Hello,

New here, and I'm not sure if this is the correct mailing list to post this 
question or not.

Anyway, we are having some questions about multi-protocol (CIFS/NFS) access to 
the same files specifically when not using AD or LDAP.


Summary:
Accessing the same folder from CIFS or NFS when working in a workgroup 
configuration (no domain authentication) works fine using cifs user "smb" and 
nfs user "root". Files can be written from both windows and unix clients. From 
the unix client, if root has given permissions to a folder, one can write files 
when logged in as any nis user or local user. From the windows client, I 
haven't tried yet to login as a different user and try to write once the share 
is mapped using the smb user.

Here are the odd things I found. I don't know yet if it's a config issue, user 
error or a bug:
=> if a file is written by cifs, then modified from nfs, I don't know what to 
do to make it accessible by cifs again (see test4 below)
=> if a file is created by nfs, it can be read but cannot be written to from 
windows, even when posix permissions are set to 777. (see test5 below)


Nexenta configuration
=================
No specific workgroup
No AD or LDAP configuration
Acls on folder bigmirror/big: local users smb and nfs, owner@ have full access, 
everyone@ and group@ (root) are denied write access

owner@  Allow:list_directory, read_data, add_file, write_data, 
add_subdirectory, append_data, write_xattr, execute, write_attributes, 
write_acl, write_owner
group@  Allow:list_directory, read_data, execute        Deny:add_file, 
write_data, add_subdirectory, append_data
everyone@        Allow:list_directory, read_data, read_xattr, execute, 
read_attributes, read_acl, synchronize   Deny:add_file, write_data, 
add_subdirectory, append_data, write_xattr, write_attributes, write_acl, 
write_owner
user:nfs        Allow:list_directory, read_data, add_file, write_data, 
add_subdirectory, append_data, read_xattr, write_xattr, execute, delete_child, 
write_attributes, write_acl, write_owner
user:smb        Allow:list_directory, read_data, add_file, write_data, 
add_subdirectory, append_data, read_xattr, write_xattr, execute, delete_child, 
write_attributes, write_acl, write_owner

CIFS share (named big) has anonymous access enabled
NFS share has anonymous access enabled, and root field is set to <ip>:<ip> which 
are the 2 interfaces on a unix client, so that root shows up as "root" and not 
"4294967294" (nfs nobody)
No identity mapping yet

Tests
=====
Test1: mount the nfs share from unix client 10.2.15.33 as root and create a 
directory
[r...@c33r15-rhel4 leo4]# mkdir testdir2
[r...@c33r15-rhel4 leo4]# ls -l
total 1
drwxr-xr-x  2 root root 2 Mar 20 16:04 testdir2

Test2: connect to the cifs share from a windows client using user smb, default 
password, and write a directory
the share shows up under default workgroup "Workgroup" when browsing \\<ip>\big

new directory "cifsdircreatedbysmb" created
when viewing Security tab, ACEs are smb (LEOPARD-4\smb) and SYSTEM, none of the 
permissions are checked.
when going to Advanced, it shows that smb and SYSTEM (whatever this is) have 
full control, and owner is smb

smb can write the file "cifsfilecreatedbysmb" under the folder 
"cifsdircreatedbysmb"

Here's how the permissions show from the unix client:
[r...@c33r15-rhel4 leo4]# ls -l
total 5
d---------  2 61001 bin  3 Mar 20 16:26 cifsdircreatedbysmb
[r...@c33r15-rhel4 leo4]# ls -l cifsdircreatedbysmb
total 1
----------  1 61001 bin 0 Mar 20 16:25 cifsfilecreatedby smb.txt
[r...@c33r15-rhel4 leo4]#

Test3: create directory from unix client as root and access from windows
new directory "nfsdircreatebyroot"
[r...@c33r15-rhel4 leo4]# ls -l
total 5
d---------  2 61001 bin  3 Mar 20 16:26 cifsdircreatedbysmb
drwxrwxrwx  2 root  root 3 Mar 20 16:14 nfsdircreatebyroot
drwxr-xr-x  2 root  root 2 Mar 20 16:04 testdir2

