Bug 5023 - vfs_zfsacl need more handler/backend
vfs_zfsacl need more handler/backend
Status: RESOLVED FIXED
Product: Samba 3.2
Classification: Unclassified
Component: VFS Modules
3.2.0
Sparc Solaris
: P3 major
: ---
Assigned To: Michael Adam
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2007-10-18 03:35 UTC by Nicolas Dorfsman (mail address dead)
Modified: 2007-12-11 03:22 UTC (History)
2 users (show)

See Also:


Attachments
smbd log file (355.21 KB, text/plain)
2007-10-18 03:36 UTC, Nicolas Dorfsman (mail address dead)
no flags Details
Configuration File (3.16 KB, text/plain)
2007-10-18 03:37 UTC, Nicolas Dorfsman (mail address dead)
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Nicolas Dorfsman (mail address dead) 2007-10-18 03:35:08 UTC
ZFS seems unusable even with zfsacl module.

  Let's show an example.

I have a directory with some acls :

[root@c92-ms168 /export/Test/MonDossier]$ ls -ldv .
dr-xr-xr-x+  2 AD\dorfsman AD\c92-utilisa. de c92-dep-toulo       3 Oct 18 10:27 .
     0:user:AD\dorfsman:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
     1:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:file_inherit/dir_inherit:allow

I'm trying to create a file from a PC. The file is created as "Nouveau Document texte.txt", but when I'm entering the real new name...access denied.  Take a look to new file's acls :

[root@c92-ms168 /export/Test/MonDossier]$ ls -lv Nouveau\ Document\ texte.txt 
-rwxr--r--+  1 AD\dorfsman AD\c92-utilisa. de c92-dep-toulo       0 Oct 18 10:27 Nouveau Document texte.txt
     0:user:AD\dorfsman::deny
     1:user:AD\dorfsman:read_data/write_data/append_data/read_xattr
         /write_xattr/execute/delete_child/read_attributes/write_attributes
         /delete/read_acl/synchronize:allow
     2:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow
     3:owner@::deny
     4:owner@:read_data/write_data/append_data/write_xattr/execute
         /write_attributes/write_acl/write_owner:allow
     5:group@:write_data/append_data/execute:deny
     6:group@:read_data:allow
     7:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     8:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow

In the logfile, some VFS calls are using solarisacl module...there's no equivalent in zfsacl module :

  file_set_dosmode: setting dos mode 0x20 on file MonDossier/Nouveau Document texte.txt
[2007/10/18 10:27:12, 10] modules/vfs_solarisacl.c:(71)
  solarisacl_sys_acl_get_file called for file 'MonDossier/Nouveau Document texte.txt'.
  getting access acl
[2007/10/18 10:27:12, 10] modules/vfs_solarisacl.c:(581)
  solaris_acl_get_file called for file 'MonDossier/Nouveau Document texte.txt'
[2007/10/18 10:27:12, 10] modules/vfs_solarisacl.c:(591)
  acl GETACLCNT failed: Operation not applicable
[2007/10/18 10:27:12, 10] modules/vfs_solarisacl.c:(608)
  solaris_acl_get_file failed.
[2007/10/18 10:27:12, 10] modules/vfs_solarisacl.c:(93)
  solarisacl_sys_acl_get_file failed.

I'm going to attach the whole log file.
Comment 1 Nicolas Dorfsman (mail address dead) 2007-10-18 03:36:16 UTC
Created attachment 2942 [details]
smbd log file
Comment 2 Nicolas Dorfsman (mail address dead) 2007-10-18 03:37:38 UTC
Created attachment 2943 [details]
Configuration File
Comment 3 Michael Adam 2007-10-18 04:07:25 UTC
Hi Nicolas,

thanks for posting this bug report!

Incidentially, I am currently working on this very problem (with another filesystem backend) for a customer. The problem is the unsufficient separation of nfsv4 acl code from posix acls code. (The abstraction is not universally used.)

I will keep you up to date about my results.

Cheers - Michael
Comment 4 Nicolas Dorfsman (mail address dead) 2007-10-18 04:14:04 UTC
    Hi Michael,


(In reply to comment #3)
> Incidentially, I am currently working on this very problem (with another
> filesystem backend) for a customer. The problem is the unsufficient separation
> of nfsv4 acl code from posix acls code. (The abstraction is not universally
> used.)


Great !  

> I will keep you up to date about my results.

My first idea was to try to add some backend like SMB_VFS_OP_SYS_ACL_GET_FILE or SMB_VFS_OP_SYS_ACL_SET_FILE into vfs_zfsacl module.  But as a newbie in samba code, it's not easy to use all these structures between VFS functions !
Comment 5 Michael Adam 2007-11-07 08:23:59 UTC
Hi Nicolas,

I have put a fix for the issue upstream in a couple of commits.
Could you try revision 9dd18bb534bca6b5de6cad9580b48681b36c0832
from samba git-tree v3-2-test?

See: http://gitweb.samba.org/?p=samba.git;a=commit;h=9dd18bb534bca6b5de6cad9580b48681b36c0832

Can you access the git-repo or do you need a patch a specific version?

Cheers, Michael
Comment 6 Michael Adam 2007-11-07 08:31:50 UTC
Note: I have in the meantime also added support for automatic building of the zfsacl vfs module by specifying "--with-shared-modules=vfs_zfsacl" on the configure commandline.

Michael
Comment 7 Nicolas Dorfsman (mail address dead) 2007-11-07 08:35:50 UTC
   Hi Michael

(In reply to comment #5)
> Hi Nicolas,
> 
> I have put a fix for the issue upstream in a couple of commits.
> Could you try revision 9dd18bb534bca6b5de6cad9580b48681b36c0832
> from samba git-tree v3-2-test?
> 
> See:
> http://gitweb.samba.org/?p=samba.git;a=commit;h=9dd18bb534bca6b5de6cad9580b48681b36c0832
> 
> Can you access the git-repo or do you need a patch a specific version?

