ZFS seems unusable even with zfsacl module. Let's show an example. I have a directory with some acls : [root@c92-ms168 /export/Test/MonDossier]$ ls -ldv . dr-xr-xr-x+ 2 AD\dorfsman AD\c92-utilisa. de c92-dep-toulo 3 Oct 18 10:27 . 0:user:AD\dorfsman:list_directory/read_data/add_file/write_data /add_subdirectory/append_data/read_xattr/write_xattr/execute /delete_child/read_attributes/write_attributes/delete/read_acl /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow 1:everyone@:list_directory/read_data/read_xattr/execute/read_attributes /read_acl/synchronize:file_inherit/dir_inherit:allow I'm trying to create a file from a PC. The file is created as "Nouveau Document texte.txt", but when I'm entering the real new name...access denied. Take a look to new file's acls : [root@c92-ms168 /export/Test/MonDossier]$ ls -lv Nouveau\ Document\ texte.txt -rwxr--r--+ 1 AD\dorfsman AD\c92-utilisa. de c92-dep-toulo 0 Oct 18 10:27 Nouveau Document texte.txt 0:user:AD\dorfsman::deny 1:user:AD\dorfsman:read_data/write_data/append_data/read_xattr /write_xattr/execute/delete_child/read_attributes/write_attributes /delete/read_acl/synchronize:allow 2:everyone@:read_xattr/read_attributes/read_acl/synchronize:allow 3:owner@::deny 4:owner@:read_data/write_data/append_data/write_xattr/execute /write_attributes/write_acl/write_owner:allow 5:group@:write_data/append_data/execute:deny 6:group@:read_data:allow 7:everyone@:write_data/append_data/write_xattr/execute/write_attributes /write_acl/write_owner:deny 8:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize :allow In the logfile, some VFS calls are using solarisacl module...there's no equivalent in zfsacl module : file_set_dosmode: setting dos mode 0x20 on file MonDossier/Nouveau Document texte.txt [2007/10/18 10:27:12, 10] modules/vfs_solarisacl.c:(71) solarisacl_sys_acl_get_file called for file 'MonDossier/Nouveau Document texte.txt'. getting access acl [2007/10/18 10:27:12, 10] modules/vfs_solarisacl.c:(581) solaris_acl_get_file called for file 'MonDossier/Nouveau Document texte.txt' [2007/10/18 10:27:12, 10] modules/vfs_solarisacl.c:(591) acl GETACLCNT failed: Operation not applicable [2007/10/18 10:27:12, 10] modules/vfs_solarisacl.c:(608) solaris_acl_get_file failed. [2007/10/18 10:27:12, 10] modules/vfs_solarisacl.c:(93) solarisacl_sys_acl_get_file failed. I'm going to attach the whole log file.
Created attachment 2942 [details] smbd log file
Created attachment 2943 [details] Configuration File
Hi Nicolas, thanks for posting this bug report! Incidentially, I am currently working on this very problem (with another filesystem backend) for a customer. The problem is the unsufficient separation of nfsv4 acl code from posix acls code. (The abstraction is not universally used.) I will keep you up to date about my results. Cheers - Michael
Hi Michael, (In reply to comment #3) > Incidentially, I am currently working on this very problem (with another > filesystem backend) for a customer. The problem is the unsufficient separation > of nfsv4 acl code from posix acls code. (The abstraction is not universally > used.) Great ! > I will keep you up to date about my results. My first idea was to try to add some backend like SMB_VFS_OP_SYS_ACL_GET_FILE or SMB_VFS_OP_SYS_ACL_SET_FILE into vfs_zfsacl module. But as a newbie in samba code, it's not easy to use all these structures between VFS functions !
