Bug 9160 - add_current_ace_to_acl: malformed ACL in file ACL
Summary: add_current_ace_to_acl: malformed ACL in file ACL
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: x64 Linux
: P5 critical (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
: 9275 (view as bug list)
Depends on: 9406
Blocks: 9342
  Show dependency treegraph
 
Reported: 2012-09-13 19:20 UTC by Jacob Oliver (mail address dead)
Modified: 2020-12-19 20:20 UTC (History)
2 users (show)

See Also:


Attachments
Attached log file (4.47 MB, text/plain)
2012-09-13 19:20 UTC, Jacob Oliver (mail address dead)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jacob Oliver (mail address dead) 2012-09-13 19:20:28 UTC
Created attachment 7892 [details]
Attached log file

Every time I attempt to modify an ACE on a share via windows (Using S3fs), the deny permission will either be deleted (Only deny permissions if there are allows for the certain user/group), or if I set the user/group to Deny: Full control, the entire ACE is deleted.

Here's a portion of my smb.conf (Containing the shares I've tested with).

[global]
    server role = domain controller
    workgroup = MESTIZAJE
    realm = mestizaje.org
    netbios name = M-DC-01
    disable netbios = false
    server string = Mestizaje Domain Controller
    dns forwarder = 8.8.8.8
    dns recursive queries = yes
    allow dns updates = signed
    use spnego = true
    client use spnego principal = true
    local master = true
    preferred master = true
    paranoid server security = true
    server signing = true
    client signing = true
    tls enabled = true
    idmap trusted only = true
    encrypt passwords = true
    null passwords = false
    client plaintext auth = false
    lanman auth = false
    client lanman auth = false
    ntlm auth = false
    client ntlmv2 auth = true
# Did break windows 7    server max protocol = SMB2
    min protocol = NT1
    server max protocol = NT1
    server min protocol = NT1
# Did break windows 7    client max protocol = SMB2
    client max protocol = NT1
    client min protocol = NT1
    interfaces = bond0 lo
    bind interfaces only = true
    hosts deny = 0.0.0.0/0
    hosts allow = 192.168.1.0/24
    idmap trusted only = true
    encrypt passwords = true
    time server = true
    csc policy = disable
    oplocks = true
    null passwords = false
    max wins ttl = 10
    wins support = true
    winbind sealed pipes = true
    rpc big endian = false
    dns proxy = true
    strict locking = false
#    max xmit = 16384
## 65535 < Performance than 32768 < Performance Than 49152
    socket options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY IPTOS_THROUGHPUT SO_SNDBUF=49152 SO_RCVBUF=49152
    unix charset = UTF-8
    dos charset = CP850
    unicode = true
    read raw = false
    write raw = true
    host msdfs = false
    case insensitive filesystem = false
    unix extensions = true
    nt status support = true
    nt acl support = true
    acl check permissions = true
    acl compatibility = win2k
    ea support = true
    store dos attributes = true
    hide files = /*.db/*.ini/*RECYCLE*/.*/*.vbs/*.bat/*.dat/*.adm/*.adml/*.admx/*.msc/*.mmc/*.tmp/*.sys/$*/*.log/*.reg/
    hide dot files = true
    log level = 10
    debug level = 10
    #max log size = 96
    log file = /mestizaje.org/Samba/Logs/Samba4.Amorak.s4rw
    template shell = /bin/bash
    template homedir = /home/mestizaje.org/%USERNAME%
## Testing s3fs
# Implemented into stable at 4.0.0Beta2
#    server services = -smb +s3fs
#    dcerpc endpoint servers = -winreg -srvsvc
## Printing subsection
    load printers = true
    printing = cups
    printcap name = cups
    cups options = "raw media=a4"
    use client driver = false
## End of testing s3fs
#    force create mode = 0750
#    force directory mode = 0750
## Virtual Server Configuration
#    The parameter is incorrect
#    netbios aliases = Kushtaka
#    smb ports = 139
#    include /usr/local/samba/etc/VirtualServers/smb.conf.Kushtaka
## End of virtual server configuration

[netlogon]
    path = /mestizaje.org/Shares/SYSVOL/mestizaje.org/scripts
    comment = NETLOGON
    volume = NETLOGON
    read only = false
    browseable = false
    fstype = NTFS
    map hidden = false

[sysvol]
    path = /mestizaje.org/Shares/SYSVOL
    comment = SYSVOL
    volume = SYSVOL
    read only = false
    browseable = false
    fstype = NTFS
    map hidden = false

## Printing Shares
#[printers]
#    path = /mestizaje.org/Shares/Printers/spool
#    comment = Printer Spool Share
#    volume = PRINTERS
#    browseable = false
#    printable = true
#    read only = true
#    create mask = 0777
#    guest ok = true
#
#[print$]
#    path = /mestizaje.org/Shares/Install/Drivers/Printers
#    volume = PRINTDRIVERS
#    comment = Printer Drivers
#    read only = false
#    create mask = 0755
#    directory mask = 0755
#    browseable = false
#    printable = false
#    fstype = NTFS

