From: Andreas Longwitz
Date: Tue, 11 Jan 2022 00:08:55 +0100
Message-ID: <61DCBC87.3040705@incore.de>
To: freebsd-fs@freebsd.org
Subject: getfacl truncates user and group names on ufs filesystems with POSIX acls
List-Id: Filesystems
List-Archive: https://lists.freebsd.org/archives/freebsd-fs

On a FreeBSD V12 server I ran a samba4 server with AD functionality. On /var I use a ufs filesystem with POSIX acls, because the provisioning step of samba4 needs this for data stored in the "sysvol" (directory /var/db/samba4/sysvol).
The file /etc/nsswitch includes the necessary winbind entries:

    group: files winbind
    hosts: files dns
    networks: files
    passwd: files winbind
    shells: files
    services: files
    protocols: files
    rpc: files

This setup works fine with one exception: I could not back up and restore the sysvol data with bacula. The reason for this problem is the fact: samba needs group names with more than 32 (MAXLOGNAME - 1) bytes and stores these names with the help of acls. Bacula has the same program logic to read acls as getfacl(1), so I can show the truncation problem directly:

    -> wbinfo -g | grep policy
    ADMYDOMAIN\group policy creator owners
    -> getfacl /var/db/samba4/sysvol/ad.mydomain/Policies | grep policy
    group:ADMYDOMAIN\group policy creator :rwx

The following patch for libc solves the problem for me:

--- posix1e/acl_to_text.c.orig 2017-11-25 18:12:48.000000000 +0100 +++ posix1e/acl_to_text.c 2022-01-10 19:04:05.551305000 +0100 
@@ -44,6 +44,9 @@ #include "acl_support.h" +#undef MAXLOGNAME +#define MAXLOGNAME 257 /* max login name length (incl. NUL) */ + /* * acl_to_text - generate a text form of an acl * spec says nothing about output ordering, so leave in acl order

The length problem exists only for POSIX acls, not for nfsv4acls. It also can be demonstrated without the help of samba4/winbind:

    echo "longestgroupnameeverintheworldandtheuniverse:*:3333:" >> /etc/group
    cd /var/tmp
    echo "ACL Test" > acltest
    setfacl -m g:longestgroupnameeverintheworldandtheuniverse:rwx acltest
    getfacl acltest

With the winbind entries in /etc/nsswitch.conf I see some messages "... not found, and no fallback provided" on console (in single user mode) or in debug.log (in multi user mode before /etc/rc.d/ldconfig is running, also from static linked programs). Some examples of programs using e.g. getpwnam() and endpwent():

    dhclient[540]: NSSWITCH(_nsdispatch): winbind, passwd, endpwent, not found, and no fallback provided
    pflogd[694]: NSSWITCH(_nsdispatch): winbind, passwd, endpwent, not found, and no fallback provided
    unbound: NSSWITCH(_nsdispatch): winbind, group, setgrent, not found, and no fallback provided
    install: NSSWITCH(_nsdispatch): winbind, passwd, setpwent, not found, and no fallback provided

These messages should only be logged when _NSS_DEBUG is defined for libc. The situation looks similar to the message with comment "This gets pretty annoying .." in the same source file. Therefore I use the patch

--- nsdispatch.c.orig 2019-05-14 09:42:45.000000000 +0200 +++ nsdispatch.c 2019-11-15 11:58:16.000000000 +0100 @@ -734,10 +734,13 @@ (void *)srclist[i].name, ap); va_end(ap); st->fallback_depth = saved_depth; - } else + } else { +#ifdef _NSS_DEBUG nss_log(LOG_DEBUG, "%s, %s, %s, not found, " "and no fallback provided", srclist[i].name, database, method_name); +#endif + } } }

Andreas
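Review bot: In the acl_to_text.c hunk, overriding a system macro with `#undef MAXLOGNAME` / `#define MAXLOGNAME 257` changes the meaning of MAXLOGNAME for this one file only and leaves 257 as an unexplained magic number; the comment "max login name length (incl. NUL)" is no longer true of the system limit. A file-local constant with its own name, with a comment saying which name service limit it is sized for, would be clearer and would not shadow the system definition. The change also only moves the cut-off: a name longer than 256 bytes would still appear to be shortened rather than reported, and for a backup tool a silently shortened principal in the saved ACL text means the entry cannot be mapped back to the same group on restore. Returning an error when the name does not fit would be safer than truncating. The patch touches only acl_to_text.c, so it is worth confirming that the text-to-ACL direction used on restore accepts names of the same length.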
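Review bot: In the nsdispatch.c hunk, placing `#ifdef _NSS_DEBUG` inside the new braces leaves an empty `else { }` branch in normal builds and removes the only diagnostic shown here for a source that is named in nsswitch.conf but provides no method and no fallback. That message is also what an administrator would see for a mistyped or missing NSS module, so dropping it entirely hides a misconfiguration of the name service path. Since the call is already at LOG_DEBUG, consider keeping it but logging once per source/database pair instead of on every dispatch, or wrapping the whole `else` branch in the `#ifdef` so no empty block remains, and add a comment explaining why the message is suppressed.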