[Samba] zfs acls and MS office applications

I'm trying to use zfs acls in solaris 10. I've looked at past posts
regarding this and some online help, but am stuck. I'm currently using
samba 3.3.9; I've had the same problem with 3.3.7. samba is compiled
and running as an Active Directory member server (compiled with ldap and
kerberos). The zfs disk is local. I'm not using winbind. I compiled
with zfsacl module.

Permissions appear just fine in solaris. Plus I can read/write with
notepad and use other applications such as acrobat. However, Microsoft
Office 2007 won't open or save files. I haven't tried other versions of
Office; they're not handy.

The following is the configuration for the share:

[testzfs]
comment = test
path = /moe2
browseable = true
public = false
writable = true
inherit permissions = yes
acl check permissions = False
vfs objects = zfsacl
inherit acls = yes
nfs4: mode = simple
nfs4: acedup = merge
zfsacl: acesort = dontcare
map archive = no
map hidden = no
map read only = no
map system = no

The zfs permissions I'm testing look like this. This is for the parent
directory; files within have the same permissions (sans the inheritance).


moe-lh /moe2/office/student_workers 546# ls -vd .
drwxrws---+ 2 toml cefac 5 Oct 20 18:36 ./
0:group:cefac:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:file_inherit/dir_inherit/inherit_only:allow
1:group:cefac:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:allow
2:group:ceoffstu:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:file_inherit/dir_inherit/inherit_only:allow
3:group:ceoffstu:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:allow
4:group:ceoffstu:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:allow
5:owner@::deny
6:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
7:group@::deny
8:group@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/execute:allow
9:everyone@:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/write_xattr/execute/write_attributes
/write_acl/write_owner:deny
10:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow


thank you

Tom Lieuallen
Oregon State University
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

I ran into the following two related problems with samba 3.0.xx and
Solaris 10 and ZFS

1. With Word, Excel or PowerPoint 2003 you could save the document
maybe 4 times but on the 5th time you wouldn't be able to save the file
- or worse it would disappear.

The issue seemed to be that for the first 4 saves, the MS App would
merely modify the document. But with the 5th save it writes the
document out in full to a new file and deletes the old. Also, rather
than allowing the new file to just inherit file permissions, the app
will explicitly set the ACE's. Visual Studio does this as well.


ZFS inheritance is ignored if Windows inheritance is used.



2. On unix level, you might "chmod 770 somefile" to allow anyone in the
group to access the file. "Other" is not explicitly permitted but
not explictly denied. So the in effect "everyone else" does not have
access.

But in Windows, this "other is not explicitly" permitted can be
interpreted as "everyone is explicitly denied." Something similar can
happen with group perms. Although supposedly the correct ACE ordering
shd have avoided this.

Nt.

I used the samba packages bundled with Solaris. They have the zfs
module backported from newer samba versions. If I compiled Samba 3.0.x
from scratch I did not get zfs support and the winbind functionality was
broken.

However, Sun doesn't do a great job of documenting any of this.




On 10/20/09 22:01, Tom Lieuallen wrote:
>
> I'm trying to use zfs acls in solaris 10. I've looked at past posts
> regarding this and some online help, but am stuck. I'm currently
> using samba 3.3.9; I've had the same problem with 3.3.7. samba is
> compiled and running as an Active Directory member server (compiled
> with ldap and kerberos). The zfs disk is local. I'm not using
> winbind. I compiled with zfsacl module.
>
> Permissions appear just fine in solaris. Plus I can read/write with
> notepad and use other applications such as acrobat. However,
> Microsoft Office 2007 won't open or save files. I haven't tried other
> versions of Office; they're not handy.
>
> The following is the configuration for the share:
>
> [testzfs]
> comment = test
> path = /moe2
> browseable = true
> public = false
> writable = true
> inherit permissions = yes
> acl check permissions = False
> vfs objects = zfsacl
> inherit acls = yes
> nfs4: mode = simple
> nfs4: acedup = merge
> zfsacl: acesort = dontcare
> map archive = no
> map hidden = no
> map read only = no
> map system = no
>
> The zfs permissions I'm testing look like this. This is for the
> parent directory; files within have the same permissions (sans the
> inheritance).
>
>
> moe-lh /moe2/office/student_workers 546# ls -vd .
> drwxrws---+ 2 toml cefac 5 Oct 20 18:36 ./
> 0:group:cefac:list_directory/read_data/add_file/write_data
>
> /add_subdirectory/append_data/write_xattr/execute/write_attributes
>
> /write_acl/write_owner:file_inherit/dir_inherit/inherit_only:allow
> 1:group:cefac:list_directory/read_data/add_file/write_data
>
> /add_subdirectory/append_data/write_xattr/execute/write_attributes
> /write_acl/write_owner:allow
> 2:group:ceoffstu:list_directory/read_data/add_file/write_data
>
> /add_subdirectory/append_data/write_xattr/execute/write_attributes
>
> /write_acl/write_owner:file_inherit/dir_inherit/inherit_only:allow
> 3:group:ceoffstu:list_directory/read_data/add_file/write_data
>
> /add_subdirectory/append_data/write_xattr/execute/write_attributes
> /write_acl/write_owner:allow
> 4:group:ceoffstu:list_directory/read_data/add_file/write_data
>
> /add_subdirectory/append_data/write_xattr/execute/write_attributes
> /write_acl/write_owner:allow
> 5:owner@::deny
>
> 6:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
> /append_data/write_xattr/execute/write_attributes/write_acl
> /write_owner:allow
> 7:group@::deny
>
> 8:group@:list_directory/read_data/add_file/write_data/add_subdirectory
> /append_data/execute:allow
> 9:everyone@:list_directory/read_data/add_file/write_data
>
> /add_subdirectory/append_data/write_xattr/execute/write_attributes
> /write_acl/write_owner:deny
> 10:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
>
>
> thank you
>
> Tom Lieuallen
> Oregon State University

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba