-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello, I'm trying to setup a CTDB-Cluster together with GLusterFS. GlusterFS is running great. CTDB can connect to the gluster-volume. I can store files, using Windows or Linux, and set new acls on the commandline of the cluster. BUT as soon as I try to set permissions via windows it fails with "the request is not supported" I use "vfs objects acl_xattr". When I create a second share with "vfs objects = acl_tdb" ist works, but I think storing ACLS in a TDB-file is no option for large systems. Here my setup: Distribution: name it, I tried it. At the moment Debian 8 and Centos 7 Gluster-version: 7.6 from gluster.org Samba-version: SerNet Samba 4.3.1 Here my smb.conf out of the regestry: - ---------------- [global] workgroup = example netbios name = centos-c1 security = ads realm = EXAMPLE.NET idmap config *:range = 10000-19999 idmap config example:backend = rid idmap config example:range = 1000000-1999999 winbind enum users = yes winbind enum groups = yes winbind use default domain = yes winbind refresh tickets = yes template shell = /bin/bash wins server = 192.168.56.254 [daten] path = /glusterfs/daten comment = Daten im Cluster guest ok = no read only = no browseable = yes store dos attributes = yes map acl inherit = yes vfs objects = acl_xattr [daten2] path = /glusterfs/daten2 comment = Daten im Cluster guest ok = no read only = no browseable = yes store dos attributes = yes map acl inherit = yes vfs objects = acl_tdb - ---------------- Any help would be great Stefan -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlZLAq0ACgkQ2JOGcNAHDTaujACeP/AaLubRBQo5/mhbodVMZd95 oBkAoIOkpmbu8aq+ik8Sh9Tw5TyW8JFK =qTPq -----END PGP SIGNATURE-----
On 17/11/15 10:34, Stefan Kania wrote:> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello, > > I'm trying to setup a CTDB-Cluster together with GLusterFS. GlusterFS > is running great. CTDB can connect to the gluster-volume. I can store > files, using Windows or Linux, and set new acls on the commandline of > the cluster. BUT as soon as I try to set permissions via windows it > fails with "the request is not supported" I use "vfs objects > acl_xattr". When I create a second share with "vfs objects = acl_tdb" > ist works, but I think storing ACLS in a TDB-file is no option for > large systems. > > Here my setup: > Distribution: name it, I tried it. At the moment Debian 8 and Centos 7 > Gluster-version: 7.6 from gluster.org > Samba-version: SerNet Samba 4.3.1 > >As you require a subscription with Sernet to get Sernet Samba 4.3.1, wouldn't you be better asking them? Rowland
We just analyzed the situation together, and the solution is that in order to access security.FOOBAR xattrs on the gluster fuse mount, you have to specify the 'selinux' mount option to the glusterfs fuse mount... ...THis is necassary even if selinux is disabled. This sounds strange, but it currently is the solution. Note that the recommended way is to use the glusterfs vfs module instead of the fuse mount. Cheers - Michael On 2015-11-17 at 11:34 +0100, Stefan Kania wrote:> Hello, > > I'm trying to setup a CTDB-Cluster together with GLusterFS. GlusterFS > is running great. CTDB can connect to the gluster-volume. I can store > files, using Windows or Linux, and set new acls on the commandline of > the cluster. BUT as soon as I try to set permissions via windows it > fails with "the request is not supported" I use "vfs objects > acl_xattr". When I create a second share with "vfs objects = acl_tdb" > ist works, but I think storing ACLS in a TDB-file is no option for > large systems. > > Here my setup: > Distribution: name it, I tried it. At the moment Debian 8 and Centos 7 > Gluster-version: 7.6 from gluster.org > Samba-version: SerNet Samba 4.3.1 > > Here my smb.conf out of the regestry: > ---------------- > [global] > workgroup = example > netbios name = centos-c1 > security = ads > realm = EXAMPLE.NET > idmap config *:range = 10000-19999 > idmap config example:backend = rid > idmap config example:range = 1000000-1999999 > winbind enum users = yes > winbind enum groups = yes > winbind use default domain = yes > winbind refresh tickets = yes > template shell = /bin/bash > wins server = 192.168.56.254 > > [daten] > path = /glusterfs/daten > comment = Daten im Cluster > guest ok = no > read only = no > browseable = yes > store dos attributes = yes > map acl inherit = yes > vfs objects = acl_xattr > > [daten2] > path = /glusterfs/daten2 > comment = Daten im Cluster > guest ok = no > read only = no > browseable = yes > store dos attributes = yes > map acl inherit = yes > vfs objects = acl_tdb > ---------------- > > Any help would be great > > Stefan > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20151117/2301abb8/signature.sig>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To show what we did here the entry in /etc/fstab: knoten-01:/gv0 /glusterfs glusterfs defaults,_netdev,acl,selinux 0 0 Am 17.11.2015 um 18:22 schrieb Michael Adam:> We just analyzed the situation together, and the solution is that > in order to access security.FOOBAR xattrs on the gluster fuse > mount, you have to specify the 'selinux' mount option to the > glusterfs fuse mount... ...THis is necassary even if selinux is > disabled. > > This sounds strange, but it