# Samba 3.4.6: set_process_capability errors filling syslog

## m_sandwich

I just upgraded Samba from 3.2.15 to 3.4.6, and my syslog is filling up with the following errors:

```

Jun  2 05:59:26 milne smbd[13717]: [2010/06/02 05:59:26,  0, effective(1021, 100), real(0, 0)] lib/system.c:651(set_process_capability)

Jun  2 05:59:26 milne smbd[13717]:   set_process_capability: prctl PR_SET_SECUREBITS failed with error Invalid argument

```

I am unable to find any specifics about this error online, except for this man page:

http://www.kernel.org/doc/man-pages/online/pages/man7/capabilities.7.html

Can anyone tell me what this might be from?  If it is an actual error, I'd obviously like to get to the root of it.  If it is benign, it is still filling my logs up, and I would like to find a way to quell this particular message.

Thanks ahead of time!

```

# uname -a

Linux milne 2.6.28-hardened-r9 #2 SMP Tue Dec 29 12:53:05 PST 2009 x86_64 Intel(R) Xeon(R) CPU E5405 @ 2.00GHz GenuineIntel GNU/Linux

```

```

# emerge --info samba

Portage 2.1.8.3 (hardened/linux/amd64/10.0, gcc-4.3.4, glibc-2.10.1-r1, 2.6.28-hardened-r9 x86_64)

=================================================================

                        System Settings

=================================================================

System uname: Linux-2.6.28-hardened-r9-x86_64-Intel-R-_Xeon-R-_CPU_E5405_@_2.00GHz-with-gentoo-1.12.13

Timestamp of tree: Tue, 01 Jun 2010 22:45:01 +0000

distcc 3.1 x86_64-pc-linux-gnu [disabled]

ccache version 2.4 [enabled]

app-shells/bash:     4.0_p37

dev-java/java-config: 1.3.7-r1, 2.1.10

dev-lang/python:     2.6.5-r2, 3.1.2-r3

dev-util/ccache:     2.4-r7

sys-apps/baselayout: 1.12.13

sys-apps/sandbox:    1.6-r2

sys-devel/autoconf:  2.65

sys-devel/automake:  1.7.9-r1, 1.9.6-r3, 1.10.3, 1.11.1

sys-devel/binutils:  2.18-r3

sys-devel/gcc:       3.4.6-r2, 4.3.4

sys-devel/gcc-config: 1.4.1

sys-devel/libtool:   2.2.6b

virtual/os-headers:  2.6.30-r1

ACCEPT_KEYWORDS="amd64"

ACCEPT_LICENSE="* -@EULA"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-march=nocona -O2 -pipe"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc /usr/lib64/fax /var/spool/fax/etc"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"

CXXFLAGS="-march=nocona -O2 -pipe"

DISTDIR="/usr/portage/distfiles"

EMERGE_DEFAULT_OPTS="--buildpkg --with-bdeps=y"

FEATURES="assume-digests ccache distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch userpriv usersandbox"

GENTOO_MIRRORS="http://gentoo.llarian.net/ # http://gentoo.arcticnetwork.ca/source/ http://gentoo.osuosl.org/ http://gentoo.mirrors.tera-byte.com/"

LDFLAGS="-Wl,-O1"

LINGUAS="en_US en"

MAKEOPTS="-j9"

PKGDIR="/usr/portage/packages/x86_64-pc-linux-gnu"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

PORTDIR_OVERLAY="/usr/portage/local/layman/sunrise /usr/local/portage"

SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"

USE="acl amd64 apache2 async bash-completion bcmath berkdb bzip2 caps cli cracklib crypt ctype cups cxx discard-path dovecot-sasl dri emacs expat extras fam fastbuild faxonly flatfile foomaticdb force-cgi-redirect ftp gcj gd gdbm glibc-omitfp gpm hardened horde iconv imap imlib iproute2 jbig jpeg jpeg2k justify largeterminal ldap libg++ libwww logrotate maildir mailtrain managesieve mhash mmx modules mudflap multilib multislot multitarget ncurses noauthunix nonfsv4 nptl nptlonly offensive openmp passfile pcre pdo perl pg-vacuumdelay php pic png posix postgres ppds pppd python readline reflection samba session sieve simplexml soap sockets spell spl sse sse2 ssl suhosin svnserve sysfs syslog tcpd tiff tokenizer tools unicode urandom vhosts xml xorg xsl zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_anon authn_default authn_file      authz_default authz_host authz_owner authz_user autoindex cache dav      dav_fs dav_lock deflate dir disk_cache env expires file_cache filter      headers ident include info log_config logio mem_cache mime mime_magic      negotiation rewrite setenvif so speling status" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CPPFLAGS, CTARGET, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS

=================================================================

                        Package Settings

=================================================================

net-fs/samba-3.4.6 was built with the following:

USE="acl ads caps client cups fam ldap (multilib) netapi pam readline server smbclient syslog winbind -addns -aio -avahi -cluster -debug -doc -examples -ldb -quota -smbsharemodes -swat"

```

```

# cat /etc/samba/smb.conf

[global]

        workgroup = JENSEN

        server string = ""

        interfaces = 10.90.10.100, 127.0.0.1

        bind interfaces only = Yes

        passdb backend = ldapsam

        check password script = /usr/local/sbin/crackcheck -s

        username map = /etc/samba/smbusers

        client NTLMv2 auth = Yes

        client lanman auth = No

        client plaintext auth = No

        log file = /var/log/samba/%m.log

        max log size = 50

        debug uid = Yes

        smb ports = 139

        time server = Yes

        deadtime = 15

        socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 IPTOS_LOWDELAY

        printcap cache time = 30

        show add printer wizard = Yes

        load printers = Yes

        printing = cups

        printcap name = cups

        add user script = /usr/sbin/smbldap-useradd -m -a '%u'

        delete user script = /usr/sbin/smbldap-userdel '%u'

        add group script = /usr/sbin/smbldap-groupadd -p '%g'

        delete group script = /usr/sbin/smbldap-groupdel '%g'

        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'

        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'

        set primary group script = /usr/sbin/smbldap-usermod -g '%u' '%g'

        add machine script = /usr/sbin/smbldap-useradd -w '%u'

        logon script = %U.bat

        logon path =

        logon drive = P:

        domain logons = Yes

        os level = 65

        preferred master = Yes

        domain master = Yes

        wins server = 10.90.10.231

        ldap admin dn = cn=Manager,dc=jensenmaritime,dc=com

        ldap group suffix = ou=groups

        ldap machine suffix = ou=machines,ou=users

        ldap passwd sync = Yes

        ldap suffix = ou=accounts,dc=jensenmaritime,dc=com

        ldap ssl = no

        ldap user suffix = ou=users

        hosts allow = 10.0.0.0/8, 127.0.0.0/8

        kernel oplocks = Yes

<SNIP>

```

----------

## JanSteen

Same thing here. For me, those errors disappeared after recompiling the kernel: Under the heading  *Quote:*   

> Security Options

  I originally had everything turned off; I don't know which one exactly solved the problem, but it could well have been one of

```
 

  Security hooks for pathname based access control

  File POSIX Capabilities

```

Could that be it for you as well?

----------

## m_sandwich

JanSteen, good call!  While I haven't confirmed this will fix it, I'm almost certain it will.

I just noticed that I have the USE flag "caps" for Samba, which requires  File POSIX Capabilities.

Of course this all boils down to not having the proper kernel support, which I did not have (although I thought I did).

I'm a bit annoyed at myself that I didn't figure this out on my own!

Thanks again,

Scot

----------

