The problem is that nfs clients that connect to my solaris 11 express server are not inheriting the acl's that are set for the share. They create files that don't have any acl assigned to them, just the normal unix file permissions. Can someone please provide some additional things to test so that I can get this sorted out.

This is the output of a normal ls -al

drwxrwxrwx+ 5 root root 11 2011-05-31 11:14 acltest

Looking at the acl's that are assigned to the share with ls -vd

drwxrwxrwx+ 5 root root 11 May 31 11:14 /smallstore/acltest
    0:user:root:list_directory/read_data/add_file/write_data
        /add_subdirectory/append_data/read_xattr/write_xattr/execute
        /delete_child/read_attributes/write_attributes/delete/read_acl
        /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
    1:everyone@:list_directory/read_data/add_file/write_data
        /add_subdirectory/append_data/read_xattr/write_xattr/execute
        /delete_child/read_attributes/write_attributes/delete/read_acl
        /synchronize:file_inherit/dir_inherit:allow

The compact version is ls -Vd

drwxrwxrwx+ 5 root root 11 May 31 11:14 /smallstore/acltest
    user:root:rwxpdDaARWcCos:fd-----:allow
    everyone@:rwxpdDaARWc--s:fd-----:allow

The parent share has the following permissions

drwxr-xr-x+ 5 root root 5 May 30 22:26 /smallstore/
    user:root:rwxpdDaARWcCos:fd-----:allow
    everyone@:r-x---a-R-c---:fd-----:allow
    owner@:rwxpdDaARWcCos:fd-----:allow

This is the acl for the files created by a ubuntu client. There is no acl inheritance occurring.

-rw-r--r-- 1 1000 1000 0 May 31 22:20 /smallstore/acltest/ubuntu_file
    owner@:rw-p--aARWcCos:-------:allow
    group@:r-----a-R-c--s:-------:allow
    everyone@:r-----a-R-c--s:-------:allow

This is the acl for files created by a user from a windows client. There is full acl inheritance.

-rwxrwxrwx+ 1 ljw staff 0 May 31 22:22 /smallstore/acltest/windows_file
    user:root:rwxpdDaARWcCos:------I:allow
    everyone@:rwxpdDaARWc--s:------I:allow

The acl inheritance is on at both the share and directory levels so it should be passing them to files that are created.

smallstore          aclinherit  restricted   default
smallstore/acltest  aclinherit  passthrough  local

Again any help would be most appreciated.
--
This message posted from opensolaris.org

On 6/1/11 12:51 AM, lance wilson wrote:
> The problem is that nfs clients that connect to my solaris 11 express server are not inheriting the acl's that are set for the share. They create files that don't have any acl assigned to them, just the normal unix file permissions. Can someone please provide some additional things to test so that I can get this sorted out.
>
> This is the output of a normal ls -al
>
> drwxrwxrwx+ 5 root root 11 2011-05-31 11:14 acltest
>
> The compact version is ls -Vd
>
> drwxrwxrwx+ 5 root root 11 May 31 11:14 /smallstore/acltest
>     user:root:rwxpdDaARWcCos:fd-----:allow
>     everyone@:rwxpdDaARWc--s:fd-----:allow
>
> The parent share has the following permissions
> drwxr-xr-x+ 5 root root 5 May 30 22:26 /smallstore/
>     user:root:rwxpdDaARWcCos:fd-----:allow
>     everyone@:r-x---a-R-c---:fd-----:allow
>     owner@:rwxpdDaARWcCos:fd-----:allow
>
> This is the acl for the files created by a ubuntu client. There is no acl inheritance occurring.
>
> -rw-r--r-- 1 1000 1000 0 May 31 22:20 /smallstore/acltest/ubuntu_file
>     owner@:rw-p--aARWcCos:-------:allow
>     group@:r-----a-R-c--s:-------:allow
>     everyone@:r-----a-R-c--s:-------:allow

Looks like the linux client did a chmod(2) after creating the file.

what happens when you create a file locally in that directory on the solaris system?

>
> This is the acl for files created by a user from a windows client. There is full acl inheritance.
> -rwxrwxrwx+ 1 ljw staff 0 May 31 22:22 /smallstore/acltest/windows_file
>     user:root:rwxpdDaARWcCos:------I:allow
>     everyone@:rwxpdDaARWc--s:------I:allow
>
> The acl inheritance is on at both the share and directory levels so it should be passing them to files that are created.
>
> smallstore          aclinherit  restricted   default
> smallstore/acltest  aclinherit  passthrough  local
>
> Again any help would be most appreciated.

At your suggestion I created a file locally and these were correct, in that they inherited the acl that was applied to the top level.

-rwxrwxrwx+ 1 testuid testgid 0 Jun 1 21:04 localtest
    user:root:rwxpdDaARWcCos:------I:allow
    everyone@:rwxpdDaARWc--s:------I:allow

So it would appear that the nfs server or client is not getting the acl's.
Forgot to add that this is on a zfs folder that is being shared by cifs and nfs.

On 06/ 2/11 09:18 AM, lance wilson wrote:
> At your suggestion I created a file locally and these were correct, in that they inherited the acl that was applied to the top level.
>
> -rwxrwxrwx+ 1 testuid testgid 0 Jun 1 21:04 localtest
>     user:root:rwxpdDaARWcCos:------I:allow
>     everyone@:rwxpdDaARWc--s:------I:allow
>
> So it would appear that the nfs server or client is not getting the acl's.
> Forgot to add that this is on a zfs folder that is being shared by cifs and nfs.

What happens when a Solaris client creates a file?

--
Ian.

On Wed, Jun 01, 2011 at 07:42:24AM -0600, Mark Shellenbaum wrote:
>
> Looks like the linux client did a chmod(2) after creating the file.

I bet this is it, and this seems to have been ignored in the later thread.

> what happens when you create a file locally in that directory on the
> solaris system?

No, what happens when you touch(1) the file from the client in question without the rest of the application behaviour that follows, and then what happens when you chmod(1) it?

Can you observe the client application behaviour, via truss or equivalent?

--
Dan.

2011/6/1 lance wilson <lance.wilson at gmail.com>:
> The problem is that nfs clients that connect to my solaris 11 express server are not inheriting the acl's that are set for the share. They create files that don't have any acl assigned to them, just the normal unix file permissions. Can someone please provide some additional things to test so that I can get this sorted out.

Expected behaviour.
<http://mail.opensolaris.org/pipermail/zfs-discuss/2010-September/045120.html>

-f

Someone knows how to solve this problem? I have this bug too.

Hi,

Set the zfs properties aclmode *and* aclinherit properties to passthrough for the dataset you're writing to.

This works for me having both Windows clients using cifs, and Linux clients using nfs.

Regards,
Siggi

On 06/01/2011 08:51 AM, lance wilson wrote:
> The problem is that nfs clients that connect to my solaris 11 express server are not inheriting the acl's that are set for the share. They create files that don't have any acl assigned to them, just the normal unix file permissions. Can someone please provide some additional things to test so that I can get this sorted out.
>
> This is the output of a normal ls -al
>
> drwxrwxrwx+ 5 root root 11 2011-05-31 11:14 acltest
>
> Looking at the acl's that are assigned to the share with ls -vd
>
> drwxrwxrwx+ 5 root root 11 May 31 11:14 /smallstore/acltest
>     0:user:root:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/write_xattr/execute
>         /delete_child/read_attributes/write_attributes/delete/read_acl
>         /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
>     1:everyone@:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/write_xattr/execute
>         /delete_child/read_attributes/write_attributes/delete/read_acl
>         /synchronize:file_inherit/dir_inherit:allow
>
> The compact version is ls -Vd
>
> drwxrwxrwx+ 5 root root 11 May 31 11:14 /smallstore/acltest
>     user:root:rwxpdDaARWcCos:fd-----:allow
>     everyone@:rwxpdDaARWc--s:fd-----:allow
>
> The parent share has the following permissions
> drwxr-xr-x+ 5 root root 5 May 30 22:26 /smallstore/
>     user:root:rwxpdDaARWcCos:fd-----:allow
>     everyone@:r-x---a-R-c---:fd-----:allow
>     owner@:rwxpdDaARWcCos:fd-----:allow
>
> This is the acl for the files created by a ubuntu client. There is no acl inheritance occurring.
>
> -rw-r--r-- 1 1000 1000 0 May 31 22:20 /smallstore/acltest/ubuntu_file
>     owner@:rw-p--aARWcCos:-------:allow
>     group@:r-----a-R-c--s:-------:allow
>     everyone@:r-----a-R-c--s:-------:allow
>
> This is the acl for files created by a user from a windows client. There is full acl inheritance.
> -rwxrwxrwx+ 1 ljw staff 0 May 31 22:22 /smallstore/acltest/windows_file
>     user:root:rwxpdDaARWcCos:------I:allow
>     everyone@:rwxpdDaARWc--s:------I:allow
>
> The acl inheritance is on at both the share and directory levels so it should be passing them to files that are created.
>
> smallstore          aclinherit  restricted   default
> smallstore/acltest  aclinherit  passthrough  local
>
> Again any help would be most appreciated.

Hi!
But in 28 version of zfs there is no aclmode option at all (I use oi_148).
Also tried set this options to passthrough in oi_151 which has aclmode, but this not working for me.
From Windows (cifs) - no problem, all acl's inherited correctly.
But from Linux (nfs) - acl user names inherited correctly, but permissions not inherited as I wish.
Maybe I need to set another properties, or permissions?
Like that:
$ /bin/ls -lV /rpool/test
total 6
drwxrwsrwx+ 2 2147483650 staff 3 Jul 17 17:33 cifs_folder
    user:2147483650:rwxpdDaARWcCos:fd----I:allow
    group@:rwxpdDaARWcCos:fd----I:allow
    owner@:rwxpdDaARWcCos:fd----I:allow
    everyone@:rwxpdDaARWcCos:fd----I:allow
drwxrwxr-x+ 2 500 staff 3 Jul 17 17:36 nfs_folder
    user:2147483650:rwxpdDaARWcCos:fd----I:allow
    owner@:rwxp--aARWcCos:-------:allow
    group@:rwxp--a-R-c--s:-------:allow
    everyone@:r-x---a-R-c--s:-------:allow

Thanks!

> Hi,
>
> Set the zfs properties aclmode *and* aclinherit
> properties to
> passthrough for the dataset you're writing to.
>
> This works for me having both Windows clients using
> cifs, and Linux
> clients using nfs.
>
>
>
> Regards,
> Siggi
>

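A way to check the listings posted in this thread mechanically, as an added example that is not from any poster or from the ZFS project: it parses compact `ls -V` output and reports, per entry, whether the ACEs carry the inherited (`I`) flag and whether a file's ACL equals what the parent's `file_inherit` entries would give it. The function names are hypothetical, the sample is constructed from the listings quoted above, and the expected ACL assumes inheritable entries arrive unchanged with flags `------I`, as in the windows_file listing.

```python
import re

# Constructed sample (listings quoted in this thread); first entry is the parent directory.
LISTING = """\
drwxrwxrwx+ 5 root root 11 May 31 11:14 /smallstore/acltest
    user:root:rwxpdDaARWcCos:fd-----:allow
    everyone@:rwxpdDaARWc--s:fd-----:allow
-rw-r--r-- 1 1000 1000 0 May 31 22:20 /smallstore/acltest/ubuntu_file
    owner@:rw-p--aARWcCos:-------:allow
    group@:r-----a-R-c--s:-------:allow
    everyone@:r-----a-R-c--s:-------:allow
-rwxrwxrwx+ 1 ljw staff 0 May 31 22:22 /smallstore/acltest/windows_file
    user:root:rwxpdDaARWcCos:------I:allow
    everyone@:rwxpdDaARWc--s:------I:allow
drwxrwxr-x+ 2 500 staff 3 Jul 17 17:36 nfs_folder
    user:2147483650:rwxpdDaARWcCos:fd----I:allow
    owner@:rwxp--aARWcCos:-------:allow
    group@:rwxp--a-R-c--s:-------:allow
    everyone@:r-x---a-R-c--s:-------:allow
"""
ACE = re.compile(r"^\s*(.+):([a-zA-Z-]{14}):([a-zA-Z-]{7}):(allow|deny)\s*$")

def parse_listing(text):
    """Map each path in compact `ls -V` output to its list of (who, perms, flags, type)."""
    acls, path = {}, None
    for line in text.splitlines():
        m = ACE.match(line)
        if m and path is not None:
            acls[path].append(m.groups())
        elif line.strip() and not line.startswith("total "):
            path = line.split()[-1]          # header line: last field is the name
            acls[path] = []
    return acls

def inheritance_state(aces):
    """'inherited' if every ACE has the I flag, 'none' if no ACE has it, else 'mixed'."""
    marked = [flags[6] == "I" for _, _, flags, _ in aces]
    return "inherited" if marked and all(marked) else "mixed" if any(marked) else "none"

def expected_file_acl(parent_aces):
    """Assumption: file_inherit (f) ACEs reach a new file unchanged, flagged ------I."""
    return [(w, p, "------I", t) for w, p, flags, t in parent_aces if flags[0] == "f"]

def audit(listing):
    """First entry is the parent; return {child: (state, acl_equals_expected)}."""
    (_, parent), *children = parse_listing(listing).items()
    want = expected_file_acl(parent)
    return {path: (inheritance_state(aces), aces == want) for path, aces in children}
```

`audit(LISTING)` flags ubuntu_file as `none` and nfs_folder as `mixed`, while windows_file is `inherited` and matches the parent's inheritable entries. The comparison against the parent is only meaningful for files created directly under that parent.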
Hi,

Ok, I've done this with success on NexentaStor 3.0.5, using zpool version 26. I know the aclmode was removed at some point after this, but then put back in later. (Search the list for details.)

I've got the acl's below set on the top level directory. I put my users requiring access in the group_with_write_access. I found that the nfs anonymous account requires the "read attributes" access for Linux clients to be able to mount the folder. This folder is also shared with kerberos (sec=krb5).

A:fdg:group_with_write_access at my.nfs4.id:rwadxtTnNcy
A::nfsanonymous at my.nfs4.id:ty
A:fd:root at my.nfs4.id:rwaDdxtTnNcCoy
A:fdni:root at my.nfs4.id:rwaDdxTNCoy

Rgds,
Siggi

On 07/17/2011 03:37 PM, anikin anton wrote:
> Hi!
> But in 28 version of zfs there is no aclmode option at all (i use oi_148).
> Also tried set this options to passthrough in oi_151 which has aclmode, but this not working for me.
> From Windows (cifs) - no problem, all acl's inherited correctly.
> But from Linux (nfs) - acl user names inherited correctly, but permissions not inherited as i wish.
> Maybe i need to set another properties, or permissions?
> Like that:
> $ /bin/ls -lV /rpool/test
> total 6
> drwxrwsrwx+ 2 2147483650 staff 3 Jul 17 17:33 cifs_folder
>     user:2147483650:rwxpdDaARWcCos:fd----I:allow
>     group@:rwxpdDaARWcCos:fd----I:allow
>     owner@:rwxpdDaARWcCos:fd----I:allow
>     everyone@:rwxpdDaARWcCos:fd----I:allow
> drwxrwxr-x+ 2 500 staff 3 Jul 17 17:36 nfs_folder
>     user:2147483650:rwxpdDaARWcCos:fd----I:allow
>     owner@:rwxp--aARWcCos:-------:allow
>     group@:rwxp--a-R-c--s:-------:allow
>     everyone@:r-x---a-R-c--s:-------:allow
>
> Thanks!
>
>
>> Hi,
>>
>> Set the zfs properties aclmode *and* aclinherit
>> properties to
>> passthrough for the dataset you're writing to.
>>
>> This works for me having both Windows clients using
>> cifs, and Linux
>> clients using nfs.
>>
>>
>>
>> Regards,
>> Siggi
>>