Re: [Samba] File permissions getting destroyed with M$ software on ZFS
Hi,

Thanks for your input. B.t.w., I use security = ADS.

I tried hundreds of combinations of configurations and options, but it just won't work. It works rather OK if you limit it to the Unix permissions (plain user and group permissions), but as soon as you try to put an ACE referring to an AD group, it totally loses track.

example 1:

root# ls -l /pool2/gisdata
drwxrwx---+ 4 ackerra     gis 4 Oct 5 10:58 d1
drwxrwx---  3 ackerra     gis 3 Oct 5 12:01 d2
drwxrwxr-x  2 regio-gis10 gis 2 Oct 5 11:55 d3

root # ls -lvd /pool2/gisdata/d1
drwxrwx---+ 4 ackerra gis 4 Oct 5 10:58 d1
0:group:regio-users:list_directory/read_data/read_xattr/execute/read_attributes/read_acl:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
2:group@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/execute/synchronize:file_inherit/dir_inherit:allow
3:group:regio-users:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:file_inherit/dir_inherit:allow

I mount the share (/pool2/gisdata) on an XP workstation, being AD user 'regio-gis10', member of AD group 'regio-users', having no unix account.

In Windows Explorer, I can see d2 and d3, but not d1.

example 2:

root # ls -lvd /pool2/gisdata/d2
drwxrwx--- 3 ackerra gis 3 Oct 5 12:01 d2
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
2:group@::deny
3:group@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/execute:allow
4:everyone@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow

One would think that an arbitrary AD user (regio-gis10 in this case) does not have access on the directory d2, no? Well, it is not the case ... via Samba I could create a directory dx in d2, being the AD user 'regio-gis10'.

root # ls -l /pool2/gisdata/d2
total 3
drwxrwx--- 2 regio-gis10 gis 2 Oct 5 12:01 dx

So sometimes I get extra permissions, sometimes I get too few permissions, but it is never right ... wbinfo, net ads and getent commands all work perfectly, and give the accurate info though.

smb.conf:

[gisdata]
path = /pool2/gisdata
#admin users = ackerra
force group = gis
read only = no
create mask = 0660
directory mask = 0770
force unknown acl user = yes
acl check permissions = no
inherit permissions = yes
inherit acls = yes
#map acl inherit = yes
store dos attributes = yes
ea support = yes
map read only = no
map archive = no
map hidden = no
map system = no
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:mode = special
zfsacl: aceorder = dontcare

Samba version is the Solaris bundled version 3.0.35.

rgrds,

--
View this message in context: http://samba.2283325.n4.nabble.com/File-permissions-getting-destroyed-with-M-software-on-ZFS-tp2915766p2955872.html
Sent from the Samba - General mailing list archive at Nabble.com.

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
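Added example (my own code, not from Samba, Sun or anyone in this thread): a small evaluator that applies NFSv4/ZFS first-match ACL semantics to the `ls -lv` listings quoted in the message above, so the access the on-disk ACL actually grants to the AD user can be compared with what Samba showed. It assumes that `regio-gis10` resolves to a principal whose only group is `regio-users` and that d1 and d2 are owned by `ackerra:gis`, as the listings say; `DENY_FIRST_ACL` is a constructed ACL mirroring the deny-before-allow layout asked about later in the thread, and the names `Principal`, `Ace`, `evaluate` and `is_allowed` are mine. The mode-bit fallback ZFS applies when aclmode is not passthrough is deliberately not modelled.

```python
"""NFSv4/ZFS ACL evaluator with first-match semantics. Added example for this
thread, not code from Samba, Sun or any poster. Each wanted permission bit is
decided by the first applicable ACE that names it; later ACEs cannot override it.
Assumed: principals are plain names plus group sets; ZFS's mode-bit fallback
(aclmode other than passthrough) is not modelled."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Decision = Tuple[str, Optional[int]]  # ("allow" | "deny" | "undecided", ACE index)


@dataclass(frozen=True)
class Principal:
    name: str               # e.g. AD user regio-gis10, no Unix account required
    groups: FrozenSet[str]  # every Unix or AD group the caller belongs to


@dataclass(frozen=True)
class Ace:
    who: str                # owner@ | group@ | everyone@ | user:NAME | group:NAME
    perms: FrozenSet[str]   # ZFS names: read_data, add_subdirectory, write_acl, ...
    flags: FrozenSet[str]   # file_inherit, dir_inherit, inherit_only, ...
    kind: str               # "allow" or "deny"


def parse_verbose_acl(text: str) -> List[Ace]:
    """Parse `ls -lv` lines: [index:]who[:name]:perm/perm[:flag/flag]:allow|deny"""
    aces = []
    for line in text.strip().splitlines():
        fields = line.strip().split(":")
        if fields[0].isdigit():                  # optional leading ACE index
            fields = fields[1:]
        if fields[0] in ("user", "group"):       # named principal carries a name field
            who, fields = f"{fields[0]}:{fields[1]}", fields[2:]
        else:
            who, fields = fields[0], fields[1:]
        if len(fields) not in (2, 3) or fields[-1] not in ("allow", "deny"):
            raise ValueError(f"malformed ACE: {line!r}")
        perms = frozenset(p for p in fields[0].split("/") if p)  # "" -> empty set
        flags = frozenset(fields[1].split("/")) if len(fields) == 3 else frozenset()
        aces.append(Ace(who, perms, flags, fields[-1]))
    return aces


def _applies(ace: Ace, who: Principal, owner: str, group: str) -> bool:
    """Does the ACE subject match the caller for an object owned by owner:group?"""
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return who.name == owner
    if ace.who == "group@":
        return group in who.groups
    kind, _, name = ace.who.partition(":")
    return (kind == "user" and who.name == name) or (kind == "group" and name in who.groups)


def evaluate(aces: List[Ace], who: Principal, owner: str, group: str,
             wanted: Iterable[str]) -> Dict[str, Decision]:
    """Walk the ACL in order and record which ACE decided each wanted bit."""
    result: Dict[str, Decision] = {p: ("undecided", None) for p in wanted}
    for idx, ace in enumerate(aces):
        if "inherit_only" in ace.flags or not _applies(ace, who, owner, group):
            continue                             # inherit-only ACEs never grant access
        open_bits = {p for p, (d, _) in result.items() if d == "undecided"}
        for perm in ace.perms & open_bits:       # an empty deny decides nothing
            result[perm] = (ace.kind, idx)
        if not open_bits - ace.perms:
            break                                # every wanted bit is decided
    return result


def is_allowed(aces: List[Ace], who: Principal, owner: str, group: str,
               wanted: Iterable[str]) -> bool:
    """NFSv4 rule: every wanted bit needs an explicit allow."""
    return all(d == "allow" for d, _ in evaluate(aces, who, owner, group, wanted).values())


# ACLs copied from the thread's `ls -lvd` output; both directories are ackerra:gis.
D1_ACL = """
0:group:regio-users:list_directory/read_data/read_xattr/execute/read_attributes/read_acl:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
2:group@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/execute/synchronize:file_inherit/dir_inherit:allow
3:group:regio-users:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:file_inherit/dir_inherit:allow
"""
D2_ACL = """
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
2:group@::deny
3:group@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/execute:allow
4:everyone@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
"""
# Constructed, not from the thread: the deny-before-allow layout the thread asks about.
DENY_FIRST_ACL = """
0:group:regio-users:execute:deny
1:group:regio-users:read_data/execute:allow
"""
REGIO_GIS10 = Principal("regio-gis10", frozenset({"regio-users"}))  # AD user, AD group only
ACKERRA = Principal("ackerra", frozenset({"gis"}))                  # Unix owner of d1/d2

if __name__ == "__main__":
    for label, acl, want in [("regio-gis10 lists d1", D1_ACL, {"list_directory", "read_data"}),
                             ("regio-gis10 mkdir in d2", D2_ACL, {"add_subdirectory"}),
                             ("deny-first ACL", DENY_FIRST_ACL, {"read_data", "execute"})]:
        print(label, evaluate(parse_verbose_acl(acl), REGIO_GIS10, "ackerra", "gis", want))
```

Run as-is, the d1 listing is fully allowed for regio-gis10 by ACE 0, and the mkdir in d2 is refused by the everyone@ deny at ACE 4: exactly the reverse of what the poster saw through Samba, so whatever produced that behaviour sits between the SMB client and ZFS (id mapping, the mode-bit handling), not in the ACE text itself. The constructed case shows the ordering point behind the later question in the thread: a deny that names a bit wins over any allow after it, while an empty deny such as `0:owner@::deny` decides nothing.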
Re: [Samba] File permissions getting destroyed with M$ software on ZFS
I had a lot of problems with this as well. I found it hard to find much documentation on the zfs module in samba from either Samba or Sun. (PS- A big thumbs down to Sun and the OpenSolaris crowd for apparently abandoning samba.)

I am running Samba 3.0.x from Sun on two servers and samba 3.4.x compiled from source on the third. I eventually opened a support case with Sun which did help (somewhat.)

Did you check the permissions of the parent directory? There may be an inheritance issue. Usually the following worked for me:

chmod -R A- thedirectory
chmod -R A=owner@:rwxpdDaARWcCos:allow thedirectory
chmod -R A+group@:rwxpdDaARWcCos:allow thedirectory

My share definitions look like the following (the nfs4 and zfsacl options were recommended by Sun tech support.)

vfs objects = zfsacl
inherit permissions = Yes
inherit acls = Yes
nfs4:acedup = merge
nfs4:chown = yes
nfs4: mode = special
map read only = no
ea support = yes
store dos attributes = yes
create mask = 0770
force create mode = 0600
directory mask = 0775
force directory mode = 0600
zfsacl: acesort = dontcare

PS. Are your samba shares on top of autofs shares? If so, you may also need to do the following.

# chmod A+user:nobody:aRc:allow thedirectory

So far it seems to work OK.

On 10/04/2010 06:06 AM, RegioGis wrote:

Hi,

I see you use samba with zfs. But how on earth do you prevent the 'deny' ACEs from being the first in the ACL, and thus denying all access to the resource?

I'm able to add permissions via the MS UI (I added an AD group 'regio-users'). When I then create a file or folder via Samba, I get this on the Solaris box:

root # ll -V db1.mdb
-rw-rw+ 1 ackerra gis 98304 Oct 4 11:49 db1.mdb
 group:regio-users:--x---:--:deny
 group:regio-users:r-x---a-Rs:--:allow
 owner@:--x---:--:deny
 owner@:rw-p---A-W-Co-:--:allow
 group@:--x---:--:deny
 group@:rw-p--:--:allow
 everyone@:rwxp---A-W-Co-:--:deny
 everyone@:--a-R-c--s:--:allow

Thus denying all access to 'regio-users'. How do you solve this? (I defined the share exactly as you specified.)

Rgrds,
Re: [Samba] File permissions getting destroyed with M$ software on ZFS
Hi,

I see you use samba with zfs. But how on earth do you prevent the 'deny' ACEs from being the first in the ACL, and thus denying all access to the resource?

I'm able to add permissions via the MS UI (I added an AD group 'regio-users'). When I then create a file or folder via Samba, I get this on the Solaris box:

root # ll -V db1.mdb
-rw-rw+ 1 ackerra gis 98304 Oct 4 11:49 db1.mdb
 group:regio-users:--x---:--:deny
 group:regio-users:r-x---a-Rs:--:allow
 owner@:--x---:--:deny
 owner@:rw-p---A-W-Co-:--:allow
 group@:--x---:--:deny
 group@:rw-p--:--:allow
 everyone@:rwxp---A-W-Co-:--:deny
 everyone@:--a-R-c--s:--:allow

Thus denying all access to 'regio-users'. How do you solve this? (I defined the share exactly as you specified.)

Rgrds,

--
View this message in context: http://samba.2283325.n4.nabble.com/File-permissions-getting-destroyed-with-M-software-on-ZFS-tp2915766p2954071.html
Sent from the Samba - General mailing list archive at Nabble.com.
Re: [Samba] File permissions getting destroyed with M$ software on ZFS
Please ignore the previous message. I messed up some testing results. I'm trying to get things straight first.

--
View this message in context: http://samba.2283325.n4.nabble.com/File-permissions-getting-destroyed-with-M-software-on-ZFS-tp2915766p2954213.html
Sent from the Samba - General mailing list archive at Nabble.com.
Re: [Samba] File permissions getting destroyed with M$ software on ZFS
Well, I think I got it fixed, but not sure if it is the correct way. This is what my share ens looks like now:

[ens]
comment = ENS Groups
path = /XKA2/admin/ENS
valid users = +admin
force group = admin
read only = No
create mask = 0770
force create mode = 0770
security mask = 0770
directory mask = 02770
inherit permissions = Yes
inherit acls = Yes
nt acl support = No
map archive = No
map readonly = permissions
store dos attributes = Yes
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:mode = special

I changed "nt acl support" to No.

On 10/1/10 8:15 AM, CJ Keist wrote:

All,

Running Samba 3.5.4 on Solaris 10 with ZFS file system. I have issues where we have shared group folders. In these folders a userA in GroupA creates a file just fine with the correct inherited permissions 660. Problem is when userB in GroupA reads and modifies that file, with M$ office apps, the permissions get whacked to 060+ and the file becomes read only by everyone.

I did google this and found exactly someone else with the same problem with a fix! But the fix is not working for me, so looking for some more help and insight into this problem. The following are the two URLs I found which looked like a fix to my problem:

http://lists.samba.org/archive/samba/2008-November/145094.html
https://bugzilla.samba.org/show_bug.cgi?id=6050

I have implemented those settings, but I still see the problem of the file permissions getting whacked.

Here is my conf file:

[global]
workgroup = ENGR_DOM
server string = Samba Server
interfaces = e1000g0, lo0
bind interfaces only = Yes
security = DOMAIN
passdb backend = smbpasswd
client NTLMv2 auth = Yes
map untrusted to domain = Yes
log level = 1
log file = /var/log/samba/logs/log.%m
name resolve order = host bcast
unix extensions = No
max open files = 1
load printers = No
domain master = No
dns proxy = No
lock spin time = 3
veto oplock files = /*.doc/*.DOC/*.docx/*.DOCX/*.xlsx/*.XLSX/*.xls/*.XLS/*.ppt/*.PPT/*.pst/*.PST/*.mdb/*.MDB/*.ldb/*.LDB/*.vsd/*.VSD/*.dwg/*.DWG/*.cdr/*.CDR/
strict locking = No

[homes]
comment = Home Directories
read only = No
create mask = 0640
directory mask = 0751
force directory mode = 0751
directory security mask = 0750
inherit permissions = Yes
inherit owner = Yes
browseable = No
level2 oplocks = No
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:mode = special

[ens]
comment = ENS Groups
path = /XKA2/admin/ENS
valid users = +admin
force group = admin
read only = No
create mask = 0770
directory mask = 02770
inherit permissions = Yes
inherit acls = Yes
map archive = No
map readonly = permissions
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:mode = special

The issue is in the ENS share. I also have the ZFS file system aclmode and aclinherit set to passthrough, see output of zfs get all:

kame % zfs get all fsdata/admin/ENS
NAME              PROPERTY         VALUE                  SOURCE
fsdata/admin/ENS  type             filesystem             -
fsdata/admin/ENS  creation         Mon Mar 15 14:47 2010  -
fsdata/admin/ENS  used             73.6G                  -
fsdata/admin/ENS  available        9.35T                  -
fsdata/admin/ENS  referenced       73.6G                  -
fsdata/admin/ENS  compressratio    1.15x                  -
fsdata/admin/ENS  mounted          yes                    -
fsdata/admin/ENS  quota            none                   default
fsdata/admin/ENS  reservation      none                   default
fsdata/admin/ENS  recordsize       64K                    inherited from fsdata/admin
fsdata/admin/ENS  mountpoint       /XKA2/admin/ENS        inherited from fsdata
fsdata/admin/ENS  sharenfs         rw,anon=0              inherited from fsdata/admin
fsdata/admin/ENS  checksum         on                     default
fsdata/admin/ENS  compression      on                     inherited from fsdata
fsdata/admin/ENS  atime            off                    inherited from fsdata
fsdata/admin/ENS  devices          on                     default
fsdata/admin/ENS  exec             on                     default
fsdata/admin/ENS  setuid           on                     default
fsdata/admin/ENS  readonly         off                    default
fsdata/admin/ENS  zoned            off                    default
fsdata/admin/ENS  snapdir          hidden                 default
fsdata/admin/ENS  aclmode          passthrough            inherited from fsdata/admin
fsdata/admin/ENS  aclinherit       passthrough            inherited from fsdata/admin
fsdata/admin/ENS  canmount         on                     default
fsdata/admin/ENS  shareiscsi
[Samba] File permissions getting destroyed with M$ software on ZFS
All,

Running Samba 3.5.4 on Solaris 10 with ZFS file system. I have issues where we have shared group folders. In these folders a userA in GroupA creates a file just fine with the correct inherited permissions 660. Problem is when userB in GroupA reads and modifies that file, with M$ office apps, the permissions get whacked to 060+ and the file becomes read only by everyone.

I did google this and found exactly someone else with the same problem with a fix! But the fix is not working for me, so looking for some more help and insight into this problem. The following are the two URLs I found which looked like a fix to my problem:

http://lists.samba.org/archive/samba/2008-November/145094.html
https://bugzilla.samba.org/show_bug.cgi?id=6050

I have implemented those settings, but I still see the problem of the file permissions getting whacked.

Here is my conf file:

[global]
workgroup = ENGR_DOM
server string = Samba Server
interfaces = e1000g0, lo0
bind interfaces only = Yes
security = DOMAIN
passdb backend = smbpasswd
client NTLMv2 auth = Yes
map untrusted to domain = Yes
log level = 1
log file = /var/log/samba/logs/log.%m
name resolve order = host bcast
unix extensions = No
max open files = 1
load printers = No
domain master = No
dns proxy = No
lock spin time = 3
veto oplock files = /*.doc/*.DOC/*.docx/*.DOCX/*.xlsx/*.XLSX/*.xls/*.XLS/*.ppt/*.PPT/*.pst/*.PST/*.mdb/*.MDB/*.ldb/*.LDB/*.vsd/*.VSD/*.dwg/*.DWG/*.cdr/*.CDR/
strict locking = No

[homes]
comment = Home Directories
read only = No
create mask = 0640
directory mask = 0751
force directory mode = 0751
directory security mask = 0750
inherit permissions = Yes
inherit owner = Yes
browseable = No
level2 oplocks = No
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:mode = special

[ens]
comment = ENS Groups
path = /XKA2/admin/ENS
valid users = +admin
force group = admin
read only = No
create mask = 0770
directory mask = 02770
inherit permissions = Yes
inherit acls = Yes
map archive = No
map readonly = permissions
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:mode = special

The issue is in the ENS share. I also have the ZFS file system aclmode and aclinherit set to passthrough, see output of zfs get all:

kame % zfs get all fsdata/admin/ENS
NAME              PROPERTY         VALUE                  SOURCE
fsdata/admin/ENS  type             filesystem             -
fsdata/admin/ENS  creation         Mon Mar 15 14:47 2010  -
fsdata/admin/ENS  used             73.6G                  -
fsdata/admin/ENS  available        9.35T                  -
fsdata/admin/ENS  referenced       73.6G                  -
fsdata/admin/ENS  compressratio    1.15x                  -
fsdata/admin/ENS  mounted          yes                    -
fsdata/admin/ENS  quota            none                   default
fsdata/admin/ENS  reservation      none                   default
fsdata/admin/ENS  recordsize       64K                    inherited from fsdata/admin
fsdata/admin/ENS  mountpoint       /XKA2/admin/ENS        inherited from fsdata
fsdata/admin/ENS  sharenfs         rw,anon=0              inherited from fsdata/admin
fsdata/admin/ENS  checksum         on                     default
fsdata/admin/ENS  compression      on                     inherited from fsdata
fsdata/admin/ENS  atime            off                    inherited from fsdata
fsdata/admin/ENS  devices          on                     default
fsdata/admin/ENS  exec             on                     default
fsdata/admin/ENS  setuid           on                     default
fsdata/admin/ENS  readonly         off                    default
fsdata/admin/ENS  zoned            off                    default
fsdata/admin/ENS  snapdir          hidden                 default
fsdata/admin/ENS  aclmode          passthrough            inherited from fsdata/admin
fsdata/admin/ENS  aclinherit       passthrough            inherited from fsdata/admin
fsdata/admin/ENS  canmount         on                     default
fsdata/admin/ENS  shareiscsi       off                    default
fsdata/admin/ENS  xattr            on                     default
fsdata/admin/ENS  copies           1                      default
fsdata/admin/ENS  version          4                      -
fsdata/admin/ENS  utf8only         off                    -
fsdata/admin/ENS  normalization    none                   -
fsdata/admin/ENS  casesensitivity  sensitive              -
fsdata/admin/ENS  vscan            off                    default
fsdata/admin/ENS  nbmand           off                    default
fsdata/admin/ENS  sharesmb         off                    default
fsdata/admi