
[Samba] Use ACL over NFS4


Paul.Ni...@desknetinc.com
Oct 27, 2011, 4:00:01 PM

I have an NFS4 server exporting a folder, and a Samba server importing that
folder which it then turns around and shares over Samba. I would like
Windows machines accessing this folder and its sub folders to be properly
restricted according to ACLs.

The NFS4 server is running CentOS 5.7 and is NFS exporting an EXT4 folder.
The Samba server is running CentOS 6.0, and Samba 3.5.4-68.el6_0.2. On the
Samba server, I am able to use chmod, chown, nfs4_setfacl, ls, and
nfs4_getfacl to set and retrieve file and folder permissions and ACLs in
the NFS4 mounted folder, and it all seems to be working sanely. I have both
servers using winbind. On a Windows 7 machine, I am able to browse to
\\test-samba-server, and see all the Samba shared folders that I've set up
in smb.conf.

Those folders and files where I have restricted or allowed read, write, and
execute permissions for the domain user logged onto the Windows 7 machine,
using the standard POSIX method, work as expected. Thus, I think winbind is
working correctly right now. However, if I try to allow access through
nfs4_setfacl (and keep the file or folder restricted through the file
permissions), the user on the Windows 7 machine is always denied access.

I am seeing this in /var/log/messages when I turn on lots of logging:
Oct 26 16:01:39 test-samba-server smbd[14979]: [2011/10/26 16:01:39.737663,
1] smbd/dosmode.c:255(get_ea_dos_attribute)
Oct 26 16:01:39 test-samba-server smbd[14979]: get_ea_dos_attributes:
Cannot get attribute from EA on file .: Error = Operation not supported

If I share a local EXT4 folder that's been bind mounted with the user_xattr
option, then I don't get the problem there. ACLs restrict and allow the
Windows 7 user as I would expect (I can create them on CentOS using
setfacl), and the logged error does not show up. On the NFS server, I am
specifying the user_xattr option in the bind mount of the folder that I'm
exporting.

NFS4 doesn't have a user_xattr option that I can use when mounting. Does
anyone have any ideas for what I could do to get Samba to use ACLs over
NFS4? If you need more configuration details, or if I could be more clear
on any part, let me know.

Paul Nickerson
IT Systems Administrator & Support
DeskNet Inc.
Portland, Maine

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Jeremy Allison
Oct 27, 2011, 4:30:02 PM
On Thu, Oct 27, 2011 at 03:21:51PM -0400, Paul.Ni...@desknetinc.com wrote:
>
> I have an NFS4 server exporting a folder, and a Samba server importing that
> folder which it then turns around and shares over Samba. I would like
> Windows machines accessing this folder and its sub folders to be properly
> restricted according to ACLs.
>
> The NFS4 server is running CentOS 5.7 and is NFS exporting an EXT4 folder.
> The Samba server is running CentOS 6.0, and Samba 3.5.4-68.el6_0.2. On the
> Samba server, I am able to use chmod, chown, nfs4_setfacl, ls, and
> nfs4_getfacl to set and retrieve file and folder permissions and ACLs in
> the NFS4 mounted folder, and it all seems to be working sanely. I have both
> servers using winbind. On a Windows 7 machine, I am able to browse to
> \\test-samba-server, and see all the Samba shared folders that I've set up
> in smb.conf.
>
> Those folders and files where I have restricted or allowed read, write, and
> execute permissions for the domain user logged onto the Windows 7 machine,
> using the standard POSIX method, work as expected. Thus, I think winbind is
> working correctly right now. However, if I try to allow access through
> nfs4_setfacl (and keep the file or folder restricted through the file
> permissions), the user on the Windows 7 machine is always denied access.
>
> I am seeing this in /var/log/messages when I turn on lots of logging:
> Oct 26 16:01:39 test-samba-server smbd[14979]: [2011/10/26 16:01:39.737663,
> 1] smbd/dosmode.c:255(get_ea_dos_attribute)
> Oct 26 16:01:39 test-samba-server smbd[14979]: get_ea_dos_attributes:
> Cannot get attribute from EA on file .: Error = Operation not supported

This error isn't an ACL error, it's Samba trying to store the extra
Windows attributes into a Linux EA. If NFS doesn't support this, you'll
need to stop Samba from trying to do this by doing:

store dos attributes = no
ea support = no

Unfortunately that means that Samba will have to fall back to trying
to store the (necessary) extra metadata info in the normal POSIX permissions,
which will mess up the NFS ACLs.

It's probably better to move the Samba server onto the same machine
that's exporting NFSv4 and ensure POSIX ACL and EA support are enabled
on that EXT4 disk.

Then Samba can export Windows ACLs correctly if you set:

store dos attributes = yes
ea support = yes
vfs objects = acl_xattr

in the share definition. That causes Samba to store Windows EAs (not
strictly needed), Windows metadata and Windows ACLs into EXT4 EA's.

Jeremy.
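Before choosing between the two share definitions Jeremy gives, it helps to confirm on the actual mount whether user.* extended attributes work at all, since that is what get_ea_dos_attribute needs. The following is an added Python example (my code, not from this thread or the Samba project) that sets, reads back and removes a user.* EA on a scratch file, classifies an ENOTSUP failure as the "Operation not supported" case from Paul's log, and renders the smb.conf share stanza from Jeremy's reply that matches the verdict. The EA name user.DOSATTRIB is the one Samba uses for DOS attributes; the share name and path passed in are placeholders.

```python
import errno
import os
import sys
import tempfile

# errno values the kernel returns when a filesystem has no user.* xattr support;
# smbd logs these as "Operation not supported" (EOPNOTSUPP == ENOTSUP on Linux).
ENOTSUP_CODES = frozenset(getattr(errno, n) for n in ("ENOTSUP", "EOPNOTSUPP")
                          if hasattr(errno, n))

# Share parameters quoted from Jeremy's reply, keyed by probe verdict (constructed mapping).
SHARE_OPTIONS = {
    "supported":   {"store dos attributes": "yes", "ea support": "yes", "vfs objects": "acl_xattr"},
    "unsupported": {"store dos attributes": "no",  "ea support": "no"},
}


def classify_xattr_errno(code):
    """Translate an errno from the probe into a verdict string."""
    if code in ENOTSUP_CODES:
        return "unsupported"     # the failure get_ea_dos_attribute logs on the NFS4 mount
    if code in (errno.EACCES, errno.EPERM):
        return "permission"      # the probe itself was refused; inconclusive
    return "error"


def probe_user_xattr(directory=None, name="user.DOSATTRIB"):
    """Set, read back and remove a user.* EA on a scratch file in `directory`.

    Returns "supported", "unsupported", "permission", "error" or "unavailable"
    (the last when this platform's os module has no xattr calls at all)."""
    if not hasattr(os, "setxattr"):
        return "unavailable"
    directory = directory or tempfile.gettempdir()
    try:
        fd, path = tempfile.mkstemp(dir=directory, prefix=".ea-probe-")
    except OSError as exc:
        return classify_xattr_errno(exc.errno)
    os.close(fd)
    try:
        os.setxattr(path, name, b"0x20")   # the value is irrelevant for the probe
        got = os.getxattr(path, name)
        os.removexattr(path, name)
        return "supported" if got == b"0x20" else "error"
    except OSError as exc:
        return classify_xattr_errno(exc.errno)
    finally:
        os.unlink(path)


def share_stanza(share, path, verdict):
    """Render the [share] definition Jeremy's reply recommends for this verdict."""
    opts = SHARE_OPTIONS.get(verdict)
    if opts is None:
        raise ValueError("probe was inconclusive (%s); resolve that first" % verdict)
    lines = ["[%s]" % share, "path = %s" % path]
    lines += ["%s = %s" % item for item in opts.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python ea_probe.py /path/to/mounted/share   (argument is a placeholder path)
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    verdict = probe_user_xattr(target)
    print("user xattr on %s: %s" % (target, verdict))
    if verdict in SHARE_OPTIONS:
        print(share_stanza("share", target, verdict))
```

Run it as the same Unix user smbd would act as on that share, from the Samba host, so the probe sees the same mount options and permissions; a "permission" verdict means the probe could not be performed rather than that EAs are missing.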

Paul.Ni...@desknetinc.com
Oct 27, 2011, 5:20:02 PM
Jeremy Allison <j...@samba.org> - 10/27/2011 04:28 PM
> This error isn't an ACL error, it's Samba trying to store the extra
> Windows attributes into a Linux EA. If NFS doesn't support this, you'll
> need to stop Samba from trying to do this by doing:
>
> store dos attributes = no
> ea support = no
>
> Unfortunately that means that Samba will have to fall back to trying
> to store the (necessary) extra metadata info in the normal POSIX permissions,
> which will mess up the NFS ACLs.

I can't put Samba on the NFS server, but I may be able to make a large
Samba VM and move the data over to there. Not a very desirable solution for
us, though.

If I turn off both those settings, that error stops, but the Windows
machine is still getting the same access denied. If I can get ACL working
without any EA, it might be good enough for us. We don't need Windows
permission lists or metadata to be kept with files stored on the Samba
server (though I will check with people on that), but we do need different
winbind users and groups to have different access permissions. I'd like to
try getting ACL sans EA working.

Now, with those two options turned off, I am seeing that the first
difference in the logs between using local ACL and NFS4 ACL is as follows
(snipped logs).

The working local ACL:
Oct 27 16:19:12 test-samba-server smbd[29532]: [2011/10/27 16:19:12.418061,
3] smbd/vfs.c:1008(check_reduced_name)
Oct 27 16:19:12 test-samba-server smbd[29532]: check_reduced_name: .
reduced to /imports/localacl/localACLdir
Oct 27 16:19:12 test-samba-server winbindd[1271]: [2011/10/27
16:19:12.418959, 3]
winbindd/winbindd_getpwuid.c:47(winbindd_getpwuid_send)
Oct 27 16:19:12 test-samba-server winbindd[1271]: getpwuid 16777216
Oct 27 16:19:12 test-samba-server winbindd[1271]: [2011/10/27
16:19:12.420362, 3]
winbindd/winbindd_getpwuid.c:47(winbindd_getpwuid_send)
Oct 27 16:19:12 test-samba-server winbindd[1271]: getpwuid 16777216
Oct 27 16:19:12 test-samba-server smbd[29532]: [2011/10/27 16:19:12.422693,
3] smbd/process.c:1485(process_smb)
Oct 27 16:19:12 test-samba-server smbd[29532]: Transaction 119 of length
114 (0 toread)

The not working NFS4 ACL:
Oct 27 16:40:59 test-samba-server smbd[29936]: [2011/10/27 16:40:59.390591,
3] smbd/vfs.c:1008(check_reduced_name)
Oct 27 16:40:59 test-samba-server smbd[29936]: check_reduced_name: .
reduced to /imports/boundeddrive/forPaulACL
Oct 27 16:40:59 test-samba-server smbd[29936]: [2011/10/27 16:40:59.391973,
1] ../librpc/ndr/ndr.c:214(ndr_print_debug)
Oct 27 16:40:59 test-samba-server smbd[29936]: sd: struct
security_descriptor
Oct 27 16:40:59 test-samba-server smbd[29936]: revision
: SECURITY_DESCRIPTOR_REVISION_1 (1)
Oct 27 16:40:59 test-samba-server smbd[29936]: type
: 0x9004 (36868)
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_OWNER_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_GROUP_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 1:
SEC_DESC_DACL_PRESENT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_DACL_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_SACL_PRESENT
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_SACL_DEFAULTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_DACL_TRUSTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_SERVER_SECURITY
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_DACL_AUTO_INHERIT_REQ
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_SACL_AUTO_INHERIT_REQ
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_DACL_AUTO_INHERITED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_SACL_AUTO_INHERITED
Oct 27 16:40:59 test-samba-server smbd[29936]: 1:
SEC_DESC_DACL_PROTECTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_SACL_PROTECTED
Oct 27 16:40:59 test-samba-server smbd[29936]: 0:
SEC_DESC_RM_CONTROL_VALID
Oct 27 16:40:59 test-samba-server smbd[29936]: 1:
SEC_DESC_SELF_RELATIVE
Oct 27 16:40:59 test-samba-server smbd[29936]: owner_sid
: *
Oct 27 16:40:59 test-samba-server smbd[29936]: owner_sid
: S-1-22-1-0
Oct 27 16:40:59 test-samba-server smbd[29936]: group_sid
: *
Oct 27 16:40:59 test-samba-server smbd[29936]: group_sid
: S-1-22-2-0
Oct 27 16:40:59 test-samba-server smbd[29936]: sacl
: NULL
Oct 27 16:40:59 test-samba-server smbd[29936]: dacl
: *
Oct 27 16:40:59 test-samba-server smbd[29936]: dacl: struct
security_acl
Oct 27 16:40:59 test-samba-server smbd[29936]: revision
: SECURITY_ACL_REVISION_NT4 (2)
Oct 27 16:40:59 test-samba-server smbd[29936]: size
: 0x004c (76)
Oct 27 16:40:59 test-samba-server smbd[29936]: num_aces
: 0x00000003 (3)
Oct 27 16:40:59 test-samba-server smbd[29936]: aces:
ARRAY(3)
Oct 27 16:40:59 test-samba-server smbd[29936]: aces:
struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]:
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
flags : 0x00 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_OBJECT_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_CONTAINER_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_INHERIT_ONLY
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_INHERITED_ACE
Oct 27 16:40:59 test-samba-server smbd[29936]:
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_FAILED_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:
size : 0x0018 (24)
Oct 27 16:40:59 test-samba-server smbd[29936]:
access_mask : 0x001f01ff (2032127)
Oct 27 16:40:59 test-samba-server smbd[29936]:
object : union security_ace_object_ctr(case 0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
trustee : S-1-22-1-0
Oct 27 16:40:59 test-samba-server smbd[29936]: aces:
struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]:
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
flags : 0x00 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_OBJECT_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_CONTAINER_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_INHERIT_ONLY
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_INHERITED_ACE
Oct 27 16:40:59 test-samba-server smbd[29936]:
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_FAILED_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:
size : 0x0018 (24)
Oct 27 16:40:59 test-samba-server smbd[29936]:
access_mask : 0x001f01ff (2032127)
Oct 27 16:40:59 test-samba-server smbd[29936]:
object : union security_ace_object_ctr(case 0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
trustee : S-1-22-2-0
Oct 27 16:40:59 test-samba-server smbd[29936]: aces:
struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]:
type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
flags : 0x00 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_OBJECT_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_CONTAINER_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_NO_PROPAGATE_INHERIT
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_INHERIT_ONLY
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_INHERITED_ACE
Oct 27 16:40:59 test-samba-server smbd[29936]:
0x00: SEC_ACE_FLAG_VALID_INHERIT (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_SUCCESSFUL_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:
0: SEC_ACE_FLAG_FAILED_ACCESS
Oct 27 16:40:59 test-samba-server smbd[29936]:
size : 0x0014 (20)
Oct 27 16:40:59 test-samba-server smbd[29936]:
access_mask : 0x00000000 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
object : union security_ace_object_ctr(case 0)
Oct 27 16:40:59 test-samba-server smbd[29936]:
trustee : S-1-1-0
Oct 27 16:40:59 test-samba-server smbd[29936]: [2011/10/27 16:40:59.400418,
3] smbd/error.c:80(error_packet_set)
Oct 27 16:40:59 test-samba-server smbd[29936]: error packet at
smbd/error.c(160) cmd=162 (SMBntcreateX) NT_STATUS_ACCESS_DENIED

Up to this point, the logs are significantly identical. As best I can tell,
in the NFS4 case, Samba isn't even trying to ask winbind for info, but
instead is just returning the POSIX permissions (root:root, rwxrwx---). Is
that what's happening?

Paul Nickerson
IT Systems Administrator & Support
DeskNet Inc.
Portland, Maine
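Reading the ndr_print dump above by hand is error-prone, so here is an added Python example (my code, not Paul's and not part of Samba) that parses the owner, group and ACE fields out of smbd log lines and runs a simplified NT DACL walk for a given Unix uid and group list. The sample input is the dump from the post re-joined onto one syslog line per field, as smbd actually writes it; the uid 16777216 is the winbind uid from the working local-ACL log earlier in the same post; S-1-22-1-<uid> and S-1-22-2-<gid> are Samba's Unix Users and Unix Groups SIDs. The walk leaves out owner-implicit rights and generic-bit mapping, and treats domain SIDs as non-matching because no winbind lookup is modelled.

```python
import re

# Constructed sample: the security_descriptor dump from the post, one field per
# syslog line as smbd writes it (the mail client wrapped the original lines).
SAMPLE_LOG = """\
Oct 27 16:40:59 test-samba-server smbd[29936]: sd: struct security_descriptor
Oct 27 16:40:59 test-samba-server smbd[29936]: revision : SECURITY_DESCRIPTOR_REVISION_1 (1)
Oct 27 16:40:59 test-samba-server smbd[29936]: type : 0x9004 (36868)
Oct 27 16:40:59 test-samba-server smbd[29936]: owner_sid : *
Oct 27 16:40:59 test-samba-server smbd[29936]: owner_sid : S-1-22-1-0
Oct 27 16:40:59 test-samba-server smbd[29936]: group_sid : *
Oct 27 16:40:59 test-samba-server smbd[29936]: group_sid : S-1-22-2-0
Oct 27 16:40:59 test-samba-server smbd[29936]: sacl : NULL
Oct 27 16:40:59 test-samba-server smbd[29936]: dacl : *
Oct 27 16:40:59 test-samba-server smbd[29936]: num_aces : 0x00000003 (3)
Oct 27 16:40:59 test-samba-server smbd[29936]: aces: struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]: type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: access_mask : 0x001f01ff (2032127)
Oct 27 16:40:59 test-samba-server smbd[29936]: trustee : S-1-22-1-0
Oct 27 16:40:59 test-samba-server smbd[29936]: aces: struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]: type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: access_mask : 0x001f01ff (2032127)
Oct 27 16:40:59 test-samba-server smbd[29936]: trustee : S-1-22-2-0
Oct 27 16:40:59 test-samba-server smbd[29936]: aces: struct security_ace
Oct 27 16:40:59 test-samba-server smbd[29936]: type : SEC_ACE_TYPE_ACCESS_ALLOWED (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: access_mask : 0x00000000 (0)
Oct 27 16:40:59 test-samba-server smbd[29936]: trustee : S-1-1-0
"""

# NT file access-mask bits; 0x001f01ff (all of them) is the full-control mask on
# the owner and group ACEs in the dump.
ACCESS_BITS = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
FILE_GENERIC_READ = 0x00120089   # READ_DATA | READ_EA | READ_ATTRIBUTES | READ_CONTROL | SYNCHRONIZE

# Strips the syslog prefix (if any) and splits "key : value".
FIELD_RE = re.compile(r"^(?:.*?smbd\[\d+\]:\s*)?(\w+)\s*:\s*(.*?)\s*$")


class Ace:
    def __init__(self, ace_type, mask, trustee):
        self.ace_type, self.mask, self.trustee = ace_type, mask, trustee


class SecurityDescriptor:
    def __init__(self):
        self.owner, self.group, self.aces = "", "", []


def parse_sd_dump(lines):
    """Collect owner, group and the DACL's ACEs from ndr_print log lines."""
    sd, cur = SecurityDescriptor(), {}
    for line in lines:
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.groups()
        if val == "*":                      # pointer marker printed before the real value
            continue
        if key == "owner_sid":
            sd.owner = val
        elif key == "group_sid":
            sd.group = val
        elif key == "type" and val.startswith("SEC_ACE_TYPE_"):
            cur = {"type": val.split()[0]}  # start of a new ACE
        elif key == "access_mask" and cur:
            cur["mask"] = int(val.split()[0], 16)
        elif key == "trustee" and cur:
            sd.aces.append(Ace(cur["type"], cur["mask"], val))
            cur = {}
    return sd


def trustee_matches(sid, uid, gids):
    """Match Samba's Unix Users / Unix Groups SIDs and Everyone; domain SIDs would
    need winbind's SID-to-uid mapping, which is not modelled here."""
    if sid == "S-1-1-0":
        return True
    if sid.startswith("S-1-22-1-"):
        return int(sid.rsplit("-", 1)[1]) == uid
    if sid.startswith("S-1-22-2-"):
        return int(sid.rsplit("-", 1)[1]) in gids
    return False


def check_access(sd, uid, gids, desired):
    """Simplified NT DACL walk: ACEs in order; a matching deny of any still-ungranted
    desired bit fails immediately; success requires every desired bit to be allowed."""
    granted = 0
    for ace in sd.aces:
        if not trustee_matches(ace.trustee, uid, gids):
            continue
        if ace.ace_type == "SEC_ACE_TYPE_ACCESS_ALLOWED":
            granted |= ace.mask
        elif ace.ace_type == "SEC_ACE_TYPE_ACCESS_DENIED" and desired & ace.mask & ~granted:
            return False
    return (desired & ~granted) == 0


def describe_mask(mask):
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]


if __name__ == "__main__":
    sd = parse_sd_dump(SAMPLE_LOG.splitlines())
    print("owner %s group %s" % (sd.owner, sd.group))
    for ace in sd.aces:
        print("  %-28s %-12s %s" % (ace.ace_type, ace.trustee, describe_mask(ace.mask) or ["(none)"]))
    for uid in (0, 16777216):    # root, then the winbind uid seen in the local-ACL log
        print("uid %d read access: %s" % (uid, check_access(sd, uid, [uid], FILE_GENERIC_READ)))
```

For the dump in the post, the walk grants full control to uid 0 and gid 0 and nothing to anyone else, because the only ACE that could match another user is the Everyone entry whose mask is zero; that is the same picture as the POSIX root:root rwxrwx--- that Paul reads out of it.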
