[Samba] zfs acls and MS office applications

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Oct 21 07:30:16 MDT 2009


I ran into the following two related problems with samba 3.0.xx and 
Solaris 10 and ZFS.

1.  With Word, Excel or PowerPoint 2003 you could save the document 
maybe 4 times, but on the 5th time you wouldn't be able to save the file, 
or worse, it would disappear.

The issue seemed to be that for the first 4 saves, the MS App would 
merely modify the document.  But with the 5th save it writes the 
document out in full to a new file and deletes the old.  Also, rather 
than allowing the new file to just inherit file permissions, the app 
will explicitly set the ACEs.  Visual Studio does this as well.


ZFS inheritance is ignored if Windows inheritance is used.



2.  On the unix level, you might "chmod 770 somefile" to allow anyone in the 
group to access the file.  "Other" is not explicitly permitted but 
not explicitly denied.  So in effect "everyone else" does not have 
access.

But in Windows, this "other is not explicitly permitted" can be 
interpreted as "everyone is explicitly denied."  Something similar can 
happen with group perms.  Although supposedly the correct ACE ordering 
should have avoided this.

Nt.

I used the samba packages bundled with Solaris.   They have the zfs 
module backported from newer samba versions.  If I compiled Samba 3.0.x 
from scratch I did not get zfs support and the winbind functionality was 
broken.

However, Sun doesn't do a great job of documenting any of this.




On 10/20/09 22:01, Tom Lieuallen wrote:
>
> I'm trying to use zfs acls in solaris 10.  I've looked at past posts 
> regarding this and some online help, but am stuck.  I'm currently 
> using samba 3.3.9; I've had the same problem with 3.3.7.  samba is 
> compiled and running as an Active Directory member server (compiled 
> with ldap and kerberos).  The zfs disk is local.  I'm not using 
> winbind.  I compiled with zfsacl module.
>
> Permissions appear just fine in solaris.  Plus I can read/write with 
> notepad and use other applications such as acrobat.  However, 
> Microsoft Office 2007 won't open or save files.  I haven't tried other 
> versions of Office; they're not handy.
>
> The following is the configuration for the share:
>
> [testzfs]
>     comment  = test
>     path     = /moe2
>     browseable = true
>     public   = false
>     writable = true
>     inherit permissions = yes
>     acl check permissions = False
>     vfs objects = zfsacl
>     inherit acls = yes
>     nfs4: mode = simple
>     nfs4: acedup = merge
>     zfsacl: acesort = dontcare
>     map archive = no
>     map hidden = no
>     map read only = no
>     map system = no
>
> The zfs permissions I'm testing look like this.  This is for the 
> parent directory; files within have the same permissions (sans the 
> inheritance).
>
>
> moe-lh /moe2/office/student_workers 546# ls -vd .
> drwxrws---+  2 toml     cefac          5 Oct 20 18:36 ./
>      0:group:cefac:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:file_inherit/dir_inherit/inherit_only:allow
>      1:group:cefac:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
>      2:group:ceoffstu:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:file_inherit/dir_inherit/inherit_only:allow
>      3:group:ceoffstu:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
>      4:group:ceoffstu:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
>      5:owner@::deny
>      6:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
>      7:group@::deny
>      8:group@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/execute:allow
>      9:everyone@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
>      10:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
>
>
> thank you
>
> Tom Lieuallen
> Oregon State University
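Both messages above turn on the same two points: ZFS/NFSv4 ACLs are evaluated in order with first-match semantics (so an explicit everyone@ deny placed before an allow, as chmod 770 produces, denies "others" outright), and Windows expects explicit deny entries to come before allow entries. The following is an added example, not code from the samba list, from Samba or from Solaris: it parses the ACL Tom printed with `ls -vd` (copied from his post with the wrapped lines joined), evaluates access the way NFSv4 does, and checks whether the entries are in Windows canonical order. The user names, group memberships and the `check_access`/`is_canonical_order` helpers are assumptions made for the example.

```python
"""Evaluate a ZFS/NFSv4 ACL as printed by Solaris `ls -v`.

Added example, not part of the samba list post or of Samba/Solaris.
Parses the ACL from Tom's message, applies NFSv4 first-match evaluation,
and checks Windows canonical ordering (all explicit denies before allows).
"""
from dataclasses import dataclass

# ACL copied from the post (wrapped lines joined).  `ls -v` prints one
# entry per line as  index:principal[:name]:perms[:inherit-flags]:allow|deny
LS_V_OUTPUT = """\
0:group:cefac:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:file_inherit/dir_inherit/inherit_only:allow
1:group:cefac:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
2:group:ceoffstu:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:file_inherit/dir_inherit/inherit_only:allow
3:group:ceoffstu:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
4:group:ceoffstu:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
5:owner@::deny
6:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:allow
7:group@::deny
8:group@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/execute:allow
9:everyone@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:deny
10:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
"""

# Owner and owning group come from the `ls` line in the post (toml / cefac).
OWNER, OWNER_GROUP = "toml", "cefac"


@dataclass
class Ace:
    principal: str        # 'owner@', 'group@', 'everyone@', 'user:<name>' or 'group:<name>'
    perms: frozenset      # NFSv4 permission names, e.g. 'read_data'
    flags: frozenset      # inheritance flags, e.g. 'inherit_only'
    kind: str             # 'allow' or 'deny'


def parse_ls_v(text):
    """Parse `ls -v` ACL lines into Ace objects, in the order printed."""
    aces = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2:
            continue
        fields.pop(0)                                   # leading index number
        if fields[0].endswith("@"):                     # special principal
            principal = fields.pop(0)
        else:                                           # 'user'/'group' + name
            principal = fields.pop(0) + ":" + fields.pop(0)
        kind = fields.pop()                             # allow | deny
        perms = frozenset(filter(None, fields.pop(0).split("/")))
        flags = frozenset(filter(None, fields.pop(0).split("/"))) if fields else frozenset()
        aces.append(Ace(principal, perms, flags, kind))
    return aces


def matches(ace, user, groups):
    """Does this ACE's principal apply to the requesting user?"""
    p = ace.principal
    if p == "everyone@":
        return True
    if p == "owner@":
        return user == OWNER
    if p == "group@":
        return OWNER_GROUP in groups
    who, name = p.split(":", 1)
    return name == user if who == "user" else name in groups


def check_access(aces, user, groups, requested):
    """NFSv4 first-match evaluation (RFC 3530 section 5.11.1).

    Walk the ACEs in order; an allow grants the still-undecided bits it
    covers, a deny that covers any still-undecided bit fails the request.
    inherit_only entries are skipped: they exist to be copied onto new
    children and never take part in an access check.
    Returns (allowed, index of the ACE that decided the result).
    """
    remaining = set(requested)
    for i, ace in enumerate(aces):
        if "inherit_only" in ace.flags or not matches(ace, user, groups):
            continue
        hit = remaining & ace.perms
        if not hit:
            continue
        if ace.kind == "deny":
            return False, i
        remaining -= hit
        if not remaining:
            return True, i
    return False, None          # nothing allowed what was left: denied by default


def is_canonical_order(aces):
    """Windows canonical order for explicit entries: every deny before any allow."""
    seen_allow = False
    for ace in aces:
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            return False
    return True


if __name__ == "__main__":
    acl = parse_ls_v(LS_V_OUTPUT)
    # Constructed membership: bob is in neither cefac nor ceoffstu.
    for user, groups, want in [("toml", {"cefac"}, {"write_data"}),
                               ("alice", {"ceoffstu"}, {"read_data", "write_data"}),
                               ("bob", set(), {"read_data"}),
                               ("bob", set(), {"read_attributes"})]:
        print(user, sorted(want), check_access(acl, user, groups, want))
    print("canonical (denies before allows):", is_canonical_order(acl))
```

Run it and the third case shows the effect Gaiseric describes: bob, who is simply "not in the group", is stopped by the explicit `everyone@ ... :deny` at index 9 rather than by the absence of an allow, while the last case passes because the deny at 9 does not cover `read_attributes` and the allow at 10 does. The ordering check reports false for this ACL, since allow entries 0 to 4 precede the first deny at 5, which is the kind of non-canonical layout Windows tools are sensitive to and that `zfsacl: acesort = dontcare` leaves untouched.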