From windows client, when viewing Security tab, ACEs are Everyone, root 
(LEOPARD-4\root), S-1-5-21-10.... (some SID, maybe maps to smb user?), none of 
the permissions are checked.
when going to Advanced, it shows that those 3 users are denied and allowed some 
permissions, need to click on Edit to find out which ones. Only shows that 
Everyone is denied "Write attributes, Write Extended attributes, Change 
permissions and Change ownership". Root is allowed "Traverse, List folder, 
Create files, Create folders, Write attributes, Write extended attributes, 
Change permissions, Take ownership". The SID is allowed "Traverse, List folder, 
Create files, Create folders". Everyone is allowed "Traverse, List folder, 
Read attributes, Read extended attributes, Create files, Create folders, Read 
permissions"

Test4: create file from windows and write to it from unix
From unix, give world access to "nfsdircreatebyroot"
[r...@c33r15-rhel4 leo4]# chmod 777 nfsdircreatebyroot
From windows, create file "cifsfilecreatedbysmb" under "nfsdircreatebyroot".
From unix, vi the file and write to it
[r...@c33r15-rhel4 leo4]# cd nfsdircreatebyroot/
[r...@c33r15-rhel4 nfsdircreatebyroot]# vi cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# cat cifsfilecreatedbysmb.txt
writing from nfs by root
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
----------  1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt

Once this is done, the file can no longer be viewed from Windows, gets access 
denied. After being accessed from nfs, I assume the security blob is now nfs. 
(I don't know what security style Nexenta has on file systems, I would assume 
it's mixed by default?)
Properties show that Everyone is denied write access, and owner smb has only 
special permissions. Among those, he can change permissions, so he can allow 
full control to himself. But even after this change, smb still cannot read the 
file from Windows.

From unix I can change ownership and permissions on the file
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
----------  1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]#
[r...@c33r15-rhel4 nfsdircreatebyroot]# chown root cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
----------  1 root bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# chgrp root cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
----------  1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# chmod 755 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
-rwxr-xr-x  1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]#

Still cannot view it from windows.

Add an id mapping rule between winuser:s...@matrix.lab (matrix.lab is still the 
default domain name for the appliance, even though we're not joined to it) and 
unixuser:root

No changes, still cannot view the file from windows

=> if a file is written by cifs, then modified from nfs, I don't know what to 
do to make it accessible by cifs again


Test5: create file from unix and access it from windows
[r...@c33r15-rhel4 leo4]# cd cifsdircreatedbysmb
[r...@c33r15-rhel4 cifsdircreatedbysmb]# vi nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 1
-rw-r--r--  1 root  root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]#

I was able to view it from windows but could not save it after writing to it, 
had to save to a new file. When looking at Security tab, it says: Unable to 
display information.

From unix:
[r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 2
-rw-r--r--  1 root  root  0 Mar 20 17:07 nfsfilecreatedbyroot.txt
----------  1 61001 bin  28 Mar 20 17:09 nfsfilecreatedbyroot_wriitenbysmb.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot_wriitenbysmb.txt
writing from windows by smb
[r...@c33r15-rhel4 cifsdircreatedbysmb]#

Changing permissions so that Everyone can write to the file now:
[r...@c33r15-rhel4 cifsdircreatedbysmb]# chmod 777 nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 2
-rwxrwxrwx  1 root  root  0 Mar 20 17:07 nfsfilecreatedbyroot.txt
----------  1 61001 bin  28 Mar 20 17:09 nfsfilecreatedbyroot_wriitenbysmb.txt

No changes from windows side.

=> if a file is created by nfs, it can be read but cannot be written to from 
windows, even when posix permissions are set to 777.

Test6: create a file from unix client as a local nis user (qacifs7077, don't 
get fooled by the name)
[r...@c33r15-rhel4 cifsdircreatedbysmb]# su qacifs7077
bash-3.00$ pwd
/mnt/leo4/cifsdircreatedbysmb
bash-3.00$ cd ..
bash-3.00$ ls -l
total 5
d---------  2 61001 bin  4 Mar 20 17:09 cifsdircreatedbysmb
drwxrwxrwx  2 root  root 3 Mar 20 16:14 nfsdircreatebyroot
drwxr-xr-x  2 root  root 2 Mar 20 16:04 testdir2
bash-3.00$ cd nfsdircreatebyroot/
bash-3.00$ touch nfsfilecreatedbynisuser
bash-3.00$ ls -l
total 2
-rwxr-xr-x  1 root       root   26 Mar 20 16:14 cifsfilecreatedbysmb.txt
-rw-r--r--  1 qacifs7077 group1  0 Mar 20 17:25 nfsfilecreatedbynisuser
bash-3.00$

From windows, when looking at Security tab, it says: Unable to display 
information.

_______________________________________________
zfs-discuss mailing list
zfs-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/zfs-discuss