Bug 11490 - samba-4.2.3 seems ACL support is not available on HPUX
Summary: samba-4.2.3 seems ACL support is not available on HPUX
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.2.3
Hardware: All HP-UX
: P1 regression (vote)
Target Milestone: ---
Assignee: Björn Jacke
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-03 11:20 UTC by jinyunshuai
Modified: 2017-12-06 16:19 UTC (History)
3 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description jinyunshuai 2015-09-03 11:20:27 UTC
configuring samba-4.2.3 will get the error of "ACL support not found" on hpux, as:
===============
/home/samba-4.2.3/source3/wscript:481: error: ACL support not found. Try installing libacl1-dev or libacl-devel.  Otherwise, use --without-acl-support to build without ACL support. ACL support is required to change permissions from Windows clients.
Comment 1 jinyunshuai 2015-09-03 11:23:27 UTC
The related configure codes:
======================
    if Options.options.with_acl_support:
        if (host_os.rfind('hpux') > -1):
                Logs.info('Using HPUX ACLs')
                conf.DEFINE('HAVE_HPUX_ACLS',1)
                conf.DEFINE('POSIX_ACL_NEEDS_MASK',1)
                default_static_modules.extend(TO_LIST('vfs_hpuxacl'))
        elif (host_os.rfind('aix') > -1):
                Logs.info('Using AIX ACLs')
                conf.DEFINE('HAVE_AIX_ACLS',1)
                default_static_modules.extend(TO_LIST('vfs_aixacl vfs_aixacl2'))
        elif (host_os.rfind('darwin') > -1):
            Logs.warn('ACLs on Darwin currently not supported')
            conf.fatal("ACL support not available on Darwin/MacOS. "
                       "Use --without-acl-support for building without "
                       "ACL support. "
                       "ACL support is required to change permissions "
                       "from Windows clients.")
        else:
            conf.CHECK_FUNCS_IN(['acl_get_file'], 'acl')
            if conf.CHECK_CODE('''

===========================
On hpux platform, the uname sysname type is "HP-UX", so we can change "host_os.rfind('hpux')" to "host_os.rfind('hp-ux')", can fix the above issue.
Comment 2 jinyunshuai 2015-09-03 11:32:54 UTC
After above fix, will get following build errors :
=========================
In file included from ../source3/include/includes.h:363,
                 from ../source3/lib/sysacls.c:22:
../source3/../lib/util/samba_util.h:877: warning: parameter has incomplete type
../source3/lib/sysacls.c: In function `sys_acl_get_permset':
../source3/lib/sysacls.c:98: warning: assignment from incompatible pointer type
../source3/lib/sysacls.c: In function `sys_acl_get_file':
../source3/lib/sysacls.c:501: error: too many arguments to function `hpuxacl_sys_acl_get_file'
../source3/lib/sysacls.c: In function `sys_acl_get_fd':
../source3/lib/sysacls.c:507: error: too many arguments to function `hpuxacl_sys_acl_get_fd'
=========================
The root cause of the issue is:
hpuxacl_sys_acl_get_file function declared as:
=============================
SMB_ACL_T hpuxacl_sys_acl_get_file(vfs_handle_struct *handle,
				   const char *path_p,
				   SMB_ACL_TYPE_T type);
==========================
but it be called as:
====================
hpuxacl_sys_acl_get_file(handle, path_p, type, mem_ctx)
====================

solution: 

do following changes in source3/modules/vfs_hpuxacl.h 
================
SMB_ACL_T hpuxacl_sys_acl_get_file(vfs_handle_struct *handle,
				   const char *path_p,
				   SMB_ACL_TYPE_T type);

SMB_ACL_T hpuxacl_sys_acl_get_fd(vfs_handle_struct *handle,
				 files_struct *fsp);
=========================
to 
========================
SMB_ACL_T hpuxacl_sys_acl_get_file(vfs_handle_struct *handle,
                                   const char *path_p,
                                   SMB_ACL_TYPE_T type,
                                   TALLOC_CTX *mem_ctx);

SMB_ACL_T hpuxacl_sys_acl_get_fd(vfs_handle_struct *handle,
                                 files_struct *fsp,
                                 TALLOC_CTX *mem_ctx);
================================


then rebuild, will get following error:
================================
../source3/modules/vfs_hpuxacl.c: In function `hpuxacl_sys_acl_delete_def_file':                     
../source3/modules/vfs_hpuxacl.c:369: error: too few arguments to function `hpuxacl_sys_acl_get_file'
 
=================

the root cause is the hpuxacl_sys_acl_get_file be called as in vfs_hpuxacl.c:369: 
===============
smb_acl = hpuxacl_sys_acl_get_file(handle, path, 
					   SMB_ACL_TYPE_ACCESS);
================

the solution:
add TALLOC_CTX *mem_ctx; line, and change
smb_acl = hpuxacl_sys_acl_get_file(handle, path,SMB_ACL_TYPE_ACCESS); to smb_acl = hpuxacl_sys_acl_get_file(handle, path,SMB_ACL_TYPE_ACCESS,mem_ctx); in ../source3/modules/vfs_hpuxacl.c:369.
Comment 3 Volker Lendecke 2015-09-03 11:43:27 UTC
(In reply to jinyunshuai from comment #2)

Any chance you get us the required changes as diff or even git format-patch patches?

https://wiki.samba.org/index.php/Using_Git_for_Samba_Development

has a very brief intoduction to what is necessary.
Comment 4 jinyunshuai 2015-09-03 11:52:52 UTC
After above fixes, samba-4.2.3 can be built succcessfully.

