samba - Aug 2023 - GlusterFS, move files, Samba ACL...

On Mon, 28 Aug 2023 15:34:13 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
> 
> A little strange things, but i'm hitting my head on the wall...
> 
> 
> I needed to 'enlarge' my main filesystem (XFS backed-up), that
> contain my main samba share and a brick for a GFS share; i've setup a
> new volume (for the VM), formatted XFS, move all the file taking care
> to umount and stop GFS (so, syncing the brick, not the GFS
> filesystem) using --acls and -attrs rsync options.
> 
> All went well, all the share work as expected, apart the GFS one:
> folder appears with correct permission, files are not accessible from
> samba; i've tried from a unix user in console and works as expected.
> 
> If (from windows) i create new files, permissions are OK. Only
> preexistent files (files, not folders!) are inaccessible.
> 
> In samba the share is:
I wish people wouldn't do this, if you are going to post a share,
please post the global section as well.
> 
>  [FVG]
> 	comment = Regionale (FVG)
> 	volume = FVG
> 	path = /
> 	browseable = yes 
> 	writeable = yes  
> 	map acl inherit = yes
> 	store dos attributes = yes
> 	inherit permissions = yes
> 	vfs objects = recycle full_audit glusterfs
Do you have a 'vfs objects' line in global with 'acl_xattr' in
it,
because if you have, the line above turns it off.
 
> 	glusterfs:volume = gv0
> 	kernel share modes = no
> 	recycle:repository = .cestino/%U
> 	recycle:keeptree = yes
> 	recycle:versions = yes
> 	recycle:exclude=*.TMP,*.tmp,*.temp,*.o,*.obj,~$*
> 	full_audit:prefix = %S|%d|%I|%M|%u
> 	full_audit:success = mkdir rmdir read pread write pwrite
> rename unlink full_audit:failure = none
> 
> 
> gluster version 3.8.8-1+deb9u1, samba version
> 4.10.18+dfsg-0.1stretch1 .
I have to ask, why are you still using Debian stretch ?
Hasn't anyone told you it is now EOL ?

Rowland

Mandi! Rowland Penny via samba
  In chel di` si favelave...
>> In samba the share is:
> I wish people wouldn't do this, if you are going to post a share,
> please post the global section as well.
Sorry.

# Global parameters
[global]
	log file = /var/log/samba/log.%M
	map to guest = Bad User
	netbios aliases = CUPSSV FILESV HOMESV
	ntlm auth = mschapv2-and-ntlmv2-only
	panic action = /usr/share/samba/panic-action %d
	printcap name = cups
	realm = AD.FVG.LNF.IT
	security = ADS
	socket options = TCP_NODELAY TCP_KEEPIDLE=240 TCP_KEEPCNT=4 TCP_KEEPINTVL=15
	syslog = 0
	username map = /etc/samba/user.map
	usershare max shares = 0
	winbind offline logon = Yes
	winbind use default domain = Yes
	wins support = Yes
	workgroup = LNFFVG
	spoolss: architecture = Windows x64
	rpc_daemon:spoolssd = fork
	rpc_server:spoolss = external
	idmap config lnffvg : unix_primary_group = yes
	idmap config lnffvg : unix_nss_info = yes
	idmap config lnffvg : schema_mode = rfc2307
	idmap config lnffvg : range = 10000-49999
	idmap config lnffvg : backend = ad
	idmap config * : range = 5000-9999
	idmap config * : backend = tdb

[...]

[FVG]
	comment = Regionale (FVG)
	inherit permissions = Yes
	kernel share modes = No
	map acl inherit = Yes
	path = /
	read only = No
	vfs objects = recycle full_audit glusterfs
	volume = FVG
	full_audit:failure = none
	full_audit:success = mkdir rmdir read pread write pwrite rename unlink
	full_audit:prefix = %S|%d|%I|%M|%u
	recycle:exclude = *.TMP,*.tmp,*.temp,*.o,*.obj,~$*
	recycle:versions = yes
	recycle:keeptree = yes
	recycle:repository = .cestino/%U
	glusterfs:volume = gv0

>>       vfs objects = recycle full_audit glusterfs
> Do you have a 'vfs objects' line in global with 'acl_xattr'
in it,
> because if you have, the line above turns it off.
No, i don't have it; as just stated, i'm using direct mapping in XFS
POSIX
extended ACL, so i don't need acl_xattr, so it is OK that is disabled.

>> gluster version 3.8.8-1+deb9u1, samba version
>> 4.10.18+dfsg-0.1stretch1 .
> I have to ask, why are you still using Debian stretch ?
> Hasn't anyone told you it is now EOL ?
yes. Life is complex, Rowland....


Anyway, i've not changed the samba configuration, and ACL seems to work as
expected in POSIX environment (eg, user 'gaio' does not open files in
windows, but if i logon to the server, i can safely open it in terminal).


The really strange things are that:

1) only preexistant files have the trouble; if i create a file ex novo, it
 worked.

2) only files are inaccessible, folders works as expected...


And no a single complain on logs, also...

-- 
  Il ministro dei temporali in un tripudio di tromboni
  auspicava democrazia con la tovaglia sulle mani
  e le mani sui coglioni				(F. De Andre`)