Forgot one, ### test_shares.conf ###
[testfs] comment = GPFS Cluster on DORS using %R protocol path = /dors/testfs copy = template_nfs4 admin users = "DOMAIN\userImLoggingInWith" It doesn't matter if I login with an "admin user" or a regular user allowed by NFS4 (NTACLs) set via the security tab. The same problems happen with save/save as unless gpfs:sharemodes = no . On Wed, Apr 2, 2014 at 9:08 PM, Sabuj Pattanayek <[email protected]> wrote: > > > > On Wed, Apr 2, 2014 at 5:08 PM, Jonathan Buzzard > <[email protected]>wrote: > >> On 02/04/14 22:42, Sabuj Pattanayek wrote: >> >>> Yup, I had those settings set already, and neither save as or save >>> worked. >>> >>> >> You need to provide more information. Much more of your smb.conf, what >> OS, Samba, and GPFS, along with your GPFS config. >> > > rhel 6.3, 2.6.32-279.31.1.el6.x86_64, sernet samba 4.1.6, ctdb > 1.0.114.7-1, gpfs 3.5.0.11, gpfs config farther down : > > ### smb.conf ### > > [global] > workgroup = DOMAIN > netbios name = gpfs-smb-server > password server = dc-1.ds.domain.edu dc-2.ds.domain.edu dc-3.ds.domain.edu > realm = DS.DOMAIN.EDU > security = ads > encrypt passwords = yes > allow trusted domains = No > idmap config *:backend = tdb > idmap config *:range = 4000000 - 5000000 > idmap config DOMAIN : backend = rid > idmap config DOMAIN : range = 5000001 - 9000000 > template shell = /bin/bash > template homedir = /home/%U > winbind offline logon = false > winbind trusted domains only = no > winbind use default domain = yes > # ldap handles users > winbind enum users = no > winbind enum groups = no > winbind expand groups = 3 > server string = SMB > log file = /var/log/samba/log.%m > max log size = 50 > passdb backend = tdbsam > > clustering = yes > unix extensions = yes > > include = /etc/samba/template_shares.conf > include = /etc/samba/test_shares.conf > > ### template_shares.conf ### > > [template_nfs4] > comment = GPFS Cluster on smb using %R protocol > path = /dors/testfs > writeable = yes > vfs objects = shadow_copy2 gpfs fileid > ea support = yes > store dos attributes = yes > access based share enum = yes > map readonly = no > map archive = no > map system = no > mangled names = no > force unknown acl user = yes > locking = yes > notify:inotify = no > shadow:snapdir = .snapshots > shadow:localtime = yes > shadow:format = %Y%m%d_%H:%M > shadow:fixinodes = yes > shadow:snapdirseverywhere = yes > shadow:sort = desc > # vfs_gpfs settings > gpfs:acl = yes > gpfs:winattr = yes > gpfs:dfreequota = yes > nfs4:mode = simple > nfs4:chown = yes > nfs4:acedup = merge > ## needed to turn off sharemodes, msoffice on windows couldn't save > # https://bugzilla.samba.org/show_bug.cgi?id=6762 > gpfs:sharemodes = no > gpfs:leases = yes > posix locking = yes > kernel oplocks = no > kernel share modes = yes > fileid:algorithm = fsname > > > >> >> Have you tested that the DOS attributes are correctly being stored in the >> GPFS file system? >> > > No, but they're all set to no, including map hidden which was missing > above but according to man smb.conf is by default set to no, so wouldn't > these not be mapped/stored in GPFS anyways? What EA file would these be > stored in if these were set to yes? > > >> >> It explicitly does work. The issues are all around Office trying to >> preserve ACL's which the vast majority of software does not. >> > > Understood, but again, with the setup above, I had to turn sharemodes off > to get it to work. Setting it to no was mentioned in a comment in that > samba bug by Volker, i.e. I just didn't think of that myself, so there must > be some correlation. > > >> Are you running with NFSv4 ACL's *ONLY* on GPFS? Using Posix or Posix and >> NFSv4 together is likely to lead to problems. > > > posix + nfs4, it can be problematic but we're working around it. > > # mmlsfs dors > flag value description > ------------------- ------------------------ > ----------------------------------- > -f 2048 Minimum fragment size in > bytes (system pool) > 32768 Minimum fragment size in > bytes (other pools) > -i 512 Inode size in bytes > -I 32768 Indirect block size in bytes > -m 1 Default number of metadata > replicas > -M 2 Maximum number of metadata > replicas > -r 1 Default number of data > replicas > -R 2 Maximum number of data > replicas > -j