Topic
4 replies Latest Post - ‏2013-02-06T20:00:47Z by SystemAdmin
SystemAdmin
SystemAdmin
2092 Posts
ACCEPTED ANSWER

Pinned topic Directory ACLs on SAMBA on GPFS

‏2013-01-31T19:18:56Z |
Hello,

I am using the vfs_gpfs samba module to map ACLs through samba. It works fine on files, but directory ACLs are ignored. Ex:

getfacl /sb/share/myplace/

  1. file: sb/share/myplace/
  2. owner: root
  3. group: root
user::rwx
user:afrankel:rwx
group::---
mask::rwx
other::---

When I try to access this folder in Windows, I get permission denied. The same permissions on a files, I can open it / modify it without any problems.

Here is my seetings :

  1. mmlsfs sb
-D nfs4 File locking semantics in effect
-k all ACL semantics in effect

/etc/samba/smb.conf :
clustering = yes
fileid:mapping = fsname
vfs objects = shadow_copy2 syncops gpfs fileid
shadow:snapdir = .snapshots
shadow:fixinodes =yes
gpfs:sharemodes = Yes
gpfs:leases = Yes
posix locking = Yes
kernel oplocks = Yes
level2 oplocks = no
force unknown acl user = Yes
nfs4: mode = special
nfs4: chown = yes
nfs4: acedup = merge

share
read only = No
browseable = yes
path = /sb/share
map acl inherit = yes
inherit acls = no
dos filemode = no
create mask = 0770
force create mode = 0770
directory mask = 0777

Versions :

GPFS v3.4.0-18 on Linux.
samba-3.5.10-114

Did anybody else has experienced this? Note that if I replace 'gpfs' module with 'acl_xattr' modules, it seems to work fine. Can I use samba on gpfs without the GPFS module?

Thanks,

Andras
Updated on 2013-02-06T20:00:47Z at 2013-02-06T20:00:47Z by SystemAdmin
  • cambach
    cambach
    15 Posts
    ACCEPTED ANSWER

    Re: Directory ACLs on SAMBA on GPFS

    ‏2013-02-01T09:36:22Z  in response to SystemAdmin
    You'll need the vfs_gpfs module if you want to use any of its features like
    • NFSv4 ACL support
    • propagation of oplocks, sharemodes to GPFS
    • diskfree report based on quota
    • offline (HSM) file handling

    If you do not need any of those, you could leave it away.

    As it seems that you want to use POSIX instead of NFSv4 ACLs, you might want to set
    gpfs:acl = false to deactivate any NFSv4 ACL code (and let the default POSIX ACL code kick in).

    Your Samba version does not have this flag and is also vulnerable to multiple security issues.
    So you better go with Samba 3.6.12 (that has the flag and various POSIX ACL fixes) and try again.
    • SystemAdmin
      SystemAdmin
      2092 Posts
      ACCEPTED ANSWER

      Re: Directory ACLs on SAMBA on GPFS

      ‏2013-02-02T00:14:40Z  in response to cambach
      Thanks for the info.

      Just to make sure, I don't need vfs_gpfs for file locking? I am using ctdb (clustering = yes.)

      Andras
      • cambach
        cambach
        15 Posts
        ACCEPTED ANSWER

        Re: Directory ACLs on SAMBA on GPFS

        ‏2013-02-05T14:46:01Z  in response to SystemAdmin
        If you only access the data via Samba (and not via NFS or other protocols), you can leave the module away.
        CIFS internal locking will be handled by Samba (and CTDB) completely.
  • SystemAdmin
    SystemAdmin
    2092 Posts
    ACCEPTED ANSWER

    Re: Directory ACLs on SAMBA on GPFS

    ‏2013-02-06T20:00:47Z  in response to SystemAdmin
    Thank You!

    Andras