John Keiffer
2009-Mar-30 17:54 UTC
[zfs-discuss] multi-protocol (cifs/nfs) access to same files - help please
Hello,

New here, and I'm not sure if this is the correct mailing list to post this question or not. Anyway, we are having some questions about multi-protocol (CIFS/NFS) access to the same files specifically when not using AD or LDAP.

Summary:

Accessing the same folder from CIFS or NFS when working in a workgroup configuration (no domain authentication) works fine using cifs user "smb" and nfs user "root". Files can be written from both windows and unix clients. From the unix client, if root has given permissions to a folder, one can write files when logged in as any nis user or local user. From the windows client, I haven't tried yet to login as a different user and try to write once the share is mapped using the smb user.

Here are the odd things I found, I don't know if it's a config issue, user error or bug yet:

=> if a file is written by cifs, then modified from nfs, I don't know what to do to make it accessible by cifs again (see test4 below)
=> if a file is created by nfs, it can be read but cannot be written to from windows, even when posix permissions are set to 777.
(see test5 below)

Nexenta configuration
=====================
No specific workgroup
No AD or LDAP configuration

Acls on folder bigmirror/big: local users smb and nfs, owner@ have full access, everyone@ and group@ (root) are denied write access

owner@
  Allow: list_directory, read_data, add_file, write_data, add_subdirectory, append_data, write_xattr, execute, write_attributes, write_acl, write_owner
group@
  Allow: list_directory, read_data, execute
  Deny: add_file, write_data, add_subdirectory, append_data
everyone@
  Allow: list_directory, read_data, read_xattr, execute, read_attributes, read_acl, synchronize
  Deny: add_file, write_data, add_subdirectory, append_data, write_xattr, write_attributes, write_acl, write_owner
user:nfs
  Allow: list_directory, read_data, add_file, write_data, add_subdirectory, append_data, read_xattr, write_xattr, execute, delete_child, write_attributes, write_acl, write_owner
user:smb
  Allow: list_directory, read_data, add_file, write_data, add_subdirectory, append_data, read_xattr, write_xattr, execute, delete_child, write_attributes, write_acl, write_owner

CIFS share (named big) has anonymous access enabled
NFS share has anonymous access enabled, and root field is set to <ip>:<ip> which are the 2 interfaces on a unix client, so that root shows up as "root" and not "4294967294" (nfs nobody)
No identity mapping yet

Tests
=====
Test1: mount the nfs share from unix client 10.2.15.33 as root and create a directory

[root@c33r15-rhel4 leo4]# mkdir testdir2
[root@c33r15-rhel4 leo4]# ls -l
total 1
drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2

Test2: connect to the cifs share from a windows client using user smb, default password, and write a directory

the share shows up under default workgroup "Workgroup" when browsing \\<ip>\big
new directory "cifsdircreatedbysmb" created
when viewing Security tab, ACEs are smb (LEOPARD-4\smb) and SYSTEM, none of the permissions are checked.
when going to Advanced, it shows that smb and SYSTEM (whatever this is) have full control, and owner is smb
smb can write the file "cifsfilecreatedbysmb" under the folder "cifsdircreatedbysmb"

Here's how the permissions show from the unix client:

[root@c33r15-rhel4 leo4]# ls -l
total 5
d--------- 2 61001 bin 3 Mar 20 16:26 cifsdircreatedbysmb
[root@c33r15-rhel4 leo4]# ls -l cifsdircreatedbysmb
total 1
---------- 1 61001 bin 0 Mar 20 16:25 cifsfilecreatedby smb.txt
[root@c33r15-rhel4 leo4]#

Test3: create directory from unix client as root and access from windows

new directory "nfsdircreatebyroot"

[root@c33r15-rhel4 leo4]# ls -l
total 5
d--------- 2 61001 bin 3 Mar 20 16:26 cifsdircreatedbysmb
drwxrwxrwx 2 root root 3 Mar 20 16:14 nfsdircreatebyroot
drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2

From windows client, when viewing Security tab, ACEs are Everyone, root (LEOPARD-4\root), S-1-5-21-10.... (some SID, maybe maps to smb user?), none of the permissions are checked.
When going to Advanced, it shows that those 3 users are denied and allowed some permissions, need to click on Edit to find out which ones. Only shows that Everyone is denied "Write attributes, Write Extended attributes, Change permissions and Change ownership". Root is allowed "Traverse, List folder, Create files, Create folders, Write attributes, Write extended attributes, Change permissions, Take ownership". The SID is allowed "Traverse, List folder, Create files, Create folders". Everyone is allowed "Traverse, List folder, Read attributes, Read extended attributes, Create files, Create folders, Read permissions"

Test4: create file from windows and write to it from unix

From unix, give world access to "nfsdircreatebyroot"

[root@c33r15-rhel4 leo4]# chmod 777 nfsdircreatebyroot

From windows, create file "cifsfilecreatedbysmb" under "nfsdircreatebyroot".
From unix, vi the file and write to it

[root@c33r15-rhel4 leo4]# cd nfsdircreatebyroot/
[root@c33r15-rhel4 nfsdircreatebyroot]# vi cifsfilecreatedbysmb.txt
[root@c33r15-rhel4 nfsdircreatebyroot]# cat cifsfilecreatedbysmb.txt
writing from nfs by root
[root@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
---------- 1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt

Once this is done, the file can no longer be viewed from Windows, gets access denied. After being accessed from nfs, I assume the security blob is now nfs. (I don't know what security style Nexenta has on file systems, I would assume it's mixed by default?)

Properties show that Everyone is denied write access, and owner smb has only special permissions. Among those, he can change permissions, so he can allow full control to himself. But even after this change, smb still cannot read the file from Windows.

From unix I can change ownership and permissions on the file

[root@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
---------- 1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[root@c33r15-rhel4 nfsdircreatebyroot]#
[root@c33r15-rhel4 nfsdircreatebyroot]# chown root cifsfilecreatedbysmb.txt
[root@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
---------- 1 root bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[root@c33r15-rhel4 nfsdircreatebyroot]# chgrp root cifsfilecreatedbysmb.txt
[root@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
---------- 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[root@c33r15-rhel4 nfsdircreatebyroot]# chmod 755 cifsfilecreatedbysmb.txt
[root@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
-rwxr-xr-x 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[root@c33r15-rhel4 nfsdircreatebyroot]#

Still cannot view it from windows.
Add an id mapping rule between winuser:smb@matrix.lab (matrix.lab is still the default domain name for the appliance, even though we're not joined to it) and unixuser:root
No changes, still cannot view the file from windows

=> if a file is written by cifs, then modified from nfs, I don't know what to do to make it accessible by cifs again

Test5: create file from unix and access it from windows

[root@c33r15-rhel4 leo4]# cd cifsdircreatedbysmb
[root@c33r15-rhel4 cifsdircreatedbysmb]# vi nfsfilecreatedbyroot.txt
[root@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
[root@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 1
-rw-r--r-- 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
[root@c33r15-rhel4 cifsdircreatedbysmb]#

I was able to view it from windows but could not save it after writing to it, had to save to a new file. When looking at Security tab, it says: Unable to display information.

From unix:

[root@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 2
-rw-r--r-- 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
---------- 1 61001 bin 28 Mar 20 17:09 nfsfilecreatedbyroot_wriitenbysmb.txt
[root@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
[root@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot_wriitenbysmb.txt
writing from windows by smb
[root@c33r15-rhel4 cifsdircreatedbysmb]#

Changing permissions so that Everyone can write to the file now:

[root@c33r15-rhel4 cifsdircreatedbysmb]# chmod 777 nfsfilecreatedbyroot.txt
[root@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 2
-rwxrwxrwx 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
---------- 1 61001 bin 28 Mar 20 17:09 nfsfilecreatedbyroot_wriitenbysmb.txt

No changes from windows side.

=> if a file is created by nfs, it can be read but cannot be written to from windows, even when posix permissions are set to 777.
Test6: create a file from unix client as a local nis user (qacifs7077, don't get fooled by the name)

[root@c33r15-rhel4 cifsdircreatedbysmb]# su qacifs7077
bash-3.00$ pwd
/mnt/leo4/cifsdircreatedbysmb
bash-3.00$ cd ..
bash-3.00$ ls -l
total 5
d--------- 2 61001 bin 4 Mar 20 17:09 cifsdircreatedbysmb
drwxrwxrwx 2 root root 3 Mar 20 16:14 nfsdircreatebyroot
drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
bash-3.00$ cd nfsdircreatebyroot/
bash-3.00$ touch nfsfilecreatedbynisuser
bash-3.00$ ls -l
total 2
-rwxr-xr-x 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
-rw-r--r-- 1 qacifs7077 group1 0 Mar 20 17:25 nfsfilecreatedbynisuser
bash-3.00$

From windows, when looking at Security tab, it says: Unable to display information.
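
Added example, not part of the original post: a minimal model of ordered NFSv4-style ACE evaluation (the ACL model ZFS uses), applied to the read/write bits of the ACL posted for bigmirror/big. The ACE order (taken from the order of the listing), the owner root and owning group root, and the helper names are assumptions; superuser privilege overrides are not modelled.

```python
# Added illustration, not from the post: ordered NFSv4-style ACE evaluation.
WRITE = {"add_file", "write_data", "add_subdirectory", "append_data"}
READ = {"list_directory", "read_data", "execute"}

# Read/write bits of the ACL posted for bigmirror/big.
# Assumption: ACE order equals the order of the listing in the post.
POSTED_ACL = [
    ("owner@", "allow", READ | WRITE),
    ("group@", "allow", READ),
    ("group@", "deny", WRITE),
    ("everyone@", "allow", READ),
    ("everyone@", "deny", WRITE),
    ("user:nfs", "allow", READ | WRITE),
    ("user:smb", "allow", READ | WRITE),
]


def matches(who, user, groups, owner, owning_group):
    """Does this ACE's principal apply to the requesting user?"""
    if who == "everyone@":
        return True
    if who == "owner@":
        return user == owner
    if who == "group@":
        return owning_group in groups
    return who == "user:" + user


def access(acl, user, groups, wanted, owner="root", owning_group="root"):
    """Walk ACEs in order; the first ACE to mention a permission decides it."""
    undecided = set(wanted)
    for who, ace_type, perms in acl:
        if not matches(who, user, groups, owner, owning_group):
            continue
        hit = undecided & perms
        if ace_type == "deny" and hit:
            return False          # one denied permission fails the request
        undecided -= hit          # allowed permissions are settled
    return not undecided          # permissions no ACE mentions are denied


def user_aces_first(acl):
    """Same ACEs with the named-user entries moved ahead of the @ entries."""
    return sorted(acl, key=lambda ace: not ace[0].startswith("user:"))


if __name__ == "__main__":
    for label, acl in (("as listed", POSTED_ACL), ("user ACEs first", user_aces_first(POSTED_ACL))):
        print(label, {u: access(acl, u, set(), {"write_data"}) for u in ("smb", "nfs", "root")})
```

With the same seven ACEs, a non-owner smb is refused write_data when the everyone@ deny entry precedes user:smb and is granted it when the named-user entries come first, so the real ACE order on the server is worth checking before changing mode bits.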