getfacl truncates user and group names on ufs filesystems with POSIX acls
Date: Mon, 10 Jan 2022 23:08:55 UTC
On a FreeBSD V12 server I ran a samba4 server with AD functionality. On
/var I use an ufs filesystem with POSIX acls, because the provisioning
step of samba4 needs this for data stored in the "sysvol" (directory
/var/db/samba4/sysvol).
The file /etc/nsswitch.conf includes the necessary winbind entries:
group: files winbind
hosts: files dns
networks: files
passwd: files winbind
shells: files
services: files
protocols: files
rpc: files
This setup works fine with one exception: I could not back up and restore
the sysvol data with bacula. The reason for this problem is the fact that
samba needs group names with more than 32 (MAXLOGNAME - 1) bytes and
stores these names with the help of acls.
Bacula has the same program logic to read acls as getfacl(1), so I can
show the truncation problem directly:
-> wbinfo -g | grep policy
ADMYDOMAIN\group policy creator owners
-> getfacl /var/db/samba4/sysvol/ad.mydomain/Policies | grep policy
group:ADMYDOMAIN\group policy creator :rwx
The following patch for libc solves the problem for me:
--- posix1e/acl_to_text.c.orig 2017-11-25 18:12:48.000000000 +0100
+++ posix1e/acl_to_text.c 2022-01-10 19:04:05.551305000 +0100
@@ -44,6 +44,9 @@
#include "acl_support.h"
+#undef MAXLOGNAME
+#define MAXLOGNAME 257 /* max login name length
(incl. NUL) */
+
/*
* acl_to_text - generate a text form of an acl
* spec says nothing about output ordering, so leave in acl order
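Review bot: the `+#undef MAXLOGNAME` / `+#define MAXLOGNAME 257` pair changes the meaning of a sys/param.h constant for this one translation unit while keeping its name and the comment "max login name length", which no longer matches the 32-byte login limit the mail itself cites; a file-local constant with a new name, used where MAXLOGNAME sizes the name buffer in acl_to_text.c, with a comment saying that winbind principal names can exceed the login-name limit, would state the intent and not surprise anyone who greps for MAXLOGNAME. As posted, the #define's comment is also wrapped onto a second line ("(incl. NUL) */"), so the hunk will not apply until that line is rejoined.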
The length problem exists only for POSIX acls, not for NFSv4 acls.
It can also be demonstrated without the help of samba4/winbind:
echo "longestgroupnameeverintheworldandtheuniverse:*:3333:" >> /etc/group
cd /var/tmp
echo "ACL Test" > acltest
setfacl -m g:longestgroupnameeverintheworldandtheuniverse:rwx acltest
getfacl acltest
With the winbind entries in /etc/nsswitch.conf I see some messages "...
not found, and no fallback provided"
on the console (in single user mode) or in debug.log (in multi user mode
before /etc/rc.d/ldconfig is
running), also from statically linked programs. Some examples of programs
using e.g. getpwnam() and endpwent():
dhclient[540]: NSSWITCH(_nsdispatch): winbind, passwd, endpwent, not
found, and no fallback provided
pflogd[694]: NSSWITCH(_nsdispatch): winbind, passwd, endpwent, not
found, and no fallback provided
unbound: NSSWITCH(_nsdispatch): winbind, group, setgrent, not found,
and no fallback provided
install: NSSWITCH(_nsdispatch): winbind, passwd, setpwent, not found,
and no fallback provided
These messages should only be logged when _NSS_DEBUG is defined for
libc. The situation looks similar to the message with the comment "This gets
pretty annoying .." in the same source file. Therefore I use this patch:
--- nsdispatch.c.orig 2019-05-14 09:42:45.000000000 +0200
+++ nsdispatch.c 2019-11-15 11:58:16.000000000 +0100
@@ -734,10 +734,13 @@
(void *)srclist[i].name, ap);
va_end(ap);
st->fallback_depth = saved_depth;
- } else
+ } else {
+#ifdef _NSS_DEBUG
nss_log(LOG_DEBUG, "%s, %s, %s, not found, "
"and no fallback provided",
srclist[i].name, database, method_name);
+#endif
+ }
}
}
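Review bot: guarding the nss_log() call with #ifdef _NSS_DEBUG removes the "not found, and no fallback provided" message from every non-debug libc, yet that message is the only hint an administrator gets that a source listed in nsswitch.conf (here winbind) could not be loaded, which the mail shows happening for statically linked programs and before ldconfig has run; rather than compiling it out, consider logging it once per database or source (the mail points at a similar "This gets pretty annoying" case in the same file, which is the pattern to mirror), and if the #ifdef stays, say in the commit message that a missing module is now silent in production builds. The context dates (a 2019 nsdispatch.c) also suggest re-checking the hunk against current sources before submission.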
Andreas
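An added example, not libc's, samba's or the poster's code: a C model of the truncation described above (a principal name pushed through a fixed MAXLOGNAME-sized buffer by snprintf()), the strict variant a converter could use to refuse over-long names instead of silently cutting them, and the check a backup job could run over getfacl(1) output to flag the 32-byte signature of a truncated entry. The constants and function names are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants (not taken from libc): 33 is FreeBSD's MAXLOGNAME
 * including the NUL, 257 is the value the post's patch substitutes. */
#define NAME_BUF_OLD 33
#define NAME_BUF_NEW 257

/* Render one "group:NAME:perms" entry through a name buffer of namelen
 * bytes (capped at NAME_BUF_NEW), the way an snprintf()-based converter
 * with a fixed MAXLOGNAME buffer does. Lenient mode (strict == 0) models
 * the reported bug: the name is silently cut and success is reported.
 * Strict mode uses snprintf()'s return value to detect truncation and
 * refuses with ENAMETOOLONG instead of emitting a wrong principal.
 * Returns 0 on success, -1 if strict mode refused the name. */
int acl_entry_to_text(const char *name, const char *perms, size_t namelen,
                      int strict, char *out, size_t outlen)
{
    char namebuf[NAME_BUF_NEW];
    int n;

    if (namelen == 0 || namelen > sizeof namebuf)
        namelen = sizeof namebuf;
    n = snprintf(namebuf, namelen, "%s", name);
    if (strict && (n < 0 || (size_t)n >= namelen)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    snprintf(out, outlen, "group:%s:%s", namebuf, perms);
    return 0;
}

/* Backup-side check over getfacl(1) text lines: a name field of exactly
 * NAME_BUF_OLD-1 bytes is the signature of an entry cut by the old buffer
 * (the mail's "group:ADMYDOMAIN\group policy creator :rwx" is 32 bytes).
 * Returns 1 if the line looks truncated, else 0. */
int name_looks_truncated(const char *line)
{
    const char *first = strchr(line, ':');
    const char *last = strrchr(line, ':');

    if (first == NULL || last == NULL || last <= first)
        return 0;
    return (size_t)(last - first - 1) == (size_t)(NAME_BUF_OLD - 1);
}
```

Running getfacl output over the sysvol tree through name_looks_truncated() line by line before an ACL backup is trusted turns the silent cut into a visible failure.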