# Admins Profiles

[AdminsProfiles$]
    path = /mestizaje.org/Profiles/Admins/Profile
    volume = USERDATA
    comment = My Profile
    read only = false
    create mask = 0600
    create mask = 0600
    force create mode = 0600
    directory mask = 0700
    force directory mode = 0700
    browseable = false
    printable = false
    fstype = NTFS
    csc policy = disable

[AdminsDocs$]
    path = /mestizaje.org/Profiles/Documents/Admins
    volume = USERDOCS
    comment = My Documents
    read only = false
    create mask = 0600
    force create mode = 0600
    directory mask = 0700
    force directory mode = 0700
    browseable = false
    printable = false
    fstype = NTFS
    msdfs root = false
#    recycle: config-files = /usr/local/samba/etc/samba/samba-recycle.conf
#    vfs objects = recycle
#    recycle:keeptree = true
#    recycle:touch = true
#    recycle:touch_mtime = true
#    recycle:maxsize = 67108864
#    recycle:versions = true
#    recycle:repository = /mestizaje.org/Profiles/MyDocs/Admins/%U/Trash
#    recycle:exclude = *.tmp,*.temp,*.o,*.obj,~$*,*.~??,*.dat,*.ini
    oplocks = true

[AdminsAppData$]
    path = /mestizaje.org/Profiles/Admins/AppData
    volume = APPLICATIONDATA
    comment = APPLICATIONDATA
    read only = false
    create mask = 0600
    force create mode = 0600
    directory mask = 0700
    force directory mode = 0700
    recycle: config-files = /usr/local/samba/etc/samba/samba-recycle.conf
    browseable = false
    printable = false
    fstype = NTFS


I have attached a log file with a debug and log level of 10 below.
Comment 1 Jacob Oliver (mail address dead) 2012-09-13 19:30:14 UTC
Just a note - It's Samba4 Beta8 compiled with:

./configure --enable-uid-wrapper --enable-socket-wrapper --enable-nss-wrapper --enable-gnutls --enable-cups --download

On Ubuntu 12.04
Comment 2 Jacob Oliver (mail address dead) 2012-09-17 13:38:19 UTC
Can also be confirmed on RC1 compiled with the same options.
I've also tested on EXT4 with user_xattrs and acl, and XFS, and the bug still appears.

The domain was provisioned with the --use_xattrs=yes option. Could that possibly be related the problem?
Comment 3 Jacob Oliver (mail address dead) 2012-10-01 15:17:24 UTC
Okay, so for anyone else who comes across this, I'd recommend looking through the mailing lists.

It turns out that this can be fixed by adding:

vfs objects = acl_xattr

to each share that requires ACL's to be mapped.
Comment 4 Inno Yev 2012-10-10 11:42:09 UTC
Thanks a lot man. you cannot imagine how this small line save my days of stress

(In reply to comment #3)
> Okay, so for anyone else who comes across this, I'd recommend looking through
> the mailing lists.
> 
> It turns out that this can be fixed by adding:
> 
> vfs objects = acl_xattr
> 
> to each share that requires ACL's to be mapped.
Comment 5 Jacob Oliver (mail address dead) 2012-10-10 18:59:18 UTC
It's cool, but I still think that the ACE issue needs to be addressed. The Samba team have completely ignored that this issue exists, which is a shame as they've produced a great piece of software. But on a heavily loaded server, this system wouldn't work as all of the ACE's are stored in a TDB file, so the server will end up spending half of it's time checking whether the user is actually allowed to access the requested resource. I used Samba to attempt to slowly budge away from Windows completely, not to get halfway through beta stage and have to consider moving my primary fileserver over to Server 2008 just because I couldn't set a Deny ACE. Please guys, get this sorted, because if you want businesses to be able to replace their existing environments with Samba4, whether it's as a DC or a File Server, if they find a bug as large as this they'll run a mile.
Comment 6 Andrew Bartlett 2012-11-16 10:10:20 UTC
Except for the suggestion around ACL lookups being against a TDB (they are not, they are stored in an xattr in the filesystem) this should be fully addressed by the patch attached to bug #9406.

We do apologise for the time it has taken to address this regression.

Thanks,
Comment 7 Karolin Seeger 2012-12-04 11:07:42 UTC
Should be fixed in Samba 4.0.0rc6.
Please feel free to re-open if it's still an issue.

Thanks!
Comment 8 Björn Jacke 2020-12-19 20:20:29 UTC
*** Bug 9275 has been marked as a duplicate of this bug. ***