Web lists-archives.com

Re: [Samba] Operation Not Supported error for GETXATTR when VFS plugin "nfs4acl_xattr" is used




Hello Jeremy and Ralph

Thanks for your suggestions.

I compiled samba-4.8.0 and running it instead of samba-4.6.2. I saw the
changes that you mentioned in the latest vfs_nfs4acl_xattr module.

The operation not supported error is gone but it is now failing with access
denied. Here is what I tried:








*[root@test3 ajain]# net conf showshare local[local]        path =
/home/ajain/mount        comment = local share        guest ok = no
read only = no        hosts allow = ALL        vfs objects = nfs4acl_xattr*

*        nfs4acl_xattr:xattr_name = system.nfs4_acl
nfs4acl_xattr:encoding = xdr*

I added/enabled some debug messages and here is what I see for XDR type:

















*[2018/04/09 21:53:34.024425,  3, pid=32098, effective(1101151, 1100513),
real(1101151, 0)] ../source3/smbd/trans2.c:2667(call_trans2findfirst)
call_trans2findfirst: dirtype = 16, maxentries = 1366, close_after_first=0,
close_if_end = 1 requires_resume_key = 1 backup_priv = 0 level = 0x104,
max_data_bytes = 65535[2018/04/09 21:53:34.024788,  3, pid=32098,
effective(1101151, 1100513), real(1101151, 0)]
../source3/modules/vfs_nfs4acl_xattr.c:286(nfs4acl_xattr_get_nt_acl)
nfs4acl_xattr_get_nt_acl: nfs4acl_xattr_get_nt_acl[2018/04/09
21:53:34.024998,  3, pid=32098, effective(1101151, 1100513), real(1101151,
0)] ../source3/modules/vfs_nfs4acl_xattr.c:230(nfs4acl_blob_to_smb4)
nfs4acl_blob_to_smb4: NFS4ACL_ENCODING_XDR[2018/04/09 21:53:34.025027,  3,
pid=32098, effective(1101151, 1100513), real(1101151, 0)]
../source3/modules/nfs4acl_xattr_xdr.c:398(nfs4acl_xdr_blob_to_smb4)
nfs4acl_xdr_blob_to_smb4: nfs4acl_xdr_blob_to_smb4[2018/04/09
21:53:34.025043,  3, pid=32098, effective(1101151, 1100513), real(1101151,
0)]
../source3/modules/nfs4acl_xattr_xdr.c:286(nfs4acl_xdr_blob_to_nfs4acl)
nfs4acl_xdr_blob_to_nfs4acl: nfs4acl_xdr_blob_to_nfs4acl[2018/04/09
21:53:34.025053,  3, pid=32098, effective(1101151, 1100513), real(1101151,
0)]
../source3/modules/nfs4acl_xattr_xdr.c:293(nfs4acl_xdr_blob_to_nfs4acl)
nfs4acl_xdr_blob_to_nfs4acl: naces = 50[2018/04/09 21:53:34.025076,  3,
pid=32098, effective(1101151, 1100513), real(1101151, 0)]
../source3/modules/nfs4acl_xattr_xdr.c:339(nfs4acl_to_smb4acl)
nfs4acl_to_smb4acl: flags [8008] nace [0][2018/04/09 21:53:34.025147,  3,
pid=32098, effective(1101151, 1100513), real(1101151, 0)]
../source3/smbd/error.c:82(error_packet_set)  NT error packet at
../source3/smbd/trans2.c(2857) cmd=50 (SMBtrans2) NT_STATUS_ACCESS_DENIED*

There are not more than 4 ACEs on the root directory but we see naces = 50.
I feel that the encoding of ACL is not happening as expected.

Can you please post what kind of basic tests that succeed with
NFS4ACL_XATTR VFS module?

I appreciate your help.

Thanks
Akash



On Sat, Apr 7, 2018 at 1:16 AM, Jeremy Allison <jra@xxxxxxxxx> wrote:

> On Fri, Apr 06, 2018 at 09:28:16PM +0200, Ralph Böhme wrote:
> > On Fri, Apr 06, 2018 at 12:40:31PM -0700, Jeremy Allison wrote:
> > > On Fri, Apr 06, 2018 at 09:22:17PM +0200, Ralph Böhme wrote:
> > > > On Fri, Apr 06, 2018 at 10:27:32AM -0700, Jeremy Allison via samba
> wrote:
> > > > > On Fri, Apr 06, 2018 at 01:44:50PM +0530, Akash Jain wrote:
> > > > > > Hi All
> > > > > >
> > > > > > I found there is one bug in the plugin. The name of the
> attribute for ACL as
> > > > > > per strace output of nfs4_setfacl is system.nfs4_acl.
> > > > > > The source code has defined it as
> > > > > > #define NFS4ACL_XATTR_NAME      ( "system.nfs4acl" )
> > > > > >
> > > > > > Note there is missing underscore.
> > > > > >
> > > > > > After this, the EOPNOTSUPP error is not observed.
> > > > > >
> > > > > > Hope this helps
> > > > >
> > > > > Hmmm. This has been changed for Samba 4.8.0 and above,
> > > > > with commit df99ac27106dededcf0a98a251e58c24b90bf6d1.
> > > > >
> > > > > This would seem to be a correct fix, as it seems
> > > > >
> > > > > "The "system" xattr namespace is reserved for the kernel. Any
> attempt to
> > > > >     use xattrs in that namesspace will fail with EOPNOTSUPP,
> regardless of
> > > > >     priveleges."
> > > > >
> > > > > Can you check with 4.8.x ?
> > > >
> > > > I guess that statement may not be correct, depending on which kernel
> subsystem
> > > > exposes the xattr? My testing was with local filesytems, not with
> nfsv4
> > > > mounts. Apparantly it works with nfs4_getfacl|nfs4_setfacl...
> > >
> > > Ah, my guess is there's a missing check in the kernel
> > > NFSv4 redirector somewhere. Anyway, we can't use system.XXX
> > > namespace if it doesn't work on local filesystems on
> > > Linux.
> >
> > the good thing is with the new module it's configurable...
>
> Oh I didn't spot that, so it is ! Well done that man :-) :-).
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba