Whenever I try to read or modify ACLs from my Windows 2000 PDC, my Samba Domain Member Server (Security = ADS) does not allow setting ACLs, nor does it display the existing ACLs.

- I have set up ACLs in my Kernel
- I have translated and installed libacl and libattr
- I can see and modify ACLs with getfacl and setfacl.
- I have translated Samba 3.0.23d with --with-acl-support=yes
- I have enabled ACLs on my share with nt acl support = yes

Still ACLs do not show up, neither for files nor for directories.

(A) Strange thing - a bug in smbd??: even though smbd is dynamically linked to libacl and libattr (I checked this with ldd), "smbd -b | grep acl" is empty. Can someone please confirm this?!

(B) I tried smbtorture: OPENATTR and EATEST fail. Does this have something to do with my ACL problem?

(C) Log excerpt when trying to set ACL: I get "convert_canon_ace_to_posix_perms: Too many ACE entries" error. I could not find an explanation for this on the net.

[2007/01/29 12:23:17, 3] smbd/dosmode.c:unix_mode(147)
  unix_mode(acl2.test) returning 0744
[2007/01/29 12:23:17, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file acl2.test to convert to posix perms.
[2007/01/29 12:23:17, 3] smbd/posix_acls.c:set_nt_acl(3269)
  set_nt_acl: failed to convert file acl to posix permissions for file acl2.test.

(D) What am I missing - how can I approach the issue and find out why ACLs do not work on my system?

Kind regards,
Jens

On Jan 29 2007 12:45, Jens Nissen wrote:
>
>Whenever I try to read or modify ACLs from my Windows 2000 PDC, my Samba
>Domain Member Server (Security = ADS) does not allow setting ACLs, nor
>does it display the existing ACLs.

Does it at least enforce them?

>(A) Strange thing - a bug in smbd??: even though smbd is dynamically
>linked to libacl and libattr (I checked this with ldd), "smbd -b | grep
>acl" is empty. Can someone please confirm this?!

Use grep -i.

>[2007/01/29 12:23:17, 3] smbd/posix_acls.c:convert_canon_ace_to_posix_perms(2579)
>  convert_canon_ace_to_posix_perms: Too many ACE entries for file
>acl2.test to convert to posix perms.

Filesystems limit the number of ACLs. For XFS, I think it is 25 entries.

>[2007/01/29 12:23:17, 3] smbd/posix_acls.c:set_nt_acl(3269)
>  set_nt_acl: failed to convert file acl to posix permissions for file
>acl2.test.

-`J'
--

OK - I managed to track down the bug inside Samba, but I have no easy way to work around it. The dynamic mapping of vfs acls inside Samba does not seem to work. See the following sequence in posix_acls.c in function get_nt_acl:

    /*
     * Get the ACL from the path.
     */

    posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fsp->fsp_name, SMB_ACL_TYPE_ACCESS);

    /// My Workaround
    /// posix_acl equals 0 here
    if (!posix_acl)
    {
        posix_acl = acl_get_file(fsp->fsp_name, SMB_ACL_TYPE_ACCESS);
    }
    /// posix_acl is something else than 0 here
    /// End My Workaround

While SMB_VFS_SYS_ACL_GET_FILE returns a Null-Pointer, the call afterwards to acl_get_file does return an ACL description which is non-zero. So the vfs-wrapper code fails, even though smbd is obviously linked to the correct ACL 1.0 library (as acl_get_file can be found inside libacl).

How can I work around this? It would be horrible if I had to find all wrapped library code and replace it by something hard-wired.

Kind regards,
Jens Nissen

-------- Original Message --------
Date: Tue, 30 Jan 2007 11:44:18 +0100 (MET)
From: Jan Engelhardt <jengelh@linux01.gwdg.de>
To: Jens Nissen <jens.nissen@gmx.net>
Subject: Re: [Samba] ACLs fail in 3.0.23d

> >One question: how does Samba find out, that ACLs are activated?
>
> I suppose the only sane way is to try calling functions from libacl. If
> they fail unreasonably, then the fs does not support ACLs.
>
> >>> Whenever I try to read or modify ACLs from my Windows 2000 PDC, my Samba
> >>> Domain Member Server (Security = ADS) does not allow setting ACLs, nor
> >>> does it display the existing ACLs.
> >>
> >> Does it at least enforce them?
> >
> >What does "enforce" mean?
>
>     chmod 600 file
>     setfacl -m u:otheruser:rwx file
>
> should give otheruser write permissions on the file, even if Windows
> does not get ACLs right (e.g. W98, which does not know ACLs at all).
>
> >But I am missing something like --WITH-ACL:
>
> smbd -b shows defines, not configure options.
>
> Jan
> --
> ft: http://freshmeat.net/p/chaostables/

Jens Nissen wrote:

> OK - I managed to track down the bug inside Samba,
> but I have no easy way to work around it.
> The dynamic mapping of vfs acls inside Samba does
> not seem to work. See the following sequence in posix_acls.c
> in function get_nt_acl:
>
>     /*
>      * Get the ACL from the path.
>      */
>
>     posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fsp->fsp_name, SMB_ACL_TYPE_ACCESS);
>
>     /// My Workaround
>     /// posix_acl equals 0 here
>     if (!posix_acl)
>     {
>         posix_acl=acl_get_file(fsp->fsp_name, SMB_ACL_TYPE_ACCESS);
>     }
>     /// posix_acl is something else than 0 here
>     /// End My Workaround
>
> While SMB_VFS_SYS_ACL_GET_FILE returns a Null-Pointer, the
> call afterwards to acl_get_file does return a ACL description
> which is non-zero.

Are you absolutely sure you built with ACL support? (--with-acl-support) and that `smbd -b | grep ACL` returns the expected result for your platform? Also what file system is this?

cheers, jerry
=====================================================================
Samba ------- http://www.samba.org
Centeris ----------- http://www.centeris.com
"What man is a man who does not make the world better?" --Balian

I have an ext3 filesystem and I am absolutely sure that Samba is correctly compiled - see the following line from the map-file:

    0x00041b24 acl_get_fd@@ACL_1.0
    ...
    0x00041d7c acl_get_file@@ACL_1.0

As mentioned before:

    # /bin/smbd -b | grep -i ACL
    HAVE_SYS_ACL_H
    HAVE_POSIX_ACLS

And in addition: if I call directly "acl_get_file" from Samba, I get a POSIX ACE!!!

This shows IMHO:
- smbd is linked against / loads /boot/lib/libacl.so.1
- the file system has ACLs / ACEs available (also controlled with getfacl / chacl / setfacl)

I traced the log-file for the string "vfs hooks". There are two places in vfs.c where this string can come from:
- "Initialising default vfs hooks"
- "Initialising custom vfs hooks from [%s]"

I only get the first string. So the vfs_wrapper is initialised by default which (??) is the posix_ace module??? (Can someone confirm this?). If that is the case, there are a few ways the wrapper could give wrong results. One is that a thread is forked and the initializing code is not called. In this case, acl_get_file would not get called. One other reason could be that some other function gets called as the table is wrong. I cannot really tell, as I do not have a gdb on the system running (and I do not really know how to use it as a matter of fact :-( )

Kind regards and thanks for all kinds of help in advance!!!
Jens

-------- Original Message --------
Date: Tue, 30 Jan 2007 10:11:13 -0600
From: "Gerald (Jerry) Carter" <jerry@samba.org>
To: Jens Nissen <jens.nissen@gmx.net>
Subject: Re: [Samba] ACLs fail in 3.0.23d

> Jens Nissen wrote:
>
> > OK - I managed to track down the bug inside Samba,
> > but I have no easy way to work around it.
> > The dynamic mapping of vfs acls inside Samba does
> > not seem to work. See the following sequence in posix_acls.c
> > in function get_nt_acl:
> >
> >     /*
> >      * Get the ACL from the path.
> >      */
> >
> >     posix_acl = SMB_VFS_SYS_ACL_GET_FILE(conn, fsp->fsp_name, SMB_ACL_TYPE_ACCESS);
> >
> >     /// My Workaround
> >     /// posix_acl equals 0 here
> >     if (!posix_acl)
> >     {
> >         posix_acl=acl_get_file(fsp->fsp_name, SMB_ACL_TYPE_ACCESS);
> >     }
> >     /// posix_acl is something else than 0 here
> >     /// End My Workaround
> >
> > While SMB_VFS_SYS_ACL_GET_FILE returns a Null-Pointer, the
> > call afterwards to acl_get_file does return a ACL description
> > which is non-zero.
>
> Are you absolutely sure you built with ACL support?
> (--with-acl-support) and that `smbd -b | grep ACL` returns
> the expected result for your platform? Also what file
> system is this?
>
> cheers, jerry
> =====================================================================
> Samba ------- http://www.samba.org
> Centeris ----------- http://www.centeris.com
> "What man is a man who does not make the world better?" --Balian

I found a lot of stuff about ENOATTR. Can somebody point me to the correct way of handling ENOATTR with Samba 3.0.23d?

To start with: I have trouble getting "smbtorture EATEST" to work. smbtorture assumes in libsmbclient.h that unless ENOATTR is defined, ENOATTR should be ENOENT (which is defined to be 2 in /usr/include/linux/errno.h).

My ext3-ATTR (attr-2.4.32 + patches 0.8.73 I think it was) implementation does something similar: in absence of ENOATTR it returns ENODATA (which is 61).

posix_acls.c and other smbd-components do something similar wrong (using ENOSYS which is 38).

How do I fix the inconsistency best:
- Patch Samba smbd and torture?
- Patch linux/errno.h and recompile everything? What value should ENOATTR have in this case?
- Patch attr-2.4 manually?

Kind regards,
Jens
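
Added example (not part of the thread and not Samba code): a small C probe that separates the error cases the last message mixes together, "attribute not set" (ENODATA), "filesystem lacks support" (ENOTSUP) and "call not implemented" (ENOSYS), by asking the kernel for the `system.posix_acl_access` extended attribute in which Linux stores a POSIX access ACL. It assumes Linux with glibc's `<sys/xattr.h>`; the enum and function names are made up for illustration.

```c
/* Added example, not Samba code. Assumes Linux with glibc <sys/xattr.h>;
 * the enum and function names are illustrative. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Linux <errno.h> has no ENOATTR; libattr's headers alias it to ENODATA,
 * which is what the kernel returns for a missing attribute. */
#ifndef ENOATTR
#define ENOATTR ENODATA
#endif

enum xattr_state {
    XA_PRESENT,        /* attribute exists */
    XA_ABSENT,         /* xattrs work, this attribute is not set */
    XA_FS_UNSUPPORTED, /* filesystem or mount options lack support */
    XA_NO_SYSCALL,     /* call not implemented (ENOSYS) */
    XA_OTHER_ERROR     /* e.g. ENOENT: the path itself is missing */
};

/* Map an errno value left by getxattr() to one of the cases above. */
enum xattr_state classify_xattr_errno(int err)
{
    if (err == 0)       return XA_PRESENT;
    if (err == ENOATTR) return XA_ABSENT;
    if (err == ENOTSUP) return XA_FS_UNSUPPORTED; /* == EOPNOTSUPP on Linux */
    if (err == ENOSYS)  return XA_NO_SYSCALL;
    return XA_OTHER_ERROR;
}

/* Ask the kernel directly whether path carries a POSIX access ACL. */
enum xattr_state probe_posix_acl(const char *path)
{
    /* A NULL buffer with size 0 only queries the value length. */
    ssize_t n = getxattr(path, "system.posix_acl_access", NULL, 0);
    return classify_xattr_errno(n >= 0 ? 0 : errno);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ACL present", "no ACL set",
        "filesystem lacks support", "syscall missing", "other error" };
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], names[probe_posix_acl(argv[i])]);
    return 0;
}
```
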