Problem
In a UCS environment, users are unable to save certain files to a network share.
When attempting to do so from a Windows client, a file transfer error occurs.
At the same time, the following log entries can be found in /var/log/log.smb on the Domain Controller:
[2026/04/09 09:58:10.426844, 1]
../../source3/smbd/posix_acls.c:2958(set_canon_ace_list)
set_canon_ace_list: sys_acl_set_file on file
[UCS/Dokumentationen/univention/Sicherheitsbeleuchtung/4.1
Sicherheitsbeleuchtung UG2/20250915_Sicherheitsbeleuchtung_UG2.dwg]:
(Die Operation wird nicht unterstützt)
[2026/04/09 09:58:10.432691, 1]
../../source3/smbd/smb2_trans2.c:4006(smb_set_file_dosmode)
smb_set_file_dosmode: file_set_dosmode of
UCS/Dokumentationen/univention/Sicherheitsbeleuchtung/4.1
Sicherheitsbeleuchtung UG2/20250915_Sicherheitsbeleuchtung_UG2.dwg
failed: Die angeforderte Funktion ist nicht implementiert
[2026/04/09 09:58:14.483322, 1]
../../source3/smbd/posix_acls.c:2958(set_canon_ace_list)
set_canon_ace_list: sys_acl_set_file on file
[UCS/Dokumentationen/univention/Sicherheitsbeleuchtung/4.1
Sicherheitsbeleuchtung UG2/20250915_Sicherheitsbeleuchtung_UG2.dwg]:
(Die Operation wird nicht unterstützt)
[2026/04/09 09:58:14.488281, 1]
../../source3/smbd/smb2_trans2.c:4006(smb_set_file_dosmode)
smb_set_file_dosmode: file_set_dosmode of
UCS/Dokumentationen/univention/Sicherheitsbeleuchtung/4.1
Sicherheitsbeleuchtung UG2/20250915_Sicherheitsbeleuchtung_UG2.dwg
failed: Die angeforderte Funktion ist nicht implementiert
[2026/04/09 09:58:17.391262, 1]
../../source3/smbd/posix_acls.c:2958(set_canon_ace_list)
set_canon_ace_list: sys_acl_set_file on file
[UCS/Dokumentationen/univention/Sicherheitsbeleuchtung/4.1
Sicherheitsbeleuchtung UG2/20250915_Sicherheitsbeleuchtung_UG2.dwg]:
(Die Operation wird nicht unterstützt)
[2026/04/09 09:58:17.395883, 1]
../../source3/smbd/smb2_trans2.c:4006(smb_set_file_dosmode)
smb_set_file_dosmode: file_set_dosmode of
UCS/Dokumentationen/univention/Sicherheitsbeleuchtung/4.1
Sicherheitsbeleuchtung UG2/20250915_Sicherheitsbeleuchtung_UG2.dwg
failed: Die angeforderte Funktion ist nicht implementiert
Root Cause
The error
sys_acl_set_file: Operation not supported
in combination with
smb_set_file_dosmode failed
indicates that the file server is unable to write Windows-specific file attributes or ACLs to the underlying storage.
In this setup:
- The Samba shares are located on a Dell Isilon NAS system
- The storage is mounted externally on the UCS system under
/mnt/isilon - The mount is configured using NFSv3
This explains the issue:
NFSv3 does not support the required mechanisms (especially extended attributes) needed by Samba to store Windows ACLs.
Investigation
Test of Extended Attributes (xattr)
Samba stores Windows file attributes in extended attributes of the Linux filesystem.
Therefore, it is required to verify whether the filesystem supports xattr.
Run the following command as root:
setfattr -n user.test -v "hallo" "/pfad_zum_share/UCS/Dokumentationen/univention/Sicherheitsbeleuchtung/4.1 Sicherheitsbeleuchtung UG2/20250915_Sicherheitsbeleuchtung_UG2.dwg"
Expected results:
- If the error
Operation not supportedappears → the filesystem or mount does not support xattr - If no error appears → xattr is working correctly
You can verify the attribute with:
getfattr -d <path>
Actual setfattr Output
root@fs:/ifs/fs/shares-other/schliessanlage/Moh/Dokumentationen/MPH-EuG/9_ZUKO/9.1 Zuko UG2# setfattr -n user.test -v "hallo" "/ifs/fs/shares-other/schliessanlage/Moh/Dokumentationen/MPH-EuG/9_ZUKO/9.1 Zuko UG2/test.txt"
setfattr: /ifs/fs/shares-other/schliessanlage/Moh/Dokumentationen/MPH-EuG/9_ZUKO/9.1 Zuko UG2/test.txt: Die Operation wird nicht unterstützt
This confirms that extended attributes are not supported on the Isilon mount.
