agbsoft.ch
>     <http://agbsoft-nt1.agbsoft.ch>
>              log level = 3
>              log file = /var/log/samba/%m.log
>              max log size = 0
>              socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>              load printers = No
>              os level = 18
>              preferred master = No
>              domain master = No
>              wins server = 10.100.0.2 <http://10.100.0.2>
>              idmap backend = idmap_rid:AGBSOFT=10000-200000000
>              idmap uid = 10000-200000000
>              idmap gid = 10000-200000000
>              template shell = /bin/bash
>              winbind use default domain = Yes
>              winbind nested groups = Yes
>
>     [prova]
>              comment = prova
>              path = /home/ftp
>              valid users = "@AGBSOFT\Domain Admins"
>              read only = No
>
>     My samba 3.0.20b is compiled with ads and acl support. Kernel is a
>     2.6.14.2 <http://2.6.14.2>, compiled with acl and extended
>     attributes for used
>     filesystems.
>     The system is running a slackware 10.2. I had to rebuild from source
>     attr, acl, libattr, libacl to have compiling with acl support.
>
>     What i'm i doing wrong?
>
>     Thanks in advance for any help.
>
>     I remain at disposal for any further information.
>
>
>
>     Alberto
>
>
>
>
>     --
>     To unsubscribe from this list go to the following URL and read the
>     instructions:  https://lists.samba.org/mailman/listinfo/samba
>
>