The Samba-Bugzilla – Bug 5653
default ZFS/NFSv4 ACL is not correctly ordered to be used on Win
Last modified: 2009-04-16 05:52:24 UTC
please see the 5652
Created attachment 3447 [details]
options added to zfsacl module controling the ordering of the ACEs
The following module options to the source/modules/vfs_zfsacl.c was added:
addressing prefix: "vfszfsacl:"
option name: "acesort"
settings: "dontcare", "ntfs" ("ntfs" is default)
effect: when the ZFS/NFSv4 ACL is converted into the NTFS ACL if "dontcare" is set it leaving the ACEs in ACL as nor where "ntfs" is set conversion is placing the deny ACEs before the other ACE types in ACL and also does not placing the zero-mask ACEs into the NTFS ACL
"ntfs ordering": BAD HACK - BAD IDEA - not required - see 5652
Is there any reason not to add this patch to samba? In testing viability of using zfs acls I'm now running into the ace ordering error messages and it is quite distracting for our users.
ACL reordering changes semantics. Samba should never change ACL semantics on the way from disk to client.
does not ordering the "deny" ACEs fist can lead to serious security issue as discussed on #5652
Created attachment 4014 [details]
(f)chmod() acmm blocking on ZFS
This patch adds blocking of the (f)chmod() calls on the ZFS. chmod() call is returning the siles on ZFS back under the POSIX control. It does mean the 6 special ACEs is added into the ACL making it unusable under Windows (NTFS does not require POSIX.
Possibility of sorting of the ACEs in ACL from the previous diff is left but its default behavior is turned to "dontcare". It can workaround the problem of the warning messages in Win Explorer on shares running on older zpool releases does not supporting the "aclmode=passthrough" property (zpools created on Solaris Nevada builds < 88 or Solaris 10 update 5 and below which can not be zpool-upgraded for some reasons).
Attached diff was tested on Solaris Nevada b110 with samba-3.0.34 . Problem is fixed by the blocking of the (f)chmod() call on ZFS.
ACL sorting can induce another problems. One for anothers is:
ZFS is adding the "everyone@:W::deny" rule into the ACL by default. So if such rule is reordered to take place before any "allow" rule without removing the "W"-flag manually all "Extended File Attributes" can not be write-accessed by "everyone@" ...it means really by everyone even by file owner. If the samba (S)-option "ea support = yes" is set and smbd can not write the Extended File Attributes the DOS-attributes are written into the POSIX-mask instead (doing chmod()) in this case. chmod()-call will cause the POSIX-mask is transformed into the 6 special-ACEs added to the end of the ACL of the file.
...such nice case of the circular dependencies is called "perpetuum debile" in Czech nerd's slang :-)
Bug is better to be closed and no one of the proposed attachments should rather be applied. Here is no programmatic way to automatize such task faultlessly.
Documentation issue should be raised instead. Users migrating to ZFS are usually surprised by the number of parameters to control to setup the samba share there and their effort can fail too simply.
Jiri, can you tell us how the in-kernel cifs does it?
CIFS kernel is running above the "idmap" service. "idmap" is mapping the SIDs to ephemeral uid/gid-s (uid/gid > 2G). Such mapping is not permanent by default so the mapping tuples (A_OWNERSID, A_GROUPSID) are stored via the getattrat/setattrat (fgetattr(3C)) interface as XDR-encoded packed nvlists. i.e. the dirs and files can associated info in "Extended File Attributes":
-bash-3.2# runat /samba/homes/barbusin/ ls -l
-r--r--r-- 1 root root 84 Apr 10 18:57 SUNWattr_ro
-rw-r--r-- 1 root root 408 Apr 10 18:57 SUNWattr_rw
-bash-3.2# runat /samba/homes/barbusin/hi.txt ls -l
-r--r--r-- 1 root root 84 Apr 14 12:47 SUNWattr_ro
-rw-r--r-- 1 root root 408 Apr 14 12:47 SUNWattr_rw
-rw-rw---- 1 SMBSETUP\barbucha SMBSETUP\domain users 4 Apr 14 12:47 user.DOSATTRIB
... SUNWattr_r? "Extended File Attributes" are storing such info. For better understand-ability I have listed the file created by samba having the "ea support = yes" set to see the "File Extended Attributes" set by samba (DOS-flags on file).
acl(2) interface can contain also info about the file owner is determined by the SID (see: ACL_SID_FMT -formating option in /usr/include/sys/acl.h) but this interface is evolving.
That's not what I really am interested in. How does the in-kernel CIFS solve the ACL ordering issue? :-)