Hum.... I should be able to understand how to patch with that.

News at the end of the week.

Nicolas
Comment 8 Michael Adam 2007-11-07 09:12:43 UTC
(In reply to comment #7)
>    Hi Michael
> 
> (In reply to comment #5)
> > Hi Nicolas,
> > 
> > I have put a fix for the issue upstream in a couple of commits.
> > Could you try revision 9dd18bb534bca6b5de6cad9580b48681b36c0832
> > from samba git-tree v3-2-test?
> > 
> > See:
> > http://gitweb.samba.org/?p=samba.git;a=commit;h=9dd18bb534bca6b5de6cad9580b48681b36c0832
> > 
> > Can you access the git-repo or do you need a patch a specific version?
> 
> Hum.... I should be able to understand how to patch with that.

Well, if you want to patch a given source tree, you will need several commits.

You will need at least these:

http://gitweb.samba.org/?p=samba.git;a=commit;h=9dd18bb534bca6b5de6cad9580b48681b36c0832
http://gitweb.samba.org/?p=samba.git;a=commit;h=c61b4222d30288add216fac4da3cfaa537f5cd01
http://gitweb.samba.org/?p=samba.git;a=commit;h=6f961a23de745aba5dcd4585b731e651b8cbeef4

and these preliminary patches will eliminate some build warnings:

http://gitweb.samba.org/?p=samba.git;a=commit;h=7b582af2107bed3b864bb408b5c9bcce4b8e4c72
http://gitweb.samba.org/?p=samba.git;a=commit;h=bf23c4ddff617dd3cd1e2d5cedb1b5c023356dc3

All those patches should be applied from bottom to top.
(i.e. they are listed newest first)

With git it is easy to get a bundle of a given snapshot with "git archive".

You can also simply check out the current git branch which incorporates the chanages.

Cheers, Michael
Comment 9 Michael Adam 2007-11-15 04:34:52 UTC
Hi Nicolas,

any news on this one?

Michael
Comment 10 Nicolas Dorfsman (mail address dead) 2007-11-15 04:40:24 UTC
Sorry Michael.  two things :
- I tried to install and use GIT : too many times spent on try to find a quickly usable Max OS X version
- Many other urgent thing, as usual.

So, this afternoon, I'd try with your indications to patch and compile.


Nicolas
Comment 11 Michael Adam 2007-11-15 05:06:29 UTC
Nicolas, no problem.

I have uploaded a current snapshot of the v3-2-test branch here:

http://samba.org/~obnox/snapshots/samba-v3-2-test.tar.gz

(created with git archive). So you need not fiddle with git too long for a start.

Michael
Comment 12 Michael Adam 2007-11-15 05:52:15 UTC
Note that with the snapshot, you have to run "./autogen.sh" before you can run ./configure  ...
Comment 13 Nicolas Dorfsman (mail address dead) 2007-11-19 03:33:51 UTC
Thanks Michael.

I have a issue with many shared libs...automake/make didn't build them. Any hint to have them build ? I could build them by make bin/xxx.so, but can't find any bulk build option.
Comment 14 Michael Adam 2007-11-22 03:47:42 UTC
(In reply to comment #13)
> Thanks Michael.
> 
> I have a issue with many shared libs...automake/make didn't build them. Any
> hint to have them build ? I could build them by make bin/xxx.so, but can't find
> any bulk build option.

Hmm, which shared libs do you mean?
Do you get build errors? Could you provide error messages here?

Usually, you should be building everything you need
should be as simple as follows:

# ./autogen.sh
# ./configure --prefix=/opt/samba/v3-2-test --with-shared-modules=vfs_zfsacl
# make
# make install

When this is not a fresh build, you might need to run "make clean"
(or "make proto") before running "make". 

Michael
Comment 15 Michael Adam 2007-11-22 03:49:09 UTC
By the way:

I have ported the patch to the v3-0-test tree and it has gone
into the new release 3.0.27a.

Michael
Comment 16 Nicolas Dorfsman (mail address dead) 2007-11-26 03:34:04 UTC
Hi Michael,

So.  I  downloaded 3.0.27a source tarball and compile it. Then I added vfs_zfsacl module from the test tarball you've made for me. 
After basic test cases, it seems to work fine ! 
Now, I asked to the Win admin to do further tests.

I'll come back to you.

Nicolas
Comment 17 Michael Adam 2007-11-26 09:59:01 UTC
Nicolas,

thanks for the feedback.
I am marking this bug as fixed.
Should the extended tests reveal more misbehaviour,
please feel free to reacitvate it.

Best, Michael
Comment 18 Nicolas Dorfsman (mail address dead) 2007-12-10 10:05:53 UTC
  Hi Michael,

Your fix is great...but I have "another" issue.
On the Windows ACL editor, when you're requesting to reset all permissions on child before applying new ACLs, windows/smbd put 000 on UNIX permissions bits.  AFAIK this should be ok...zfs/nfsv4 permissions have priority. But smbd is still interpreting UNIX permissions bits even if it shouldn't.

I'll take an eye on source code...but I'm sure you'd be quicker than me !


Comment 19 Volker Lendecke 2007-12-10 10:25:46 UTC
Can you please close this bug and open a new one with that new issue (which is known btw....)?

Thanks,

Volker
Comment 20 Nicolas Dorfsman (mail address dead) 2007-12-11 03:22:17 UTC
Ok. 

New bug created #5135 with test-case

https://bugzilla.samba.org/show_bug.cgi?id=5135