Problems with ACL support in Samba 2.2.5 - 2.2.8
Trying to add users using security tab i WinXP doesn't work for us, no users are added. Existing ACLs are possible to change and delete. This behavior has been identified with both Solaris 2.6, Linux 2.4.9-31 with XFS, Samba 2.2.5 and 2.2.8. I'm attaching global part of out smb.conf and a snippet from the log. Regards, Johannes smb.conf: [global] workgroup = SGU security = DOMAIN encrypt passwords = Yes min passwd length = 6 password server = sys4 sgu4 username map = /usr/local/samba/lib/users.map log file = /var/opt/samba/log/%m deadtime = 10 character set = ISO8859-1 wins server = 10.1.20.104 invalid users = smsclitoknacct& smsclisvcacct& create mask = 0644 host msdfs = yes inherit acls = yes log level = 2 Log: [2003/03/28 16:09:27, 2] lib/util_sock.c:open_socket_out(873) error connecting to 10.1.20.104:445 (Connection refused) [2003/03/28 16:09:28, 1] smbd/service.c:make_connection(636) sp078 (10.1.20.94) connect to service lab as user jste (uid=133, gid=100) (pid 10936) [2003/03/28 16:09:39, 0] smbd/service.c:make_connection(251) sp078 (10.1.20.94) couldn't find service la [2003/03/28 16:09:42, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2050) Returning domain sid for domain PCHYD29 -> S-1-5-21-195616947-1880241807-4126645089 [2003/03/28 16:09:42, 2] passdb/pdb_smbpasswd.c:startsmbfilepwent(170) startsmbfilepwent_internal: unable to open file /etc/samba/smbpasswd. Error was No such file or directory [2003/03/28 16:09:42, 0] passdb/pdb_smbpasswd.c:pdb_getsampwrid(1418) unable to open passdb database. [2003/03/28 16:09:46, 0] smbd/posix_acls.c:create_canon_ace_lists(1017) create_canon_ace_lists: unable to map SID S-1-5-21-1444693150-211357965-837300805-2170 to uid or gid. [2003/03/28 16:11:25, 0] smbd/service.c:make_connection(251) sp078 (10.1.20.94) couldn't find service la [2003/03/28 16:11:28, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2050) Returning domain sid for domain PCHYD29 -> S-1-5-21-195616947-1880241807-4126645089 [2003/03/28 16:11:35, 0] smbd/posix_acls.c:create_canon_ace_lists(1017) create_canon_ace_lists: unable to map SID S-1-5-21-1444693150-211357965-837300805-1084 to uid or gid. [2003/03/28 16:11:37, 0] smbd/service.c:make_connection(251) sp078 (10.1.20.94) couldn't find service la [2003/03/28 16:11:39, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2050) Returning domain sid for domain PCHYD29 -> S-1-5-21-195616947-1880241807-4126645089 [2003/03/28 16:12:06, 0] smbd/service.c:make_connection(251) sp078 (10.1.20.94) couldn't find service la [2003/03/28 16:12:08, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2050) Returning domain sid for domain PCHYD29 -> S-1-5-21-195616947-1880241807-4126645089 [2003/03/28 16:12:17, 0] smbd/posix_acls.c:create_canon_ace_lists(1017) create_canon_ace_lists: unable to map SID S-1-5-21-1444693150-211357965-837300805-1029 to uid or gid. [2003/03/28 16:13:35, 1] smbd/service.c:close_cnum(675) sp078 (10.1.20.94) closed connection to service lab [2003/03/28 16:13:35, 2] smbd/server.c:exit_server(511)
ACL support 2.2.7a
Client: Windows XP Server: Samba 2.2.2, 2.2.5 - Solaris 2.6, 8 Security: Domain, NT PDC We have the same problem a you but with XP not NT. Have your resolved it? ACL's can be modified from the security tab from windows XP but not added. Using NT it works. Users and groups are listed as: MACHINE\user MACHINE\group but when you try to add a user / group the only thing XP accept is: DOMAIN\user and DOMAIN\group and when you apply the rights they disappear. Usernames are the same in NIS and the NT domain. Regards, Johannes - I used the following environment: - Samba 2.2.7a - AIX 5.2 - PDC on NT Operations that work: - Change a manually added, with acledit, acl user or group entry from NT - Remove a manually, added, with acledit, acl user or group entry from NT Operations that does not work: - Add acl user or group entry from NT (the user can manually add acl entries with acledit on the file) This worked on AIX 5.1 with Samba 2.2.5 (tested with users). Maybe the acl structures has been changed in AIX 5.2? Logfile shows that chacl() sets errno 2 (ENOENT) indicating that the file does not exist: ... Starting AIX sys_acl_set_permset entry->ace_access = 448 Ending AIX sys_acl_set_permset user_obj=1, group_obj=1, other_obj=1 Entering sys_acl_set_file File name is testit.txt errno is 2 return code is 0 Exiting the sys_acl_set_file ... ls -l testit.txt: total 1 -rwxrwxrwx 1 aaa a24 Jan 21 14:42 testit.txt aclget testit.txt: attributes: base permissions owner(aaa): rwx group(a): rwx others: rwx extended permissions enabled
System documentation of Samba
One of our servers crashed and when we booted it again one Samba process hung and grabbed one of the servers cpu's. When we killed the samba process, another process generated 100% load on one cpu. From the log file: smbd/open.c:open_mode_check(555) open_mode_check: exlusive oplock left by process 23227 after break ! For file profile/.../office.file.doc, dev = 900, inode = 2704003. Deleting it to continue... lib/util.c:smb_panic(1055) PANIC: open_mode_check: Existant process 23227 left active oplock. We tried to disable oplocks but no luck. After some more testing we deleted all files in /var/opt/samba/lock (brlock.tdb connections.tdb messages.tdb ntdrivers.tdb ntprinters.tdb share_info.tdb unexpected.tdb browse.dat locking.tdb ntforms.tdb printing.tdb ) and restarted samba. This time it worked fine. Is there som information about the tdb file and the inner structures of Samba? What do we lose if we delete the diffrent tdb files? We are using Samba 2.2.2 Regards, Johannes -- SGU - Sveriges Geologiska Undersökning Johannes Tyve Sysadmin +46-18-17 92 21 --
Very bad performance when copying large files from windows to samba-share
An easier way to find the bootleneek... Start top or/and iostat on the samba box. Start copying a file that are successfull. Check if the file is growing in the same rate as it is supposed to on the samba box (ls -l). If it takes the full size before the copy starts it uses Strict Allocate. Using top and iostat you should be able to determine what resources you are using. You say that it's a 30 second timeout. Maybe you could change it. I guess it's something on the win98 box. Maybe someone else could help here? This could be a workaround until the problem is solved. Regards, Johannes _ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx