samba - Aug 2002 - Access Denied when changing ACLs from W2000 client

Hi all

I'm having some problems trying to configure ACLs from a Win2000 SP3
client.  I'm running Samba 2.2.5 on kernel 2.4.18 (with acl + ext attr),
Samba is compiled with acl support etc.

Samba is configured with security=domain, and is running with local 
groups etc rather than thru winbind, I haven't been game enough to tread
those waters yet.

With the debug level set to 5 I'm getting the following errors in my 
client machine log after trying to add an extra group into the permissions
via folder properties on the W2k client.

Can anyone shed some light on this, I've played around with the security
mode
settings etc on this share, almost certainly this is where I'm going wrong,
but
I can't see where. 

The share excerpt from smb.conf is listed before the log entries.

TIA

-------
[Shared]
	comment = Shared Workgroup Area
	path = /home/samba/shared
	valid users = @g-users
	admin users = @g-itstaff
	read only = No
	inherit permissions = no
	inherit acls = yes
	guest ok = No
	security mask = 0777
	force security mode = 00
	directory security mask = 0777
	force directory security mode = 00
	vfs object = /usr/lib/samba/recycle.so
	vfs options = /etc/samba/recycle.conf

-------
[2002/08/20 18:01:06, 5] rpc_parse/parse_prs.c:prs_uint8(500)
                      00ab id_auth[5] : 05
[2002/08/20 18:01:06, 5] rpc_parse/parse_prs.c:prs_uint32s(785)
                      00ac sub_auths : 00000015 78e3081a b5b9d1db f95de5a2
000003e8 
[2002/08/20 18:01:06, 5] smbd/posix_acls.c:unpack_nt_owners(433)
  unpack_nt_owners: validating owner_sids.
[2002/08/20 18:01:06, 5] smbd/posix_acls.c:unpack_nt_owners(474)
  unpack_nt_owners: owner_sids validated.
[2002/08/20 18:01:06, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(TestACL) returning 0760
[2002/08/20 18:01:06, 3]
smbd/posix_acls.c:convert_canon_ace_to_posix_perms(1809)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file TestACL to
convert to posix perms.
[2002/08/20 18:01:06, 3] smbd/posix_acls.c:set_nt_acl(2242)
  set_nt_acl: failed to convert file acl to posix permissions for file
TestACL.
[2002/08/20 18:01:06, 3] smbd/error.c:error_packet(91)
  error string = Function not implemented
[2002/08/20 18:01:06, 3] smbd/error.c:error_packet(106)
  error packet at smbd/nttrans.c(1714) cmd=160 (SMBnttrans)
NT_STATUS_ACCESS_DENIED

Peter,

 >>  smbd/posix_acls.c:convert_canon_ace_to_posix_perms(1809)
 >>  convert_canon_ace_to_posix_perms: Too many ACE entries for file
TestACL
 >>  to
 >>  convert to posix perms.

Do you already have a bunch of ACLs set on the files your trying.

I am just getting up to speed with Samba, so I can't really read the logs
yet, but I do know that Linux only supports a few ACLs per file.  I think the
latest and greatest is 21 ACLs per file. (I think that is a limit for both
ext2/3 and xfs, but I'm not sure.).
=20
Early 2.4.18 kernels supported even less ACLs under XFS due to a XFS bug.  I
think it was 9 or 15, but I'm not sure. I don't know if that bug
affected ext2/3.

Samba may also have a limit, but I don't know.

 >>  Hi all

 >>  I'm having some problems trying to configure ACLs from a Win2000
SP3
 >>  client.  I'm running Samba 2.2.5 on kernel 2.4.18 (with acl + ext
attr),
 >>  Samba is compiled with acl support etc.

 >>  Samba is configured with security=3Ddomain, and is running with
local=20
 >>  groups etc rather than thru winbind, I haven't been game enough
to tread
 >>  those waters yet.

 >>  With the debug level set to 5 I'm getting the following errors in
my=20
 >>  client machine log after trying to add an extra group into the
permissions
 >>  via folder properties on the W2k client.

