[Samba] Samba 4 CTDB setting Permission from Windows

Stefan Kania stefan at kania-online.de
Tue Jan 13 04:14:54 MST 2015


Hello Davor,

On 12.01.2015 at 19:44, Davor Vusir wrote:
> 2015-01-12 17:47 GMT+01:00 Stefan Kania <stefan at kania-online.de>: 
> On 11.01.2015 at 19:10, Davor Vusir wrote:
>>>> Hi Stefan!
>>>> 
>>>> 2015-01-09 17:27 GMT+01:00 Stefan Kania
>>>> <stefan at kania-online.de>: Hello everybody,
>>>> 
>>>> I try to set up a GlusterFS together with CTDB. The OS on
>>>> all systems is Debian wheezy. No backports active. All
>>>> Samba-packages are from Sernet (samba 4.14) My setup is the
>>>> following:
>>>> 
>>>> ------------
>>>> GlusterFS:
>>>> ------------
>>>> Node1: 192.168.57.101
>>>> Node2: 192.168.57.102
>>>> 
>>>> Two nodes each with one disk. The disks are formatted. The
>>>> disks are mounted. GlusterFS is running without any errors.
>>>> 
>>>> Version of Gluster:
>>>> ii  glusterfs-server  3.5.0-1 amd64  clustered file-system (server package)
>>>> 
>>>> --------------
>>>> CTDB-Cluster:
>>>> --------------
>>>> I mounted the GlusterFS over the network to my samba 4 CTDB-nodes:
>>>> 
>>>> CTDB-Version:
>>>> ii  ctdb 1.0.114.9-2   amd64        Clustered TDB
>>>> 
>>>> Gluster on the clients:
>>>> ii  glusterfs-client 3.5.0-1 amd64  clustered file-system (client package)
>>>> 
>>>> Network for Gluster communication:
>>>> CTDB-node1: 192.168.57.201
>>>> CTDB-node2: 192.168.57.202
>>>> 
>>>> Network for heartbeat communication:
>>>> CTDB-node1: 192.168.56.201
>>>> CTDB-node2: 192.168.56.201
>>>> 
>>>> Mountoptions on both CTDB-nodes in /etc/fstab:
>>>> san1:/gv0 /GL-lokal glusterfs defaults,_netdev,acl 0 0
>>>> 
>>>> 
>>>>> You should add user_xattr to the list. I found this thread
>>>>> quite interesting: 
>>>>> http://samba.2283325.n4.nabble.com/samba4-with-glusterfs-td4647897.html
>>>> 
>>>> The Cluster is working fine as you can see here:
>>>> ---------------
>>>> root@fs1:~# ctdb status
>>>> Number of nodes:2
>>>> pnn:0 192.168.57.201   OK (THIS NODE)
>>>> pnn:1 192.168.57.202   OK
>>>> Generation:1420468989
>>>> Size:2
>>>> hash:0 lmaster:0
>>>> hash:1 lmaster:1
>>>> Recovery mode:NORMAL (0)
>>>> Recovery master:1
>>>> ---------------
>>>> 
>>>> On the commandline I can change permissions and ACLs with
>>>> setfacl, I can set and reset default ACLs.
>>>> 
>>>> Here are my smb.conf-settings from the registry:
>>>> -------------
>>>> root@fs1:/glusterfs# net registry export 'hklm\software\samba' /dev/stdout
>>>> Windows Registry Editor Version 5.00
>>>> 
>>>> [HKLM\software\samba]
>>>> 
>>>> [HKLM\software\samba\smbconf]
>>>> 
>>>> [HKLM\software\samba\smbconf\global]
>>>> "workgroup"="samba-ad"
>>>> "netbios name"="cluster-fs"
>>>> "security"="ads"
>>>> "realm"="SAMBA-AD.LOKAL"
>>>> "idmap config *:range"="1000000-1999999"
>>>> "idmap config samba-ad:backend"="rid"
>>>> "idmap config samba-ad:range"="1000000-1999999"
>>>> 
>>>>> The "*:range" and "samba-ad:range" must not overlap.
>>>> 
>>>> "winbind enum users"="yes"
>>>> "winbind enum groups"="yes"
>>>> "winbind use default domain"="yes"
>>>> "store dos attributes"="yes"
>>>> "map acl inherit"="yes"
>>>> "template shell"="/bin/bash"
>>>> "winbind refresh tickets"="yes"
>>>> "wins server"="192.168.123.205"
>>>> "vfs objects"="acl_xattr"
>>>> "template homedir"="/GL-lokal/daten/home/%U"
>>>> 
>>>>> I would move "store dos attributes"="yes", "map acl 
>>>>> inherit"="yes" and "vfs objects"="acl_xattr" to every
>>>>> [share] section. Some time ago, when I had a combined AD DC
>>>>> and fileserver, where the various shares were configured on
>>>>> top MD/LVM/ext4, I never got the ACL-stuff to work before I
>>>>> moved these settings to the [share] section.
>>>> 
>>>>> Here is a snippet from my smb.conf:
>>>>> [Common]
>>>>> path = /data/common
>>>>> comment = "Company wide files."
>>>>> read only = No
>>>> 
>>>>> map acl inherit = Yes
>>>>> store dos attributes = Yes
>>>>> nt acl support = Yes
>>>> 
>>>>> write cache size = 32768
>>>> 
>>>>> vfs objects = recycle acl_xattr
>>>>> acl_xattr:ignore system acl = yes
>>>>> recycle:keeptree = yes
>>>>> recycle:versions = yes
>>>>> recycle:maxsize = 1073741824
>>>> 
>>>>> csc policy = disable
>>>> 
>>>> [HKLM\software\samba\smbconf\daten]
>>>> "comment"="Daten im Cluster"
>>>> "guest ok"="no"
>>>> "read only"="no"
>>>> "browseable"="yes"
>>>> "hide unreadable"="yes"
>>>> "path"="/GL-lokal/daten"
>>>> 
>>>> [HKLM\software\samba\smbconf\users]
>>>> "comment"="home-dir"
>>>> "guest ok"="no"
>>>> "read only"="no"
>>>> "browseable"="no"
>>>> "create mask"="700"
>>>> "directory mask"="700"
>>>> "path"="/GL-lokal/daten/home"
>>>> 
>>>> 
>>>>> You don't need "guest ok"="no", "browseable"="no", "create 
>>>>> mask"="700" or "directory mask"="700". Just "read
>>>>> only"="no". All permissions are set from Windows.
>>>> 
> That doesn't matter at all for my problem, but you are right
> 
>>>> [HKLM\software\samba\smbconf\profile]
>>>> "comment"="Servergesp. Profile"
>>>> "guest ok"="no"
>>>> "read only"="no"
>>>> "browseable"="no"
>>>> "profile acls"="yes"
>>>> "path"="/GL-lokal/daten/profile"
>>>> 
>>>> 
>>>>> Same here. Use this as a guide for the roaming profiles
>>>>> share: 
>>>>> http://msdn.microsoft.com/en-us/library/cc757013(v=ws.10).aspx.
>>>>> 
>>>>> Don't forget to add 'csc policy = no' to the share definition
>>>>> block.
>>>> 
> 
> In GlusterFS 3.5 there is no mount-option "*xattr*" any more. The 
> howto on the official webpage said it's always mounted with xattr.
> If you set the option the filesystem will not mount at all, because
> of an unknown option
> 
>>>> [HKLM\software\samba\smbconf\linux]
>>>> "comment"="Linux-acl"
>>>> "guest ok"="no"
>>>> "read only"="no"
>>>> "path"="/GL-lokal/linux/"
>>>> 
>>>> [HKLM\software\samba\smbconf\linux2]
>>>> "comment"="Linux-acl2"
>>>> "guest ok"="no"
>>>> "read only"="no"
>>>> "path"="/GL-lokal/linux2/"
>>>> 
>>>> [HKLM\software\samba\Group Policy]
>>>> ;Local Variables:
>>>> ;coding: UTF-8
>>>> ;End:
>>>> ----------------
>>>> 
>>>> The Cluster is Domainmember:
>>>> 
>>>> root@fs1:~# net rpc testjoin
>>>> Join to 'SAMBA-AD' is OK
>>>> 
>>>> 
>>>> If I add additional permissions as Domainadministrator to any
>>>> file or directory via Windows-explorer it works.
>>>> 
>>>> BUT when I try to remove permissions or reset the inheritance
>>>> of filesystempermission on a file or directory I'll get an
>>>> error message. The following picture shows the error:
>>>> http://www.bilder-upload.eu/show.php?file=1613a0-1420819849.png
>>>> 
>>>> It's German but I think it's Windows and it will look the same in
>>>> all languages. For this picture I try to remove the
>>>> filepermission inheritance from a directory to start with new
>>>> set of permissions in this subdirectory
>>>> 
>>>> 
>>>>> Remove all ACLs with setfacl and run chown -R 
>>>>> administrator:'Domain Admins' /path/to/sambashare (or
>>>>> whichever user and group you have assigned as file server
>>>>> admin) (and restart Samba).
>>>> 
> That's what I did several times in different combinations. Removing 
> everything, set everything from Linux and look what will happen on 
> Windows. With the same setup of Samba BUT using a local filesystem,
> everything works. I think I try to use GlusterFS 3.6, but I think
> the problem is not Gluster.
> 
> 
>> Found this
>> https://lalatendumohanty.wordpress.com/2014/02/11/using-glusterfs-with-samba-and-samba-vfs-plugin-for-glusterfs-on-fedora-20/.
>> It might be of interest.

That's a very interesting link. I would like to test it, BUT I use the
SerNet packages for Debian and the vfs object "glusterfs" is not
shipped with the packages. Let's see if I can get it.

Stefan

> 
>> Regards Davor
> 
> Stefan
> 
> 
> 
>>>>> Regards Davor
>>>> 
>>>> I didn't get any error messages in any logfile. Even with
>>>> loglevel set to 10 there is no error in any logfile :-(
>>>> 
>>>> Because there are no error-messages in any logfile, I don't
>>>> know where to look. I think as long as I can't reset
>>>> permissions from Windows this combination is not usable :-(
>>>> Too bad, because GlusterFS works very well.
>>>> 
>>>> I hope, someone can give me a hint.
>>>> 
>>>> Stefan
>>>> 
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps to reduce spam. Sign your
e-mail. More information at http://www.gnupg.org

My key is available at

hkp://subkeys.pgp.net
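
Added example (not part of the original message or of Samba): a check for the point raised in the thread that the "*:range" and "samba-ad:range" idmap ranges must not overlap. It parses `net registry export` text and reports domains whose ID ranges intersect; the sample input is built from the [global] values quoted above, assuming one value per line as in a .reg file, and the function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed sample: the [global] idmap values quoted in the thread,
# laid out one value per line.
SAMPLE_EXPORT = r'''
[HKLM\software\samba\smbconf\global]
"workgroup"="samba-ad"
"security"="ads"
"idmap config *:range"="1000000-1999999"
"idmap config samba-ad:backend"="rid"
"idmap config samba-ad:range"="1000000-1999999"
'''

# Matches: "idmap config <domain>:range"="<low>-<high>"
RANGE_RE = re.compile(
    r'^"idmap config\s+([^":]+?)\s*:\s*range"="(\d+)\s*-\s*(\d+)"\s*$', re.I)


def idmap_ranges(export_text):
    """Return {domain: (low, high)} for every 'idmap config X:range' value."""
    ranges = {}
    for line in export_text.splitlines():
        m = RANGE_RE.match(line.strip())
        if not m:
            continue
        low, high = int(m.group(2)), int(m.group(3))
        if low > high:
            raise ValueError(f"inverted range for {m.group(1)}: {low}-{high}")
        ranges[m.group(1)] = (low, high)
    return ranges


def overlapping(ranges):
    """Return pairs of domains whose ID ranges share at least one ID."""
    hits = []
    for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(sorted(ranges.items()), 2):
        # Two closed intervals intersect when each starts before the other ends.
        if alo <= bhi and blo <= ahi:
            hits.append((a, b))
    return hits


if __name__ == "__main__":
    found = idmap_ranges(SAMPLE_EXPORT)
    for a, b in overlapping(found):
        print(f"overlap: {a} {found[a]} and {b} {found[b]}")
```
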