Analysis of Samba Configuration
To review the effective Samba configuration, run:
testparm -s -v --section-name="NAME_DER_FREIGABE"
Example output:
[schliessanlage]
create mask = 0770
directory mask = 0770
force create mode = 0770
force directory mode = 0770
force group = schliessanlage-fileaccess
include = /etc/samba/shares.conf.d/microscopy-facility
inherit acls = Yes
map acl inherit = Yes
path = /mnt/isilon/shares-other/schliessanlage
read only = No
valid users = +schliessanlage-fileaccess +it
vfs objects = acl_xattr
Important:
vfs objects = acl_xattr
Expected setfattr Output (Working System)
root@ucs5primary:/mnt/test-share# ls -lah
total 12K
drwxr-xr-x 2 root root 4.0K Apr 13 14:17 .
drwxr-xr-x 3 root root 4.0K Apr 13 13:12 ..
-rw-r--r-- 1 root root 18 Apr 13 13:14 20250915_Sicherheitsbeleuchtung_UG2.txt
root@ucs5primary:/mnt/test-share# setfattr -n user.test -v "neu" "/mnt/test-share/20250915_Sicherheitsbeleuchtung_UG2.txt"
root@ucs5primary:/mnt/test-share# getfattr -d 20250915_Sicherheitsbeleuchtung_UG2.txt
# file: 20250915_Sicherheitsbeleuchtung_UG2.txt
user.test="neu"
Solution
Possible Solution for Dell Isilon – Configuration for NFSv4
Below is a structured step-by-step guide for a basic NFSv4 configuration on Dell Isilon (OneFS).
The information is based on the official Dell documentation:
https://www.dell.com/support/kbdoc/en-us/000023023/isilon-how-to-set-up-a-basic-nfsv4-configuration
The steps are prepared so they can be directly applied in a UCS/Samba environment.
Goal of the Configuration
The goal is to provide a working NFSv4 setup with correct ACL behavior.
Important:
- NFSv4 requires domain-based identities (
user@domain) - Incorrect or missing configuration leads to non-functional ACLs
Important Rule (according to Dell)
Non-standard configurations should be avoided, as they often break NFSv4 ACL functionality.
The configuration should stay as close to default as possible.
1. Check current NFSv4 configuration
isi nfs settings zone view
Typical default values:
NFSv4 Domain: localhost
NFSv4 Replace Domain: Yes
NFSv4 No Domain: No
NFSv4 No Domain UIDs: Yes
NFSv4 No Names: No
NFSv4 Allow Numeric IDs: Yes
2. Configure NFSv4 domain
Problem without domain
- Files appear as
nobody:nobody - ACLs do not work
Command to fix that:
isi nfs settings zone modify --nfsv4-domain=<your-domain>
Example:
isi nfs settings zone modify --nfsv4-domain=example.local
3. Verify domain mapping behavior
isi nfs settings zone modify --nfsv4-replace-domain=true
Meaning:
- The server replaces domain parts with the configured NFSv4 domain
Default is Yes and should be kept.
4. Ensure domain names are used
Critical setting: No Names
If enabled:
--nfsv4-no-names=true
Only UID/GID is used (no user@domain)
Result: ACLs will not work
Correct configuration:
isi nfs settings zone modify --nfsv4-no-names=false
5. Disable domain stripping
Option: No Domain
If enabled:
- Domain information is removed
- Causes ACL issues
Correct configuration:
isi nfs settings zone modify --nfsv4-no-domain=false
6. Handling of numeric IDs
--nfsv4-allow-numeric-ids
Default:
Yes
Meaning:
- Allows fallback to UID/GID if name resolution fails
Can remain unchanged
7. Root user behavior (important for UCS)
Typical behavior:
- Root appears as
root:wheelinstead ofroot:root
Reason:
0:0 → root:wheel
Options:
- Adjust GID on client
- or configure mapping on Isilon
8. Verify configuration
isi nfs settings zone view
Typical Symptoms and Causes
| Symptom | Cause |
|---|---|
| nobody:nobody | Domain not set |
| root:wheel | Default Isilon mapping |
| ACL not working | Missing domain / wrong config |
| UID/GID only | Incorrect NFSv4 settings |
Conclusion
The issue is caused by using NFSv3 on external storage, which does not support required Samba features such as extended attributes.
To resolve the issue:
- Use NFSv4 instead of NFSv3
- Configure a valid NFSv4 domain
- Ensure domain-based identity mapping is active
- Keep configuration close to defaults
Only then:
- User identities are resolved correctly
- ACL handling works as expected
- Samba can store Windows file attributes successfully