samba - Dec 2019 - Setting ACLs with smbcacls fails (partly)

Hello,

I'm running a PDC and a secondary DC in privilegded lxc containers and 
try to setup a fileserver in an unprivileged lxc container.
The shares of the file server are on the ZFS of the host and mapped via 
bind-mount.
I've got the problem, that I get error messages when setting the ACLs of 
a samba share either via the Windows explorer or using the smbcacls command.

On Windows explorer I get the error message:
 ??? "Failed To Enumerate Objects In The Container, Access Is Denied"

With smbcacls when adding a user the error is:
 ??? root at svr-002:/# smbcacls //svr-002/users / -U administrator --add 
ACL:S-1-5-21-106799508-1697487934-2302158525-1604:ALLOWED/3/FULL -d=0
 ??? Enter MYWRKGRP\administrator's password:
 ??? ERROR: security descriptor set failed: NT_STATUS_ACCESS_DENIED

Creating files and folders from within windows explorer works. I just 
can't set the permissons on the elements without the error mesage.

Funny thing is, that ACL is set, even when there appears the above error 
message:

So before issuing the smbcacls add command the ACLs are as follows:

 ??? root at svr-002:/# smbcacls //svr-002/users / -U administrator
 ??? lp_load_ex: changing to config backend registry
 ??? Enter MYWRKGRP\administrator's password:
 ??? REVISION:1
 ??? CONTROL:SR|SI|DI|DP
 ??? OWNER:MYWRKGRP\Administrator
 ??? GROUP:Unix Group\root
 ??? ACL:MYWRKGRP\Administrator:ALLOWED/OI|CI/FULL
 ??? ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
 ??? ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
 ??? ACL:MYWRKGRP\Administrator:ALLOWED/OI|CI/FULL
 ??? ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
 ??? ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
 ??? ACL:Unix User\root:ALLOWED/OI|CI/FULL
 ??? ACL:Everyone:ALLOWED/OI|CI/FULL
 ??? ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
 ??? ACL:Unix Group\root:ALLOWED/0x0/FULL
 ??? ACL:Unix Group\root:ALLOWED/0x0/FULL
 ??? ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
 ??? ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
 ??? ACL:Creator Group:ALLOWED/OI|CI|IO/
 ??? ACL:Unix Group\root:ALLOWED/OI|CI|IO/

After issuing the smbcacls add command

 ??? root at svr-002:/# smbcacls //svr-002/users / -U administrator
 ??? lp_load_ex: changing to config backend registry
 ??? Enter MYWRKGRP\administrator's password:
 ??? REVISION:1
 ??? CONTROL:SR|SI|DP
 ??? OWNER:MYWRKGRP\administrator
 ??? GROUP:Unix Group\root
 ??? ACL:MYWRKGRP\administrator:ALLOWED/OI|CI/FULL
 ??? ACL:MYWRKGRP\Testuser:ALLOWED/OI|CI/FULL
 ??? ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
 ??? ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
 ??? ACL:MYWRKGRP\administrator:ALLOWED/OI|CI/FULL
 ??? ACL:MYWRKGRP\Domain Users:ALLOWED/OI|CI/READ
 ??? ACL:MYWRKGRP\Domain Admins:ALLOWED/OI|CI/FULL
 ??? ACL:Unix User\root:ALLOWED/OI|CI/FULL
 ??? ACL:Everyone:ALLOWED/OI|CI/FULL
 ??? ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
 ??? ACL:Unix Group\root:ALLOWED/0x0/FULL
 ??? ACL:Unix Group\root:ALLOWED/0x0/FULL
 ??? ACL:MYWRKGRP\Unix Admins:ALLOWED/0x0/FULL
 ??? ACL:Creator Owner:ALLOWED/OI|CI|IO/FULL
 ??? ACL:Creator Group:ALLOWED/OI|CI|IO/
 ??? ACL:Unix Group\root:ALLOWED/OI|CI|IO/

As you can see, the user Testuser (the one with the SID 
S-1-5-21-106799508-1697487934-2302158525-1604) has been added to the ACL

Similar behaviour under Windows. When I remove the user in the Advanced 
Security Settings Dialog and press apply, the error message "Failed To 
Enumerate Objects In The Container, Access Is Denied" appears.
When I leave the Advanced Security Settings dialog with cancel, the 
settings have however been applied. So after the removal of user 
Testuser from the Windows Explorer the check with smbcacls shows that 
the user has been removed.

