Seems like you're using Samba but just to make sure run the following
two scripts on your system and post the output:

http://opensolaris.org/os/project/cifs-server/files/cifs-chkcfg

http://opensolaris.org/os/project/cifs-server/files/cifs-gendiag

Afshin

John Keiffer wrote:
n...@leopard-4:/$ ls -Vd bigmirror/big/
drwxr-xr-x+  5 root     root          12 Mar 27 17:40 bigmirror/big/
               user:nfs:rwxp-D-ARW-Co-:-------:allow
               user:smb:rwxp-D-ARW-Co-:-------:allow
                 owner@:--------------:-------:deny
                 owner@:rwxp---A-W-Co-:-------:allow
                 group@:-w-p----------:-------:deny
                 group@:r-x-----------:-------:allow
              everyone@:-w-p---A-W-Co-:-------:deny
              everyone@:r-x---a-R-c--s:-------:allow

n...@leopard-4:/$ show folder bigmirror/big share cifs -v
PROPERTY                 VALUE
folder                   bigmirror/big
protocol                 cifs
share_name               big
nested                   0
comment                  ""
anonymous_rw             true

I'm not exactly sure how to answer your second question, but I think it's the 
Solaris CIFS server through Nexenta?

Thanks.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, March 30, 2009 11:23 AM
To: John Keiffer
Cc: [email protected]
Subject: Re: [cifs-discuss] FW: multi-protocol (cifs/nfs) access to same files 
- help please

*Nexenta configuration*
*=================*
No specific workgroup
No AD or LDAP configuration
Acls on folder bigmirror/big: local users smb and nfs, owner@ have full access, everyone@ and group@ (root) are denied write access
owner@ Allow:list_directory, read_data, add_file, write_data, add_subdirectory, append_data, write_xattr, execute, write_attributes, write_acl, write_owner
group@ Allow:list_directory, read_data, execute Deny:add_file, write_data, add_subdirectory, append_data
everyone@ Allow:list_directory, read_data, read_xattr, execute, read_attributes, read_acl, synchronize Deny:add_file, write_data, add_subdirectory, append_data, write_xattr, write_attributes, write_acl, write_owner
user:nfs Allow:list_directory, read_data, add_file, write_data, add_subdirectory, append_data, read_xattr, write_xattr, execute, delete_child, write_attributes, write_acl, write_owner
user:smb Allow:list_directory, read_data, add_file, write_data, add_subdirectory, append_data, read_xattr, write_xattr, execute, delete_child, write_attributes, write_acl, write_owner

Can you provide the output of "ls -Vd", this is hard to read.

CIFS share (named big) has anonymous access enabled

What do you mean by this? Are you using Solaris CIFS server or Samba?

Afshin

NFS share has anonymous access enabled, and root field is set to <ip>:<ip> which are the 2 interfaces on a unix client, so that root shows up as "root" and not "4294967294" (nfs nobody)
No identity mapping yet
*Tests*
*=====*
*Test1: mount the nfs share from unix client 10.2.15.33 as root and create a directory*
[r...@c33r15-rhel4 leo4]# mkdir testdir2
[r...@c33r15-rhel4 leo4]# ls -l
total 1
drwxr-xr-x  2 root root 2 Mar 20 16:04 testdir2
*Test2: connect to the cifs share from a windows client using user smb, default password, and write a directory*
The share shows up under default workgroup "Workgroup" when browsing \\<ip>\big
New directory "cifsdircreatedbysmb" created.
When viewing Security tab, ACEs are smb (LEOPARD-4\smb) and SYSTEM, none of the permissions are checked. When going to Advanced, it shows that smb and SYSTEM (whatever this is) have full control, and owner is smb.
smb can write the file "cifsfilecreatedbysmb" under the folder "cifsdircreatedbysmb"
Here's how the permissions show from the unix client:
[r...@c33r15-rhel4 leo4]# ls -l
total 5
d---------  2 61001 bin  3 Mar 20 16:26 cifsdircreatedbysmb
[r...@c33r15-rhel4 leo4]# ls -l cifsdircreatedbysmb
total 1
----------  1 61001 bin 0 Mar 20 16:25 cifsfilecreatedby smb.txt
[r...@c33r15-rhel4 leo4]#
*Test3: create directory from unix client as root and access from windows*
new directory "nfsdircreatebyroot"
[r...@c33r15-rhel4 leo4]# ls -l
total 5
d---------  2 61001 bin  3 Mar 20 16:26 cifsdircreatedbysmb
drwxrwxrwx  2 root  root 3 Mar 20 16:14 nfsdircreatebyroot
drwxr-xr-x  2 root  root 2 Mar 20 16:04 testdir2
From windows client, when viewing Security tab, ACEs are Everyone, root (LEOPARD-4\root), S-1-5-21-10.... (some SID, maybe maps to smb user?), none of the permissions are checked. When going to Advanced, it shows that those 3 users are denied and allowed some permissions, need to click on Edit to find out which ones.
Only shows that Everyone is denied "Write attributes, Write Extended attributes, Change permissions and Change ownership".
Root is allowed "Traverse, List folder, Create files, Create folders, Write attributes, Write extended attributes, Change permissions, Take ownership".
The SID is allowed "Traverse, List folder, Create files, Create folders".
Everyone is allowed "Traverse, List folder, Read attributes, Read extended attributes, Create files, Create folders, Read permissions"
*Test4: create file from windows and write to it from unix*
 From unix, give world access to "nfsdircreatebyroot"
[r...@c33r15-rhel4 leo4]# chmod 777 nfsdircreatebyroot
From windows, create file "cifsfilecreatedbysmb" under "nfsdircreatebyroot".
 From unix, vi the file and write to it
[r...@c33r15-rhel4 leo4]# cd nfsdircreatebyroot/
[r...@c33r15-rhel4 nfsdircreatebyroot]# vi cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# cat cifsfilecreatedbysmb.txt
writing from nfs by root
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
----------  1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
Once this is done, the file can no longer be viewed from Windows, gets access denied. After being accessed from nfs, I assume the security blob is now nfs. (I don't know what security style Nexenta has on file systems, I would assume it's mixed by default?)
Properties show that Everyone is denied write access, and owner smb has only special permissions. Among those, he can change permissions, so he can allow full control to himself. But even after this change, smb still cannot read the file from Windows.
From unix I can change ownership and permissions on the file
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
----------  1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]#
[r...@c33r15-rhel4 nfsdircreatebyroot]# chown root cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
----------  1 root bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# chgrp root cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
----------  1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# chmod 755 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
-rwxr-xr-x  1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]#
Still cannot view it from windows.
Add an id mapping rule between winuser:[email protected] (matrix.lab is still the default domain name for the appliance, even though we're not joined to it) and unixuser:root
No changes, still cannot view the file from windows
=> if a file is written by cifs, then modified from nfs, I don't know what to do to make it accessible by cifs again
*Test5: create file from unix and access it from windows*
[r...@c33r15-rhel4 leo4]# cd cifsdircreatedbysmb
[r...@c33r15-rhel4 cifsdircreatedbysmb]# vi nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 1
-rw-r--r--  1 root  root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]#
I was able to view it from windows but could not save it after writing to it, had to save to a new file. When looking at Security tab, it says: Unable to display information.
From unix:
[r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 2
-rw-r--r--  1 root  root  0 Mar 20 17:07 nfsfilecreatedbyroot.txt
---------- 1 61001 bin 28 Mar 20 17:09 nfsfilecreatedbyroot_wriitenbysmb.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot_wriitenbysmb.txt
writing from windows by smb
[r...@c33r15-rhel4 cifsdircreatedbysmb]#
Changing permissions so that Everyone can write to the file now:
[r...@c33r15-rhel4 cifsdircreatedbysmb]# chmod 777 nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 2
-rwxrwxrwx  1 root  root  0 Mar 20 17:07 nfsfilecreatedbyroot.txt
---------- 1 61001 bin 28 Mar 20 17:09 nfsfilecreatedbyroot_wriitenbysmb.txt
No changes from windows side.
=> if a file is created by nfs, it can be read but cannot be written to from windows, even when posix permissions are set to 777.
*Test6: create a file from unix client as a local nis user (qacifs7077, don't get fooled by the name)*
[r...@c33r15-rhel4 cifsdircreatedbysmb]# su qacifs7077
bash-3.00$ pwd
/mnt/leo4/cifsdircreatedbysmb
bash-3.00$ cd ..
bash-3.00$ ls -l
total 5
d---------  2 61001 bin  4 Mar 20 17:09 cifsdircreatedbysmb
drwxrwxrwx  2 root  root 3 Mar 20 16:14 nfsdircreatebyroot
drwxr-xr-x  2 root  root 2 Mar 20 16:04 testdir2
bash-3.00$ cd nfsdircreatebyroot/
bash-3.00$ touch nfsfilecreatedbynisuser
bash-3.00$ ls -l
total 2
-rwxr-xr-x  1 root       root   26 Mar 20 16:14 cifsfilecreatedbysmb.txt
-rw-r--r--  1 qacifs7077 group1  0 Mar 20 17:25 nfsfilecreatedbynisuser
bash-3.00$
From windows, when looking at Security tab, it says: Unable to display information.

------------------------------------------------------------------------

_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
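
An added example, not part of the thread or of any Solaris/Nexenta code: a simplified NFSv4-style evaluator that walks the `ls -Vd bigmirror/big/` ACL quoted above in order and reports whether a requester is granted a set of permission letters. It assumes the directory is owned by root:root as the listing shows, ignores inheritance flags, implicit owner rights and privileges, and the users "alice" and "bob" and the group "staff" are constructed for illustration.

```python
# Added example: evaluates the compact `ls -V` ACL quoted in the thread.
PERM_LETTERS = "rwxpdDaARWcCos"  # Solaris compact access-mask positions

# ACL lines copied from the `ls -Vd bigmirror/big/` output in this thread.
ACL_TEXT = """
user:nfs:rwxp-D-ARW-Co-:-------:allow
user:smb:rwxp-D-ARW-Co-:-------:allow
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
"""

def parse_acl(text):
    """Return a list of (who, permission set, 'allow'|'deny') in ACL order."""
    entries = []
    for line in text.split():
        who, mask, _flags, ace_type = line.rsplit(":", 3)
        if len(mask) != len(PERM_LETTERS) or ace_type not in ("allow", "deny"):
            raise ValueError("unrecognised ACE: " + line)
        entries.append((who, set(mask) - {"-"}, ace_type))
    return entries

def applies(who, user, groups, owner, owning_group):
    """Does this ACE's 'who' field match the requester?"""
    if who == "everyone@":
        return True
    if who == "owner@":
        return user == owner
    if who == "group@":
        return owning_group in groups
    return who == "user:" + user

def check(entries, wanted, user, groups, owner="root", owning_group="root"):
    """True if every letter in `wanted` is allowed before any is denied."""
    pending = set(wanted)
    for who, perms, ace_type in entries:
        if not applies(who, user, groups, owner, owning_group):
            continue
        if ace_type == "deny" and pending & perms:
            return False          # first matching deny for a pending bit wins
        if ace_type == "allow":
            pending -= perms      # bits granted here are no longer pending
        if not pending:
            return True
    return False                  # bits never mentioned are not granted
```

Because entries are processed top to bottom, the explicit `user:smb` allow entry is reached before the `everyone@` deny, which is why order matters when ACLs like this one are edited.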