Afshin,

We are using version 1.1.6 which is kernel 104+ most CIFS fixes and a few other things (at least that's my understanding).

Thanks,
John

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, March 30, 2009 11:09 AM
To: John Keiffer
Cc: [email protected]
Subject: Re: [cifs-discuss] FW: multi-protocol (cifs/nfs) access to same files - help please

This is a long email so before reading the whole thing, which Nexenta build are you running and do you know which Solaris build that maps to?

I haven't read the whole email but the reason for asking the build is that you MIGHT be experiencing a problem that's been fixed.

Afshin

John Keiffer wrote:
> Hello, posting to cifs-discuss in addition to zfs-discuss to find some
> help. Please see the cross post below.
>
> Thanks.
>
> _____________________________________________
> *From:* John Keiffer
> *Sent:* Monday, March 30, 2009 10:54 AM
> *To:* '[email protected]'
> *Subject:* multi-protocol (cifs/nfs) access to same files - help please
>
> Hello,
>
> New here, and I'm not sure if this is the correct mailing list to post
> this question or not.
>
> Anyway, we are having some questions about multi-protocol (CIFS/NFS)
> access to the same files specifically when not using AD or LDAP.
>
>
> *Summary:*
> Accessing the same folder from CIFS or NFS when working in a workgroup
> configuration (no domain authentication) works fine using cifs user
> "smb" and nfs user "root". Files can be written from both windows and
> unix clients. From the unix client, if root has given permissions to a
> folder, one can write files when logged in as any nis user or local
> user. From the windows client, I haven't tried yet to login as a
> different user and try to write once the share is mapped using the smb user.
>
> Here are the odd things I found, I don't know if it's a config issue,
> user error or bug yet:
> => if a file is written by cifs, then modified from nfs, I don't know
> what to do to make it accessible by cifs again (see test4 below)
> => if a file is created by nfs, it can be read but cannot be written to
> from windows, even when posix permissions are set to 777. (see test5 below)
>
>
> *Nexenta configuration*
> *=================*
> No specific workgroup
> No AD or LDAP configuration
> Acls on folder bigmirror/big: local users smb and nfs, owner@ have full
> access, everyone@ and group@ (root) are denied write access
>
> owner@ Allow:list_directory, read_data, add_file, write_data,
> add_subdirectory, append_data, write_xattr, execute, write_attributes,
> write_acl, write_owner
> group@ Allow:list_directory, read_data, execute Deny:add_file,
> write_data, add_subdirectory, append_data
> everyone@ Allow:list_directory, read_data, read_xattr, execute,
> read_attributes, read_acl, synchronize Deny:add_file, write_data,
> add_subdirectory, append_data, write_xattr, write_attributes, write_acl,
> write_owner
> user:nfs Allow:list_directory, read_data, add_file, write_data,
> add_subdirectory, append_data, read_xattr, write_xattr, execute,
> delete_child, write_attributes, write_acl, write_owner
> user:smb Allow:list_directory, read_data, add_file, write_data,
> add_subdirectory, append_data, read_xattr, write_xattr, execute,
> delete_child, write_attributes, write_acl, write_owner
>
> CIFS share (named big) has anonymous access enabled
> NFS share has anonymous access enabled, and root field is set to
> <ip>:<ip> which are the 2 interfaces on a unix client, so that root
> shows up as "root" and not "4294967294" (nfs nobody)
> No identity mapping yet
>
> *Tests*
> *=====*
> *Test1: mount the nfs share from unix client 10.2.15.33 as root and
> create a directory*
> [r...@c33r15-rhel4 leo4]# mkdir testdir2
> [r...@c33r15-rhel4 leo4]# ls -l
> total 1
> drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
>
> *Test2: connect to the cifs share from a windows client using user smb,
> **default** password, and write a directory*
> the share shows up under default workgroup "Workgroup" when browsing
> \\<ip>\big
>
> new directory "cifsdircreatedbysmb" created
> when viewing Security tab, ACEs are smb (LEOPARD-4\smb) and SYSTEM, none
> of the permissions are checked.
> when going to Advanced, it shows that smb and SYSTEM (whatever this is)
> have full control, and owner is smb
>
> smb can write the file "cifsfilecreatedbysmb" under the folder
> "cifsdircreatedbysmb"
>
> Here's how the permissions show from the unix client:
> [r...@c33r15-rhel4 leo4]# ls -l
> total 5
> d--------- 2 61001 bin 3 Mar 20 16:26 cifsdircreatedbysmb
> [r...@c33r15-rhel4 leo4]# ls -l cifsdircreatedbysmb
> total 1
> ---------- 1 61001 bin 0 Mar 20 16:25 cifsfilecreatedby smb.txt
> [r...@c33r15-rhel4 leo4]#
>
> *Test3: create directory from unix client as root and access from windows*
> new directory "nfsdircreatebyroot"
> [r...@c33r15-rhel4 leo4]# ls -l
> total 5
> d--------- 2 61001 bin 3 Mar 20 16:26 cifsdircreatedbysmb
> drwxrwxrwx 2 root root 3 Mar 20 16:14 nfsdircreatebyroot
> drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
>
> From windows client, when viewing Security tab, ACEs are Everyone, root
> (LEOPARD-4\root), S-1-5-21-10.... (some SID, maybe maps to smb user?),
> none of the permissions are checked.
