[cifs-discuss] CIFS Inheritance inconsistent Between OpenSolaris 2008.05 and Windows

Mark Shellenbaum Mark.Shellenbaum at Sun.COM
Sun Sep 28 10:29:25 PDT 2008


DJ wrote:
> Hi marks,
> 
> Thanks for the reply. However it doesn't provide any help for my issue.
> See my additional comments below.
> 
>> marks Wrote:
>>
>> With the latest bits you could have used the new
>> full_set alias, such as:
>>
>> chmod A1=owner@:full_set:fd:allow /test
>>
>> we also have read_set, write_set and modify_set
> 
> This is a nice bit of information, but the way I did this gave the same results. So it doesn't really help resolve the issue.
> 
> 
>> Have you set the zfs aclinherit property to
>> passthrough?
>>
>> With the latest OpenSolaris bits and with aclinherit
>> set to passthrough 
>> you would have created this ACL from Solaris.
>>
>> $ mkdir dir.1.1
>> $ ls -dV dir.1.1
>> drwxrws---+  2 marks    staff          2 Sep 27 18:43 dir.1.1
>>                   owner@:rwxpdDaARWcCos:fdi---I:allow
>>                   owner@:rwxpdDaARWcCos:------I:allow
>>                   group@:rwxpdDaARWcCos:fdi---I:allow
>>                   group@:rwxpdDaARWcCos:------I:allow
>>
>> It looks like you have a non-updated version of
>> OpenSolaris 0508.  You 
>> will need to update your system to get the new
>> passthrough behavior that 
>> went into build 88.
>>
>> Have you done a pkg image-update of this system?
> 
> I have specifically not done a "pkg image-update" on this system because I tried it once and corrupted the entire system and had to re-install from the beginning. I just haven't wanted to try and do this again yet.
> But with that said, even your example above shows the exact same settings on the directory where the inheritance bits are; :fdi---I: Which I believe is the cause of my problem to begin with.
> You also must not have noticed at the bottom where I mentioned that I have tried setting "aclinherit=passthrough" which did not help. It did change some of the inherited regular properties but did not fix the inheritance properties. I did not have that set in my example and had just mentioned it at the bottom, so it's understandable that you would think I missed it.
> 

My example showed a completely different set of ACEs.  In your example 
the "fdi" entry was propagated to the new directory as it should.  The 
"fdi" entries are necessary for further propagation.  In your example 
the owner@ and group@ were disabled in order to apply the posix mode to 
the file.  In my example that did not occur and the owner@ and group@ 
entries were inherited without modification.  It did create the "fdi" 
entry for propagation, but also created two entries for owner@ and 
group@ that will affect access control on the directory.

If you don't move off the 86 build then you can't have this behavior.

>> Not sure why the CIFS server created the ACL with
>> only inherit only 
>> ACEs.  I will leave that for Afshin to explain.
> 
> This part is what I really need to understand and get resolved.
> 
> ====> In order to help anyone trying to follow this thread, here is a reproducible set of steps showing the problem I am facing. I also included the "aclinherit=passthrough" to show it doesn't help.
> 
> First, starting with no zfs file system called rpool/test I run the following script to set up the environment:
> 
> -bash-3.2$ cat /var/tmp/test-shares
> echo "# Creating zfs file system with case=mixed mountpoint=/test and aclinherit=passthrough"
> pfexec zfs create -o case=mixed -o mountpoint=/test -o aclinherit=passthrough rpool/test
> echo "# Sharing out zfs file system as name=test"
> pfexec zfs set sharesmb=name=test rpool/test
> echo "# Changing owner of /test"
> pfexec chown djc:staff /test
> echo "# Changing permissions and ACL's of /test"
> chmod 770 /test
> chmod g+s /test
> chmod A1=owner@:rwxpdDaARWcCos:fd:allow /test
> chmod A3=group@:rwxpdDaARWcCos:fd:allow /test
> echo "# Making a directory /test/unix-dir on the Unix side"
> mkdir /test/unix-dir
> -bash-3.2$ bash /var/tmp/test-shares
> # Creating zfs file system with case=mixed mountpoint=/test and aclinherit=passthrough
> # Sharing out zfs file system as name=test
> # Changing owner of /test
> # Changing permissions and ACL's of /test
> # Making a directory /test/unix-dir on the Unix side
> -bash-3.2$
> 
> ====> At this point I got on my Windows XP SP2 system and mapped the drive T: to this share point. I then created the XP-dir directory seen below and the test-* directories and files in each of the two directories (the one created on the Solaris box and the one created from the XP box). And here is the listing of this entire area.
> 
> -bash-3.2$ ls -Vd /test ; ls -VR /test
> drwxrws---+  4 djc      staff          4 Sep 28 09:01 /test
>             owner@:--------------:-------:deny
>             owner@:rwxpdDaARWcCos:fd-----:allow
>             group@:--------------:-------:deny
>             group@:rwxpdDaARWcCos:fd-----:allow
>          everyone@:rwxp---A-W-Co-:-------:deny
>          everyone@:------a-R-c--s:-------:allow
> /test:
> total 6
> drwxrwsr-x+  3 djc      staff          4 Sep 28 09:07 unix-dir
>             owner@:rwxpdDaARWcCos:fdi---I:allow
>             owner@:----dDaARWcCos:------I:allow
>             group@:rwxpdDaARWcCos:fdi---I:allow
>             group@:----dDaARWcCos:------I:allow
>             owner@:--------------:-------:deny
>             owner@:rwxp---A-W-Co-:-------:allow
>             group@:--------------:-------:deny
>             group@:rwxp----------:-------:allow
>          everyone@:-w-p---A-W-Co-:-------:deny
>          everyone@:r-x---a-R-c--s:-------:allow
> drwxrws---+  3 djc      staff          4 Sep 28 09:07 XP-dir
>             owner@:rwxpdDaARWcCos:fd----I:allow
>             group@:rwxpdDaARWcCos:fd----I:allow
> 
> /test/unix-dir:
> total 4
> d-----S---+  2 djc      staff          2 Sep 28 09:06 test-dir-problem
>             owner@:rwxpdDaARWcCos:fdi---I:allow
>             group@:rwxpdDaARWcCos:fdi---I:allow
> -rwxrwx---+  1 djc      staff          0 Sep 28 09:06 test-file-OK.txt
>             owner@:rwxpdDaARWcCos:------I:allow
>             group@:rwxpdDaARWcCos:------I:allow
> 

This is a CIFS server created directory that doesn't go through the 
normal ZFS ACL inheritance rules.  The CIFS server always specifies the 
ACL to create files and directories with.

> /test/unix-dir/test-dir-problem:
> /test/unix-dir/test-dir-problem: Permission denied
> total 4
> 
> /test/XP-dir:
> total 4
> drwxrws---+  2 djc      staff          2 Sep 28 09:07 test-dir-OK
>             owner@:rwxpdDaARWcCos:fd----I:allow
>             group@:rwxpdDaARWcCos:fd----I:allow
> -rwxrwx---+  1 djc      staff          0 Sep 28 09:06 test-file-OK.txt
>             owner@:rwxpdDaARWcCos:------I:allow
>             group@:rwxpdDaARWcCos:------I:allow
> 
> /test/XP-dir/test-dir-OK:
> total 0
> -bash-3.2$
> 
> ====> Specifically, look very closely at the directories /test/XP-dir/test-dir-OK and /test/unix-dir/test-dir-problem and notice that the problem one has a permission denied when trying to look at its contents. Not to mention the vast difference in the ACLs when you compare them (2 entries v. 10 entries). Not to mention that on the Solaris permissions I am back to the 000 permission problem that setting all this was supposed to fix.
> 
> Thanks,
> DJ
> --
> This message posted from opensolaris.org
> _______________________________________________
> cifs-discuss mailing list
> cifs-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
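
The difference discussed in this message, between ACEs that only propagate (the "fdi" entries) and ACEs that control access to the directory itself, can be checked mechanically. The following is an added example, not part of the original message or of OpenSolaris: a small parser for `ls -V` output that reports directories whose ACL holds only inherit-only entries. The function names are made up for this example, and the sample lines are copied from the listings quoted in this thread.

```python
import re

ENTRY_RE = re.compile(
    r"^([d-])\S{9}\+?\s+\d+\s+\S+\s+\S+\s+\d+\s+\w+\s+\d+\s+\S+\s+(\S+)$")
ACE_RE = re.compile(
    r"^((?:user|group):[^:]+|\w+@):([A-Za-z-]{14}):([A-Za-z-]{7}):(allow|deny)$")

# Sample `ls -V` lines copied from the listings quoted in this thread.
SAMPLE = """\
drwxrws---+  2 marks    staff          2 Sep 27 18:43 dir.1.1
            owner@:rwxpdDaARWcCos:fdi---I:allow
            owner@:rwxpdDaARWcCos:------I:allow
            group@:rwxpdDaARWcCos:fdi---I:allow
            group@:rwxpdDaARWcCos:------I:allow
d-----S---+  2 djc      staff          2 Sep 28 09:06 test-dir-problem
            owner@:rwxpdDaARWcCos:fdi---I:allow
            group@:rwxpdDaARWcCos:fdi---I:allow
drwxrws---+  2 djc      staff          2 Sep 28 09:07 test-dir-OK
            owner@:rwxpdDaARWcCos:fd----I:allow
            group@:rwxpdDaARWcCos:fd----I:allow
"""

def parse_listing(text):
    """Return {directory name: [(who, perms, flags, kind), ...]}."""
    dirs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip("> \t")  # tolerate mail quoting and indentation
        entry = ENTRY_RE.match(line)
        if entry:
            # Only directories are tracked; ACEs of plain files are skipped.
            current = entry.group(2) if entry.group(1) == "d" else None
            if current is not None:
                dirs[current] = []
        elif current is not None and ACE_RE.match(line):
            dirs[current].append(ACE_RE.match(line).groups())
    return dirs

def audit(text):
    """Map directory -> (ACEs that apply to it, ACEs that propagate).

    Flag columns are fdinSFI. Column 3 ('i', inherit_only) marks an ACE that
    is only a template for children and grants nothing on the directory.
    """
    result = {}
    for name, aces in parse_listing(text).items():
        effective = sum(1 for a in aces if a[2][2] != "i")
        propagating = sum(1 for a in aces if a[2][0] == "f" or a[2][1] == "d")
        result[name] = (effective, propagating)
    return result

def inherit_only_dirs(text):
    """Directories whose ACL has propagating ACEs but none that apply to it."""
    return [n for n, (eff, prop) in audit(text).items() if eff == 0 and prop > 0]
```

Run over the sample, only `test-dir-problem` is reported: both of its ACEs carry the inherit-only flag, which matches the `d-----S---` mode and the "Permission denied" shown in the listing.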