scatter Block allocation type > -D nfs4 File locking semantics in > effect > -k all ACL semantics in effect > -n 2000 Estimated number of nodes > that will mount file system > -B 65536 Block size (system pool) > 1048576 Block size (other pools) > -Q user;group;fileset Quotas enforced > none Default quotas enabled > --filesetdf Yes Fileset df enabled? > -V 13.23 (3.5.0.7) File system version > --create-time Thu Nov 7 11:29:46 2013 File system creation time > -u Yes Support for large LUNs? > -z No Is DMAPI enabled? > -L 16777216 Logfile size > -E Yes Exact mtime mount option > -S No Suppress atime mount option > -K whenpossible Strict replica allocation > option > --fastea Yes Fast external attributes > enabled? > --inode-limit 524288000 Maximum number of inodes > -P system;capacity;fast Disk storage pools in file > system > -d > 3T_7K_0;3T_7K_1;3T_7K_2;3T_7K_3;3T_7K_4;3T_7K_5;3T_7K_6;3T_7K_7;3T_7K_8;3T_7K_9;3T_7K_10;3T_7K_11;3T_7K_12;3T_7K_13;900GB_10K_0;900GB_10K_1;900GB_10K_2;900GB_10K_3; > -d > 900GB_10K_4;900GB_10K_5;900GB_10K_6;900GB_10K_7;900GB_10K_8;900GB_10K_9;900GB_10K_10;900GB_10K_11;900GB_10K_12;900GB_10K_13;900GB_10K_14;900GB_10K_15;900GB_10K_16; > -d > 900GB_10K_17;900GB_10K_18;900GB_10K_19;400GB_SSD_0;400GB_SSD_1;400GB_SSD_2;400GB_SSD_3;400GB_SSD_4 > Disks in file system > --perfileset-quota yes Per-fileset quota enforcement > -A yes Automatic mount option > -o none Additional mount options > -T /dors Default mount point > --mount-priority 0 Mount priority > > A funny thing I noticed was that if I set security settings through the > security properties dialog in windows on a share with gpfs:acl = yes, it > sets posix acl's and doesn't automatically promote the acl's to nfs4. The > top level acl on a share directory has to be set to nfs4 before you set > users loose on it and at least one acl (a user / group on that directory) > has to have DirInherit:FileInherit otherwise files and directories beneath > that directory don't get set with nfs4 acl's which then breaks things like > Windows being able to discern the difference between full and modify > privileges (since posix only provides rwx, samba doesn't seem to care about > the 'c' acl provided by gpfs). > > Several other strange behaviors I noticed : > > * Turning inheritance off through the windows security -> advanced dialog > doesn't work unless you delete (or add I guess, but didn't try adding an > acl) some acl, either the group/user that you're trying to disable > inheritance for (which then means you have to re-add that group with > inheritance disabled) or some other group / user that you don't care about. > For example to disable inheritance on a directory for a group, you'd add a > dummy user/group acl to that directory, disable inheritance for the > group/user you want to disable inheritance for, then delete that dummy > group, otherwise clicking apply -> ok, backing out and then going back in > doesn't change the inheritance settings in either the advanced security > dialog or FileInherit, DirInherit, or Inherit acls in the output of > mmgetacl. > > * robocopy y: z: /mir /COPY:DATSO throws "something is wrong with the > device. Failed to set NTACL ... " error 31 errors if your'e trying to copy > ACLs and data from some other share, but it still ends up copying the ACL's > properly! The problem is that robocopy doesn't complete, it only descends > one directory level at a time per robocopy run when it throws all these > errors. So you have to keep running robocopy in a loop from a .bat script > or manually keep running it until you think it's actually copied over all > the ACL's. This doesn't happen with acl_xattr, but acl_xattr has other > issues as well. > > * Does any of the auditing tab stuff work? Samba has auditing via log > files, but this seems to be something that's stored in NTFS? > > * I haven't tried anything from the quota tab, can it actually set GPFS > quotas somehow? I guess in windows you can set per directory quotas, the > closest thing would be filesets linked to directories with user/group > quotas within that fileset, but I don't think that tab is going to let you > do that. > > Thanks, > Sabuj > >
_______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at gpfsug.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