 >>  Can anyone shed some light on this, I've played around with the
security
 >>  mode
 >>  settings etc on this share, almost certainly this is where I'm
going
 >>  wrong,
 >>  but
 >>  I can't see where.=20

 >>  The share excerpt from smb.conf is listed before the log entries.

 >>  TIA

 >>  -------
 >>  [Shared]
 >>      comment =3D Shared Workgroup Area
 >>      path =3D /home/samba/shared
 >>      valid users =3D @g-users
 >>      admin users =3D @g-itstaff
 >>      read only =3D No
 >>      inherit permissions =3D no
 >>      inherit acls =3D yes
 >>      guest ok =3D No
 >>      security mask =3D 0777
 >>      force security mode =3D 00
 >>      directory security mask =3D 0777
 >>      force directory security mode =3D 00
 >>      vfs object =3D /usr/lib/samba/recycle.so
 >>      vfs options =3D /etc/samba/recycle.conf

 >>  -------
 >>  [2002/08/20 18:01:06, 5] rpc_parse/parse_prs.c:prs_uint8(500)
 >>  00ab id_auth[5] : 05
 >>  [2002/08/20 18:01:06, 5] rpc_parse/parse_prs.c:prs_uint32s(785)
 >>  00ac sub_auths : 00000015 78e3081a b5b9d1db f95de5a2
 >>  000003e8=20
 >>  [2002/08/20 18:01:06, 5] smbd/posix_acls.c:unpack_nt_owners(433)
 >>  unpack_nt_owners: validating owner_sids.
 >>  [2002/08/20 18:01:06, 5] smbd/posix_acls.c:unpack_nt_owners(474)
 >>  unpack_nt_owners: owner_sids validated.
 >>  [2002/08/20 18:01:06, 3] smbd/dosmode.c:unix_mode(111)
 >>  unix_mode(TestACL) returning 0760
 >>  [2002/08/20 18:01:06, 3]
 >>  smbd/posix_acls.c:convert_canon_ace_to_posix_perms(1809)
 >>  convert_canon_ace_to_posix_perms: Too many ACE entries for file
TestACL
 >>  to
 >>  convert to posix perms.
 >>  [2002/08/20 18:01:06, 3] smbd/posix_acls.c:set_nt_acl(2242)
 >>  set_nt_acl: failed to convert file acl to posix permissions for file
 >>  TestACL.
 >>  [2002/08/20 18:01:06, 3] smbd/error.c:error_packet(91)
 >>  error string =3D Function not implemented
 >>  [2002/08/20 18:01:06, 3] smbd/error.c:error_packet(106)
 >>  error packet at smbd/nttrans.c(1714) cmd=3D160 (SMBnttrans)
 >>  NT_STATUS_ACCESS_DENIED
 >>  --=20
 >>  To unsubscribe from this list go to the following URL and read the
 >>  instructions:  http://lists.samba.org/mailman/listinfo/samba





Greg Freemyer
Internet Engineer
Deployment and Integration Specialist
Compaq ASE - Tru64 v4, v5
Compaq Master ASE - SAN Architect
The Norcross Group
www.NorcrossGroup.com

> >>  smbd/posix_acls.c:convert_canon_ace_to_posix_perms(1809)
> >>  convert_canon_ace_to_posix_perms: Too many ACE entries 
>for file TestACL
> >>  to
> >>  convert to posix perms.
>
>Do you already have a bunch of ACLs set on the files your trying.
Nope.  This is the first lot of ACLs I'm attempting to set up on
this particular set of files.  I can set rwx for one group using 
setfacl and r-x for another, but creating a new file/dir in one
of the configured directories doesn't inherit the ACLs from its 
parent, even though inherit acls is turned on for that share.

This is getting kinda confusing to be honest, I have an idea I don't
fully understand the underlying issues with Samba relating to the
ACLs and the underlying unix permissions, in some ways I'm flying a
blind as this is the first time I've attempted to use Samba on top
of ACL-enabled filesystems.

Google has been getting a hammering but so far I haven't turned up 
anything overly helpful.