Has any one an idea what might causing this issue?

---- Things I've tried without success:

Playing around with
 ??? acl_xattr:ignore system acls
 ??? acl_xattr:default acl style

Setting up the file server in a privileged container
rejoining to the domain

playing around with different chmod and chgrp settings

----
---- Used software versions
 ??? Host is Proxmox 6.1-5, Kernel version 5.3.13-1-pve
 ??? The lxc containers are based on Debian 10.
 ??? Samba Version is? 4.9.5-Debian
 ??? Windows Pro 10.0.17134
----

------------ file server settings ----------------------
--- smb.conf of the fileserver

 ??? [global]
 ??????? workgroup = MYWRKGRP
 ??????? realm = MYWRKGRP.MYDOM.COM
 ??? ??? netbios name = SVR-002
 ??????? security = ADS
 ??????? winbind enum users = yes
 ??????? winbind enum groups = yes
 ??????? winbind use default domain = no
 ??????? winbind refresh tickets = Yes
 ??????? template shell = /bin/bash
 ??????? idmap config * : range = 10000 - 19999
 ??????? idmap config MYWRKGRP : backend = rid
 ??????? idmap config MYWRKGRP : range = 1000000 - 1999999
 ??????? map acl inherit = yes
 ??????? inherit acls = Yes
 ??????? inherit permissions = Yes
 ??????? store dos attributes = Yes
 ??????? vfs objects = acl_xattr
 ??????? bind interfaces only = no

 ??? [users]
 ??????? path = /home/MYWRKGRP/
 ??????? comment = Home Directories
 ??????? guest ok = no
 ??????? read only = no
 ??????? browseable = no
 ??????? create mask = 700
 ??????? directory mask = 700
----
---- nsswitch.conf of the fileserver

 ??? passwd:???????? files winbind
 ??? group:????????? files winbind
 ??? shadow:???????? files
 ??? gshadow:??????? files

 ??? hosts:????????? files dns
 ??? networks:?????? files

 ??? protocols:????? db files
 ??? services:?????? db files
 ??? ethers:???????? db files
 ??? rpc:??????????? db files

 ??? netgroup:?????? nis

----
---- output of net rpc rights
root at svr-002:/# net rpc rights list privileges SeDiskOperatorPrivilege 
-Uadministrator
 ??? Enter administrator's password:
 ??? SeDiskOperatorPrivilege:
 ??? MYWRKGRP\administrator
 ??? BUILTIN\Administrators
 ??? MYWRKGRP\Domain Admins
----

---- output of getfacl
 ??? getfacl: Removing leading '/' from absolute path names
 ??? # file: home/MYWRKGRP/
 ??? # owner: MYWRKGRP\\administrator
 ??? # group: root
 ??? # flags: ss-
 ??? user::rwx
 ??? user:root:rwx
 ??? user:1000512:rwx
 ??? user:1000513:r-x
 ??? user:MYWRKGRP\\Testuser:rwx
 ??? user:1002103:rwx
 ??? group::rwx
 ??? group:root:rwx
 ??? group:MYWRKGRP\\administrator:rwx
 ??? group:MYWRKGRP\\domain\040admins:rwx
 ??? group:MYWRKGRP\\domain\040users:r-x
 ??? group:MYWRKGRP\\Testuser:rwx
 ??? group:MYWRKGRP\\unix\040admins:rwx
 ??? mask::rwx
 ??? other::rwx
 ??? default:user::rwx
 ??? default:user:root:rwx
 ??? default:user:MYWRKGRP\\administrator:rwx
 ??? default:user:1000512:rwx
 ??? default:user:1000513:r-x
 ??? default:user:MYWRKGRP\\Testuser:rwx
 ??? default:group::---
 ??? default:group:root:---
 ??? default:group:MYWRKGRP\\administrator:rwx
 ??? default:group:MYWRKGRP\\domain\040admins:rwx
 ??? default:group:MYWRKGRP\\domain\040users:r-x
 ??? default:group:MYWRKGRP\\Testuser:rwx
 ??? default:mask::rwx
 ??? default:other::rwx
----
---- output of getfattr
 ??? root at svr-002:/# getfattr -n security.NTACL -d /home/MYWRKGRP/
 ??? /home/MYWRKGRP/: security.NTACL: No such attribute
----

