Hello,

I am using the vfs_gpfs samba module to map ACLs through samba. It works fine on files, but directory ACLs are ignored. Ex:

getfacl /sb/share/myplace/

file: sb/share/myplace/
owner: root
group: root
user::rwx
user:afrankel:rwx
group::---
mask::rwx
other::---

When I try to access this folder in Windows, I get permission denied. The same permissions on a file, I can open it / modify it without any problems.

Here are my settings:

mmlsfs sb

-D nfs4 File locking semantics in effect
-k all ACL semantics in effect

/etc/samba/smb.conf :
---------------------

clustering = yes
fileid:mapping = fsname
vfs objects = shadow_copy2 syncops gpfs fileid
shadow:snapdir = .snapshots
shadow:fixinodes =yes
gpfs:sharemodes = Yes
gpfs:leases = Yes
posix locking = Yes
kernel oplocks = Yes
level2 oplocks = no
force unknown acl user = Yes
nfs4: mode = special
nfs4: chown = yes
nfs4: acedup = merge

[share]
read only = No
browseable = yes
path = /sb/share
map acl inherit = yes
inherit acls = no
dos filemode = no
create mask = 0770
force create mode = 0770
directory mask = 0777

Versions:

GPFS v3.4.0-18 on Linux.
samba-3.5.10-114

Has anybody else experienced this? Note that if I replace 'gpfs' module with 'acl_xattr' modules, it seems to work fine. Can I use samba on gpfs without the GPFS module?

Thanks,

Andras

On Thu, 2013-01-31 at 15:41 -0500, Andras Frankel wrote:
> Hello,
>
> I am using the vfs_gpfs samba module to map ACLs through samba. It works
> fine on files, but directory ACLs are ignored. Ex:
>
> getfacl /sb/share/myplace/
>
> file: sb/share/myplace/
> owner: root
> group: root
> user::rwx
> user:afrankel:rwx
> group::---
> mask::rwx
> other::---
>
> When I try to access this folder in Windows, I get permission denied.
> The same permissions on a file, I can open it / modify it without any
> problems.
>

Your basic problem is that you are using the Linux tools to look at the ACLs on the GPFS file system. You need to stop right there and use the GPFS tools instead aka mmgetacl. You can change them with mmeditacl or mmputacl.

Yes the tools for manipulating ACLs on files and directories on a GPFS file system from Linux suck; IBM's answer is that it works well on AIX but they expected them to be set from Windows anyway.

> Here are my settings:
>
> mmlsfs sb
>
> -D nfs4 File locking semantics in effect
> -k all ACL semantics in effect

I strongly recommend that you change your ACL semantics to NFSv4 only if you intend to use rich permissions from Windows via Samba.

Though if there is anyone from IBM listening that would like to let me know what Samba ACL semantics does I am all ears :-)

>
> /etc/samba/smb.conf :
> ---------------------
>
> clustering = yes
> fileid:mapping = fsname
> vfs objects = shadow_copy2 syncops gpfs fileid
> shadow:snapdir = .snapshots
> shadow:fixinodes =yes
> gpfs:sharemodes = Yes
> gpfs:leases = Yes
> posix locking = Yes
> kernel oplocks = Yes
> level2 oplocks = no
> force unknown acl user = Yes
> nfs4: mode = special
> nfs4: chown = yes
> nfs4: acedup = merge
>
> [share]
> read only = No
> browseable = yes
> path = /sb/share
> map acl inherit = yes
> inherit acls = no
> dos filemode = no
> create mask = 0770
> force create mode = 0770
> directory mask = 0777
>

The GPFS specific bits of a working smb.conf if you are trying to make a file server. I presume that there is an AD based backend for authentication and UID to SID mapping or it won't work properly.

# general options
vfs objects = shadow_copy2 fileid gpfs
unix extensions = no
mangled names = no
case sensitive = no

# store DOS attributes in extended attributes (vfs_gpfs then stores them in the file system)
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no

# the ctdb clustering and GPFS stuff
clustering = yes
ctdbd socket = /tmp/ctdb.socket
fileid : algorithm = fsname
gpfs : sharemodes = yes
gpfs : winattr = yes
force unknown acl user = yes
nfs4 : mode = special
nfs4 : chown = no
nfs4 : acedup = merge

# stuff necessary for guest logins to work where required
guest account = nobody
map to guest = bad user

# enable shadow copies
shadow : snapdir = /gpfs/.snapshots
shadow : basedir = /gpfs
shadow : fixinodes = yes

Then a general purpose group share would look like

[mylab]
comment = Someones Lab common space
path = /gpfs/groups/mylab/common
read only = no
browseable = yes
create mask = 0770
directory mask = 0770
force group = mylab
valid users = @MYDOMAIN\mylab

> Versions:
>
> GPFS v3.4.0-18 on Linux.
> samba-3.5.10-114
>

Looks like you are using RHEL(6?) or a derivative. You need to upgrade that Samba version for it to work

http://rhn.redhat.com/errata/RHBA-2012-0850.html

Not sure where you got your vfs_gpfs module from but 3.5.10 needs a patch to the vfs_gpfs module to make Posix ACLs work properly, though you are probably only using NFSv4 ACLs anyway. Also remember access via NFS will nuke any ACLs set so a space is either NFS *or* SMB access only.

Final note is that RHEL6.4 will shift to a Samba 3.6 base (RHEL5.9 has already done so) which has a *much* improved vfs_gpfs module. Upgrade as soon as reasonably possible, noting that the idmapping has changed and you will need to update your smb.conf for it to work.

JAB.

--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

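The two configurations above can be compared mechanically. The following is an added example, not part of either poster's message and not Samba code: it normalises parameter names the way smb.conf(5) describes for ordinary parameters (case and whitespace in names are irrelevant) and assumes the same holds for module options such as nfs4:mode. The names POSTED, SUGGESTED, parse_smb_conf and diff_section are hypothetical; the fragments are the ACL-related [global] lines copied from the thread.

```python
import re

# ACL/GPFS-related [global] lines copied from the two messages in this thread.
POSTED = """
vfs objects = shadow_copy2 syncops gpfs fileid
fileid:mapping = fsname
gpfs:sharemodes = Yes
gpfs:leases = Yes
force unknown acl user = Yes
nfs4: mode = special
nfs4: chown = yes
nfs4: acedup = merge
"""
SUGGESTED = """
vfs objects = shadow_copy2 fileid gpfs
fileid : algorithm = fsname
gpfs : sharemodes = yes
gpfs : winattr = yes
force unknown acl user = yes
nfs4 : mode = special
nfs4 : chown = no
nfs4 : acedup = merge
"""
# Boolean spellings documented in smb.conf(5), folded to one form for comparison.
BOOL = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; lines before any header go to 'global'."""
    conf, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        name, value = line.split("=", 1)         # only the first '=' is significant
        name = re.sub(r"\s+", "", name).lower()  # 'nfs4 : mode' -> 'nfs4:mode'
        value = value.strip()
        conf.setdefault(section, {})[name] = BOOL.get(value.lower(), value)
    return conf

def diff_section(mine, reference):
    """Return sorted (param, mine, reference) tuples for parameters that differ."""
    keys = set(mine) | set(reference)
    return sorted((k, mine.get(k), reference.get(k))
                  for k in keys if mine.get(k) != reference.get(k))

if __name__ == "__main__":
    posted = parse_smb_conf(POSTED)["global"]
    suggested = parse_smb_conf(SUGGESTED)["global"]
    for name, a, b in diff_section(posted, suggested):
        print(f"{name:20} posted={a!r:40} suggested={b!r}")
```

Spelling differences such as "Yes" versus "yes" or "nfs4: mode" versus "nfs4 : mode" drop out, leaving only the settings that actually differ between the two messages.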
On 02/01/2013 01:27 AM, Pacher Dragos wrote:
> Does it work if you remove the
> map acl inherit = yes
> ?
>

No, that didn't change anything. Still can't access directories (it works fine with files.)

What is happening if I use acl_xattr module instead of vfs_gpfs module? Is there a risk of data corruption due to lack of gpfs locking?

Thanks,

Andras

>
> On Thu, Jan 31, 2013 at 10:41 PM, Andras Frankel
> <Andras.Frankel at mcgill.ca> wrote:
>
> Hello,
>
> I am using the vfs_gpfs samba module to map ACLs through samba. It works
> fine on files, but directory ACLs are ignored. Ex:
>
> getfacl /sb/share/myplace/
>
> file: sb/share/myplace/
> owner: root
> group: root
> user::rwx
> user:afrankel:rwx
> group::---
> mask::rwx
> other::---
>
> When I try to access this folder in Windows, I get permission denied.
> The same permissions on a file, I can open it / modify it without any
> problems.
>
> Here are my settings:
>
> mmlsfs sb
>
> -D nfs4 File locking semantics in effect
> -k all ACL semantics in effect
>
> /etc/samba/smb.conf :
> ---------------------
>
> clustering = yes
> fileid:mapping = fsname
> vfs objects = shadow_copy2 syncops gpfs fileid
> shadow:snapdir = .snapshots
> shadow:fixinodes =yes
> gpfs:sharemodes = Yes
> gpfs:leases = Yes
> posix locking = Yes
> kernel oplocks = Yes
> level2 oplocks = no
> force unknown acl user = Yes
> nfs4: mode = special
> nfs4: chown = yes
> nfs4: acedup = merge
>
> [share]
> read only = No
> browseable = yes
> path = /sb/share
> map acl inherit = yes
> inherit acls = no
> dos filemode = no
> create mask = 0770
> force create mode = 0770
> directory mask = 0777
>
> Versions:
>
> GPFS v3.4.0-18 on Linux.
> samba-3.5.10-114
>
> Has anybody else experienced this? Note that if I replace 'gpfs'
> module with 'acl_xattr' modules, it seems to work fine. Can I use samba
> on gpfs without the GPFS module?
>
> Thanks,
>
> Andras