> when going to Advanced, it shows that those 3 users are denied and
> allowed some permissions, need to click on Edit to find out which ones.
> Only shows that Everyone is denied "Write attributes, Write Extended
> attributes, Change permissions and Change ownership". Root is allowed
> "Traverse, List folder, Create files, Create folders, Write attributes,
> Write extended attributes, Change permissions, Take ownership". The SID
> is allowed "Traverse, List folder, Create files, Create folders".
> Everyone is allowed "Traverse, List folder, Read attributes, Read
> extended attributes, Create files, Create folders, Read permissions"
>
> *Test4: create file from windows and write to it from unix*
> From unix, give world access to "nfsdircreatebyroot"
> [r...@c33r15-rhel4 leo4]# chmod 777 nfsdircreatebyroot
> From windows, create file "cifsfilecreatedbysmb" under
> "nfsdircreatebyroot".
> From unix, vi the file and write to it
> [r...@c33r15-rhel4 leo4]# cd nfsdircreatebyroot/
> [r...@c33r15-rhel4 nfsdircreatebyroot]# vi cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# cat cifsfilecreatedbysmb.txt
> writing from nfs by root
> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
> total 1
> ---------- 1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
>
> Once this is done, the file can no longer be viewed from Windows, gets
> access denied. After being accessed from nfs, I assume the security blob
> is now nfs. (I don't know what security style Nexenta has on file
> systems, I would assume it's mixed by default?)
> Properties show that Everyone is denied write access, and owner smb has
> only special permissions. Among those, he can change permissions, so he
> can allow full control to himself. But even after this change, smb still
> cannot read the file from Windows.
>
> From unix I can change ownership and permissions on the file
> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
> total 1
> ---------- 1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]#
> [r...@c33r15-rhel4 nfsdircreatebyroot]# chown root cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
> total 1
> ---------- 1 root bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# chgrp root cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
> total 1
> ---------- 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# chmod 755 cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
> total 1
> -rwxr-xr-x 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]#
>
> Still cannot view it from windows.
>
> Add an id mapping rule between winuser:[email protected] (matrix.lab is
> still the default domain name for the appliance, even though we're not
> joined to it) and unixuser:root
>
> No changes, still cannot view the file from windows
>
> => if a file is written by cifs, then modified from nfs, I don't know
> what to do to make it accessible by cifs again
>
>
> *Test5: create file from unix and access it from windows*
> [r...@c33r15-rhel4 leo4]# cd cifsdircreatedbysmb
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# vi nfsfilecreatedbyroot.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
> total 1
> -rw-r--r-- 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]#
>
> I was able to view it from windows but could not save it after writing
> to it, had to save to a new file. When looking at Security tab, it says:
> Unable to display information.
>
> From unix:
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
> total 2
> -rw-r--r-- 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
> ---------- 1 61001 bin 28 Mar 20 17:09 nfsfilecreatedbyroot_wriitenbysmb.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot_wriitenbysmb.txt
> writing from windows by smb
> [r...@c33r15-rhel4 cifsdircreatedbysmb]#
>
> Changing permissions so that Everyone can write to the file now:
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# chmod 777 nfsfilecreatedbyroot.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
> total 2
> -rwxrwxrwx 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
> ---------- 1 61001 bin 28 Mar 20 17:09 nfsfilecreatedbyroot_wriitenbysmb.txt
>
> No changes from windows side.
>
> => if a file is created by nfs, it can be read but cannot be written to
> from windows, even when posix permissions are set to 777.
>
> *Test6: create a file from unix client as a local nis user (qacifs7077,
> don't get fooled by the name)*
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# su qacifs7077
> bash-3.00$ pwd
> /mnt/leo4/cifsdircreatedbysmb
> bash-3.00$ cd ..
> bash-3.00$ ls -l
> total 5
> d--------- 2 61001 bin 4 Mar 20 17:09 cifsdircreatedbysmb
> drwxrwxrwx 2 root root 3 Mar 20 16:14 nfsdircreatebyroot
> drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
> bash-3.00$ cd nfsdircreatebyroot/
> bash-3.00$ touch nfsfilecreatedbynisuser
> bash-3.00$ ls -l
> total 2
> -rwxr-xr-x 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
> -rw-r--r-- 1 qacifs7077 group1 0 Mar 20 17:25 nfsfilecreatedbynisuser
> bash-3.00$
>
> From windows, when looking at Security tab, it says: Unable to display
> information.
>
> _______________________________________________
> cifs-discuss mailing list
> [email protected]
> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