--------------------- PDC settings --------------------------------
---- smb.conf of the PDC

 ??? [global]
 ??? ??? ??? netbios name = DC-101
 ??? ??? ??? realm = MYWRKGRP.MYDOM.COM
 ??? ??? ??? server role = active directory domain controller
 ??? ??? ??? dns forwarder = 10.0.0.1
 ??? ??? ??? workgroup = MYWRKGRP
 ??? [netlogon]
 ??? ??? ??? path = /var/lib/samba/sysvol/mywrkgrp.mydom.com/scripts
 ??? ??? ??? read only = No

 ??? [sysvol]
 ??? ??? ??? path = /var/lib/samba/sysvol
 ??? ??? ??? read only = No
----

----------------- lxc and settings on the lxc host ---------------------
---- ZFS is setup as follows:
 ??? root at proxmox02:/etc/pve/lxc# zfs get xattr hdd_zfs_guests/home
 ??? NAME???????????????? PROPERTY? VALUE? SOURCE
 ??? hdd_zfs_guests/home? xattr???? sa???? inherited from hdd_zfs_guests

 ??? root at proxmox02:/etc/pve/lxc# zfs get acltype hdd_zfs_guests/home
 ??? NAME???????????????? PROPERTY? VALUE???? SOURCE
 ??? hdd_zfs_guests/home? acltype?? posixacl? local

 ??? root at proxmox02:/etc/pve/lxc# zfs get aclinherit hdd_zfs_guests/home
 ??? NAME???????????????? PROPERTY??? VALUE????????? SOURCE
 ??? hdd_zfs_guests/home? aclinherit? passthrough??? local
----
---- The container is setup as follows:
 ??? arch: amd64
 ??? cores: 2
 ??? hostname: svr-002
 ??? memory: 1024
 ??? mp0: /hdd_zfs_guests/shares,mp=/shares
 ??? mp1: /hdd_zfs_guests/home,mp=/home
 ??? nameserver: 10.0.1.5
 ??? net0: 
name=eth0,bridge=vmbr1,gw=10.0.0.1,hwaddr=56:19:46:64:BA:6B,ip=10.0.2.3/8,tag=2,type=veth
 ??? ostype: debian
 ??? rootfs: hdd_zfs_guests:subvol-312-disk-5,acl=1,size=8G
 ??? searchdomain: mywrkgrp.mydom.com
 ??? swap: 1024
 ??? unprivileged: 1
 ??? lxc.idmap: u 0 100000 2000000
 ??? lxc.idmap: g 0 100000 2000000
----
---- files /etc/setgid and /etc/setuid have the same content
 ??? root:10000:2100000
----
-------------------------------------------------------------------------



Any help is really appreciated as I'm trying to get around this error 
now for days.

Thanks!

Chris

On 25/12/2019 16:46, Chris via samba wrote:
> Hello,
Merry Christmas ;-)
>
> I'm running a PDC and a secondary DC in privilegded lxc containers and 
> try to setup a fileserver in an unprivileged lxc container.
No, you are running two DCs, it is just that one of them has the PDC 
Emulator role (it probably has the other 6 as well)

> The shares of the file server are on the ZFS of the host and mapped 
> via bind-mount.
Ah, that could be a problem, ZFS uses NFSv4 ACLs

> ------------ file server settings ----------------------
> --- smb.conf of the fileserver
>
> ??? [global]
> ??????? workgroup = MYWRKGRP
> ??????? realm = MYWRKGRP.MYDOM.COM
> ??? ??? netbios name = SVR-002
> ??????? security = ADS
> ??????? winbind enum users = yes
> ??????? winbind enum groups = yes
> ??????? winbind use default domain = no
> ??????? winbind refresh tickets = Yes
> ??????? template shell = /bin/bash
> ??????? idmap config * : range = 10000 - 19999
> ??????? idmap config MYWRKGRP : backend = rid
> ??????? idmap config MYWRKGRP : range = 1000000 - 1999999
> ??????? map acl inherit = yes
> ??????? inherit acls = Yes
> ??????? inherit permissions = Yes
> ??????? store dos attributes = Yes
> ??????? vfs objects = acl_xattr
Try 'nfs4acl_xattr' instead, see 'man vfs_nfs4acl_xattr'

