----- Original Message -----
> From: "Marcel Telka" <mar...@telka.sk>
> To: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>
> Sent: Tuesday, November 11, 2014 2:31:55 PM
> Subject: Re: [OpenIndiana-discuss] ZFS ACLs - Cannot Write Microsoft Office Files over CIFS
> 
> I'm not sure it is related, but you might want to look at this:
> 
> https://github.com/Nexenta/illumos-nexenta/commit/f360b07ec371df666ee6bb29182e387f57c948f7
> 
Marcel,

Thanks, this looks promising! I am not sure if the version of smb/server that I
am running has this patch, though I suspect it does not. I'll look into it.

I've also been capturing activity with Wireshark to see if I can narrow this
down further:

In a successful save, I can see Word doing the following:
* create a temporary file D92B1D52.tmp, write some data to it
* chown D92B1D52.tmp to the same owner as the actual docx (NT SET SECURITY DESC), may fail
  with STATUS_INVALID_OWNER but this doesn't seem to be a problem
* request the ACLs on the parent directory via NT QUERY SECURITY DESC
* set the ACLs on D92B1D52.tmp
** Everyone - access allowed
** Domain Users - access allowed
* close D92B1D52.tmp
* mv the docx to 11E1292B.tmp
* mv D92B1D52.tmp to the docx filename
* set (new) docx file owner and ACLs:
** Everyone - access allowed
** Domain Users - access allowed
* open 11E1292B.tmp and set the "delete on close" flag
* close 11E1292B.tmp, thus deleting it

In a failed save:
* create a temporary file CE21CDFD.tmp, write some data to it
* attempt to chown CE21CDFD.tmp to the same owner as the actual docx (NT SET SECURITY DESC),
  fails with STATUS_INVALID_OWNER
* request the ACLs on the parent dir (NT QUERY SECURITY DESC), fails with STATUS_NONE_MAPPED
* close CE21CDFD.tmp
* open CE21CDFD.tmp and set the "delete on close" flag
* close CE21CDFD.tmp, thus deleting it

It appears that Word creates a temporary file in the same directory, writes
some data to it, and then tries to query the ACLs of the parent directory. If
it cannot query the parent directory's ACLs (STATUS_NONE_MAPPED), it then
aborts and fails the save.

Note that the ACLs on the parent directory are:
     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/execute/delete_child
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:dir_inherit:allow
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/delete_child/read_attributes
         /write_attributes/delete/read_acl/write_acl/write_owner
         /synchronize:file_inherit/inherit_only:allow
     2:group:Domain Users:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:dir_inherit:allow
     3:group:Domain Users:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/delete_child
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:file_inherit/inherit_only:allow
     4:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:dir_inherit:allow
     5:group@:list_directory/read_data/read_xattr/read_attributes/read_acl
         /synchronize:file_inherit/inherit_only:allow
     6:everyone@:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:dir_inherit:allow
     7:everyone@:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:file_inherit/inherit_only:allow

Oddly enough, if I look at the parent directory's permissions through the
Security tab in Windows, it shows Domain users as only having these permissions:
 List folder contents
 Special permissions

If I try to grant Domain Users "Full control", Windows fails with this error:
No Mapping between account names and security IDs was done

Does this additional debug information help provide a clue to the source of
this problem?

Thanks,

Andrew
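
Added example, not part of the original message and not illumos code: a Python parser for the verbose ACL listing format quoted above. It rejoins wrapped entries and separates the ACEs that name an explicit user or group (which an SMB server has to present to Windows clients as a SID) from the owner@/group@/everyone@ entries. The sample is an excerpt of the ACL in the message (entries 2-4); the function names are hypothetical.

```python
import re

# Excerpt of the parent-directory ACL quoted in the message (entries 2-4).
SAMPLE = """\
     2:group:Domain Users:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:dir_inherit:allow
     3:group:Domain Users:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/delete_child
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:file_inherit/inherit_only:allow
     4:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:dir_inherit:allow
"""

def parse_acl(text):
    """Parse a verbose ZFS/NFSv4 ACL listing into a list of ACE dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"\d+:", line):
            entries.append(line)      # "N:" starts a new ACE
        elif entries:
            entries[-1] += line       # wrapped continuation ("/perm/...")
    aces = []
    for raw in entries:
        fields = raw.split(":")
        index = int(fields.pop(0))
        kind = fields.pop(0)
        # user:/group: entries carry a name; owner@, group@, everyone@ do not.
        name = fields.pop(0) if kind in ("user", "group") else None
        perms = set(fields[0].split("/"))
        # The inheritance-flag field is optional; the last field is allow/deny.
        flags = set(fields[1].split("/")) if len(fields) == 3 else set()
        aces.append({"index": index, "kind": kind, "name": name,
                     "perms": perms, "flags": flags, "type": fields[-1]})
    return aces

def named_principals(aces):
    """(kind, name) pairs for ACEs that reference an explicit user or group."""
    return sorted({(a["kind"], a["name"]) for a in aces if a["name"]})

if __name__ == "__main__":
    parsed = parse_acl(SAMPLE)
    print("named principals:", named_principals(parsed))
    print("dir-only permissions:", parsed[0]["perms"] - parsed[1]["perms"])
```

Comparing entries 2 and 3 this way also shows that the only permission Domain Users get on subdirectories but not on newly created files is `execute`.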
