[Samba] ACLs on a directory on GPFS

Andras Frankel Andras.Frankel at mcgill.ca
Fri Feb 1 09:25:59 MST 2013


Jonathan,

Thanks, I tried your suggestion, but still no luck.

I created a new directory myplace2, I used mmeditacl to set the ACLs :

mmgetacl myplace2/
#owner:root
#group:root
user::rwxc
group::----
other::----
mask::rwxc
user:afrankel:rwxc

Same thing, permission denied.

I even changed my fs settings to posix :

 mmlsfs sb
flag                value                    description
------------------- ------------------------ -----------------------------------
 -D                 posix                    File locking semantics in effect
 -k                 posix                    ACL semantics in effect

Did the same thing (I created myplace3, same permission through
mmeditacl, restarted samba, still no access).

The strange thing is that it works fine with files.  Only directories
give me trouble.

Andras


On 02/01/2013 05:13 AM, Jonathan Buzzard wrote:
> On Thu, 2013-01-31 at 15:41 -0500, Andras Frankel wrote:
>> Hello,
>>
>> I am using the vfs_gpfs samba module to map ACLs through samba. It works
>> fine on files, but directory ACLs are ignored. Ex:
>>
>> getfacl /sb/share/myplace/
>>
>> file: sb/share/myplace/
>> owner: root
>> group: root
>> user::rwx
>> user:afrankel:rwx
>> group::---
>> mask::rwx
>> other::---
>>
>> When I try to access this folder in Windows, I get permission denied.
>> The same permissions on a file, I can open it / modify it without any
>> problems.
>>
> 
> Your basic problem is that you are using the Linux tools to look at the
> ACL's on the GPFS file system.
> 
> You need to stop right there and use the GPFS tools instead aka
> mmgetacl. You can change them with mmeditacl or mmputacl. Yes the tools
> for manipulating ACL's on files and directories on a GPFS file system
> from Linux suck; IBM's answer is that it works well on AIX but they
> expected them to be set from Windows anyway.
> 
>> Here are my settings :
>>
>>     mmlsfs sb
>>
>> -D nfs4 File locking semantics in effect
>> -k all ACL semantics in effect
> 
> I strongly recommend that you change your ACL semantics to NFSv4 only if
> you intend to use rich permissions from Windows via Samba. Though if
> there is anyone from IBM listening that would like to let me know what
> Samba ACL schematics does I am all ears :-)
> 
>>
>> /etc/samba/smb.conf :
>> ---------------------
>>
>> clustering = yes
>> fileid:mapping = fsname
>> vfs objects = shadow_copy2 syncops gpfs fileid
>> shadow:snapdir = .snapshots
>> shadow:fixinodes =yes
>> gpfs:sharemodes = Yes
>> gpfs:leases = Yes
>> posix locking = Yes
>> kernel oplocks = Yes
>> level2 oplocks = no
>> force unknown acl user = Yes
>> nfs4: mode = special
>> nfs4: chown = yes
>> nfs4: acedup = merge
>>
>> [share]
>> read only = No
>> browseable = yes
>> path = /sb/share
>> map acl inherit = yes
>> inherit acls = no
>> dos filemode = no
>> create mask = 0770
>> force create mode = 0770
>> directory mask = 0777
>>
> 
> The GPFS specific bits of a working smb.conf if you are trying to make a
> file server. I presume that there is an AD-based backend for
> authentication and UID to SID mapping or it won't work properly.
> 
> # general options
> 	vfs objects = shadow_copy2 fileid gpfs
>         unix extensions = no
>         mangled names = no
>         case sensitive = no
> 
> # store DOS attributes in extended attributes (vfs_gpfs then stores them in the file system)
> 	ea support = yes
> 	store dos attributes = yes
> 	map readonly = no
> 	map archive = no
> 	map system = no
> 
> # the ctdb clustering and GPFS stuff
> 	clustering = yes
> 	ctdbd socket = /tmp/ctdb.socket
>         fileid : algorithm = fsname
>         gpfs : sharemodes = yes
>         gpfs : winattr = yes
>         force unknown acl user = yes
>         nfs4 : mode = special
>         nfs4 : chown = no
>         nfs4 : acedup = merge
> 
> # stuff necessary for guest logins to work where required
> 	guest account = nobody
> 	map to guest = bad user
> 
> # enable shadow copies
>         shadow : snapdir = /gpfs/.snapshots
>         shadow : basedir = /gpfs
>         shadow : fixinodes = yes
> 
> Then a general purpose group share would look like
> 
> [mylab]
> 	comment = Someones Lab common space
> 	path = /gpfs/groups/mylab/common
> 	read only = no
> 	browseable = yes
> 	create mask = 0770
> 	directory mask = 0770
> 	force group = mylab
> 	valid users = @MYDOMAIN\mylab
> 
> 
>> Versions :
>>
>> GPFS v3.4.0-18 on Linux.
>> samba-3.5.10-114
>>
> 
> Looks like you are using RHEL(6?) or a derivative. You need to upgrade
> that Samba version for it to work
> 
>    http://rhn.redhat.com/errata/RHBA-2012-0850.html
> 
> Not sure where you got your vfs_gpfs module from but 3.5.10 needs a
> patch to the vfs_gpfs module to make Posix ACL's work properly, though
> you are probably only using NFSv4 ACL's anyway.
> 
> Also remember access via NFS will nuke any ACL's set so a space is
> either NFS *or* SMB access only.
> 
> Final note is that RHEL6.4 will shift to a Samba 3.6 base (RHEL5.9 has
> already done so) which has a *much* improved vfs_gpfs module. Upgrade as
> soon as reasonably possible, noting that the idmapping has changed and
> you will need to update your smb.conf for it to work.
> 
> 
> JAB.
> 
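
Added example, not part of the original thread: a small Python check that parses the traditional (POSIX-style) ACL text printed by mmgetacl, as shown for myplace2 above, and applies the POSIX.1e access-check order to it. It assumes the mask caps named-user and group entries as in POSIX draft ACLs; the function names are illustrative.

```python
# Added example: evaluate a traditional GPFS ACL as printed by mmgetacl.
SAMPLE = """\
#owner:root
#group:root
user::rwxc
group::----
other::----
mask::rwxc
user:afrankel:rwxc
"""  # mmgetacl output for myplace2/, copied from the message above

def parse_mmgetacl(text):
    """Return {'owner', 'group', 'entries': {(tag, name): set(perms)}}."""
    acl = {"owner": None, "group": None, "entries": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):  # header comments carry owner and group
            key, _, val = line[1:].partition(":")
            if key in ("owner", "group"):
                acl[key] = val.strip()
            continue
        # Drop any trailing inline comment before splitting tag:name:perms.
        tag, name, perms = line.split("#")[0].strip().split(":")[:3]
        acl["entries"][(tag, name)] = set(perms) - {"-"}
    return acl

def allows(acl, user, groups, wanted):
    """POSIX.1e-order check; the mask caps all but owner and other (assumption)."""
    e, wanted = acl["entries"], set(wanted)
    mask = e.get(("mask", ""))
    cap = lambda p: p if mask is None else p & mask
    if user == acl["owner"]:
        return wanted <= e.get(("user", ""), set())
    if ("user", user) in e:
        return wanted <= cap(e[("user", user)])
    matched = [e[("group", "")]] if acl["group"] in groups and ("group", "") in e else []
    matched += [p for (tag, name), p in e.items() if tag == "group" and name in groups]
    if matched:
        return any(wanted <= cap(p) for p in matched)
    return wanted <= e.get(("other", ""), set())

if __name__ == "__main__":
    acl = parse_mmgetacl(SAMPLE)
    # Listing and entering a directory needs r and x on the directory itself.
    print("afrankel r+x:", allows(acl, "afrankel", ["users"], "rx"))
```

On the myplace2 ACL it returns True for afrankel requesting r and x; it covers only this directory's own traditional ACL, not parent directories or NFSv4-format ACLs.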


