I have a zfs filesystem exported via samba. I can connect to the filesystem over CIFS from a Windows box, but I get an access denied when I try to create a file. I can create the file just fine from the Solaris prompt as the same user account. Does samba try to control permissions itself, or does it leave the file access permissions up to the underlying OS? This message posted from opensolaris.org
New tidbit of information... I have a user account USER belonging to two groups GROUP1 and GROUP2. GROUP1 is the primary group. If the ZFS folder is owned by ROOT:GROUP1, I can create the file through Samba. If the folder is owned by ROOT:GROUP2, the create fails. This same problem occurs with an ACL granting write permissions on the folder. Samba doesn''t seem to respect the ACL''s or other group permissions. This message posted from opensolaris.org
zfs-discuss-bounces at opensolaris.org wrote on 01/09/2007 10:59:08 AM:> I have a zfs filesystem exported via samba. I can connect to the > filesystem over CIFS from a Windows box, but I get an access denied > when I try to create a file. I can create the file just fine from > the Solaris prompt as the same user account. Does samba try to > control permissions itself, or does it leave the file access > permissions up to the underlying OS? >>From what I have read ACL support is going to be in Samba 3.0.24.-Wade
Root cause is in the acl(2) call. ZFS implementation team does not implemented backward compatibility of the SETACL/GETACL/GETACLCNT functions of this syscall. Only the extended functions ACE_SETACL/ACE_GETACL/ACE_GETACLCNT are implemented on ZFS. The old ones returns (errno == ENOTSUP) on ZFS (please see man page for details). Main reason for this extension is the fact the ZFS does not set ACLs as the masks of access rights but as the allow/deny-records list. Also the 4-th parameter of the acl(2) (syscall) is respects this fact. Because the bidirectional mapping between the masks and allow/deny lists is not mutually explicit only the correct way in samba is implement these new features on the level of conversion from/to the NTFS ACLs. NTFS ACLs are also the list of allow/deny records. For more details please see the IETF discussions concerning the NFSv4 (Solaris implementation of NFSv4 ACL is also simillar to ZFS ACL): http://www1.ietf.org/mail-archive/web/nfsv4/current/msg03268.html Currently the samba-3.0.25 will introduce the modular (.so) interface to plug the VFS modules handling the ACLs according the FS used. This message posted from opensolaris.org
Hi Jiri,> > Currently the samba-3.0.25 will introduce the modular > (.so) interface to plug the VFS modules handling the > ACLs according the FS used.Do you know - will the Samba/ZFS ACL be implemented in samba-3.0.26 ? Thanks, -- Leon This message posted from opensolaris.org
3.0.25rc1 was released 2 days ago so the "final version" will be available soon. vfs_zfsacl.c module was tested soon so I think it is a question of 2-3 weeks. This message posted from opensolaris.org
Just so I''m clear: You are waiting on the release of Samba 3.0.25 which allows vfs_* modules for ACLS. Then you will release vfs_zfsacl.c for Samba 3.0.25+ which would allow ACLS to work? Also I would love to beta test if needed -- I''ve been running Samba 3.0.25 from subversion just to try and get ACLS working... Jeb jebc at c4solutions.net This message posted from opensolaris.org
Have there been any new developments regarding the availability of vfs_zfsacl.c? Jeb, were you able to get a copy of Jiri''s work-in-progress? I need this ASAP (as I''m sure most everyone watching this thread does)... Thank you for your help. Roger Ripley rripley at rport.net This message posted from opensolaris.org
> Have there been any new developments regarding the > availability of vfs_zfsacl.c? Jeb, were you able to > get a copy of Jiri''s work-in-progress? I need this > ASAP (as I''m sure most everyone watching this thread > does)...me too... A.S.A.P.!!! [i]-- leon[/i] This message posted from opensolaris.org
