Hi,

We are running into a problem with a Samba setup and would like to know if a current fix or workaround is at all possible.

Our setup is a NetApp filer serving NFS v4 that is mounted by Solaris and Linux servers. On those servers we are using Samba to create shares of those NFSv4 mounted filesystems. We are migrating to this NFSv4 setup from an existing Solaris NFSv3+POSIX ACL setup that also had Samba shares on top of the NFSv3+ACL mounts.

In our setup, we are relying on NFSv4 ACL inheritance. Here's an example of an ACL on a file (as created by a touch command):

    root@system # ls -lVd test_sneppef.txt
    -rw-r--r--+ 1 root root 0 Mar 6 13:49 test_sneppef.txt
         group:TRerp:r-x---a-R-c--s:------:allow
         group:TRerp:-w-p---A-W-Co-:------:deny
         group:TWerp:rwxp--aARWcC-s:------:allow
         group:TWerp:------------o-:------:deny
         user:Terp:rwxp--aARWcC-s:------:allow
         user:Terp:------------o-:------:deny
         owner@:rw-p--a-R-c--s:------:allow
         group@:r-----a-R-c--s:------:allow
         everyone@:r-----a-R-c--s:------:allow
         owner@:--x-----------:------:deny
         group@:-wxp----------:------:deny
         everyone@:-wxp----------:------:deny

In our Samba setup, we are making extensive use of the "force user" and "force group" directives to force all files created under the Samba share to get the appropriate username/usergroup. Here's an example share definition from smb.conf:

    [testsiven]
        comment = NFSv4 test
        path = /NAS/trg_shr_sft_00/erp/siven
        valid users = "prod\siven" "__empty__"
        write list = "prod\siven"
        force user = Terp
        force group = Terp

So, in summary, we are relying on NFSv4 ACL inheritance to set the correct ACLs on all files and directories under a given NFS mount. The problem we are running into is that, when CIFS users are creating files via the Samba shares, the NFSv4 ACLs get removed.

Here's an example of a file that was created from a Samba share:

    root@system # ls -lVd test2-sneppef2.txt.txt
    -rwxr--r-- 1 Terp Terp 0 Mar 6 13:59 test2-sneppef2.txt.txt
         owner@:rwxp--aA--cC-s:------:allow
         owner@:--------------:------:deny
         group@:-wxp---A---C--:------:deny
         group@:r-----a---c--s:------:allow
         group@:-wxp---A---C--:------:deny
         everyone@:r-----a---c--s:------:allow
         everyone@:-wxp---A---C--:------:deny

As you can see, there are no NFSv4 ACLs associated with the file. A Wireshark packet trace revealed that, after having created/copied the file, there's an NFSv4 setattr call that explicitly sets the permissions on the newly created file, effectively wiping any inherited ACLs on the NFSv4 export.

I guess what we are trying to achieve is somewhat out of the ordinary, since we would like Samba not to set/rewrite any (NFSv4) ACLs that are inherited during file creation. Or put a little differently: we would like Samba not to wipe any existing ACLs on files and directories in the NFSv4 mounted filesystems.

I guess what makes our case a little exceptional is that we don't care about any ACL mapping between CIFS and NFSv4. We would like all ACL handling to be done by the NetApp thanks to the NFSv4 ACL inheritance.

Is there any way to achieve this?

Thanks in advance.

Filip
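
An added example, not part of the original message: a small audit script that parses Solaris `ls -lV` output and reports files on which only the owner@/group@/everyone@ entries remain, which is the state the second listing shows. The function names are hypothetical, the sample input is the two listings from the message shortened to a few ACEs each, and file names are assumed to contain no spaces.

```python
import re

# One ACE as printed by Solaris `ls -V`: who:permissions:inheritance:type
ACE_RE = re.compile(r"^(?P<who>owner@|group@|everyone@|(?:user|group):[^:]+)"
                    r":(?P<perms>[A-Za-z-]+):(?P<flags>[A-Za-z-]+):(?P<type>allow|deny)$")
TRIVIAL = {"owner@", "group@", "everyone@"}  # entries that only mirror mode bits

def parse_listing(text):
    """Split `ls -lV` output into {filename: [ACE dict, ...]}.
    Assumption: file names contain no spaces."""
    files, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = ACE_RE.match(s)
        if m and current is not None:
            files[current].append(m.groupdict())
        elif s[:1] in ("-", "d") and len(s.split()) >= 9:
            # Mode line of a regular file or directory starts a new entry.
            current = s.split()[-1]
            files[current] = []
    return files

def lost_named_aces(aces):
    """True when only owner@/group@/everyone@ entries remain."""
    return bool(aces) and all(a["who"] in TRIVIAL for a in aces)

def audit(text):
    """Return the sorted file names whose named user:/group: ACEs are gone."""
    return sorted(n for n, a in parse_listing(text).items() if lost_named_aces(a))

# Sample input: the two listings from the message, shortened to a few ACEs each.
SAMPLE = r"""
-rw-r--r--+ 1 root root 0 Mar 6 13:49 test_sneppef.txt
     group:TRerp:r-x---a-R-c--s:------:allow
     group:TWerp:rwxp--aARWcC-s:------:allow
     user:Terp:rwxp--aARWcC-s:------:allow
     owner@:rw-p--a-R-c--s:------:allow
     everyone@:r-----a-R-c--s:------:allow
-rwxr--r-- 1 Terp Terp 0 Mar 6 13:59 test2-sneppef2.txt.txt
     owner@:rwxp--aA--cC-s:------:allow
     group@:r-----a---c--s:------:allow
     everyone@:-wxp---A---C--:------:deny
"""

if __name__ == "__main__":
    for name in audit(SAMPLE):
        print("named ACEs missing:", name)
```

A file created in a directory that has no inheritable named ACEs would be reported as well, so the result is only meaningful under trees where inheritance is expected.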