But there are some permission issue.  when using smbclient to access samba server share dir, will get the error of "NT_STATUS_ACCESS_DENIED" 

the share dir:
================
drwxrwxrwx   2 root       sys             96 Sep  2 05:13 share-test
=======================

the logs:
============================
  11959 [2015/09/02 05:36:00.768474,  4, pid=19366, effective(10008, 10008), real(0, 0)] ../source3/smbd/sec_ctx.c:421(pop_sec_ctx)
  11960   pop_sec_ctx (10008, 10008) - sec_ctx_stack_ndx = 0
  11961 [2015/09/02 05:36:00.768733, 10, pid=19366, effective(10008, 10008), real(0, 0)] ../source3/passdb/lookup_sid.c:1112(legacy_gid_to_sid)
  11962   LEGACY: gid 3 -> sid S-1-22-2-3
  11963 [2015/09/02 05:36:00.769209, 10, pid=19366, effective(10008, 10008), real(0, 0), class=acls] ../source3/smbd/posix_acls.c:2724(canonicalise_acl)
  11964   canonicalise_acl: Access ace entries before arrange :
  11965 [2015/09/02 05:36:00.769453, 10, pid=19366, effective(10008, 10008), real(0, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
  11966   canon_ace index 0. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
  11967 [2015/09/02 05:36:00.769845, 10, pid=19366, effective(10008, 10008), real(0, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
  11968   canon_ace index 1. Type = allow SID = S-1-22-2-3 gid 3 (sys) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
  11969 [2015/09/02 05:36:00.771356, 10, pid=19366, effective(10008, 10008), real(0, 0), class=acls] ../source3/smbd/posix_acls.c:2737(canonicalise_acl)
  11970   canon_ace index 2. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms ---
  11971 [2015/09/02 05:36:00.772131, 10, pid=19366, effective(10008, 10008), real(0, 0), class=acls] ../source3/smbd/posix_acls.c:848(print_canon_ace_list)
  11972   print_canon_ace_list: canonicalise_acl: ace entries after arrange
  11973   canon_ace index 0. Type = allow SID = S-1-22-1-0 uid 0 (root) SMB_ACL_USER_OBJ ace_flags = 0x0 perms ---
  11974   canon_ace index 1. Type = allow SID = S-1-22-2-3 gid 3 (sys) SMB_ACL_GROUP_OBJ ace_flags = 0x0 perms ---
  11975   canon_ace index 2. Type = allow SID = S-1-1-0 other SMB_ACL_OTHER ace_flags = 0x0 perms ---
  11976 [2015/09/02 05:36:00.773262, 10, pid=19366, effective(10008, 10008), real(0, 0), class=acls] ../source3/smbd/posix_acls.c:1110(map_canon_ace_perms)
  11977   map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
  11978 [2015/09/02 05:36:00.773505, 10, pid=19366, effective(10008, 10008), real(0, 0), class=acls] ../source3/smbd/posix_acls.c:1110(map_canon_ace_perms)
  11979   map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
  11980 [2015/09/02 05:36:00.773732, 10, pid=19366, effective(10008, 10008), real(0, 0), class=acls] ../source3/smbd/posix_acls.c:1110(map_canon_ace_perms)
  11981   map_canon_ace_perms: Mapped (UNIX) 0 to (NT) 0
  11982 [2015/09/02 05:36:00.774715, 10, pid=19366, effective(10008, 10008), real(0, 0)] ../source3/smbd/open.c:174(smbd_check_access_rights)
  11983   smbd_check_access_rights: file . requesting 0x1 returning 0x1 (NT_STATUS_ACCESS_DENIED)
===========================
Comment 5 jinyunshuai 2015-09-05 02:37:50 UTC
Hi Guys,  have any opinion about above issue? or any tips ?  

Thank you in advance。
Comment 6 Björn Jacke 2015-09-11 16:43:38 UTC
i don't think that this is related to the build bug. I don't even think the access denies is a bug so this is not for bugzilla. if would be great if you can add a patch for the build issue here.
Comment 7 jinyunshuai 2015-09-14 01:28:24 UTC
the access denies is not a bug? you think the access denies is reasonable?
can you analyze this issue to us?


according to my understanding, as the share dir permission as followng shows, we should have right to access this share dir.
================
drwxrwxrwx   2 root       sys             96 Sep  2 05:13 share-test
=======================
Comment 8 jinyunshuai 2015-09-14 02:17:25 UTC
(In reply to Björn Jacke from comment #6)

the access denies is not a bug? you think the access denies is reasonable?
can you analyze this issue to us?


according to my understanding, as the share dir permission as followng shows, we should have right to access this share dir.
================
drwxrwxrwx   2 root       sys             96 Sep  2 05:13 share-test
=======================

and if add "--without-acl-support" to configure. 
and do not exist access denies issue we talked above.
Comment 9 Björn Jacke 2015-09-14 07:06:00 UTC
first of all this is unrelated to the builg bug you reported here, don't mix different problems in one bug report. Apart of that the S-1-22 SID shows me that you don't have unmapped unix (not domain) users here. In addition to that you just show the classical rights, that "ls" shows, which does not reflect any ACLs you might have set. This is definetely unrelated to this bug report. For support you might consult https://www.samba.org/samba/support/
Comment 10 Arjit 2016-11-29 05:21:16 UTC
I am getting the same NT_STATUS_ACCESS_DENIED issue with samba 4.5.0 on hpux ia64.
Is this issue been resolved ?
Or any patch is available for the same ?
Comment 11 Uri Simchoni 2017-11-27 20:21:44 UTC
Anyone using hpux and encountering the "access denied" issue pointerd at in comment #4 - can you open a separate bug (if it still exists)? I may have a fix for that, but I think it would be prudent to report it as a separate bug because this one was initially reported as a build issue.
Comment 12 Björn Jacke 2017-12-06 16:19:34 UTC
and the POSIX ACL bug is what bug 13176 is about. Closing this build bug report now.