Freeman, Peter (ERHS)
2002-Aug-19 23:38 UTC
[Samba] Access Denied when changing ACLs from W2000 client
Hi all,

I'm having some problems trying to configure ACLs from a Win2000 SP3 client. I'm running Samba 2.2.5 on kernel 2.4.18 (with acl + ext attr), Samba is compiled with acl support etc.

Samba is configured with security=domain, and is running with local groups etc rather than thru winbind, I haven't been game enough to tread those waters yet.

With the debug level set to 5 I'm getting the following errors in my client machine log after trying to add an extra group into the permissions via folder properties on the W2k client.

Can anyone shed some light on this? I've played around with the security mode settings etc on this share, almost certainly this is where I'm going wrong, but I can't see where.

The share excerpt from smb.conf is listed before the log entries.

TIA

-------
[Shared]
   comment = Shared Workgroup Area
   path = /home/samba/shared
   valid users = @g-users
   admin users = @g-itstaff
   read only = No
   inherit permissions = no
   inherit acls = yes
   guest ok = No
   security mask = 0777
   force security mode = 00
   directory security mask = 0777
   force directory security mode = 00
   vfs object = /usr/lib/samba/recycle.so
   vfs options = /etc/samba/recycle.conf
-------
[2002/08/20 18:01:06, 5] rpc_parse/parse_prs.c:prs_uint8(500)
  00ab id_auth[5] : 05
[2002/08/20 18:01:06, 5] rpc_parse/parse_prs.c:prs_uint32s(785)
  00ac sub_auths : 00000015 78e3081a b5b9d1db f95de5a2 000003e8
[2002/08/20 18:01:06, 5] smbd/posix_acls.c:unpack_nt_owners(433)
  unpack_nt_owners: validating owner_sids.
[2002/08/20 18:01:06, 5] smbd/posix_acls.c:unpack_nt_owners(474)
  unpack_nt_owners: owner_sids validated.
[2002/08/20 18:01:06, 3] smbd/dosmode.c:unix_mode(111)
  unix_mode(TestACL) returning 0760
[2002/08/20 18:01:06, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(1809)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file TestACL to convert to posix perms.
[2002/08/20 18:01:06, 3] smbd/posix_acls.c:set_nt_acl(2242)
  set_nt_acl: failed to convert file acl to posix permissions for file TestACL.
[2002/08/20 18:01:06, 3] smbd/error.c:error_packet(91)
  error string = Function not implemented
[2002/08/20 18:01:06, 3] smbd/error.c:error_packet(106)
  error packet at smbd/nttrans.c(1714) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
Greg Freemyer
2002-Aug-20 10:15 UTC
[Samba] Access Denied when changing ACLs from W2000 client
Peter,

>> smbd/posix_acls.c:convert_canon_ace_to_posix_perms(1809)
>> convert_canon_ace_to_posix_perms: Too many ACE entries for file TestACL to convert to posix perms.

Do you already have a bunch of ACLs set on the files you're trying?

I am just getting up to speed with Samba, so I can't really read the logs yet, but I do know that Linux only supports a few ACLs per file. I think the latest and greatest is 21 ACLs per file. (I think that is a limit for both ext2/3 and xfs, but I'm not sure.)

Early 2.4.18 kernels supported even fewer ACLs under XFS due to an XFS bug. I think it was 9 or 15, but I'm not sure. I don't know if that bug affected ext2/3.

Samba may also have a limit, but I don't know.

>> Hi all
>> I'm having some problems trying to configure ACLs from a Win2000 SP3 client. I'm running Samba 2.2.5 on kernel 2.4.18 (with acl + ext attr), Samba is compiled with acl support etc.
>> Samba is configured with security=domain, and is running with local groups etc rather than thru winbind, I haven't been game enough to tread those waters yet.
>> With the debug level set to 5 I'm getting the following errors in my client machine log after trying to add an extra group into the permissions via folder properties on the W2k client.
>> Can anyone shed some light on this, I've played around with the security mode settings etc on this share, almost certainly this is where I'm going wrong, but I can't see where.
>> The share excerpt from smb.conf is listed before the log entries.
>> TIA
>> -------
>> [Shared]
>>    comment = Shared Workgroup Area
>>    path = /home/samba/shared
>>    valid users = @g-users
>>    admin users = @g-itstaff
>>    read only = No
>>    inherit permissions = no
>>    inherit acls = yes
>>    guest ok = No
>>    security mask = 0777
>>    force security mode = 00
>>    directory security mask = 0777
>>    force directory security mode = 00
>>    vfs object = /usr/lib/samba/recycle.so
>>    vfs options = /etc/samba/recycle.conf
>> -------
>> [2002/08/20 18:01:06, 5] rpc_parse/parse_prs.c:prs_uint8(500)
>>   00ab id_auth[5] : 05
>> [2002/08/20 18:01:06, 5] rpc_parse/parse_prs.c:prs_uint32s(785)
>>   00ac sub_auths : 00000015 78e3081a b5b9d1db f95de5a2 000003e8
>> [2002/08/20 18:01:06, 5] smbd/posix_acls.c:unpack_nt_owners(433)
>>   unpack_nt_owners: validating owner_sids.
>> [2002/08/20 18:01:06, 5] smbd/posix_acls.c:unpack_nt_owners(474)
>>   unpack_nt_owners: owner_sids validated.
>> [2002/08/20 18:01:06, 3] smbd/dosmode.c:unix_mode(111)
>>   unix_mode(TestACL) returning 0760
>> [2002/08/20 18:01:06, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(1809)
>>   convert_canon_ace_to_posix_perms: Too many ACE entries for file TestACL to convert to posix perms.
>> [2002/08/20 18:01:06, 3] smbd/posix_acls.c:set_nt_acl(2242)
>>   set_nt_acl: failed to convert file acl to posix permissions for file TestACL.
>> [2002/08/20 18:01:06, 3] smbd/error.c:error_packet(91)
>>   error string = Function not implemented
>> [2002/08/20 18:01:06, 3] smbd/error.c:error_packet(106)
>>   error packet at smbd/nttrans.c(1714) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED

Greg Freemyer
Internet Engineer Deployment and Integration Specialist
Compaq ASE - Tru64 v4, v5
Compaq Master ASE - SAN Architect
The Norcross Group
www.NorcrossGroup.com
Freeman, Peter (ERHS)
2002-Aug-20 16:33 UTC
[Samba] Access Denied when changing ACLs from W2000 client
> >> smbd/posix_acls.c:convert_canon_ace_to_posix_perms(1809)
> >> convert_canon_ace_to_posix_perms: Too many ACE entries for file TestACL to convert to posix perms.
>
> Do you already have a bunch of ACLs set on the files you're trying?

Nope. This is the first lot of ACLs I'm attempting to set up on this particular set of files.

I can set rwx for one group using setfacl and r-x for another, but creating a new file/dir in one of the configured directories doesn't inherit the ACLs from its parent, even though inherit acls is turned on for that share.

This is getting kinda confusing to be honest, I have an idea I don't fully understand the underlying issues with Samba relating to the ACLs and the underlying unix permissions, in some ways I'm flying blind as this is the first time I've attempted to use Samba on top of ACL-enabled filesystems.

Google has been getting a hammering but so far I haven't turned up anything overly helpful.