currently is the solution. > > Note that the recommended way is to use the glusterfs vfs module > instead of the fuse mount. > > Cheers - Michael > > On 2015-11-17 at 11:34 +0100, Stefan Kania wrote: >> Hello, >> >> I'm trying to setup a CTDB-Cluster together with GLusterFS. >> GlusterFS is running great. CTDB can connect to the >> gluster-volume. I can store files, using Windows or Linux, and >> set new acls on the commandline of the cluster. BUT as soon as I >> try to set permissions via windows it fails with "the request is >> not supported" I use "vfs objects = acl_xattr". When I create a >> second share with "vfs objects = acl_tdb" ist works, but I think >> storing ACLS in a TDB-file is no option for large systems. >> >> Here my setup: Distribution: name it, I tried it. At the moment >> Debian 8 and Centos 7 Gluster-version: 7.6 from gluster.org >> Samba-version: SerNet Samba 4.3.1 >> >> Here my smb.conf out of the regestry: ---------------- [global] >> workgroup = example netbios name = centos-c1 security = ads realm >> = EXAMPLE.NET idmap config *:range = 10000-19999 idmap config >> example:backend = rid idmap config example:range >> 1000000-1999999 winbind enum users = yes winbind enum groups >> yes winbind use default domain = yes winbind refresh tickets >> yes template shell = /bin/bash wins server = 192.168.56.254 >> >> [daten] path = /glusterfs/daten comment = Daten im Cluster guest >> ok = no read only = no browseable = yes store dos attributes >> yes map acl inherit = yes vfs objects = acl_xattr >> >> [daten2] path = /glusterfs/daten2 comment = Daten im Cluster >> guest ok = no read only = no browseable = yes store dos >> attributes = yes map acl inherit = yes vfs objects = acl_tdb >> ---------------- >> >> Any help would be great >> >> Stefan >> >> -- To unsubscribe from this list go to the following URL and read >> the instructions: https://lists.samba.org/mailman/options/samba >> >>- -- Stefan Kania Landweg 13 25693 St. Michaelisdonn Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie ihre E-Mail. Weiter Informationen unter http://www.gnupg.org Mein Schlüssel liegt auf hkp://subkeys.pgp.net -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlZLZi4ACgkQ2JOGcNAHDTauJACgmsSzBVQqA7qUWJIWfHeFZAdh 1QgAoIYvCWJEY3200KhCJW1RoQagiWlq =32b0 -----END PGP SIGNATURE-----
On 2015-11-17 at 18:22 +0100, Michael Adam wrote:> We just analyzed the situation together, > and the solution is that in order to > access security.FOOBAR xattrs on the gluster > fuse mount, you have to specify the 'selinux' > mount option to the glusterfs fuse mount... > ...THis is necassary even if selinux is disabled. > > This sounds strange, but it currently is > the solution. > > Note that the recommended way is to use > the glusterfs vfs module instead of the > fuse mount.Note that meanwhile we have uploaded samba packages again at https://download.gluster.org/pub/gluster/glusterfs/samba/ for CentOS and RHEL flavors. These match the glusterfs community packages under https://download.gluster.org/pub/gluster/glusterfs/3.7/LATEST/ (currently https://download.gluster.org/pub/gluster/glusterfs/3.7/3.7.6/) The Samba packages ship a matching glusterfs vfs module, i.e. you don't need to mount the volume you want to share with Samba with fuse any more. Michael> Cheers - Michael > > On 2015-11-17 at 11:34 +0100, Stefan Kania wrote: > > Hello, > > > > I'm trying to setup a CTDB-Cluster together with GLusterFS. GlusterFS > > is running great. CTDB can connect to the gluster-volume. I can store > > files, using Windows or Linux, and set new acls on the commandline of > > the cluster. BUT as soon as I try to set permissions via windows it > > fails with "the request is not supported" I use "vfs objects > > acl_xattr". When I create a second share with "vfs objects = acl_tdb" > > ist works, but I think storing ACLS in a TDB-file is no option for > > large systems. > > > > Here my setup: > > Distribution: name it, I tried it. At the moment Debian 8 and Centos 7 > > Gluster-version: 7.6 from gluster.org > > Samba-version: SerNet Samba 4.3.1 > > > > Here my smb.conf out of the regestry: > > ---------------- > > [global] > > workgroup = example > > netbios name = centos-c1 > > security = ads > > realm = EXAMPLE.NET > > idmap config *:range = 10000-19999 > > idmap config example:backend = rid > > idmap config example:range = 1000000-1999999 > > winbind enum users = yes > > winbind enum groups = yes > > winbind use default domain = yes > > winbind refresh tickets = yes > > template shell = /bin/bash > > wins server = 192.168.56.254 > > > > [daten] > > path = /glusterfs/daten > > comment = Daten im Cluster > > guest ok = no > > read only = no > > browseable = yes > > store dos attributes = yes > > map acl inherit = yes > > vfs objects = acl_xattr > > > > [daten2] > > path = /glusterfs/daten2 > > comment = Daten im Cluster > > guest ok = no > > read only = no > > browseable = yes > > store dos attributes = yes > > map acl inherit = yes > > vfs objects = acl_tdb > > ---------------- > > > > Any help would be great > > > > Stefan > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba> -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: not available URL: <http://lists.samba.org/pipermail/samba/attachments/20151221/a1f66870/signature.sig>