Eric Diven
2007-Oct-30 22:12 UTC
[Samba] Problem with ACLs "Too many ACE entries for file to convert to posix perms."
At the suggestion of Stas, I'm starting a new thread on this one. This pretty much covers where I'm at right now:

Doug, thanks, here's a complete listing of the config file, and some logging, hopefully this will be illuminating to somebody.

> Neither of these lines set the log level.

Yes, I've been setting it in the init script. When I do ps -ef | grep smbd, I see that logging is enabled. I straightened out that problem (the one behind the monitor *sheepish grin*), and the logging works as it's supposed to.

> Getting windows acl's is a multi step process.

Tell me about it ;-)

> You need a file system capable of supporting extended acl's. I
> believe you previously said you were using UFS file system. I haven't
> used UFS since 1987. Man Mount on linux doesn't suggest extended acl's
> are supported. Are they?

Both Solaris and CentOS support them. Using fsetacl and fgetacl, I can set acls and see them on files in the FS.

> Once the file system is capable of supporting extended acl's, you need
> to mount the filesystem with the appropriate options. By default,
> considering the age of UFS, I would assume extended acl's aren't
> supported by default, if they are at all.

Sun has been updating it, acl support is on by default. In fact, as near as I can tell, you can't turn it off. I'm under the impression that there are many flavors of UFS, not all of which are compatible.

> Once the filesystem is mounted with the right options, then samba has
> to have been compiled with the correct options, which you've verified.

It sure looks like it ;-)

> After all that, samba has to be configured correctly to support acl's
> in windows. Samba can be configured to serve files in ms-dos mode, so
> it's not a given.

The smb.conf manpage indicates that nt acl support = yes by default. Making it explicit doesn't seem to change the behavior.

> Usually, if someone is asked to show the configuration, put out the
> entire conf file. There's been a lot of dribs and drabs, but much has
> been missing. First thing I do is run a copy thru testparm. Most of
> this thread has been like blind man's bluff.

Usually I try to keep it to a minimum, because people frequently don't trim out the stuff when they reply. Result, a *lot* of extraneous crap. As more and more people don't trim, the signal to noise ratio quickly approaches zero. As requested, I've put the whole thing in. I've been using testparm throughout this project, and I've included its output too, since it strips comments and stuff that's included by default.

> Just so you know - a lot of people are using acl's in samba.

I don't doubt it. How I'd love to join them, and I appreciate everybody's help.

> Regards,
> Doug

Below, there's also a dump of the level 10 logging from trying to add an entry to the ACL. This covers adding an element to the ACL, but not the issue of seeing them; I'm guessing the issues may be related. To cut to the chase, the fatal-looking line appears to be the one 3 timestamps from the bottom:

[2007/10/30 14:16:53, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file foo.txt to convert to posix perms.

This looks suspiciously like it's not actually trying to set the security as an ACL. If it were, I'd expect that it wouldn't be trying to squeeze everything into posix perms.

~Eric

The complete config file:

bash-3.00# cat /usr/local/samba/lib/smb.conf
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options (perhaps too
# many!) most of which are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentry and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command "testparm"
# to check that you have not made any basic syntactic errors.
#
#======================= Global Settings =====================================
[global]

# workgroup = NT-Domain-Name or Workgroup-Name
   workgroup = W2K3TEST
   realm = W2K3TEST.LOCAL
   preferred master = no
   server string = croesus running samba
   security = ADS
   encrypt passwords = yes
   winbind separator = +
   winbind use default domain = no
   winbind enum users = no
   winbind enum groups = no
   idmap uid = 10000-20000
   idmap gid = 10000-20000

# if you want to automatically load your printer list rather
# than setting them up individually then you'll need this
   printcap name = /etc/printcap
   load printers = yes

# this tells Samba to use a separate log file for each machine
# that connects
   log file = /var/log/samba/log.%m

# Put a capping on the size of the log files (in Kb).
   max log size = 5000

# Most people will find that this option gives better performance.
# See speed.txt and the manual pages for details
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

#============================ Share Definitions ==============================
[afiles]
   nt acl support = yes
   admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
   path = /honda/afiles
   writeable = yes
   inherit owner = yes
   inherit permissions = yes
   inherit acls = yes

[stastest]
   path = /honda/stastest
   admin users = W2K3TEST+administrator, @W2K3TEST+admins
   writeable = yes

[ericshare]
   path = /ericshare
   writeable = yes

[chrisshare]
   path = /chrisshare
   writeable = yes

# NOTE: If you have a BSD-style print system there is no need to
# specifically define each individual printer
[printers]
   comment = All Printers
   path = /var/spool/samba
   browseable = no
# Set public = yes to allow user 'guest account' to print
   guest ok = no
   writable = no
   printable = yes

After it gets wrung through testparm:

bash-3.00# /usr/local/samba/bin/testparm
Load smb config files from /usr/local/samba/lib/smb.conf
Processing section "[afiles]"
Processing section "[stastest]"
Processing section "[ericshare]"
Processing section "[chrisshare]"
Processing section "[printers]"
Loaded services file OK.
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
Press enter to see a dump of your service definitions

[global]
	workgroup = W2K3TEST
	realm = W2K3TEST.LOCAL
	server string = croesus running samba
	security = ADS
	log file = /var/log/samba/log.%m
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	printcap name = /etc/printcap
	preferred master = No
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind separator = +

[afiles]
	path = /honda/afiles
	admin users = W2K3TEST+bobadmin, @W2K3TEST+admins
	read only = No
	inherit permissions = Yes
	inherit acls = Yes
	inherit owner = Yes

[stastest]
	path = /honda/stastest
	admin users = W2K3TEST+administrator, @W2K3TEST+admins
	read only = No

[ericshare]
	path = /ericshare
	read only = No

[chrisshare]
	path = /chrisshare
	read only = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

I got the logging straightened out on the Solaris machine; here's what happens when I try to add a user to the ACL. W2K3TEST+areaders is the entry I'm trying to add:

[2007/10/30 14:16:53, 10] smbd/posix_acls.c:set_nt_acl(3089)
  set_nt_acl: called for file foo.txt
[2007/10/30 14:16:53, 5] smbd/posix_acls.c:unpack_nt_owners(921)
  unpack_nt_owners: validating owner_sids.
[2007/10/30 14:16:53, 5] smbd/posix_acls.c:unpack_nt_owners(964)
  unpack_nt_owners: owner_sids validated.
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_sid_from_uid_cache(918)
  fetch sid from uid cache 10003 -> S-1-5-21-365335231-1557355366-1421764157-1644
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_sid_from_gid_cache(995)
  fetch sid from gid cache 10006 -> S-1-5-21-365335231-1557355366-1421764157-513
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_uid_from_cache(938)
  fetch uid from cache 10003 -> S-1-5-21-365335231-1557355366-1421764157-1644
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
  create_canon_ace_lists: adding file ACL:
canon_ace index 0. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER perms rw-
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 10003 -> S-1-5-21-365335231-1557355366-1421764157-1119
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 10003 -> S-1-5-21-365335231-1557355366-1421764157-1119
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
  create_canon_ace_lists: adding file ACL:
canon_ace index 0. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 10006 -> S-1-5-21-365335231-1557355366-1421764157-513
[2007/10/30 14:16:53, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1015)
  fetch gid from cache 10006 -> S-1-5-21-365335231-1557355366-1421764157-513
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
  create_canon_ace_lists: adding file ACL:
canon_ace index 0. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:create_canon_ace_lists(1505)
  create_canon_ace_lists: adding file ACL:
canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: file ace - before merge
canon_ace index 0. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
canon_ace index 1. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
canon_ace index 2. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP_OBJ perms rw-
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: dir ace - before merge
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: file ace - before deny
canon_ace index 0. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
canon_ace index 1. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
canon_ace index 2. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP_OBJ perms rw-
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: dir ace - before deny
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: file ace - before valid
canon_ace index 0. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
canon_ace index 1. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
canon_ace index 2. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP_OBJ perms rw-
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: dir ace - before valid
[2007/10/30 14:16:53, 3] smbd/dosmode.c:unix_mode(147)
  unix_mode(foo.txt) returning 0744
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: file ace - return
canon_ace index 0. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
canon_ace index 1. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
canon_ace index 2. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP_OBJ perms rw-
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: dir ace - return
[2007/10/30 14:16:53, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file foo.txt to convert to posix perms.
[2007/10/30 14:16:53, 3] smbd/posix_acls.c:set_nt_acl(3269)
  set_nt_acl: failed to convert file acl to posix permissions for file foo.txt.
[2007/10/30 14:16:53, 3] smbd/error.c:error_packet(146)
  error packet at smbd/nttrans.c(2088) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
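An added worked example, not part of Eric's post and not Samba code: a small triage script that reads the level-10 dump above, pulls out the final "file ace - return" list, and applies the rule that produces the "Too many ACE entries" message. In Samba 3's smbd/posix_acls.c, convert_canon_ace_to_posix_perms is the last-resort path taken when the ACL could not be stored as a real POSIX ACL; it can only encode exactly three entries (owner object, group object, other) into mode bits, so any named user or group entry, such as the W2K3TEST+areaders SMB_ACL_GROUP entry here, makes it fail. The sample log text is copied from the post; the exact mode bits the fallback would compute for a three-entry list are a simplification of Samba's logic and should be read as an assumption.

```python
import re

# Sample input: the "file ace - return" block and the two messages that follow
# it, copied from the level-10 log in the post above.
SAMPLE_LOG = """\
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: file ace - return
canon_ace index 0. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1644 uid 10003 (W2K3TEST+bobadmin) SMB_ACL_USER_OBJ perms rw-
canon_ace index 1. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-1119 gid 10003 (W2K3TEST+areaders) SMB_ACL_GROUP perms r-x
canon_ace index 2. Type = allow SID S-1-5-21-365335231-1557355366-1421764157-513 gid 10006 (W2K3TEST+domain users) SMB_ACL_GROUP_OBJ perms rw-
canon_ace index 3. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER perms rw-
[2007/10/30 14:16:53, 10] smbd/posix_acls.c:print_canon_ace_list(595)
  print_canon_ace_list: dir ace - return
[2007/10/30 14:16:53, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file foo.txt to convert to posix perms.
"""

# One canon_ace line as print_canon_ace_list() emits it at debug level 10.
ACE_RE = re.compile(
    r"canon_ace index (?P<idx>\d+)\. Type = (?P<type>allow|deny) "
    r"SID (?:= )?(?P<sid>S-[\d-]+) "
    r"(?:(?P<kind>uid|gid) (?P<id>\d+) \((?P<name>[^)]*)\) |other )"
    r"(?P<tag>SMB_ACL_\w+) perms (?P<perms>[rwx-]{3})"
)

# The only entry kinds that have a home in a mode_t.  Named SMB_ACL_USER /
# SMB_ACL_GROUP entries need a real POSIX ACL stored by the filesystem.
MODE_BIT_TAGS = {"SMB_ACL_USER_OBJ": 6, "SMB_ACL_GROUP_OBJ": 3, "SMB_ACL_OTHER": 0}


def final_file_aces(log_text):
    """Return the canon_ace entries printed under 'file ace - return'."""
    aces, collecting = [], False
    for line in log_text.splitlines():
        if "file ace - return" in line:
            collecting = True
            continue
        if collecting:
            m = ACE_RE.search(line)
            if m:
                aces.append(m.groupdict())
            elif line.startswith("["):  # next log record: the list is over
                break
    return aces


def perms_to_bits(perms):
    """'rw-' -> 6, 'r-x' -> 5, etc."""
    return ((4 if perms[0] == "r" else 0)
            | (2 if perms[1] == "w" else 0)
            | (1 if perms[2] == "x" else 0))


def mode_bit_fallback(aces):
    """Model Samba's posix-perms fallback: exactly owner/group/other or nothing.

    Returns (mode, []) on success, or (None, extra_entries) listing the entries
    that cannot be expressed as mode bits.  The mode arithmetic is a simplified
    assumption; the three-entry requirement is the rule from posix_acls.c.
    """
    extra = [a for a in aces if a["tag"] not in MODE_BIT_TAGS]
    if len(aces) != 3 or extra:
        return None, extra
    mode = 0
    for a in aces:
        mode |= perms_to_bits(a["perms"]) << MODE_BIT_TAGS[a["tag"]]
    return mode, []


def diagnose(log_text):
    """Explain, from the log alone, why the fallback path failed or succeeded."""
    aces = final_file_aces(log_text)
    mode, extra = mode_bit_fallback(aces)
    if mode is not None:
        return "representable as mode bits: %04o" % mode
    names = ", ".join("%s (%s)" % (a["name"] or "other", a["tag"]) for a in extra)
    return ("%d entries, %d not expressible as mode bits: %s; "
            "this ACL can only be stored as a real filesystem ACL"
            % (len(aces), len(extra), names))


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run against the post's log the script reports four entries, one of which (W2K3TEST+areaders, SMB_ACL_GROUP) has no place in a mode_t, which is exactly the situation the "Too many ACE entries" message describes. The practical reading is that smbd reached the mode-bit fallback at all; the thing to check is why the real ACL store was not used on this share.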