Filip Sneppe
2012-Mar-06 15:02 UTC
[Samba] Samba to share NFSv4 + ACL mounted filesystems on NetApp storage
Hi,

We are running into a problem with a Samba setup and would like to
know if a current fix or workaround is at all possible.

Our setup is a NetApp filer serving NFS v4 that is mounted by
Solaris and Linux servers. On those servers we are using Samba to
create shares of those NFSv4 mounted filesystems. We are migrating
to this NFSv4 setup from an existing Solaris NFSv3+Posix ACL setup
that also had Samba shares on top of the NFSv3+ACL mounts.

In our setup, we are relying on NFSv4 ACL inheritance. Here's
an example of an ACL on a file (as created by a touch command):

root at system # ls -lVd test_sneppef.txt
-rw-r--r--+ 1 root root 0 Mar 6 13:49 test_sneppef.txt
group:TRerp:r-x---a-R-c--s:------:allow
group:TRerp:-w-p---A-W-Co-:------:deny
group:TWerp:rwxp--aARWcC-s:------:allow
group:TWerp:------------o-:------:deny
user:Terp:rwxp--aARWcC-s:------:allow
user:Terp:------------o-:------:deny
owner@:rw-p--a-R-c--s:------:allow
group@:r-----a-R-c--s:------:allow
everyone@:r-----a-R-c--s:------:allow
owner@:--x-----------:------:deny
group@:-wxp----------:------:deny
everyone@:-wxp----------:------:deny

In our Samba setup, we are making extensive use of the "force user"
and "force group" directives to force all files created under the Samba
share to get the appropriate username/usergroup. Here's an example
share definition from smb.conf:

[testsiven]
comment = NFSv4 test
path = /NAS/trg_shr_sft_00/erp/siven
valid users = "prod\siven" "__empty__"
write list = "prod\siven"
force user = Terp
force group = Terp

So, in summary, we are relying on NFSv4 ACL inheritance to
set the correct ACLs on all files and directories under a
given NFS mount.

The problem we are running into is that, when CIFS users are
creating files via the Samba shares, the NFSv4 ACLs get removed.
Here's an example of a file that was created from a Samba share:

root at system # ls -lVd test2-sneppef2.txt.txt
-rwxr--r-- 1 Terp Terp 0 Mar 6 13:59 test2-sneppef2.txt.txt
owner@:rwxp--aA--cC-s:------:allow
owner@:--------------:------:deny
group@:-wxp---A---C--:------:deny
group@:r-----a---c--s:------:allow
group@:-wxp---A---C--:------:deny
everyone@:r-----a---c--s:------:allow
everyone@:-wxp---A---C--:------:deny

As you can see, there are no NFSv4 ACLs associated with the
file.

A wireshark packet trace revealed that, after having created/copied
the file, there's an NFSv4 setattr call that explicitly sets the
permissions on the newly created file, effectively wiping any
inherited ACLs on the NFSv4 export.

I guess what we are trying to achieve is somewhat out of the ordinary,
since we would like Samba not to set/rewrite any (NFSv4) ACLs that are
inherited during file creation. Or put a little differently: we would
like Samba not to wipe any existing ACLs on files and directories in
the NFSv4 mounted filesystems.

I guess what makes our case a little exceptional is that we don't care
about any ACL mapping between CIFS and NFSv4. We would like all ACL
handling to be done by the NetApp thanks to the NFSv4 ACL inheritance.

Is there any way to achieve this?

Thanks in advance.
Filip
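An added example, not part of the original post: one way to audit a tree for files that lost their inherited entries is to parse `ls -V` output and flag any file whose ACL contains only owner@/group@/everyone@ ACEs. The function names are hypothetical, the sample is abridged from the two listings in the post above, and file names are assumed to be the ninth whitespace-separated field of the listing line.

```python
import re

# One ACE as printed by Solaris `ls -V`: who:permissions:inheritance-flags:type
ACE_RE = re.compile(
    r"^(?P<who>(?:user|group):[^:]+|owner@|group@|everyone@)"
    r":(?P<perms>[A-Za-z-]+):(?P<flags>[A-Za-z-]+):(?P<type>allow|deny)$"
)
MODE_RE = re.compile(r"^[-dlbcps][-rwxsStT]{9}\+?$")

def parse_ls_acl(text):
    """Return {filename: [(who, perms, flags, type), ...]} from `ls -V` output."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m and current is not None:
            acls[current].append(m.group("who", "perms", "flags", "type"))
            continue
        fields = line.split(None, 8)  # mode links owner group size mon day time name
        if len(fields) == 9 and MODE_RE.match(fields[0]):
            current = fields[8]
            acls[current] = []
    return acls

def is_trivial(aces):
    """True when every ACE is owner@/group@/everyone@, i.e. mode bits only."""
    return bool(aces) and all(a[0] in ("owner@", "group@", "everyone@") for a in aces)

def stripped_files(text):
    """Names of files whose ACL carries no named user:/group: entries."""
    return [name for name, aces in parse_ls_acl(text).items() if is_trivial(aces)]

# Abridged from the listings in the post (first: touch on the client, second: via Samba).
SAMPLE = """\
-rw-r--r--+ 1 root root 0 Mar 6 13:49 test_sneppef.txt
group:TRerp:r-x---a-R-c--s:------:allow
group:TRerp:-w-p---A-W-Co-:------:deny
user:Terp:rwxp--aARWcC-s:------:allow
owner@:rw-p--a-R-c--s:------:allow
-rwxr--r-- 1 Terp Terp 0 Mar 6 13:59 test2-sneppef2.txt.txt
owner@:rwxp--aA--cC-s:------:allow
group@:r-----a---c--s:------:allow
everyone@:r-----a---c--s:------:allow
"""

if __name__ == "__main__":
    for name in stripped_files(SAMPLE):
        print("no inherited ACEs:", name)
```
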
steve
2012-Mar-06 16:49 UTC
[Samba] Samba to share NFSv4 + ACL mounted filesystems on NetApp storage
On 06/03/12 16:02, Filip Sneppe wrote:
> Hi,
>
> We are running into a problem with a Samba setup and would like to
> know if a current fix or workaround is at all possible.
>
> Our setup is a NetApp filer serving NFS v4 that is mounted by
> Solaris and Linux servers. On those servers we are using Samba to
> create shares of those NFSv4 mounted filesystems. We are migrating
> to this NFSv4 setup from an existing Solaris NFSv3+Posix ACL setup
> that also had Samba shares on top of the NFSv3+ACL mounts.
>

Hi

We are using Samba4 and nfs3. We're currently fighting a similar battle
over on the nfs list about the incompatibility-with-everything-else'ness
of nfs4 acls. It is not even possible to get group rw from a 0022
mounted umask. For this reason we have had to return to nfs3 and keep
our posix acls which samba seems to respect.

It is unfortunate that the nfs4 devs have not listened to end users.
The main aim seems to be to push to nfs4.1 at all costs. The reply to
this post says it all:
http://www.spinics.net/lists/linux-nfs/msg27790.html

'The NFSv4 protocol does not support POSIX ACLs. It has its own
implementation of ACLs that is much more windows-like (yet not exactly
either)'

Maybe you could add an extra voice there?

Cheers and good luck,
Steve
Volker Lendecke
2012-Mar-06 20:51 UTC
[Samba] Samba to share NFSv4 + ACL mounted filesystems on NetApp storage
On Tue, Mar 06, 2012 at 04:02:54PM +0100, Filip Sneppe wrote:
> A wireshark packet trace revealed that, after having created/copied
> the file, there's an NFSv4 setattr call that explicitly sets the
> permissions on the newly created file, effectively wiping any
> inherited ACLs on the NFSv4 export.

Can you relate that to a smbd strace? Maybe "nt acl support = no" helps?

Volker
Jeremy Allison
2012-Mar-06 23:01 UTC
[Samba] Samba to share NFSv4 + ACL mounted filesystems on NetApp storage
On Tue, Mar 06, 2012 at 04:02:54PM +0100, Filip Sneppe wrote:
> Hi,
>
> We are running into a problem with a Samba setup and would like to
> know if a current fix or workaround is at all possible.
>
> Our setup is a NetApp filer serving NFS v4 that is mounted by
> Solaris and Linux servers. On those servers we are using Samba to
> create shares of those NFSv4 mounted filesystems. We are migrating
> to this NFSv4 setup from an existing Solaris NFSv3+Posix ACL setup
> that also had Samba shares on top of the NFSv3+ACL mounts.
>
> In our setup, we are relying on NFSv4 ACL inheritance. Here's
> an example of an ACL on a file (as created by a touch command):
>
> root at system # ls -lVd test_sneppef.txt
> -rw-r--r--+ 1 root root 0 Mar 6 13:49 test_sneppef.txt
> group:TRerp:r-x---a-R-c--s:------:allow
> group:TRerp:-w-p---A-W-Co-:------:deny
> group:TWerp:rwxp--aARWcC-s:------:allow
> group:TWerp:------------o-:------:deny
> user:Terp:rwxp--aARWcC-s:------:allow
> user:Terp:------------o-:------:deny
> owner@:rw-p--a-R-c--s:------:allow
> group@:r-----a-R-c--s:------:allow
> everyone@:r-----a-R-c--s:------:allow
> owner@:--x-----------:------:deny
> group@:-wxp----------:------:deny
> everyone@:-wxp----------:------:deny
>
> In our Samba setup, we are making extensive use of the "force user"
> and "force group" directives to force all files created under the Samba
> share to get the appropriate username/usergroup. Here's an example
> share definition from smb.conf:
>
> [testsiven]
> comment = NFSv4 test
> path = /NAS/trg_shr_sft_00/erp/siven
> valid users = "prod\siven" "__empty__"
> write list = "prod\siven"
> force user = Terp
> force group = Terp
>
> So, in summary, we are relying on NFSv4 ACL inheritance to
> set the correct ACLs on all files and directories under a
> given NFS mount.
>
> The problem we are running into is that, when CIFS users are
> creating files via the Samba shares, the NFSv4 ACLs get removed.
> Here's an example of a file that was created from a Samba share:
>
> root at system # ls -lVd test2-sneppef2.txt.txt
> -rwxr--r-- 1 Terp Terp 0 Mar 6 13:59 test2-sneppef2.txt.txt
> owner@:rwxp--aA--cC-s:------:allow
> owner@:--------------:------:deny
> group@:-wxp---A---C--:------:deny
> group@:r-----a---c--s:------:allow
> group@:-wxp---A---C--:------:deny
> everyone@:r-----a---c--s:------:allow
> everyone@:-wxp---A---C--:------:deny
>
> As you can see, there are no NFSv4 ACLs associated with the
> file.

Try using the Samba NFSv4 ACL mapping module for Solaris.

vfs_solarisacl.