Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1110018

Summary: Not able to set deny acls on samba shares
Product: [Community] GlusterFS Reporter: Harshavardhana <fharshav>
Component: gluster-smbAssignee: Anoop C S <anoopcs>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: mainlineCC: atumball, cww, jbyers, lmohanty, rtalur
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 999484 Environment:
Last Closed: 2018-10-09 09:50:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 999484    
Bug Blocks:    

Description Harshavardhana 2014-06-16 20:25:43 UTC 
+++ This bug was initially created as a clone of Bug #999484 +++

Description of problem:

We are not able to set deny acls on samba shares. samba shares include rhs volumes, xfs partitions. This might be because deny acls are not supported with samba. However we are not sure about this. So this bug would be used to track this issue. 

If we confirm samba does not support deny acls, we would convert this bug as documentation bug to include the information in rhs documentation.



Version-Release number of selected component (if applicable):
samba-3.6.9-159.1

How reproducible:
always

--- Additional comment from RHEL Product and Program Management on 2013-08-21 08:08:57 EDT ---

Since this issue was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Christopher R. Hertel on 2013-08-21 21:34:44 EDT ---

The vfs_glusterfs module does not support storage and retrieval of Windows ACLs. Instead, it converts the Windows ACLs into POSIX ACLs (as best as it can) and stores the POSIX ACLs in the file system. This ensures that other applications and access methods are all obeying the same access rules. When Windows asks to read a Security Descriptor (SD), the POSIX ACLs are translated back into Windows format (as best as we can) and the SD is constructed from the result.

POSIX doesn't have a concept of Deny ACLs, so there is no way to retrieve a Deny ACL using this mechanism.

--- Additional comment from Raghavendra Talur on 2013-08-27 01:30:46 EDT ---

You can use acl_xattr object on top of glusterfs to support NT_ACLs.
But we have not tested its integration throughly yet.

--- Additional comment from Christopher R. Hertel on 2013-08-27 14:17:17 EDT ---

Agreed.

The solution is to test the addition of the vfs_acl_xattr module above the vfs_glusterfs module in the Samba VFS stack. This stacking should work, but we have not tested it fully to verify it for production use.

--- Additional comment from Lalatendu Mohanty on 2013-09-11 08:44:13 EDT ---

We should also take this bug as high severity because it is important from Windows security point of view. 

In Windows if a set of permissions given to a to a particular group and we can set deny acl for a for a particular user from the group. While calculating the final permission for the user, deny acl take higher precedence and the deny acl will be applicable for the user.

--- Additional comment from Christopher R. Hertel on 2013-10-02 15:39:49 EDT ---

This simply requires QE testing with the vfs_acl_xattr module.
Comment 1 Harshavardhana 2014-06-16 20:27:16 UTC 
*** Bug 870256 has been marked as a duplicate of this bug. ***
Comment 2 Anand Avati 2014-06-16 20:34:09 UTC 
REVIEW: http://review.gluster.org/8086 (samba/hook-scripts: Enable acl_xattr by default) posted (#2) for review on master by Harshavardhana (harsha)
Comment 3 Anand Avati 2014-06-18 06:37:11 UTC 
REVIEW: http://review.gluster.org/8086 (samba/hook-scripts: Enable acl_xattr by default) posted (#3) for review on master by Harshavardhana (harsha)
Comment 5 Mike McCune 2016-03-28 23:30:47 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 6 Anoop C S 2018-10-09 09:50:14 UTC 
Even though it is not default, the use of acl_xattr vfs module from Samba alongside glusterfs vfs module has not yet revealed any issues. Also there is no plan to make it default in near future.