zfs discuss - Jan 2011 - Changed ACL behavior in snv_151 ?

Hi,

I''m sharing file systems using a smb and nfs, and since I''ve
upgraded to snv_151, when I do a chmod from an NFS client, I lose all the NFSv4
ACLs.
Here''s what I see on a Solaris nfs client:

$ ls -lVd ACLtest/
drwxrwx---+  4 root     bsse-it        5 Nov 19 14:03 ACLtest/
             user:ryanj:rwxpdDaARWcCos:fd-----:allow
             user:noddy:rwxpdDaARWcCos:fd-----:allow
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
$ chmod 770 ACLtest/
$ ls -lVd ACLtest/
drwxrwx---   4 root     bsse-it        5 Nov 19 14:03 ACLtest/
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow

Same happens from a Linux or Solaris client
I have aclinherit set to  passthrough

Anyone any ideas?
On a snv_134 system, the ACLs are retained.

Regards
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20110125/0b185afc/attachment.html>

John,

welcome onboard!

2011/1/25 Ryan  John <john.ryan at bsse.ethz.ch>:
> I?m sharing file systems using a smb and nfs, and since I?ve upgraded to
> snv_151, when I do a chmod from an NFS client, I lose all the NFSv4 ACLs.
<http://opensolaris.org/jive/thread.jspa?threadID=134162>

I''d summarize as follows:
in order to play nice with Windows ACL semantics via builtin CIFS,
they choose the approach of throwing away ACLs on chmod(). Makes
Windows happy, others not so.

-f

Which chmod are you using? (check your PATH)

----- Reply message -----
From: "Ryan  John" <john.ryan at bsse.ethz.ch>
To: "zfs-discuss at opensolaris.org" <zfs-discuss at
opensolaris.org>
Subject: [zfs-discuss] Changed ACL behavior in snv_151 ?
Date: Tue, Jan 25, 2011 13:31
Hi,

I?m sharing file systems using a smb and nfs, and since I?ve upgraded to
snv_151, when I do a chmod from an NFS client, I lose all the NFSv4 ACLs.
Here?s what I see on a Solaris nfs client:

$ ls -lVd ACLtest/
drwxrwx---+  4 root     bsse-it        5 Nov 19 14:03 ACLtest/
user:ryanj:rwxpdDaARWcCos:fd-----:allow
user:noddy:rwxpdDaARWcCos:fd-----:allow
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow
$ chmod 770 ACLtest/
$ ls -lVd ACLtest/
drwxrwx---   4 root     bsse-it        5 Nov 19 14:03 ACLtest/
owner@:rwxp--aARWcCos:-------:allow
group@:rwxp--a-R-c--s:-------:allow
everyone@:------a-R-c--s:-------:allow

Same happens from a Linux or Solaris client
I have aclinherit set to  passthrough

Anyone any ideas?
On a snv_134 system, the ACLs are retained.

Regards
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20110125/b4c587c3/attachment.html>

I?m using /usr/bin/chmod

From: phil.harman at gmail.com [mailto:phil.harman at gmail.com]
Sent: 25 January 2011 14:50
To: Ryan John; zfs-discuss at opensolaris.org
Subject: Re: [zfs-discuss] Changed ACL behavior in snv_151 ?

Which chmod are you using? (check your PATH)
----- Reply message -----
From: "Ryan John" <john.ryan at bsse.ethz.ch>
To: "zfs-discuss at opensolaris.org" <zfs-discuss at
opensolaris.org>
Subject: [zfs-discuss] Changed ACL behavior in snv_151 ?
Date: Tue, Jan 25, 2011 13:31

Hi,

I?m sharing file systems using a smb and nfs, and since I?ve upgraded to
snv_151, when I do a chmod from an NFS client, I lose all the NFSv4 ACLs.
Here?s what I see on a Solaris nfs client:

$ ls -lVd ACLtest/
drwxrwx---+  4 root     bsse-it        5 Nov 19 14:03 ACLtest/
             user:ryanj:rwxpdDaARWcCos:fd-----:allow
             user:noddy:rwxpdDaARWcCos:fd-----:allow
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
$ chmod 770 ACLtest/
$ ls -lVd ACLtest/
drwxrwx---   4 root     bsse-it        5 Nov 19 14:03 ACLtest/
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:rwxp--a-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow

Same happens from a Linux or Solaris client
I have aclinherit set to  passthrough

Anyone any ideas?
On a snv_134 system, the ACLs are retained.

