Tom Speeter
2012-Jul-05 20:15 UTC
[Samba] acl_tdb failed to convert file acl to posix permisions
We are using SAMBA 3.6.6 on Centos 5 with the acl_tdb VFS module. Our share is backed by storage on a SAN devices that does not support ACLs or extended attributes ... so we're trying the acl_tdb module as a mechanism to support Windows ACLs. We have verified that samba has ACL support enabled, and ACL support works find if we export the share from the local EXT4 filesystem. When trying to add a user ACL from Windows, we get ACCESS_DENIED error, with the following log entries: (set_canon_ace_list) canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx [2012/07/03 17:19:29.724227, 10] smbd/posix_acls.c:2757(set_canon_ace_list) canon_ace index 1. Type = allow SID = S-1-5-18 gid 10021 (10021) SMB_ACL_GROUP ace_flags = 0x0 perms rwx [2012/07/03 17:19:29.724417, 10] smbd/posix_acls.c:2757(set_canon_ace_list) canon_ace index 2. Type = allow SID = S-1-5-21-1177087545-3838858134-2882343936-1294 uid 10002 (neosphere-admin) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx [2012/07/03 17:19:29.724755, 10] smbd/posix_acls.c:2757(set_canon_ace_list) canon_ace index 3. Type = allow SID = S-1-5-21-1177087545-3838858134-2882343936-1297 gid 10019 (neosphere-administrators) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx [2012/07/03 17:19:29.724979, 10] smbd/posix_acls.c:2757(set_canon_ace_list) canon_ace index 4. Type = allow SID = S-1-5-21-1177087545-3838858134-2882343936-1117 uid 10000 (rshen) SMB_ACL_USER ace_flags = 0x0 perms rwx [2012/07/03 17:19:29.725214, 10] modules/vfs_posixacl.c:91(posixacl_sys_acl_set_file) Calling acl_set_file: NeoSphere/test100.txt, 0 [2012/07/03 17:19:29.725260, 10] modules/vfs_posixacl.c:110(posixacl_sys_acl_set_file) acl_set_file failed: Operation not supported [2012/07/03 17:19:29.725300, 2] smbd/posix_acls.c:2828(set_canon_ace_list) set_canon_ace_list: sys_acl_set_file type file failed for file NeoSphere/test100.txt (Operation not supported). [2012/07/03 17:19:29.725341, 3] smbd/posix_acls.c:2932(convert_canon_ace_to_posix_perms) convert_canon_ace_to_posix_perms: Too many ACE entries for file NeoSphere/test100.txt to convert to posix perms. [2012/07/03 17:19:29.725378, 3] smbd/posix_acls.c:4001(set_nt_acl) set_nt_acl: failed to convert file acl to posix permissions for file NeoSphere/test100.txt. [2012/07/03 17:19:29.725415, 3] smbd/error.c:81(error_packet_set) error packet at smbd/nttrans.c(2106) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED In posix_acls.c we can see that in such a scenario, the code comes here (line 3993): /* * If we cannot set using POSIX ACLs we fall back to checking if we need to chmod. */ if(!acl_set_support && acl_perms) { mode_t posix_perms; if (!convert_canon_ace_to_posix_perms( fsp, file_ace_list, &posix_perms)) { free_canon_ace_list(file_ace_list); free_canon_ace_list(dir_ace_list); DEBUG(3,("set_nt_acl: failed to convert file acl to " "posix permissions for file %s.\n", fsp_str_dbg(fsp))); return NT_STATUS_ACCESS_DENIED; } ... acl_set_support is false, and acl_perms is true, and the call to 'convert_canon_ace_to_posix' fails because there are 5 ace entries, and that function immediately fails: static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms) { int snum = SNUM(fsp->conn); size_t ace_count = count_canon_ace_list(file_ace_list); canon_ace *ace_p; canon_ace *owner_ace = NULL; canon_ace *group_ace = NULL; canon_ace *other_ace = NULL; mode_t and_bits; mode_t or_bits; if (ace_count != 3) { DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE " "entries for file %s to convert to posix perms.\n", fsp_str_dbg(fsp))); return False; } So it seems that there is NO support for filesystems that do not support native ACLs, or is this a bug ... or is there some other option to reroute processing of the request? SMB.CONF: [SAN] path = /mnt/DDN-FS02 log level = 10 debuglevel = 10 writeable = yes browseable = yes inherit permissions = yes inherit acls = yes map acl inherit = yes nt acl support = yes force unknown acl user = yes vfs objects = acl_tdb acl_tdb: ignore system acls = yes
Apparently Analagous Threads
- Warning messages when using rbind
- Modify permission not available unless group permissions are set to write.
- ACLs under windows 7 - you do not have permissions to access
- NT_STATUS_ACCESS_DENIED on previously created files
- Clients can't write to group-writable files - plea for help