Hi Nicolas, I have put a fix for the issue upstream in a couple of commits. Could you try revision 9dd18bb534bca6b5de6cad9580b48681b36c0832 from samba git-tree v3-2-test? See: http://gitweb.samba.org/?p=samba.git;a=commit;h=9dd18bb534bca6b5de6cad9580b48681b36c0832 Can you access the git-repo or do you need a patch a specific version? Cheers, Michael
Note: I have in the meantime also added support for automatic building of the zfsacl vfs module by specifying "--with-shared-modules=vfs_zfsacl" on the configure commandline. Michael
Hi Michael (In reply to comment #5) > Hi Nicolas, > > I have put a fix for the issue upstream in a couple of commits. > Could you try revision 9dd18bb534bca6b5de6cad9580b48681b36c0832 > from samba git-tree v3-2-test? > > See: > http://gitweb.samba.org/?p=samba.git;a=commit;h=9dd18bb534bca6b5de6cad9580b48681b36c0832 > > Can you access the git-repo or do you need a patch a specific version? Hum.... I should be able to understand how to patch with that. News at the end of the week. Nicolas
(In reply to comment #7) > Hi Michael > > (In reply to comment #5) > > Hi Nicolas, > > > > I have put a fix for the issue upstream in a couple of commits. > > Could you try revision 9dd18bb534bca6b5de6cad9580b48681b36c0832 > > from samba git-tree v3-2-test? > > > > See: > > http://gitweb.samba.org/?p=samba.git;a=commit;h=9dd18bb534bca6b5de6cad9580b48681b36c0832 > > > > Can you access the git-repo or do you need a patch a specific version? > > Hum.... I should be able to understand how to patch with that. Well, if you want to patch a given source tree, you will need several commits. You will need at least these: http://gitweb.samba.org/?p=samba.git;a=commit;h=9dd18bb534bca6b5de6cad9580b48681b36c0832 http://gitweb.samba.org/?p=samba.git;a=commit;h=c61b4222d30288add216fac4da3cfaa537f5cd01 http://gitweb.samba.org/?p=samba.git;a=commit;h=6f961a23de745aba5dcd4585b731e651b8cbeef4 and these preliminary patches will eliminate some build warnings: http://gitweb.samba.org/?p=samba.git;a=commit;h=7b582af2107bed3b864bb408b5c9bcce4b8e4c72 http://gitweb.samba.org/?p=samba.git;a=commit;h=bf23c4ddff617dd3cd1e2d5cedb1b5c023356dc3 All those patches should be applied from bottom to top. (i.e. they are listed newest first) With git it is easy to get a bundle of a given snapshot with "git archive". You can also simply check out the current git branch which incorporates the chanages. Cheers, Michael
Hi Nicolas, any news on this one? Michael
Sorry Michael. two things : - I tried to install and use GIT : too many times spent on try to find a quickly usable Max OS X version - Many other urgent thing, as usual. So, this afternoon, I'd try with your indications to patch and compile. Nicolas
Nicolas, no problem. I have uploaded a current snapshot of the v3-2-test branch here: http://samba.org/~obnox/snapshots/samba-v3-2-test.tar.gz (created with git archive). So you need not fiddle with git too long for a start. Michael
Note that with the snapshot, you have to run "./autogen.sh" before you can run ./configure ...
Thanks Michael. I have a issue with many shared libs...automake/make didn't build them. Any hint to have them build ? I could build them by make bin/xxx.so, but can't find any bulk build option.
(In reply to comment #13) > Thanks Michael. > > I have a issue with many shared libs...automake/make didn't build them. Any > hint to have them build ? I could build them by make bin/xxx.so, but can't find > any bulk build option. Hmm, which shared libs do you mean? Do you get build errors? Could you provide error messages here? Usually, you should be building everything you need should be as simple as follows: # ./autogen.sh # ./configure --prefix=/opt/samba/v3-2-test --with-shared-modules=vfs_zfsacl # make # make install When this is not a fresh build, you might need to run "make clean" (or "make proto") before running "make". Michael
By the way: I have ported the patch to the v3-0-test tree and it has gone into the new release 3.0.27a. Michael
Hi Michael, So. I downloaded 3.0.27a source tarball and compile it. Then I added vfs_zfsacl module from the test tarball you've made for me. After basic test cases, it seems to work fine ! Now, I asked to the Win admin to do further tests. I'll come back to you. Nicolas
Nicolas, thanks for the feedback. I am marking this bug as fixed. Should the extended tests reveal more misbehaviour, please feel free to reacitvate it. Best, Michael
Hi Michael, Your fix is great...but I have "another" issue. On the Windows ACL editor, when you're requesting to reset all permissions on child before applying new ACLs, windows/smbd put 000 on UNIX permissions bits. AFAIK this should be ok...zfs/nfsv4 permissions have priority. But smbd is still interpreting UNIX permissions bits even if it shouldn't. I'll take an eye on source code...but I'm sure you'd be quicker than me !
Can you please close this bug and open a new one with that new issue (which is known btw....)? Thanks, Volker
Ok. New bug created #5135 with test-case https://bugzilla.samba.org/show_bug.cgi?id=5135