Regards
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/zfs-discuss/attachments/20110125/976f1d9f/attachment-0001.html>

> -----Original Message-----
> From: Frank Lahm [mailto:franklahm at googlemail.com] 
> Sent: 25 January 2011 14:50
> To: Ryan John
> Cc: zfs-discuss at opensolaris.org
> Subject: Re: [zfs-discuss] Changed ACL behavior in snv_151 ?
> John,
> welcome onboard!
> 2011/1/25 Ryan  John <john.ryan at bsse.ethz.ch>:
>> I?m sharing file systems using a smb and nfs, and since I?ve upgraded
to
>> snv_151, when I do a chmod from an NFS client, I lose all the NFSv4
ACLs.
> <http://opensolaris.org/jive/thread.jspa?threadID=134162>
> I''d summarize as follows:
> in order to play nice with Windows ACL semantics via builtin CIFS,
> they choose the approach of throwing away ACLs on chmod(). Makes
> Windows happy, others not so.
> -f
Hi Frank,

This really breaks our whole setup.
Under snv_134 our users were happy with Windows ACLs, and NFSv3 and NFSv4 Linux
clients.
They all worked very well together. The only problem we had with the deny ACLs,
was when using the MacOS "Finder"

I don''t think there''s a way we can tell our users not to do a
chmod.

Was it a result of PSARC/2009/029 ?
http://arc.opensolaris.org/caselog/PSARC/2010/029/20100126_mark.shellenbaum
If so, I think that was implemented around snv_137.
This would also mean it''s the same in Illumos.

Regards
John

We are working on a change to illumos (and NexentaStor) to revive
acl_mode... lots and lots of people have had very bad experiences as a
result of that particular change.

	- Garrett

On Thu, 2011-01-27 at 07:32 +0000, Ryan John wrote:
> > -----Original Message-----
> > From: Frank Lahm [mailto:franklahm at googlemail.com] 
> > Sent: 25 January 2011 14:50
> > To: Ryan John
> > Cc: zfs-discuss at opensolaris.org
> > Subject: Re: [zfs-discuss] Changed ACL behavior in snv_151 ?
> 
> > John,
> 
> > welcome onboard!
> 
> > 2011/1/25 Ryan  John <john.ryan at bsse.ethz.ch>:
> >> I?m sharing file systems using a smb and nfs, and since I?ve
upgraded to
> >> snv_151, when I do a chmod from an NFS client, I lose all the
NFSv4 ACLs.
> 
> > <http://opensolaris.org/jive/thread.jspa?threadID=134162>
> 
> > I''d summarize as follows:
> > in order to play nice with Windows ACL semantics via builtin CIFS,
> > they choose the approach of throwing away ACLs on chmod(). Makes
> > Windows happy, others not so.
> 
> > -f
> Hi Frank,
> 
> This really breaks our whole setup.
> Under snv_134 our users were happy with Windows ACLs, and NFSv3 and NFSv4
Linux clients.
> They all worked very well together. The only problem we had with the deny
ACLs, was when using the MacOS "Finder"
> 
> I don''t think there''s a way we can tell our users not to
do a chmod.
> 
> Was it a result of PSARC/2009/029 ?
http://arc.opensolaris.org/caselog/PSARC/2010/029/20100126_mark.shellenbaum
> If so, I think that was implemented around snv_137.
> This would also mean it''s the same in Illumos.
> 
> Regards
> John
> 
> _______________________________________________
> zfs-discuss mailing list
> zfs-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/zfs-discuss

2011/1/27 Ryan  John <john.ryan at bsse.ethz.ch>:
>> -----Original Message-----
>> From: Frank Lahm [mailto:franklahm at googlemail.com]
>> Sent: 25 January 2011 14:50
>> To: Ryan John
>> Cc: zfs-discuss at opensolaris.org
>> Subject: Re: [zfs-discuss] Changed ACL behavior in snv_151 ?
>
>> John,
>
>> welcome onboard!
>
>> 2011/1/25 Ryan ?John <john.ryan at bsse.ethz.ch>:
>>> I?m sharing file systems using a smb and nfs, and since I?ve
upgraded to
>>> snv_151, when I do a chmod from an NFS client, I lose all the NFSv4
ACLs.
>
>> <http://opensolaris.org/jive/thread.jspa?threadID=134162>
>
>> I''d summarize as follows:
>> in order to play nice with Windows ACL semantics via builtin CIFS,
>> they choose the approach of throwing away ACLs on chmod(). Makes
>> Windows happy, others not so.
>
> This really breaks our whole setup.
> Under snv_134 our users were happy with Windows ACLs, and NFSv3 and NFSv4
Linux clients.
> They all worked very well together. The only problem we had with the deny
ACLs, was when using the MacOS "Finder"
You could try Netatalk for access from Macs. The OS X AFP VFS plugin
is far more forgiving then the CIFS one, making AFP still the file
sharing protocol of choice for Macs.
We''ve implemented a workaround for this chmod() vs ACL problem in
(afair) Netatlk 2.1.5. For easy-to-use ACL support, you could give the
just released 2.2-beta1 a try.
> Was it a result of PSARC/2009/029 ?
http://arc.opensolaris.org/caselog/PSARC/2010/029/20100126_mark.shellenbaum
Afair, yes.
> If so, I think that was implemented around snv_137.
Yes.

-f

2011/1/27 Garrett D''Amore <garrett at
nexenta.com>:
> We are working on a change to illumos (and NexentaStor) to revive
> acl_mode... lots and lots of people have had very bad experiences as a
> result of that particular change.
We had to put a chmod() wrapper into our app (Netatalk) to work around
that. Good to hear your planning to tackle this OS side.

-f