[Samba] ACLs on a directory on GPFS

Jonathan Buzzard jonathan at buzzard.me.uk
Fri Feb 1 03:13:45 MST 2013 

On Thu, 2013-01-31 at 15:41 -0500, Andras Frankel wrote:
> Hello,
> 
> I am using the vfs_gpfs samba module to map ACLs through samba. It works
> fine on files, but directory ACLs are ignored. Ex:
> 
> getfacl /sb/share/myplace/
> 
> file: sb/share/myplace/
> owner: root
> group: root
> user::rwx
> user:afrankel:rwx
> group::---
> mask::rwx
> other::---
> 
> When I try to access this folder in Windows, I get permission denied.
> The same permissions on a files, I can open it / modify it without any
> problems.
> 

Your basic problem is that you are using the Linux tools to look at the
ACL's on the GPFS file system.

You need to stop right there and use the GPFS tools instead aka
mmgetacl. You can change them with mmeditacl or mmputacl. Yes the tools
for manipulating ACL's on files and directories on a GPFS file system
from Linux suck; IBM's answer is that it works well on AIX but they
expected them to be set from Windows anyway.

> Here is my seetings :
> 
>     mmlsfs sb
> 
> -D nfs4 File locking semantics in effect
> -k all ACL semantics in effect

I strongly recommend that you change your ACL semantics to NFSv4 only if
you intend to use rich permissions from Windows via Samba. Though if
there is anyone from IBM listening that would like to let me know what
Samba ACL schematics does I am all ears :-)

> 
> /etc/samba/smb.conf :
> ---------------------
> 
> clustering = yes
> fileid:mapping = fsname
> vfs objects = shadow_copy2 syncops gpfs fileid
> shadow:snapdir = .snapshots
> shadow:fixinodes =yes
> gpfs:sharemodes = Yes
> gpfs:leases = Yes
> posix locking = Yes
> kernel oplocks = Yes
> level2 oplocks = no
> force unknown acl user = Yes
> nfs4: mode = special
> nfs4: chown = yes
> nfs4: acedup = merge
> 
> [share]
> read only = No
> browseable = yes
> path = /sb/share
> map acl inherit = yes
> inherit acls = no
> dos filemode = no
> create mask = 0770
> force create mode = 0770
> directory mask = 0777
> 

The GPFS specific bits of a working smb.conf if you are trying to make a
file server. I presume that there is a AD based backend for
authentication and UID to SID mapping or it won't work properly.

# general options
	vfs objects = shadow_copy2 fileid gpfs
        unix extensions = no
        mangled names = no
        case sensitive = no

# store DOS attributes in extended attributes (vfs_gpfs then stores them
in the file system)
	ea support = yes
	store dos attributes = yes
	map readonly = no
	map archive = no
	map system = no

# the ctdb clustering and GPFS stuff
	clustering = yes
	ctdbd socket = /tmp/ctdb.socket
        fileid : algorithm = fsname
        gpfs : sharemodes = yes
        gpfs : winattr = yes
        force unknown acl user = yes
        nfs4 : mode = special
        nfs4 : chown = no
        nfs4 : acedup = merge

# stuff necessary for guest logins to work where required
	guest account = nobody
	map to guest = bad user

# enable shadow copies
        shadow : snapdir = /gpfs/.snapshots
        shadow : basedir = /gpfs
        shadow : fixinodes = yes

The a general purpose group share would look like

[mylab]
	comment = Someones Lab common space
	path = /gpfs/groups/mylab/common
	read only = no
	browseable = yes
	create mask = 0770
	directory mask = 0770
	force group = mylab
	valid users = @MYDOMAIN\mylab


> Versions :
> 
> GPFS v3.4.0-18 on Linux.
> samba-3.5.10-114
> 

Looks like you are using RHEL(6?) or a derivative. You need to upgrade
that Samba version for it to work

   http://rhn.redhat.com/errata/RHBA-2012-0850.html

Not sure where you got your vfs_gpfs module from but 3.5.10 needs a
patch to the vfs_gpfs module to make Posix ACL's work properly, though
you probably only using NFSv4 ACL's anyway.

Also remember access via NFS will nuke any ACL's set so a space is
either NFS *or* SMB access only.

Final note is that RHEL6.4 will shift to a Samba 3.6 base (RHEL5.9 has
already done so) which has a *much* improved vfs_gpfs module. Upgrade as
soon as reasonably possible, noting that the idmapping has changed and
you will need to update your smb.conf for it work.


JAB.

-- 
Jonathan A. Buzzard                 Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.

More information about the samba mailing list