Re: [Samba] File permissions getting destroyed with M$ software on ZFS

2010-10-05 Thread RegioGis

Hi,

Thanks for your input.
By the way, I use security = ADS.
I tried hundreds of combinations of configurations and options, but it just
won't work.
It works rather OK if you limit it to the Unix permissions (plain user and
group permissions), but as soon as you try to put an ACE referring to an
AD group, it totally loses track.


example 1:

root# ls -l /pool2/gisdata
drwxrwx---+  4 ackerra      gis  4 Oct  5 10:58 d1
drwxrwx---   3 ackerra      gis  3 Oct  5 12:01 d2
drwxrwxr-x   2 regio-gis10  gis  2 Oct  5 11:55 d3

root # ls -lvd /pool2/gisdata/d1
drwxrwx---+  4 ackerra  gis  4 Oct  5 10:58 d1
 0:group:regio-users:list_directory/read_data/read_xattr/execute
 /read_attributes/read_acl:allow
 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
 /append_data/write_xattr/execute/write_attributes/write_acl
 /write_owner/synchronize:file_inherit/dir_inherit:allow
 2:group@:list_directory/read_data/add_file/write_data/add_subdirectory
 /append_data/execute/synchronize:file_inherit/dir_inherit:allow
 3:group:regio-users:list_directory/read_data/read_xattr/execute
 /read_attributes/read_acl/synchronize:file_inherit/dir_inherit
 :allow

I mount the share (/pool2/gisdata) on an XP workstation as AD user
'regio-gis10', member of AD group 'regio-users', having no Unix account.
In Windows Explorer, I can see d2 and d3, but not d1.

example 2:

root # ls -lvd /pool2/gisdata/d2
drwxrwx---   3 ackerra  gis  3 Oct  5 12:01 d2
 0:owner@::deny
 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
 /append_data/write_xattr/execute/write_attributes/write_acl
 /write_owner:allow
 2:group@::deny
 3:group@:list_directory/read_data/add_file/write_data/add_subdirectory
 /append_data/execute:allow
 4:everyone@:list_directory/read_data/add_file/write_data
 /add_subdirectory/append_data/write_xattr/execute/write_attributes
 /write_acl/write_owner:deny
 5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow

One would think that an arbitrary AD user (regio-gis10 in this case) does
not have access to the directory d2, no?
Well, that is not the case ... via Samba I could create a directory dx in d2
as the AD user 'regio-gis10'.

root # ls -l /pool2/gisdata/d2
total 3
drwxrwx---   2 regio-gis10  gis  2 Oct  5 12:01 dx

So sometimes I get extra permissions, sometimes I get too few permissions,
but it is never right ...

wbinfo, net ads and getent commands all work perfectly, and give the
accurate info though.

smb.conf :
[gisdata]
path = /pool2/gisdata
#admin users = ackerra
force group = gis
read only = no
create mask = 0660
directory mask = 0770
force unknown acl user = yes
acl check permissions = no
inherit permissions = yes
inherit acls = yes
#map acl inherit = yes
store dos attributes = yes
ea support = yes
map read only = no
map archive = no
map hidden = no
map system = no
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:mode = special
zfsacl: aceorder = dontcare

samba version is solaris bundled version 3.0.35

rgrds,



-- 
View this message in context: 
http://samba.2283325.n4.nabble.com/File-permissions-getting-destroyed-with-M-software-on-ZFS-tp2915766p2955872.html
Sent from the Samba - General mailing list archive at Nabble.com.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] File permissions getting destroyed with M$ software on ZFS

2010-10-04 Thread RegioGis

Please ignore previous message. I messed up some testing results 
I'm trying to clear out things straight first.


View this message in context:
http://samba.2283325.n4.nabble.com/File-permissions-getting-destroyed-with-M-software-on-ZFS-tp2915766p2954213.html


Re: [Samba] File permissions getting destroyed with M$ software on ZFS

2010-10-04 Thread RegioGis

Hi,

I see you use Samba with ZFS. But how on earth do you prevent the 'deny'
ACEs from being the first in the ACL, and thus denying all access to the
resource?

I'm able to add permissions via the MS UI (I added an AD group
'regio-users').
When I then create a file or folder via Samba, I get this on the Solaris box:

root # ll -V db1.mdb
-rw-rw+  1 ackerra  gis98304 Oct  4 11:49 db1.mdb
group:regio-users:--x---:--:deny
group:regio-users:r-x---a-Rs:--:allow
owner@:--x---:--:deny
owner@:rw-p---A-W-Co-:--:allow
group@:--x---:--:deny
group@:rw-p--:--:allow
 everyone@:rwxp---A-W-Co-:--:deny
 everyone@:--a-R-c--s:--:allow

Thus denying all access to 'regio-users'.
How do you solve this? (I defined the share exactly as you specified.)

Rgrds,

View this message in context:
http://samba.2283325.n4.nabble.com/File-permissions-getting-destroyed-with-M-software-on-ZFS-tp2915766p2954071.html
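The two questions raised in this thread so far, why the on-disk ACL of d2 does not stop an AD user from creating dx in it, and why a deny ACE placed before an allow ACE locks the group out, both come down to how NFSv4-style ACLs are evaluated: ACEs are walked in order, and each requested permission is settled by the first matching ACE that names it, with anything left unsettled denied. The following is an added example (my code, not anything posted in the thread) that applies that rule to the d2 ACL quoted in the first message. It shows that the ACL denies add_file to a plain member of regio-users, but allows it as soon as the user carries the directory's owning group gis, which is what `force group = gis` in that smb.conf does, so the dx creation is consistent with Samba's forced group rather than with the ACL being ignored. The `DENY_FIRST` listing, the `Principal` values and all helper names are constructed for the example.

```python
"""NFSv4/ZFS ACL evaluation applied to the `ls -v` listings in this thread.

Added example, not code from the thread. It assumes the NFSv4 rule that ACEs are
checked in order and each requested permission is settled by the first matching
ACE that names it; a permission no ACE settles is denied.
"""
from collections import namedtuple

Ace = namedtuple("Ace", "who perms flags kind")          # kind is "allow" or "deny"
Principal = namedtuple("Principal", "name groups is_owner in_owning_group",
                       defaults=(False, False))


def parse_ls_v(text):
    """Parse ACE lines as printed by Solaris `ls -v`; wrapped fragments
    (lines starting with "/" or ":") are glued back onto the entry before them."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line[:1].isdigit():
            entries.append(line)
        elif line[:1] in ("/", ":") and entries:
            entries[-1] += line
    aces = []
    for entry in entries:
        f = entry.split(":")                      # index, who..., perms, [flags], kind
        if f[1] in ("owner@", "group@", "everyone@"):
            who, rest = f[1], f[2:]
        else:                                     # "user:NAME" or "group:NAME"
            who, rest = f[1] + ":" + f[2], f[3:]
        perms = frozenset(p for p in rest[0].split("/") if p)
        flags = frozenset(x for x in rest[1].split("/") if x) if len(rest) == 3 else frozenset()
        aces.append(Ace(who, perms, flags, rest[-1]))
    return aces


def ace_applies(ace, p):
    """Does this ACE's 'who' field cover principal p?"""
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return p.is_owner
    if ace.who == "group@":
        return p.in_owning_group
    kind, _, name = ace.who.partition(":")
    return name == p.name if kind == "user" else name in p.groups


def evaluate(aces, p, requested):
    """Map each requested perm to (decision, index of the ACE that settled it, or None)."""
    decided = {}
    for i, ace in enumerate(aces):
        if ace_applies(ace, p):
            for perm in requested:
                if perm not in decided and perm in ace.perms:
                    decided[perm] = (ace.kind, i)
    return {perm: decided.get(perm, ("deny", None)) for perm in requested}


def access_allowed(aces, p, requested):
    return all(d == "allow" for d, _ in evaluate(aces, p, requested).values())


# ACL of /pool2/gisdata/d2 exactly as listed in the first message of this thread.
D2_ACL = """\
 0:owner@::deny
 1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
 /append_data/write_xattr/execute/write_attributes/write_acl
 /write_owner:allow
 2:group@::deny
 3:group@:list_directory/read_data/add_file/write_data/add_subdirectory
 /append_data/execute:allow
 4:everyone@:list_directory/read_data/add_file/write_data
 /add_subdirectory/append_data/write_xattr/execute/write_attributes
 /write_acl/write_owner:deny
 5:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
"""

# Constructed deny-before-allow pair in the shape Windows writes; not copied from the thread.
DENY_FIRST = """\
 0:group:regio-users:execute:deny
 1:group:regio-users:read_data/execute/read_attributes/read_acl:allow
"""

AD_USER = Principal("regio-gis10", frozenset({"regio-users"}))
# Same user after Samba's "force group = gis" makes gis (d2's owning group) the primary gid.
FORCED = AD_USER._replace(in_owning_group=True)


def d2_add_file_outcome():
    """(plain AD user, user with forced owning group) -> may add_file in d2?"""
    aces = parse_ls_v(D2_ACL)
    return access_allowed(aces, AD_USER, {"add_file"}), access_allowed(aces, FORCED, {"add_file"})


def deny_first_outcome():
    """Decisions for read_data/execute with the deny ACE first, then with the order swapped."""
    aces = parse_ls_v(DENY_FIRST)
    want = {"read_data", "execute"}
    return evaluate(aces, AD_USER, want), evaluate(aces[::-1], AD_USER, want)


if __name__ == "__main__":
    print("d2 add_file (plain, forced group):", d2_add_file_outcome())
    print("deny first vs. allow first:", deny_first_outcome())
```

Running it prints `(False, True)` for d2, and for the deny-first pair it shows execute settled by ACE 0 (deny) while read_data is settled by ACE 1 (allow); with the order reversed both bits are allowed by the same ACE. The deciding-ACE index returned by `evaluate` is the useful part when debugging a share like this: it tells you which entry, and therefore which side (Windows ACL editor, Samba's create/directory mask, or ZFS inheritance), produced the bit you are arguing with.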


Re: [Samba] File permissions getting destroyed with M$ software on ZFS

2010-10-04 Thread Gaiseric Vandal
I had a lot of problems with this as well. I found it hard to find
much documentation on the zfs module in Samba from either Samba or Sun.


(PS - A big thumbs down to Sun and the OpenSolaris crowd for apparently
abandoning Samba.)


I am running Samba 3.0.x from Sun on two servers and samba 3.4.x 
compiled from source on the third.  I eventually opened a support case 
with Sun which did help (somewhat.)



Did you check the permissions of the parent directory?  There may be an 
inheritance issue.   Usually the following worked for me:



chmod -R A- thedirectory
chmod -R A=owner@:rwxpdDaARWcCos:allow thedirectory
chmod -R A+group@:rwxpdDaARWcCos:allow thedirectory



My share definitions look like the following (the nfs4 and zfsacl
options were recommended by Sun tech support.)


vfs objects = zfsacl
inherit permissions = Yes
inherit acls = Yes
nfs4:acedup = merge
nfs4:chown = yes
nfs4: mode = special
map read only = no
ea support = yes
store dos attributes = yes
create mask = 0770
force create mode = 0600
directory mask = 0775
force directory mode = 0600
zfsacl: acesort = dontcare





PS.  Are your samba shares on top of autofs shares?   If so, you may 
also need to do the following.


# chmod A+user:nobody:aRc:allow  thedirectory

So far it seems to work OK.


On 10/04/2010 06:06 AM, RegioGis wrote:

Hi,

I see you use Samba with ZFS. But how on earth do you prevent the 'deny'
ACEs from being the first in the ACL, and thus denying all access to the
resource?

I'm able to add permissions via the MS UI (I added an AD group
'regio-users').
When I then create a file or folder via Samba, I get this on the Solaris box:

root # ll -V db1.mdb
-rw-rw+  1 ackerra  gis98304 Oct  4 11:49 db1.mdb
 group:regio-users:--x---:--:deny
 group:regio-users:r-x---a-Rs:--:allow
 owner@:--x---:--:deny
 owner@:rw-p---A-W-Co-:--:allow
 group@:--x---:--:deny
 group@:rw-p--:--:allow
  everyone@:rwxp---A-W-Co-:--:deny
  everyone@:--a-R-c--s:--:allow

Thus denying all access to 'regio-users'.
How do you solve this? (I defined the share exactly as you specified.)

Rgrds,


Re: [Samba] File permissions getting destroyed with M$ software on ZFS

2010-10-01 Thread CJ Keist

Well,
I think I got it fixed, but not sure if it is the correct way.
This is what my share ens looks like now:


[ens]
comment = ENS Groups
path = /XKA2/admin/ENS
valid users = +admin
force group = admin
read only = No
create mask = 0770
force create mode = 0770
security mask = 0770
directory mask = 02770
inherit permissions = Yes
inherit acls = Yes
nt acl support = No
map archive = No
map readonly = permissions
store dos attributes = Yes
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:mode = special


I changed nt acl support to No.


On 10/1/10 8:15 AM, CJ Keist wrote:

All,
Running Samba 3.5.4 on Solaris 10 with ZFS file system.  I have
issues where we have shared group folders.  In these folders a userA
in GroupA creates a file just fine with the correct inherited permissions
660.  Problem is when userB in GroupA reads and modifies that file
with M$ Office apps, the permissions get whacked to 060+ and the file
becomes read only by everyone.
I did google this and found exactly someone else with the same
problem with a fix! But the fix is not working for me, so looking for
some more help and insight into this problem.


The following are the two URLs I found which looked like a fix to my 
problem:


http://lists.samba.org/archive/samba/2008-November/145094.html
https://bugzilla.samba.org/show_bug.cgi?id=6050

I have implemented those settings, but I still see the problem of the 
file permissions getting whacked.


Here is my conf file:

[global]
workgroup = ENGR_DOM
server string = Samba Server
interfaces = e1000g0, lo0
bind interfaces only = Yes
security = DOMAIN
passdb backend = smbpasswd
client NTLMv2 auth = Yes
map untrusted to domain = Yes
log level = 1
log file = /var/log/samba/logs/log.%m
name resolve order = host bcast
unix extensions = No
max open files = 1
load printers = No
domain master = No
dns proxy = No
lock spin time = 3
veto oplock files = /*.doc/*.DOC/*.docx/*.DOCX/*.xlsx/*.XLSX/*.xls/*.XLS/*.ppt/*.PPT/*.pst/*.PST/*.mdb/*.MDB/*.ldb/*.LDB/*.vsd/*.VSD/*.dwg/*.DWG/*.cdr/*.CDR/
strict locking = No

[homes]
comment = Home Directories
read only = No
create mask = 0640
directory mask = 0751
force directory mode = 0751
directory security mask = 0750
inherit permissions = Yes
inherit owner = Yes
browseable = No
level2 oplocks = No
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:mode = special

[ens]
comment = ENS Groups
path = /XKA2/admin/ENS
valid users = +admin
force group = admin
read only = No
create mask = 0770
directory mask = 02770
inherit permissions = Yes
inherit acls = Yes
map archive = No
map readonly = permissions
vfs objects = zfsacl
nfs4:acedup = merge
nfs4:mode = special

The issue is in the ENS share.  I also have the ZFS file system 
aclmode and aclinherit set to passthrough, see output of zfs get all:


kame % zfs get all fsdata/admin/ENS
NAME              PROPERTY       VALUE                  SOURCE
fsdata/admin/ENS  type           filesystem             -
fsdata/admin/ENS  creation       Mon Mar 15 14:47 2010  -
fsdata/admin/ENS  used           73.6G                  -
fsdata/admin/ENS  available      9.35T                  -
fsdata/admin/ENS  referenced     73.6G                  -
fsdata/admin/ENS  compressratio  1.15x                  -
fsdata/admin/ENS  mounted        yes                    -
fsdata/admin/ENS  quota          none                   default
fsdata/admin/ENS  reservation    none                   default
fsdata/admin/ENS  recordsize     64K                    inherited from fsdata/admin
fsdata/admin/ENS  mountpoint     /XKA2/admin/ENS        inherited from fsdata
fsdata/admin/ENS  sharenfs       rw,anon=0              inherited from fsdata/admin
fsdata/admin/ENS  checksum       on                     default
fsdata/admin/ENS  compression    on                     inherited from fsdata
fsdata/admin/ENS  atime          off                    inherited from fsdata
fsdata/admin/ENS  devices        on                     default
fsdata/admin/ENS  exec           on                     default
fsdata/admin/ENS  setuid         on                     default
fsdata/admin/ENS  readonly       off                    default
fsdata/admin/ENS  zoned          off                    default
fsdata/admin/ENS  snapdir        hidden                 default
fsdata/admin/ENS  aclmode        passthrough            inherited from fsdata/admin
fsdata/admin/ENS  aclinherit     passthrough            inherited from fsdata/admin
fsdata/admin/ENS  canmount       on                     default
fsdata/admin/ENS  shareiscsi