Rowland

On 25/12/2019 20:04, Rowland penny via samba wrote:
> On 25/12/2019 16:46, Chris via samba wrote:
>> Hello,
> Merry Christmas
Thanks Rowland! Hope you had a Merry Christmas too
>> The shares of the file server are on the ZFS of the host and mapped 
>> via bind-mount.
>
> Ah, that could be a problem, ZFS uses NFSv4 ACLs
>>
> Try 'nfs4acl_xattr' instead, see 'man vfs_nfs4acl_xattr'
I tried to set in the [users] share. The result in the log.smbd looks 
like this:

------

root at svr-002:/# tail -f /var/log/samba/log.smbd [2019/12/27 
13:39:51.454236,? 0] ../source3/smbd/service.c:631(make_connection_snum)
 ? make_connection_snum: vfs_init failed for service users
[2019/12/27 13:39:51.455426,? 0] ../lib/util/modules.c:49(load_module)
 ? Error loading module 
'/usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so': 
/usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so: cannot open shared 
object file: No such file or directory
[2019/12/27 13:39:51.455461,? 0] ../source3/smbd/vfs.c:184(vfs_init_custom)
 ? error probing vfs module 'nfs4acl_xattr': NT_STATUS_UNSUCCESSFUL
[2019/12/27 13:39:51.455479,? 0] ../source3/smbd/vfs.c:379(smbd_vfs_init)
 ? smbd_vfs_init: vfs_init_custom failed for nfs4acl_xattr
[2019/12/27 13:39:51.455494,? 0] 
../source3/smbd/service.c:631(make_connection_snum)
 ? make_connection_snum: vfs_init failed for service users
------

I think thats due to the fact, that the NFSv4 support is probably not 
build in the Linux ZFS version of proxmox. According to what I found on 
github, the support for NFSv4 ACL is still under development.

Any other ideas?

Thanks,

Christian

On 27/12/2019 12:59, Chris via samba wrote:
> On 25/12/2019 20:04, Rowland penny via samba wrote:
>
>> On 25/12/2019 16:46, Chris via samba wrote:
>>> Hello,
>> Merry Christmas
> Thanks Rowland! Hope you had a Merry Christmas too
>>> The shares of the file server are on the ZFS of the host and mapped
>>> via bind-mount.
>>
>> Ah, that could be a problem, ZFS uses NFSv4 ACLs
>>>
>> Try 'nfs4acl_xattr' instead, see 'man
vfs_nfs4acl_xattr'
>
> I tried to set in the [users] share. The result in the log.smbd looks 
> like this:
>
> ------
>
> root at svr-002:/# tail -f /var/log/samba/log.smbd [2019/12/27 
> 13:39:51.454236,? 0] ../source3/smbd/service.c:631(make_connection_snum)
> ? make_connection_snum: vfs_init failed for service users
> [2019/12/27 13:39:51.455426,? 0] ../lib/util/modules.c:49(load_module)
> ? Error loading module 
> '/usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so': 
> /usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so: cannot open 
> shared object file: No such file or directory
> [2019/12/27 13:39:51.455461,? 0] 
> ../source3/smbd/vfs.c:184(vfs_init_custom)
> ? error probing vfs module 'nfs4acl_xattr': NT_STATUS_UNSUCCESSFUL
> [2019/12/27 13:39:51.455479,? 0] ../source3/smbd/vfs.c:379(smbd_vfs_init)
> ? smbd_vfs_init: vfs_init_custom failed for nfs4acl_xattr
> [2019/12/27 13:39:51.455494,? 0] 
> ../source3/smbd/service.c:631(make_connection_snum)
> ? make_connection_snum: vfs_init failed for service users
> ------
>
> I think thats due to the fact, that the NFSv4 support is probably not 
> build in the Linux ZFS version of proxmox. According to what I found 
> on github, the support for NFSv4 ACL is still under development.
>
> Any other ideas?
>
> Thanks,
>
> Christian
>
Yes, but you are probably not going to like them ;-)

Upgrade to Samba 4.10.x, this definitely has 
/usr/lib/x86_64-linux-gnu/samba/vfs/nfs4acl_xattr.so

OR

Don't run Samba in your container.

OR

Don't use ZFS

Rowland