Bug 1484427
Summary: | Cannot map subfolder of gluster/samba share when using vfs objects = glusterfs | ||
---|---|---|---|
Product: | [Community] GlusterFS | Reporter: | Daniel Weller <d.weller> |
Component: | gluster-smb | Assignee: | Anoop C S <anoopcs> |
Status: | CLOSED WORKSFORME | QA Contact: | bugs <bugs> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 3.10 | CC: | anoopcs, bugs, d.weller, jbyers, pgurusid |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2017-11-29 07:18:13 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Daniel Weller
2017-08-23 14:42:26 UTC
Couple of things: 1. Can you try to export a non gluster, local filesystem with the same acls, and see if this works? Just to make sure if its AD/Samba issue or Gluster issue 2. For trial purpose, what happens when you give all permissions to others i.e 777? @Anoop Can you look into this, do you see any obvious reasons why this is not working? (In reply to Poornima G from comment #1) > Couple of things: > 1. Can you try to export a non gluster, local filesystem with the same acls, > and see if this works? Just to make sure if its AD/Samba issue or Gluster > issue > > 2. For trial purpose, what happens when you give all permissions to others > i.e 777? 1. mounting the very same gluster volume, and then sharing the mount-point works fine. 2. does not change anything. (In reply to Daniel Weller from comment #0) > getfacl profiles/Administrator.V2/ > # file: profiles/Administrator.V2/ > # owner: administrator > # group: domain\040users > user::rwx > user:20512:rwx > group::--- > group:10006:rwx > group:administrator:rwx > group:domain\040admins:rwx > group:domain\040users:--- > mask::rwx > other::--- > default:user::rwx > default:user:administrator:rwx > default:user:20512:rwx > default:group::--- > default:group:10006:rwx > default:group:domain\040admins:rwx > default:group:domain\040users:--- > default:mask::rwx > default:other::--- What is the uid for the user by which you are trying to access sub-directory? # getent passwd 'MY\<username>' Also I need the following details: # wbinfo -r 'MY\<username>' If my understanding is correct, 20512 corresponds to Administrator account. No other users from Domain 'MY' have permission to access the sub-directory. Please update the permissions in such a way that 'Domain Users' group is allowed to access the directory. (In reply to Anoop C S from comment #4) > (In reply to Daniel Weller from comment #0) > > getfacl profiles/Administrator.V2/ > > # file: profiles/Administrator.V2/ > > # owner: administrator > > # group: domain\040users > > user::rwx > > user:20512:rwx > > group::--- > > group:10006:rwx > > group:administrator:rwx > > group:domain\040admins:rwx > > group:domain\040users:--- > > mask::rwx > > other::--- > > default:user::rwx > > default:user:administrator:rwx > > default:user:20512:rwx > > default:group::--- > > default:group:10006:rwx > > default:group:domain\040admins:rwx > > default:group:domain\040users:--- > > default:mask::rwx > > default:other::--- > > What is the uid for the user by which you are trying to access sub-directory? > # getent passwd 'MY\<username>' > > Also I need the following details: > # wbinfo -r 'MY\<username>' > > If my understanding is correct, 20512 corresponds to Administrator account. > No other users from Domain 'MY' have permission to access the sub-directory. > Please update the permissions in such a way that 'Domain Users' group is > allowed to access the directory. # getent passwd "MY\weller" weller:*:21127:20513:Daniel Weller:/gluster/mnt/users/weller:/bin/bash # wbinfo -r 'MY\weller' 21127 20513 21125 20512 20572 21120 21164 21162 21167 10002 10001 created a new volume, mounted, and set permission to full control for domain users # gluster volume create atest replica 2 172.17.1.3:/gluster/bricks/atest 172.17.1.4:/gluster/bricks/atest # net conf addshare atest /gluster/mnt/atest writeable=y guest_ok=n # net conf setparm atest "browsable" "yes" # smbcontrol all reload-config switch to windows, set permissions (share permissions: domain admins: full control, domain users: change, security: add fullcontrol for domain users, this folder subfolders and files) # getfacl /gluster/mnt/atest # file: . # owner: administrator # group: domain\040admins user::rwx user:20512:rwx user:20513:rwx group::rwx group:administrator:rwx group:domain\040admins:rwx group:domain\040users:rwx mask::rwx other::rwx default:user::rwx default:user:administrator:rwx default:user:20513:rwx default:group::r-x default:group:domain\040admins:r-x default:group:domain\040users:rwx default:mask::rwx default:other::r-x getfacl /gluster/mnt/atest/folder getfacl: Removing leading '/' from absolute path names # file: gluster/mnt/atest/folder # owner: weller # group: domain\040users user::rwx user:20513:rwx group::rwx group:domain\040users:rwx group:weller:rwx mask::rwx other::r-x default:user::rwx default:user:20513:rwx default:user:weller:rwx default:group::r-x default:group:domain\040users:rwx default:mask::rwx default:other::r-x -> map network drive in windows (\\IP\atest as well as \\IP\atest\folder and \\IP\atest\folder\subfolder) work fine changed share export to vfs gluster: net conf setparm atest "vfs objects" "glusterfs" net conf setparm atest "glusterfs:volume" "atest" net conf setparm atest "glusterfs:volfile_server" "172.17.1.3 172.17.1.4" net conf setparm atest "glusterfs:logfile" "/var/log/samba/glusterfs-atest.log" net conf setparm atest "glusterfs:loglevel" "7" net conf setparm atest "kernel share modes" "no" net conf setparm atest "path" "/" smbcontrol all reload-config switch to windows: verify that permissions are as set above: yes map network drive: \\IP\atest -> works \\IP\atest\folder -> fails ... Anoop, can you judge if this is a Gluster issue, or needs a fix in Samba? If this is a Samba problem, please open a bug at bugzilla.samba.org and close this one with a reference. Thanks! (In reply to Niels de Vos from comment #6) > Anoop, can you judge if this is a Gluster issue, or needs a fix in Samba? This seems more like a issue in the way ACLs are setup and may not be something which requires a change to code base in either Samba or GlusterFS. So keeping this open till we figure out the missing ACL configuration. > If this is a Samba problem, please open a bug at bugzilla.samba.org and close > this one with a reference. > > Thanks! Daniel, Can you please increase Samba's log level to 10 and share the logs under /var/log/samba/ while you get a failure on mapping network drive to sub-folder within GlusterFS volume with user 'weller'? Also please try setting permissions using POSIX ACLs using the following wiki on a new volume and see if the results are same. https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs (In reply to Anoop C S from comment #7) > (In reply to Niels de Vos from comment #6) > > Anoop, can you judge if this is a Gluster issue, or needs a fix in Samba? > > This seems more like a issue in the way ACLs are setup and may not be > something which requires a change to code base in either Samba or GlusterFS. > > So keeping this open till we figure out the missing ACL configuration. > > > If this is a Samba problem, please open a bug at bugzilla.samba.org and close > > this one with a reference. > > > > Thanks! > > Daniel, > > Can you please increase Samba's log level to 10 and share the logs under > /var/log/samba/ while you get a failure on mapping network drive to > sub-folder within GlusterFS volume with user 'weller'? > > Also please try setting permissions using POSIX ACLs using the following > wiki on a new volume and see if the results are same. > > https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs fixed by upgrade to gluster 3.12 and samba 4.7 I suggest close this bug. If you still want to figure things out, I could provide the requested log files. However: posix acl are not an option for us. we would have to setup a separate test environment anyways... |