[Samba] ACLs on a directory on GPFS
Jonathan Buzzard
jonathan at buzzard.me.uk
Fri Feb 1 03:13:45 MST 2013
On Thu, 2013-01-31 at 15:41 -0500, Andras Frankel wrote:
> Hello,
>
> I am using the vfs_gpfs samba module to map ACLs through samba. It works
> fine on files, but directory ACLs are ignored. Ex:
>
> getfacl /sb/share/myplace/
>
> file: sb/share/myplace/
> owner: root
> group: root
> user::rwx
> user:afrankel:rwx
> group::---
> mask::rwx
> other::---
>
> When I try to access this folder in Windows, I get permission denied.
> The same permissions on a file, I can open it / modify it without any
> problems.
>
Your basic problem is that you are using the Linux tools to look at the
ACLs on the GPFS file system.

You need to stop right there and use the GPFS tools instead, aka
mmgetacl. You can change them with mmeditacl or mmputacl. Yes, the tools
for manipulating ACLs on files and directories on a GPFS file system
from Linux suck; IBM's answer is that it works well on AIX but they
expected them to be set from Windows anyway.

> Here are my settings:
>
> mmlsfs sb
>
> -D nfs4 File locking semantics in effect
> -k all ACL semantics in effect

I strongly recommend that you change your ACL semantics to NFSv4 only if
you intend to use rich permissions from Windows via Samba. Though if
there is anyone from IBM listening that would like to let me know what
Samba ACL semantics does I am all ears :-)

>
> /etc/samba/smb.conf :
> ---------------------
>
> clustering = yes
> fileid:mapping = fsname
> vfs objects = shadow_copy2 syncops gpfs fileid
> shadow:snapdir = .snapshots
> shadow:fixinodes =yes
> gpfs:sharemodes = Yes
> gpfs:leases = Yes
> posix locking = Yes
> kernel oplocks = Yes
> level2 oplocks = no
> force unknown acl user = Yes
> nfs4: mode = special
> nfs4: chown = yes
> nfs4: acedup = merge
>
> [share]
> read only = No
> browseable = yes
> path = /sb/share
> map acl inherit = yes
> inherit acls = no
> dos filemode = no
> create mask = 0770
> force create mode = 0770
> directory mask = 0777
>
The GPFS specific bits of a working smb.conf if you are trying to make a
file server. I presume that there is an AD-based backend for
authentication and UID to SID mapping or it won't work properly.

# general options
vfs objects = shadow_copy2 fileid gpfs
unix extensions = no
mangled names = no
case sensitive = no
# store DOS attributes in extended attributes (vfs_gpfs then stores them in the file system)
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
# the ctdb clustering and GPFS stuff
clustering = yes
ctdbd socket = /tmp/ctdb.socket
fileid : algorithm = fsname
gpfs : sharemodes = yes
gpfs : winattr = yes
force unknown acl user = yes
nfs4 : mode = special
nfs4 : chown = no
nfs4 : acedup = merge
# stuff necessary for guest logins to work where required
guest account = nobody
map to guest = bad user
# enable shadow copies
shadow : snapdir = /gpfs/.snapshots
shadow : basedir = /gpfs
shadow : fixinodes = yes

Then a general purpose group share would look like

[mylab]
comment = Someones Lab common space
path = /gpfs/groups/mylab/common
read only = no
browseable = yes
create mask = 0770
directory mask = 0770
force group = mylab
valid users = @MYDOMAIN\mylab
> Versions :
>
> GPFS v3.4.0-18 on Linux.
> samba-3.5.10-114
>
Looks like you are using RHEL(6?) or a derivative. You need to upgrade
that Samba version for it to work.

http://rhn.redhat.com/errata/RHBA-2012-0850.html

Not sure where you got your vfs_gpfs module from but 3.5.10 needs a
patch to the vfs_gpfs module to make Posix ACLs work properly, though
you are probably only using NFSv4 ACLs anyway.

Also remember access via NFS will nuke any ACLs set so a space is
either NFS *or* SMB access only.

Final note is that RHEL6.4 will shift to a Samba 3.6 base (RHEL5.9 has
already done so) which has a *much* improved vfs_gpfs module. Upgrade as
soon as reasonably possible, noting that the idmapping has changed and
you will need to update your smb.conf for it to work.

JAB.
--
Jonathan A. Buzzard Email: jonathan (at) buzzard.me.uk
Fife, United Kingdom.
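
An added example, not written by either poster or taken from Samba: a short Python script that compares an excerpt of the GPFS-related settings from the question with the matching lines of the reply's smb.conf and lists what is missing, different or extra. The key normalization (lowercasing, collapsing whitespace, dropping spaces around the colon) is this script's own assumption, made so that "nfs4: chown" and "nfs4 : chown" compare as one option.

```python
import re

# Excerpt of the settings quoted from the original question.
ASKER = """
fileid:mapping = fsname
vfs objects = shadow_copy2 syncops gpfs fileid
gpfs:sharemodes = Yes
gpfs:leases = Yes
nfs4: mode = special
nfs4: chown = yes
nfs4: acedup = merge
"""

# Matching excerpt of the smb.conf given in the reply.
RECOMMENDED = """
vfs objects = shadow_copy2 fileid gpfs
ea support = yes
store dos attributes = yes
fileid : algorithm = fsname
gpfs : sharemodes = yes
gpfs : winattr = yes
nfs4 : mode = special
nfs4 : chown = no
nfs4 : acedup = merge
"""

def parse(text):
    """Return {normalized key: normalized value} for 'key = value' lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue  # skip blanks, comments and section headers
        key, value = line.split("=", 1)
        key = re.sub(r"\s*:\s*", ":", " ".join(key.lower().split()))
        settings[key] = " ".join(value.lower().split())
    return settings

def compare(actual, wanted):
    """Return (missing keys, {key: (actual, wanted)}, extra keys)."""
    a, w = parse(actual), parse(wanted)
    missing = sorted(k for k in w if k not in a)
    differs = {k: (a[k], w[k]) for k in w if k in a and a[k] != w[k]}
    extra = sorted(k for k in a if k not in w)
    return missing, differs, extra

if __name__ == "__main__":
    for label, result in zip(("missing", "differs", "extra"), compare(ASKER, RECOMMENDED)):
        print(label, result)
```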