Tom Speeter
2012-Jul-05  20:15 UTC
[Samba] acl_tdb failed to convert file acl to posix permissions
We are using SAMBA 3.6.6 on Centos 5 with the acl_tdb VFS module.  Our share is
backed by storage on a SAN device that does not support ACLs or extended
attributes ... so we're trying the acl_tdb module as a mechanism to support
Windows ACLs.   We have verified that samba has ACL support enabled, and ACL
support works fine if we export the share from the local EXT4 filesystem.
When trying to add a user ACL from Windows, we get an ACCESS_DENIED error, with the
following log entries:
(set_canon_ace_list)
  canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms rwx
[2012/07/03 17:19:29.724227, 10] smbd/posix_acls.c:2757(set_canon_ace_list)
  canon_ace index 1. Type = allow SID = S-1-5-18 gid 10021 (10021) SMB_ACL_GROUP ace_flags = 0x0 perms rwx
[2012/07/03 17:19:29.724417, 10] smbd/posix_acls.c:2757(set_canon_ace_list)
  canon_ace index 2. Type = allow SID = S-1-5-21-1177087545-3838858134-2882343936-1294 uid 10002 (neosphere-admin) SMB_ACL_USER_OBJ ace_flags = 0x0 perms rwx
[2012/07/03 17:19:29.724755, 10] smbd/posix_acls.c:2757(set_canon_ace_list)
  canon_ace index 3. Type = allow SID = S-1-5-21-1177087545-3838858134-2882343936-1297 gid 10019 (neosphere-administrators) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms rwx
[2012/07/03 17:19:29.724979, 10] smbd/posix_acls.c:2757(set_canon_ace_list)
  canon_ace index 4. Type = allow SID = S-1-5-21-1177087545-3838858134-2882343936-1117 uid 10000 (rshen) SMB_ACL_USER ace_flags = 0x0 perms rwx
[2012/07/03 17:19:29.725214, 10] modules/vfs_posixacl.c:91(posixacl_sys_acl_set_file)
  Calling acl_set_file: NeoSphere/test100.txt, 0
[2012/07/03 17:19:29.725260, 10] modules/vfs_posixacl.c:110(posixacl_sys_acl_set_file)
  acl_set_file failed: Operation not supported
[2012/07/03 17:19:29.725300,  2] smbd/posix_acls.c:2828(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file NeoSphere/test100.txt (Operation not supported).
[2012/07/03 17:19:29.725341,  3] smbd/posix_acls.c:2932(convert_canon_ace_to_posix_perms)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file NeoSphere/test100.txt to convert to posix perms.
[2012/07/03 17:19:29.725378,  3] smbd/posix_acls.c:4001(set_nt_acl)
  set_nt_acl: failed to convert file acl to posix permissions for file NeoSphere/test100.txt.
[2012/07/03 17:19:29.725415,  3] smbd/error.c:81(error_packet_set)
  error packet at smbd/nttrans.c(2106) cmd=160 (SMBnttrans) NT_STATUS_ACCESS_DENIED
In posix_acls.c  we can see that in such a scenario, the code comes here (line
3993):
        /*
         * If we cannot set using POSIX ACLs we fall back to checking if we need to chmod.
         */
        if(!acl_set_support && acl_perms) {
                mode_t posix_perms;
                if (!convert_canon_ace_to_posix_perms( fsp, file_ace_list, &posix_perms)) {
                        free_canon_ace_list(file_ace_list);
                        free_canon_ace_list(dir_ace_list);
                        DEBUG(3,("set_nt_acl: failed to convert file acl to "
                                 "posix permissions for file %s.\n",
                                 fsp_str_dbg(fsp)));
                        return NT_STATUS_ACCESS_DENIED;
                }
... acl_set_support is false, and acl_perms is true,  and the call to
'convert_canon_ace_to_posix' fails because there are 5 ace entries, and
that function immediately fails:
static bool convert_canon_ace_to_posix_perms( files_struct *fsp, canon_ace *file_ace_list, mode_t *posix_perms)
{
        int snum = SNUM(fsp->conn);
        size_t ace_count = count_canon_ace_list(file_ace_list);
        canon_ace *ace_p;
        canon_ace *owner_ace = NULL;
        canon_ace *group_ace = NULL;
        canon_ace *other_ace = NULL;
        mode_t and_bits;
        mode_t or_bits;
        if (ace_count != 3) {
                DEBUG(3,("convert_canon_ace_to_posix_perms: Too many ACE "
                         "entries for file %s to convert to posix perms.\n",
                         fsp_str_dbg(fsp)));
                return False;
        }
So it seems that there is NO support for filesystems that do not support native
ACLs, or is this a bug ... or is there some other option to reroute processing
of the request?
SMB.CONF:
  [SAN]
path = /mnt/DDN-FS02
log level = 10
debuglevel = 10
writeable = yes
browseable = yes
inherit permissions = yes
inherit acls = yes
map acl inherit = yes
nt acl support = yes
force unknown acl user = yes
vfs objects = acl_tdb
acl_tdb: ignore system acls = yes
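
A simplified model of the chmod fallback quoted above, added here as an illustration; it is not part of the original post and not Samba's code. The `ace_kind`, `struct ace` and `aces_to_mode` names are hypothetical, and the two sample lists are constructed from the five `canon_ace` entries in the log.

```c
/* Simplified model (not Samba source) of collapsing an ACE list to mode bits. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical stand-ins for the SMB_ACL_* entry types seen in the log. */
enum ace_kind { ACE_USER_OBJ, ACE_USER, ACE_GROUP_OBJ, ACE_GROUP, ACE_OTHER };
struct ace { enum ace_kind kind; unsigned perms; /* r=4, w=2, x=1 */ };

/* Mode bits hold exactly one owner, one group and one "other" entry.
 * A named user or group entry has no slot, so the conversion is refused. */
bool aces_to_mode(const struct ace *list, size_t n, mode_t *mode)
{
    const struct ace *owner = NULL, *group = NULL, *other = NULL;

    if (n != 3)
        return false;
    for (size_t i = 0; i < n; i++) {
        switch (list[i].kind) {
        case ACE_USER_OBJ:  owner = &list[i]; break;
        case ACE_GROUP_OBJ: group = &list[i]; break;
        case ACE_OTHER:     other = &list[i]; break;
        default:            return false;   /* named entry */
        }
    }
    if (!owner || !group || !other)         /* duplicate or missing slot */
        return false;
    *mode = (mode_t)(((owner->perms & 7) << 6) | ((group->perms & 7) << 3)
                     | (other->perms & 7));
    return true;
}

/* Constructed from log entries 0-4 (all "perms rwx"). */
static const struct ace logged[] = {
    { ACE_OTHER, 7 }, { ACE_GROUP, 7 }, { ACE_USER_OBJ, 7 },
    { ACE_GROUP_OBJ, 7 }, { ACE_USER, 7 },
};
/* The same list without the two named entries (indexes 1 and 4). */
static const struct ace basic[] = {
    { ACE_OTHER, 7 }, { ACE_USER_OBJ, 7 }, { ACE_GROUP_OBJ, 7 },
};

int main(void)
{
    mode_t m = 0;
    printf("5 entries: %s\n", aces_to_mode(logged, 5, &m) ? "ok" : "refused");
    if (aces_to_mode(basic, 3, &m))
        printf("3 entries: %04o\n", (unsigned)m);
    return 0;
}
```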
