Jeremy Allison <[email protected]> - 10/27/2011 04:28 PM
>This error isn't an ACL error, it's Samba trying to store the extra
>Windows attributes into a Linux EA. If NFS doesn't support this, you'll
>need to stop Samba from trying to do this by doing:
>
>store dos attributes = no
>ea support = no
>
>Unfortunately that means that Samba will have to fall back to trying
>to store the (necessary) extra metadata info in the normal POSIX permissions,
>which will mess up the NFS ACLs.

I can't put Samba on the NFS server, but I may be able to make a large Samba VM and move the data over to there. Not a very desirable solution for us, though.

If I turn off both those settings, that error stops, but the Windows machine is still getting the same access denied. If I can get ACL working without any EA, it might be good enough for us. We don't need Windows permission lists or metadata to be kept with files stored on the Samba server (though I will check with people on that), but we do need different winbind users and groups to have different access permissions. I'd like to try getting ACL sans EA working.

Now, with those two options turned off, I am seeing that the first difference in the logs between using local ACL and NFS4 ACL is as follows (snipped logs).

The working local ACL:

Oct 27 16:19:12 test-samba-server smbd[29532]: [2011/10/27 16:19:12.418061, 3] smbd/vfs.c:1008(check_reduced_name)
Oct 27 16:19:12 test-samba-server smbd[29532]: check_reduced_name: . reduced to /imports/localacl/localACLdir
Oct 27 16:19:12 test-samba-server winbindd[1271]: [2011/10/27 16:19:12.418959, 3] winbindd/winbindd_getpwuid.c:47(winbindd_getpwuid_send)
Oct 27 16:19:12 test-samba-server winbindd[1271]: getpwuid 16777216
Oct 27 16:19:12 test-samba-server winbindd[1271]: [2011/10/27 16:19:12.420362, 3] winbindd/winbindd_getpwuid.c:47(winbindd_getpwuid_send)
Oct 27 16:19:12 test-samba-server winbindd[1271]: getpwuid 16777216
Oct 27 16:19:12 test-samba-server smbd[29532]: [2011/10/27 16:19:12.422693, 3] smbd/process.c:1485(process_smb)
Oct 27 16:19:12 test-samba-server smbd[29532]: Transaction 119 of length 114 (0 toread)

The not working NFS4 ACL:

Oct 27 16:40:59 test-samba-server smbd[29936]: [2011/10/27 16:40:59.390591, 3] smbd/vfs.c:1008(check_reduced_name)
Oct 27 16:40:59 test-samba-server smbd[29936]: check_reduced_name: . reduced to /imports/boundeddrive/forPaulACL
Oct 27 16:40:59 test-samba-server smbd[29936]: [2011/10/27 16:40:59.391973, 1] ../librpc/ndr/ndr.c:214(ndr_print_debug)
Oct 27 16:40:59 test-samba-server smbd[29936]: sd: struct security_descriptor
Oct 27 16:40:59 test-samba-server smbd[29936]: revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
Oct 27 16:40:59 test-samba-server smbd[29936]: type : 0x9004 (36868)
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_OWNER_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_GROUP_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 1: SEC_DESC_DACL_PRESENT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_DACL_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_SACL_PRESENT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_SACL_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_DACL_TRUSTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_SERVER_SECURITY
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_DACL_AUTO_INHERIT_REQ
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_SACL_AUTO_INHERIT_REQ
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_DACL_AUTO_INHERITED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_SACL_AUTO_INHERITED
Oct 27 16:40:59 test-samba-server smbd[29936]: 1: SEC_DESC_DACL_PROTECTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_SACL_PROTECTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_DESC_RM_CONTROL_VALID
Oct 27 16:40:59 test-samba-server smbd[29936]: 1: SEC_DESC_SELF_RELATIVE
Oct 27 16:40:59 test-samba-server smbd[29936]: owner_sid : *
Oct 27 16:40:59 test-samba-server smbd[29936]: owner_sid : S-1-22-1-0
Oct 27 16:40:59 test-samba-server smbd[29936]: group_sid : *
Oct 27 16:40:59 test-samba-server smbd[29936]: group_sid : S-1-22-2-0
Oct 27 16:40:59 test-samba-server smbd[29936]: sacl : NULL
Oct 27 16:40:59 test-samba-server smbd[29936]: dacl : *
Oct 27 16:40:59 test-samba-server smbd[29936]: dacl: struct security_acl
Oct 27 16:40:59 test-samba-server smbd[29936]: revision : SECURITY_ACL_REVISION_NT4 (2)
Oct 27 16:40:59 test-samba-server smbd[29936]: size : 0x004c (76)
Oct 27 16:40:59 test-samba-server smbd[29936]: num_aces : 0x00000003 (3)
Oct 27 16:40:59 test-samba-server smbd[29936]: aces: ARRAY(3)
Oct 27 16:40:59 test-samba-server smbd[29936]: aces: struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]: type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: flags : 0x00 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_OBJECT_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_CONTAINER_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_INHERIT_ONLY
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_INHERITED_ACE
Oct 27 16:40:59 test-samba-server smbd[29936]: 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_FAILED_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]: size : 0x0018 (24)
Oct 27 16:40:59 test-samba-server smbd[29936]: access_mask : 0x001f01ff (2032127)
Oct 27 16:40:59 test-samba-server smbd[29936]: object : union security_ace_object_ctr(case 0)
Oct 27 16:40:59 test-samba-server smbd[29936]: trustee : S-1-22-1-0
Oct 27 16:40:59 test-samba-server smbd[29936]: aces: struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]: type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: flags : 0x00 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_OBJECT_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_CONTAINER_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_INHERIT_ONLY
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_INHERITED_ACE
Oct 27 16:40:59 test-samba-server smbd[29936]: 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_FAILED_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]: size : 0x0018 (24)
Oct 27 16:40:59 test-samba-server smbd[29936]: access_mask : 0x001f01ff (2032127)
Oct 27 16:40:59 test-samba-server smbd[29936]: object : union security_ace_object_ctr(case 0)
Oct 27 16:40:59 test-samba-server smbd[29936]: trustee : S-1-22-2-0
Oct 27 16:40:59 test-samba-server smbd[29936]: aces: struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]: type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: flags : 0x00 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_OBJECT_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_CONTAINER_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_INHERIT_ONLY
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_INHERITED_ACE
Oct 27 16:40:59 test-samba-server smbd[29936]: 0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]: 0: SEC_ACE_FLAG_FAILED_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]: size : 0x0014 (20)
Oct 27 16:40:59 test-samba-server smbd[29936]: access_mask : 0x00000000 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: object : union security_ace_object_ctr(case 0)
Oct 27 16:40:59 test-samba-server smbd[29936]: trustee : S-1-1-0
Oct 27 16:40:59 test-samba-server smbd[29936]: [2011/10/27 16:40:59.400418, 3] smbd/error.c:80(error_packet_set)
Oct 27 16:40:59 test-samba-server smbd[29936]: error packet at smbd/error.c(160) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED

Up to this point, the logs are significantly identical. As best I can tell, in the NFS4 case, Samba isn't even trying to ask winbind for info, but instead is just returning the POSIX permissions (root:root, rwxrwx---). Is that what's happening?

Paul Nickerson
IT Systems Administrator & Support
DeskNet Inc.
Portland, Maine
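Added example, not part of the original message and not Samba code: a small Python parser for the ndr_print_debug security-descriptor dump in the NFS4 log above. It extracts each ACE's trustee and access_mask and renders them POSIX-style, relying on Samba's S-1-22-1-<uid> / S-1-22-2-<gid> SIDs for Unix ids without a Windows mapping; the sample lines are constructed from the dump and all function names are this example's own.

```python
import re

# Samba puts Unix ids that have no Windows mapping under these SID prefixes.
SID_KINDS = {"S-1-22-1-": "unix uid", "S-1-22-2-": "unix gid"}
WELL_KNOWN = {"S-1-1-0": "Everyone"}
# Windows file access-mask bits that line up with POSIX r, w, x.
RWX_BITS = ((0x0001, "r"), (0x0002, "w"), (0x0020, "x"))
FILE_ALL_ACCESS = 0x001F01FF
FIELD = re.compile(r"smbd\[\d+\]:\s+(type|access_mask|trustee)\s*:\s*(\S+)")

# Constructed sample: ACE fields copied from the dump above (flag lines omitted).
P = "Oct 27 16:40:59 test-samba-server smbd[29936]: "
SAMPLE = "\n".join(P + s for s in [
    "type : 0x9004 (36868)",  # the descriptor's own type line, not an ACE
    "type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)",
    "access_mask : 0x001f01ff (2032127)", "trustee : S-1-22-1-0",
    "type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)",
    "access_mask : 0x001f01ff (2032127)", "trustee : S-1-22-2-0",
    "type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)",
    "access_mask : 0x00000000 (0)", "trustee : S-1-1-0",
])

def parse_aces(log_text):
    """Return [(ace_type, mask, trustee_sid)]; only SEC_ACE_TYPE_* opens an ACE."""
    aces, cur = [], None
    for line in log_text.splitlines():
        m = FIELD.search(line)
        if not m:
            continue
        key, val = m.groups()
        if key == "type":
            cur = {"type": val} if val.startswith("SEC_ACE_TYPE_") else None
        elif cur is not None:
            cur[key] = val
            if key == "trustee" and "access_mask" in cur:
                aces.append((cur["type"], int(cur["access_mask"], 16), val))
                cur = None
    return aces

def describe(sid):
    for prefix, kind in SID_KINDS.items():
        if sid.startswith(prefix):
            return f"{kind} {sid[len(prefix):]}"
    return WELL_KNOWN.get(sid, sid)

def summarize(log_text):
    """Per ACE: (who, rwx string, whether the mask is FILE_ALL_ACCESS)."""
    return [(describe(sid), "".join(c if mask & b else "-" for b, c in RWX_BITS),
             mask == FILE_ALL_ACCESS) for _t, mask, sid in parse_aces(log_text)]
```

Calling `summarize()` on the full syslog text works the same way, since lines that are not ACE fields are skipped.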
