Thomas Nau
2011-Apr-05  10:40 UTC
[Samba] acl_xattr access denied when adding permissions for another user
Dear all
We run Samba 3.5.8 on a Solaris 11 box on top of ZFS. We got the
impression that the VFS module acl_xattr provides the best way
of keeping Windows ACLs. We don't have concurrent NFS or local users
so it's Windows only.
The clients as well as the Samba server are members of an AD domain.
Creating files/directories works as expected and also manipulating
permissions for the initial user/group does not raise any problem.
Trying to add permissions for an additional user (looked up in AD)
fails with the Windows XP client side "permission denied" pop-up box.
The share's config:
[EA]
        # public fileserver share
    path                       = /smb/X
    comment                    = xattr ACL Test
    public                     = no
    writable                   = yes
    browseable                 = yes
    vfs objects                = acl_xattr
    inherit permissions        = yes
    inherit acls               = yes
On the server side the relevant parts of the logfile are
[2011/04/05 12:18:16.331704,  2] lib/access.c:406(check_access)
  Allowed connection from  (x.x.x.x)
[2011/04/05 12:18:16.335694,  3] smbd/vfs.c:97(vfs_init_default)
  Initialising default vfs hooks
[2011/04/05 12:18:16.335737,  5] smbd/vfs.c:87(smb_register_vfs)
  Successfully added vfs backend '/[Default VFS]/'
[2011/04/05 12:18:16.335779,  5] smbd/vfs.c:87(smb_register_vfs)
  Successfully added vfs backend 'solarisacl'
[2011/04/05 12:18:16.335802,  3] smbd/vfs.c:122(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
  Successfully loaded vfs module [/[Default VFS]/] with the new modules system
[2011/04/05 12:18:16.335838,  3] smbd/vfs.c:122(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2011/04/05 12:18:16.335862,  5] smbd/vfs.c:162(vfs_init_custom)
  vfs module [acl_xattr] not loaded - trying to load...
[2011/04/05 12:18:16.336548,  2] lib/module.c:64(do_smb_load_module)
  Module '/smb/sw/lib/vfs/acl_xattr.so' loaded
[2011/04/05 12:18:16.336591,  5] smbd/vfs.c:87(smb_register_vfs)
  Successfully added vfs backend 'acl_xattr'
  Successfully loaded vfs module [acl_xattr] with the new modules system
[2011/04/05 12:18:16.336945,  2] modules/vfs_acl_xattr.c:193(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service EA
[2011/04/05 12:18:16.337787,  1] smbd/service.c:1070(make_connection_snum)
  x.x.x.x (x.x.x.x) connect to service EA initially as user nau (uid=10000, gid=10000) (pid 23491)
...
[2011/04/05 12:18:16.348517,  3] smbd/vfs.c:1038(check_reduced_name)
  check_reduced_name: D reduced to /smb/X/D
[2011/04/05 12:18:16.350387,  5] smbd/posix_acls.c:1191(unpack_nt_owners)
  unpack_nt_owners: validating owner_sids.
[2011/04/05 12:18:16.350434,  5] smbd/posix_acls.c:1238(unpack_nt_owners)
  unpack_nt_owners: owner_sids validated.
[2011/04/05 12:18:16.351005,  2] smbd/posix_acls.c:2903(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file D (Operation not applicable).
[2011/04/05 12:18:16.351086,  3] smbd/posix_acls.c:3007(convert_canon_ace_to_posix_perms)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file D to convert to posix perms.
[2011/04/05 12:18:16.351114,  3] smbd/posix_acls.c:4109(set_nt_acl)
  set_nt_acl: failed to convert file acl to posix permissions for file D.
[2011/04/05 12:18:20.872901,  1] smbd/service.c:1251(close_cnum)
  134.60.1.35 (134.60.1.35) closed connection to service EA
So why do I need POSIX ACLs at all?
Any hints are greatly appreciated!
Thomas
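The failure chain in the log above can be pulled out of an smbd debug log mechanically. The following is an added example, not part of the original thread or of Samba: it parses the `[timestamp, level] file:line(function)` record format and, for each failed `set_nt_acl`, lists the earlier functions that logged a problem for the same file. The names `parse_records` and `posix_acl_failures` are hypothetical, and `SAMPLE` is constructed from the posted excerpt.

```python
import re

# smbd debug record header: "[timestamp, level] file.c:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s+(?P<level>\d+)\]\s*(?:\S+\((?P<func>\w+)\))?\s*$")
LOCATION = re.compile(r"^\S+\((?P<func>\w+)\)\s*$")
FAILED = re.compile(r"set_nt_acl: failed to convert file acl to posix permissions for file (.+)\.$")

# Constructed sample modelled on the posted excerpt, wrapped the way mail clients wrap logs.
SAMPLE = """\
[2011/04/05 12:18:16.350434,  5] smbd/posix_acls.c:1238(unpack_nt_owners)
  unpack_nt_owners: owner_sids validated.
[2011/04/05 12:18:16.351005,  2] smbd/posix_acls.c:2903(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file D (Operation
not applicable).
[2011/04/05 12:18:16.351086,  3]
smbd/posix_acls.c:3007(convert_canon_ace_to_posix_perms)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file D to convert
to posix perms.
[2011/04/05 12:18:16.351114,  3] smbd/posix_acls.c:4109(set_nt_acl)
  set_nt_acl: failed to convert file acl to posix permissions for file D.
"""

def parse_records(text):
    """Group header and message lines, rejoining lines the mailer wrapped."""
    records = []
    for line in text.splitlines():
        head = HEADER.match(line)
        if head:
            records.append({"ts": head["ts"], "level": int(head["level"]),
                            "func": head["func"], "msg": ""})
        elif records:
            rec, loc = records[-1], LOCATION.match(line)
            if rec["func"] is None and loc:  # location wrapped to next line
                rec["func"] = loc["func"]
            else:
                rec["msg"] = (rec["msg"] + " " + line.strip()).strip()
    return records

def posix_acl_failures(records):
    """For each failed set_nt_acl, list earlier functions that logged the same file."""
    findings = []
    for i, rec in enumerate(records):
        hit = FAILED.search(rec["msg"])
        if hit:
            name = hit.group(1)
            chain = [r["func"] for r in records[:i] if f"for file {name} " in r["msg"]]
            findings.append({"ts": rec["ts"], "file": name, "chain": chain})
    return findings

if __name__ == "__main__":
    print(posix_acl_failures(parse_records(SAMPLE)))
```

On the sample, the chain shows that the POSIX ACL write (`set_canon_ace_list`) fails first and the fallback to plain mode bits (`convert_canon_ace_to_posix_perms`) cannot represent the extra ACE, which is what `set_nt_acl` then reports as a failure.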
Volker Lendecke
2011-Apr-05  11:02 UTC
[Samba] acl_xattr access denied when adding permissions for another user
On Tue, Apr 05, 2011 at 12:40:12PM +0200, Thomas Nau wrote:
> We run Samba 3.5.8 on a Solaris 11 box on top of ZFS We got the
> impression that the VFS module acl_xattr provides the best way
> of keeping Windows ACLs. We don't have concurrent NFS or local users
> so it's Windows only.

ZFS does NFSv4 ACLs which are quite close, albeit not perfect. There's a zfs_acl module for Solaris, you might also give that a try.

> The clients as well as the Samba server are members of an AD domain.
> Creating files/directories works as expected and also manipulating
> permissions for the initial user/group does not raise any problem.
> Trying to add permissions for an additional user (looked up in AD)
> fails with the Windows XP client side "permission denied" pop-up box.

Does "acl_xattr : ignore system acls" help?

Volker

--
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
Jeremy Allison
2011-Apr-05  23:09 UTC
[Samba] acl_xattr access denied when adding permissions for another user
On Tue, Apr 05, 2011 at 12:40:12PM +0200, Thomas Nau wrote:
> Dear all
> We run Samba 3.5.8 on a Solaris 11 box on top of ZFS We got the
> impression that the VFS module acl_xattr provides the best way
> of keeping Windows ACLs. We don't have concurrent NFS or local users
> so it's Windows only.
>
> The clients as well as the Samba server are members of an AD domain.
> Creating files/directories works as expected and also manipulating
> permissions for the initial user/group does not raise any problem.
> Trying to add permissions for an additional user (looked up in AD)
> fails with the Windows XP client side "permission denied" pop-up box.

If you're using ZFS (which has native NFSv4 ACLs) why not use the vfs_zfsacl module?

Jeremy.