samba - Nov 2015 - CTDB and glusterfs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

I'm trying to setup a CTDB-Cluster together with GLusterFS. GlusterFS
is running great. CTDB can connect to the gluster-volume. I can store
files, using Windows or Linux, and set new acls on the commandline of
the cluster. BUT as soon as I try to set permissions via windows it
fails with "the request is not supported" I use "vfs objects
acl_xattr". When I create a second share with "vfs objects =
acl_tdb"
ist works, but I think storing ACLS in a TDB-file is no option for
large systems.

Here my setup:
Distribution: name it, I tried it. At the moment Debian 8 and Centos 7
Gluster-version: 7.6 from gluster.org
Samba-version: SerNet Samba 4.3.1

Here my smb.conf out of the regestry:
- ----------------
[global]
        workgroup = example
        netbios name = centos-c1
        security = ads
        realm = EXAMPLE.NET
        idmap config *:range = 10000-19999
        idmap config example:backend = rid
        idmap config example:range = 1000000-1999999
        winbind enum users = yes
        winbind enum groups = yes
        winbind use default domain = yes
        winbind refresh tickets = yes
        template shell = /bin/bash
        wins server = 192.168.56.254

[daten]
        path = /glusterfs/daten
        comment = Daten im Cluster
        guest ok = no
        read only = no
        browseable = yes
        store dos attributes = yes
        map acl inherit = yes
        vfs objects = acl_xattr

[daten2]
        path = /glusterfs/daten2
        comment = Daten im Cluster
        guest ok = no
        read only = no
        browseable = yes
        store dos attributes = yes
        map acl inherit = yes
        vfs objects = acl_tdb
- ----------------

Any help would be great

Stefan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlZLAq0ACgkQ2JOGcNAHDTaujACeP/AaLubRBQo5/mhbodVMZd95
oBkAoIOkpmbu8aq+ik8Sh9Tw5TyW8JFK
=qTPq
-----END PGP SIGNATURE-----

On 17/11/15 10:34, Stefan Kania wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hello,
>
> I'm trying to setup a CTDB-Cluster together with GLusterFS. GlusterFS
> is running great. CTDB can connect to the gluster-volume. I can store
> files, using Windows or Linux, and set new acls on the commandline of
> the cluster. BUT as soon as I try to set permissions via windows it
> fails with "the request is not supported" I use "vfs objects
> acl_xattr". When I create a second share with "vfs objects =
acl_tdb"
> ist works, but I think storing ACLS in a TDB-file is no option for
> large systems.
>
> Here my setup:
> Distribution: name it, I tried it. At the moment Debian 8 and Centos 7
> Gluster-version: 7.6 from gluster.org
> Samba-version: SerNet Samba 4.3.1
>
>
As you require a subscription with Sernet to get Sernet Samba 4.3.1, 
wouldn't you be better asking them?

Rowland

We just analyzed the situation together,
and the solution is that in order to
access security.FOOBAR xattrs on the gluster
fuse mount, you have to specify the 'selinux'
mount option to the glusterfs fuse mount...
...THis is necassary even if selinux is disabled.

This sounds strange, but it currently is
the solution.

Note that the recommended way is to use
the glusterfs vfs module instead of the
fuse mount.

Cheers - Michael

On 2015-11-17 at 11:34 +0100, Stefan Kania wrote:
> Hello,
> 
> I'm trying to setup a CTDB-Cluster together with GLusterFS. GlusterFS
> is running great. CTDB can connect to the gluster-volume. I can store
> files, using Windows or Linux, and set new acls on the commandline of
> the cluster. BUT as soon as I try to set permissions via windows it
> fails with "the request is not supported" I use "vfs objects
> acl_xattr". When I create a second share with "vfs objects =
acl_tdb"
> ist works, but I think storing ACLS in a TDB-file is no option for
> large systems.
> 
> Here my setup:
> Distribution: name it, I tried it. At the moment Debian 8 and Centos 7
> Gluster-version: 7.6 from gluster.org
> Samba-version: SerNet Samba 4.3.1
> 
> Here my smb.conf out of the regestry:
> ----------------
> [global]
>         workgroup = example
>         netbios name = centos-c1
>         security = ads
>         realm = EXAMPLE.NET
>         idmap config *:range = 10000-19999
>         idmap config example:backend = rid
>         idmap config example:range = 1000000-1999999
>         winbind enum users = yes
>         winbind enum groups = yes
>         winbind use default domain = yes
>         winbind refresh tickets = yes
>         template shell = /bin/bash
>         wins server = 192.168.56.254
> 
> [daten]
>         path = /glusterfs/daten
>         comment = Daten im Cluster
>         guest ok = no
>         read only = no
>         browseable = yes
>         store dos attributes = yes
>         map acl inherit = yes
>         vfs objects = acl_xattr
> 
> [daten2]
>         path = /glusterfs/daten2
>         comment = Daten im Cluster
>         guest ok = no
>         read only = no
>         browseable = yes
>         store dos attributes = yes
>         map acl inherit = yes
>         vfs objects = acl_tdb
> ----------------
> 
> Any help would be great
> 
> Stefan
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20151117/2301abb8/signature.sig>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To show what we did here the entry in /etc/fstab:

knoten-01:/gv0 /glusterfs glusterfs defaults,_netdev,acl,selinux 0 0

Am 17.11.2015 um 18:22 schrieb Michael Adam:
> We just analyzed the situation together, and the solution is that
> in order to access security.FOOBAR xattrs on the gluster fuse
> mount, you have to specify the 'selinux' mount option to the
> glusterfs fuse mount... ...THis is necassary even if selinux is
> disabled.
> 
> This sounds strange, but it currently is the solution.
> 
> Note that the recommended way is to use the glusterfs vfs module
> instead of the fuse mount.
> 
> Cheers - Michael
> 
> On 2015-11-17 at 11:34 +0100, Stefan Kania wrote:
>> Hello,
>> 
>> I'm trying to setup a CTDB-Cluster together with GLusterFS.
>> GlusterFS is running great. CTDB can connect to the
>> gluster-volume. I can store files, using Windows or Linux, and
>> set new acls on the commandline of the cluster. BUT as soon as I
>> try to set permissions via windows it fails with "the request is
>> not supported" I use "vfs objects = acl_xattr". When I
create a
>> second share with "vfs objects = acl_tdb" ist works, but I
think
>> storing ACLS in a TDB-file is no option for large systems.
>> 
>> Here my setup: Distribution: name it, I tried it. At the moment
>> Debian 8 and Centos 7 Gluster-version: 7.6 from gluster.org 
>> Samba-version: SerNet Samba 4.3.1
>> 
>> Here my smb.conf out of the regestry: ---------------- [global] 
>> workgroup = example netbios name = centos-c1 security = ads realm
>> = EXAMPLE.NET idmap config *:range = 10000-19999 idmap config
>> example:backend = rid idmap config example:range >>
1000000-1999999 winbind enum users = yes winbind enum groups >> yes
winbind use default domain = yes winbind refresh tickets >> yes template
shell = /bin/bash wins server = 192.168.56.254
>> 
>> [daten] path = /glusterfs/daten comment = Daten im Cluster guest
>> ok = no read only = no browseable = yes store dos attributes >>
yes map acl inherit = yes vfs objects = acl_xattr
>> 
>> [daten2] path = /glusterfs/daten2 comment = Daten im Cluster 
>> guest ok = no read only = no browseable = yes store dos
>> attributes = yes map acl inherit = yes vfs objects = acl_tdb 
>> ----------------
>> 
>> Any help would be great
>> 
>> Stefan
>> 
>> -- To unsubscribe from this list go to the following URL and read
>> the instructions:  https://lists.samba.org/mailman/options/samba
>> 
>> 

- -- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signieren jeder E-Mail hilft Spam zu reduzieren. Signieren Sie ihre
E-Mail. Weiter Informationen unter http://www.gnupg.org

Mein Schlüssel liegt auf

hkp://subkeys.pgp.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlZLZi4ACgkQ2JOGcNAHDTauJACgmsSzBVQqA7qUWJIWfHeFZAdh
1QgAoIYvCWJEY3200KhCJW1RoQagiWlq
=32b0
-----END PGP SIGNATURE-----

On 2015-11-17 at 18:22 +0100, Michael Adam wrote:
> We just analyzed the situation together,
> and the solution is that in order to
> access security.FOOBAR xattrs on the gluster
> fuse mount, you have to specify the 'selinux'
> mount option to the glusterfs fuse mount...
> ...THis is necassary even if selinux is disabled.
> 
> This sounds strange, but it currently is
> the solution.
> 
> Note that the recommended way is to use
> the glusterfs vfs module instead of the
> fuse mount.
Note that meanwhile we have uploaded samba packages
again at
https://download.gluster.org/pub/gluster/glusterfs/samba/
for CentOS and RHEL flavors.
These match the glusterfs community packages under
https://download.gluster.org/pub/gluster/glusterfs/3.7/LATEST/
(currently
https://download.gluster.org/pub/gluster/glusterfs/3.7/3.7.6/)

The Samba packages ship a matching glusterfs vfs module,
i.e. you don't need to mount the volume you want to share
with Samba with fuse any more.

Michael
> Cheers - Michael
> 
> On 2015-11-17 at 11:34 +0100, Stefan Kania wrote:
> > Hello,
> > 
> > I'm trying to setup a CTDB-Cluster together with GLusterFS.
GlusterFS
> > is running great. CTDB can connect to the gluster-volume. I can store
> > files, using Windows or Linux, and set new acls on the commandline of
> > the cluster. BUT as soon as I try to set permissions via windows it
> > fails with "the request is not supported" I use "vfs
objects > > acl_xattr". When I create a second share with "vfs
objects = acl_tdb"
> > ist works, but I think storing ACLS in a TDB-file is no option for
> > large systems.
> > 
> > Here my setup:
> > Distribution: name it, I tried it. At the moment Debian 8 and Centos 7
> > Gluster-version: 7.6 from gluster.org
> > Samba-version: SerNet Samba 4.3.1
> > 
> > Here my smb.conf out of the regestry:
> > ----------------
> > [global]
> >         workgroup = example
> >         netbios name = centos-c1
> >         security = ads
> >         realm = EXAMPLE.NET
> >         idmap config *:range = 10000-19999
> >         idmap config example:backend = rid
> >         idmap config example:range = 1000000-1999999
> >         winbind enum users = yes
> >         winbind enum groups = yes
> >         winbind use default domain = yes
> >         winbind refresh tickets = yes
> >         template shell = /bin/bash
> >         wins server = 192.168.56.254
> > 
> > [daten]
> >         path = /glusterfs/daten
> >         comment = Daten im Cluster
> >         guest ok = no
> >         read only = no
> >         browseable = yes
> >         store dos attributes = yes
> >         map acl inherit = yes
> >         vfs objects = acl_xattr
> > 
> > [daten2]
> >         path = /glusterfs/daten2
> >         comment = Daten im Cluster
> >         guest ok = no
> >         read only = no
> >         browseable = yes
> >         store dos attributes = yes
> >         map acl inherit = yes
> >         vfs objects = acl_tdb
> > ----------------
> > 
> > Any help would be great
> > 
> > Stefan
> > 
> > -- 
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba

> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20151221/a1f66870/signature.sig>