Same here, needed ASAP. It''s a shame Jiri can''t release his work-in-progress code, I''ve asked for a prerelease (even untested) version several times. :( This message posted from opensolaris.org
Hi Jiri,> 3.0.25rc1 was released 2 days ago so the "final > version" will be available soon. vfs_zfsacl.c module > was tested soon so I think it is a question of 2-3 > weeks.3 weeks after you posted this...can I ask you to update the community about the availability of vfs_zfsacl.c module? Even the alpha version can help me a lot. Thanks in advance, Steve This message posted from opensolaris.org
I hope it will be released soon. I asked Jiri about it and didn''t get a negative reply so I am optimistic now. Steve This message posted from opensolaris.org
May be this link could help you? http://www.nabble.com/VFS-module-handling-ACL-on-ZFS-t3730348.html This message posted from opensolaris.org
> May be this link could help you? > > http://www.nabble.com/VFS-module-handling-ACL-on-ZFS-t3730348.html >Looks exactly what we need. It''s strange it wasn''t posted to zfs-discuss. SO many people were waiting for this code. Thanks, Dmitry. This message posted from opensolaris.org
Leon Koll <leon.is.here at gmail.com> wrote:> > May be this link could help you? > > > > http://www.nabble.com/VFS-module-handling-ACL-on-ZFS-t3730348.html > > > > Looks exactly what we need. It''s strange it wasn''t posted to zfs-discuss. SO many people were waiting for this code.The NFSv4 ACLs are bitwise identical to NTFS, why is there a need to convert? J?rg -- EMail:joerg at schily.isdn.cs.tu-berlin.de (home) J?rg Schilling D-13353 Berlin js at cs.tu-berlin.de (uni) schilling at fokus.fraunhofer.de (work) Blog: http://schily.blogspot.com/ URL: http://cdrecord.berlios.de/old/private/ ftp://ftp.berlios.de/pub/schily
Hello, So I downloaded this module and integrated it into my samba 3.0.25 source directory, reconfigured, and did a clean build and install. Problem is, it doesn''t appear that the zfsacl "plugin" was installed anywhere. Forgive me if this is a newbie question, but how do I get smbd to use that module? Thanks, Bill This message posted from opensolaris.org
I would also like to use this module. This bug http://bugs.opensolaris.org/view_bug.do?bug_id=6561700 leads me to believe it can be used with the current version of Samba. Do I need to rebuild Samba? If so, does anybody have pointers on doing that? I''m not having any luck trying to build 3.2.0 with ads/krb5 support. Thanks in advance! This message posted from opensolaris.org
On 8/22/07, Peter Baumgartner <sgt.hulka at gmail.com> wrote:> > I would also like to use this module. This bug > http://bugs.opensolaris.org/view_bug.do?bug_id=6561700 leads me to believe > it can be used with the current version of Samba. > > Do I need to rebuild Samba? If so, does anybody have pointers on doing > that? I''m not having any luck trying to build 3.2.0 with ads/krb5 support.Some more info: I''ve installed krb5_lib and krb5_lib_dev from blastwave and when running configure on samba 3.2.0, I get: checking whether krb5_mk_error takes 3 arguments MIT or 9 Heimdal... yes configure: WARNING: krb5_mk_req_extended not found in -lkrb5 configure: WARNING: no CREATE_KEY_FUNCTIONS detected configure: WARNING: no GET_ENCTYPES_FUNCTIONS detected configure: WARNING: no KT_FREE_FUNCTION detected configure: WARNING: no KRB5_VERIFY_CHECKSUM_FUNCTION detected configure: error: krb5 libs don''t have all features required for Active Directory support Here is my configure command: LD_LIBRARY_PATH="/opt/csw/lib:/usr/lib" LDFLAGS="-L/opt/csw/lib -R/opt/csw/lib" CPPFLAGS="-I/opt/csw/include" CFLAGS="-I/opt/csw/include -DHAS_LDAP" LIBS="-lldap" ./configure --with-ads --with-ldap --with-krb5 -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20070822/81ecfcd0/attachment.html>