Re: [Samba] acl_xattr access denied when adding permissions for another user

2011-04-06 Thread Jeremy Allison
On Wed, Apr 06, 2011 at 08:50:57PM +0200, Thomas Nau wrote:
> On 04/06/2011 07:28 PM, Jeremy Allison wrote:
> > On Wed, Apr 06, 2011 at 10:21:41AM +0200, Thomas Nau wrote:
> >>
> >> We had issues in the past as ZFS and Windows have a different understanding
> >> about how to sort ACLs. In combination with shared access to Excel documents
> >> this led to people locking themselves out. I just thought having an
> >> independent ACL store would solve that problem for me :)
> > 
> > ZFS shouldn't sort ACLs at all. I don't think any of the kernel
> > code modifies the ACL order, that would change the meaning.
> 
> Right, ZFS does not sort the ACLs but as far as I know Windows
> and ZFS interpret them differently with respect to ordering.

No ! They interpret them exactly the same, that was the
reason NFSv4 added them and standardized them as being
essentially identical to Windows ACLs.

See here:

http://blogs.sun.com/lisaweek/entry/nfsv4_and_zfs_acls

for details. Unlike POSIX processing, and like Windows
processing, the entire list is walked to determine access,
not the most specific match.

> >> Are you using vfs_zfsacl and did you ever run into the problems I mentioned?
> > 
> > I'm not personally, but the Nexenta people are and they haven't
> > reported bugs.
> 
> Good enough for me :)

:-).

Jeremy.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
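
The evaluation rule described in the message above, as an added example that is not part of the original thread and is not Samba or ZFS code: a simplified Python model of the ordered NFSv4/Windows walk next to the POSIX most-specific-match rule. The function names, the two-bit permission mask and the sample ACLs are constructed for illustration.

```python
# Simplified models of the two evaluation rules (illustration only).
READ, WRITE = 0x1, 0x2

def nfs4_check(acl, user, groups, wanted):
    """Ordered walk used for NFSv4/ZFS and Windows ACLs.

    acl is a list of (type, who, mask), type being 'allow' or 'deny'.
    Entries are visited in stored order; a deny that hits a bit not yet
    allowed ends the walk, so reordering the list changes the result.
    """
    remaining = wanted
    for ace_type, who, mask in acl:
        if who != "everyone@" and who != user and who not in groups:
            continue                      # ACE does not apply to this requester
        if ace_type == "deny" and mask & remaining:
            return False                  # a still-undecided bit is denied
        if ace_type == "allow":
            remaining &= ~mask            # these bits are now granted
        if remaining == 0:
            return True
    return False                          # some bits were never granted

def posix_check(acl, user, groups, wanted):
    """POSIX draft ACL rule: only the most specific matching class counts.

    acl is {'users': {name: mask}, 'groups': {name: mask}, 'mask': m, 'other': m}.
    The owner entry is left out to keep the model short (assumption).
    """
    if user in acl["users"]:              # a named-user entry wins outright
        return (acl["users"][user] & acl["mask"] & wanted) == wanted
    matched = [m for g, m in acl["groups"].items() if g in groups]
    if matched:                           # any one matching group may grant
        return any((m & acl["mask"] & wanted) == wanted for m in matched)
    return (acl["other"] & wanted) == wanted

# Constructed sample data: user "alice" is a member of group "staff".
DENY_FIRST = [("deny", "alice", WRITE), ("allow", "staff", READ | WRITE)]
ALLOW_FIRST = [("allow", "staff", READ | WRITE), ("deny", "alice", WRITE)]
POSIX_ACL = {"users": {"alice": READ}, "groups": {"staff": READ | WRITE},
             "mask": READ | WRITE, "other": 0}

if __name__ == "__main__":
    for name, acl in (("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(name, "->", nfs4_check(acl, "alice", {"staff"}, WRITE))
    print("posix ->", posix_check(POSIX_ACL, "alice", {"staff"}, WRITE))
```

The same two entries give opposite answers depending on their order in the ordered walk, which is why a tool that rewrites the stored order changes who gets access.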


Re: [Samba] acl_xattr access denied when adding permissions for another user

2011-04-06 Thread Thomas Nau
On 04/06/2011 07:28 PM, Jeremy Allison wrote:
> On Wed, Apr 06, 2011 at 10:21:41AM +0200, Thomas Nau wrote:
>>
>> We had issues in the past as ZFS and Windows have a different understanding
>> about how to sort ACLs. In combination with shared access to Excel documents
>> this led to people locking themselves out. I just thought having an
>> independent ACL store would solve that problem for me :)
> 
> ZFS shouldn't sort ACLs at all. I don't think any of the kernel
> code modifies the ACL order, that would change the meaning.

Right, ZFS does not sort the ACLs but as far as I know Windows
and ZFS interpret them differently with respect to ordering.

> 
>> Are you using vfs_zfsacl and did you ever run into the problems I mentioned?
> 
> I'm not personally, but the Nexenta people are and they haven't
> reported bugs.

Good enough for me :)

Thomas



Re: [Samba] acl_xattr access denied when adding permissions for another user

2011-04-06 Thread Jeremy Allison
On Wed, Apr 06, 2011 at 10:21:41AM +0200, Thomas Nau wrote:
> 
> We had issues in the past as ZFS and Windows have a different understanding
> about how to sort ACLs. In combination with shared access to Excel documents
> this led to people locking themselves out. I just thought having an
> independent ACL store would solve that problem for me :)

ZFS shouldn't sort ACLs at all. I don't think any of the kernel
code modifies the ACL order, that would change the meaning.

> Are you using vfs_zfsacl and did you ever run into the problems I mentioned?

I'm not personally, but the Nexenta people are and they haven't
reported bugs.

Jeremy.


Re: [Samba] acl_xattr access denied when adding permissions for another user

2011-04-06 Thread Thomas Nau
Hi Jeremy


On 04/06/2011 01:09 AM, Jeremy Allison wrote:
> On Tue, Apr 05, 2011 at 12:40:12PM +0200, Thomas Nau wrote:
>> Dear all
>> We run Samba 3.5.8 on a Solaris 11 box on top of ZFS. We got the
>> impression that the VFS module acl_xattr provides the best way
>> of keeping Windows ACLs. We don't have concurrent NFS or local users
>> so it's Windows only.
>>
>> The clients as well as the Samba server are members of an AD domain.
>> Creating files/directories works as expected and also manipulating
>> permissions for the initial user/group does not raise any problem.
>> Trying to add permissions for an additional user (looked up in AD)
>> fails with the Windows XP client side "permission denied" pop-up box.
> 
> If you're using ZFS (which has native NFSv4 ACLs) why not use
> the vfs_zfsacl module ?



We had issues in the past as ZFS and Windows have a different understanding
about how to sort ACLs. In combination with shared access to Excel documents
this led to people locking themselves out. I just thought having an independent
ACL store would solve that problem for me :)

Are you using vfs_zfsacl and did you ever run into the problems I mentioned?

Thomas




Re: [Samba] acl_xattr access denied when adding permissions for another user

2011-04-05 Thread Jeremy Allison
On Tue, Apr 05, 2011 at 12:40:12PM +0200, Thomas Nau wrote:
> Dear all
> We run Samba 3.5.8 on a Solaris 11 box on top of ZFS. We got the
> impression that the VFS module acl_xattr provides the best way
> of keeping Windows ACLs. We don't have concurrent NFS or local users
> so it's Windows only.
> 
> The clients as well as the Samba server are members of an AD domain.
> Creating files/directories works as expected and also manipulating
> permissions for the initial user/group does not raise any problem.
> Trying to add permissions for an additional user (looked up in AD)
> fails with the Windows XP client side "permission denied" pop-up box.

If you're using ZFS (which has native NFSv4 ACLs) why not use
the vfs_zfsacl module ?

Jeremy.


Re: [Samba] acl_xattr access denied when adding permissions for another user

2011-04-05 Thread Thomas Nau
A quick addition:

>> Does "acl_xattr : ignore system acls"  help?
> 
> acl_xattr: ignore system acls = yes
> 
> 
> I added
> 
>   acl_xattr: ignore system acls = yes
> 
> but it makes things worse as I cannot even grant myself (the authenticated
> user) full access anymore even though I already have the full rights inherited


Seems that behavior was an artifact. I cleaned out the directories and started
from scratch. Now I'm back to the original problem. I can manipulate
my own rights but not add another user. Setting "acl_xattr : ignore system acls"
doesn't change things

Sorry for the confusion
Thomas



Re: [Samba] acl_xattr access denied when adding permissions for another user

2011-04-05 Thread Thomas Nau
On 04/05/2011 01:02 PM, Volker Lendecke wrote:
> On Tue, Apr 05, 2011 at 12:40:12PM +0200, Thomas Nau wrote:
>> We run Samba 3.5.8 on a Solaris 11 box on top of ZFS. We got the
>> impression that the VFS module acl_xattr provides the best way
>> of keeping Windows ACLs. We don't have concurrent NFS or local users
>> so it's Windows only.
> 
> ZFS does NFSv4 ACLs which are quite close, albeit not
> perfect. There's a zfs_acl module for Solaris, you might
> also give that a try.

We have been using that with another server for quite a while by now.
It usually does a great job but in rare cases, reason unknown,
either the module or the OS is messing up ACLs. I have to
confess this is one of the really old Sun Samba (3.0.3?) versions
and I haven't tried the latest.
The only hint I got is that the problem occurs mostly with
moving folders or accesses by Microsoft Office tools.

>> The clients as well as the Samba server are members of an AD domain.
>> Creating files/directories works as expected and also manipulating
>> permissions for the initial user/group does not raise any problem.
>> Trying to add permissions for an additional user (looked up in AD)
>> fails with the Windows XP client side "permission denied" pop-up box.
> 
> Does "acl_xattr : ignore system acls"  help?

acl_xattr: ignore system acls = yes


I added

acl_xattr: ignore system acls = yes

but it makes things worse as I cannot even grant myself (the authenticated
user) full access anymore even though I already have the full rights inherited

Is there any additional data I can provide?

Thomas




Re: [Samba] acl_xattr access denied when adding permissions for another user

2011-04-05 Thread Volker Lendecke
On Tue, Apr 05, 2011 at 12:40:12PM +0200, Thomas Nau wrote:
> We run Samba 3.5.8 on a Solaris 11 box on top of ZFS. We got the
> impression that the VFS module acl_xattr provides the best way
> of keeping Windows ACLs. We don't have concurrent NFS or local users
> so it's Windows only.

ZFS does NFSv4 ACLs which are quite close, albeit not
perfect. There's a zfs_acl module for Solaris, you might
also give that a try.

> The clients as well as the Samba server are members of an AD domain.
> Creating files/directories works as expected and also manipulating
> permissions for the initial user/group does not raise any problem.
> Trying to add permissions for an additional user (looked up in AD)
> fails with the Windows XP client side "permission denied" pop-up box.

Does "acl_xattr : ignore system acls"  help?

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-37-0, fax: +49-551-37-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen


[Samba] acl_xattr access denied when adding permissions for another user

2011-04-05 Thread Thomas Nau
Dear all
We run Samba 3.5.8 on a Solaris 11 box on top of ZFS. We got the
impression that the VFS module acl_xattr provides the best way
of keeping Windows ACLs. We don't have concurrent NFS or local users
so it's Windows only.

The clients as well as the Samba server are members of an AD domain.
Creating files/directories works as expected and also manipulating
permissions for the initial user/group does not raise any problem.
Trying to add permissions for an additional user (looked up in AD)
fails with the Windows XP client side "permission denied" pop-up box.


the share's config:

[EA]
# public fileserver share
path                = /smb/X
comment             = xattr ACL Test
public              = no
writable            = yes
browseable          = yes
vfs objects         = acl_xattr
inherit permissions = yes
inherit acls        = yes


On the server side the relevant parts of the logfile are


[2011/04/05 12:18:16.331704,  2] lib/access.c:406(check_access)
  Allowed connection from  (x.x.x.x)
[2011/04/05 12:18:16.335694,  3] smbd/vfs.c:97(vfs_init_default)
  Initialising default vfs hooks
[2011/04/05 12:18:16.335737,  5] smbd/vfs.c:87(smb_register_vfs)
  Successfully added vfs backend '/[Default VFS]/'
[2011/04/05 12:18:16.335779,  5] smbd/vfs.c:87(smb_register_vfs)
  Successfully added vfs backend 'solarisacl'
[2011/04/05 12:18:16.335802,  3] smbd/vfs.c:122(vfs_init_custom)
  Initialising custom vfs hooks from [/[Default VFS]/]
  Successfully loaded vfs module [/[Default VFS]/] with the new modules system
[2011/04/05 12:18:16.335838,  3] smbd/vfs.c:122(vfs_init_custom)
  Initialising custom vfs hooks from [acl_xattr]
[2011/04/05 12:18:16.335862,  5] smbd/vfs.c:162(vfs_init_custom)
  vfs module [acl_xattr] not loaded - trying to load...
[2011/04/05 12:18:16.336548,  2] lib/module.c:64(do_smb_load_module)
  Module '/smb/sw/lib/vfs/acl_xattr.so' loaded
[2011/04/05 12:18:16.336591,  5] smbd/vfs.c:87(smb_register_vfs)
  Successfully added vfs backend 'acl_xattr'
  Successfully loaded vfs module [acl_xattr] with the new modules system
[2011/04/05 12:18:16.336945,  2] modules/vfs_acl_xattr.c:193(connect_acl_xattr)
  connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service EA
[2011/04/05 12:18:16.337787,  1] smbd/service.c:1070(make_connection_snum)
  x.x.x.x (x.x.x.x) connect to service EA initially as user nau (uid=1, gid=1) (pid 23491)

...

[2011/04/05 12:18:16.348517,  3] smbd/vfs.c:1038(check_reduced_name)
  check_reduced_name: D reduced to /smb/X/D
[2011/04/05 12:18:16.350387,  5] smbd/posix_acls.c:1191(unpack_nt_owners)
  unpack_nt_owners: validating owner_sids.
[2011/04/05 12:18:16.350434,  5] smbd/posix_acls.c:1238(unpack_nt_owners)
  unpack_nt_owners: owner_sids validated.
[2011/04/05 12:18:16.351005,  2] smbd/posix_acls.c:2903(set_canon_ace_list)
  set_canon_ace_list: sys_acl_set_file type file failed for file D (Operation not applicable).
[2011/04/05 12:18:16.351086,  3] smbd/posix_acls.c:3007(convert_canon_ace_to_posix_perms)
  convert_canon_ace_to_posix_perms: Too many ACE entries for file D to convert to posix perms.
[2011/04/05 12:18:16.351114,  3] smbd/posix_acls.c:4109(set_nt_acl)
  set_nt_acl: failed to convert file acl to posix permissions for file D.
[2011/04/05 12:18:20.872901,  1] smbd/service.c:1251(close_cnum)
  134.60.1.35 (134.60.1.35) closed connection to service EA


So why do I need POSIX ACLs at all?

Any hints are greatly appreciated!

Thomas