Description of problem:
Cannot map subfolder of gluster/samba share when using vfs objects = glusterfs in windows. Mapping the parent folder works fine.

Version-Release number of selected component (if applicable):
Gluster: CentOS 3.10.5 (centos-release-gluster310)
Samba: 4.6.7

How reproducible:
always

Steps to Reproduce:
0.a. Have samba Active Directory controller configured
0.b. Create file-server, join domain as member
1. create share (see additional info)
2. configure ACLs in windows client (as recommended in samba wiki)
3. map network drive: \\fileserver\share\subfolder

Actual results:
windows gets 'access denied' for user/pass that works with the root-folder of the share
log-files (samba) shows:
Could not close dir! fname=<subfoldername>, fd=-1, err=1=Operation not permitted

Expected results:
Subfolder is mapped as network drive

Additional info:
testparm:
[global]
    netbios name = FILE
    realm = MY.REALM
    workgroup = MY
    log file = /var/log/samba.log
    clustering = Yes
    registry shares = Yes
    security = ADS
    template homedir = /gluster/mnt/users/%U
    template shell = /bin/bash
    winbind refresh tickets = Yes
    winbind use default domain = Yes
    idmap config my:range = 20000-1999999
    idmap config my:backend = rid
    idmap config *:range = 10000-19999
    idmap config * : backend = tdb
    store dos attributes = Yes
    map acl inherit = Yes
    inherit acls = Yes
    vfs objects = acl_xattr

[profiles]
    comment = User Profile Directories
    path = /
    kernel share modes = No
    read only = No
    vfs objects = glusterfs
    glusterfs:loglevel = 3
    glusterfs:logfile = /var/log/samba/glusterfs-profiles.log
    glusterfs:volfile_server = 172.17.1.3 172.17.1.4
    glusterfs:volume = profiles

getfacl profiles/
# file: profiles/
# owner: administrator
# group: domain\040admins
user::rwx
user:20512:rwx
user:20513:rwx
group::rwx
group:10006:rwx
group:administrator:rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:20512:rwx
default:group::---
default:group:10006:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

getfacl profiles/Administrator.V2/
# file: profiles/Administrator.V2/
# owner: administrator
# group: domain\040users
user::rwx
user:20512:rwx
group::---
group:10006:rwx
group:administrator:rwx
group:domain\040admins:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:20512:rwx
default:group::---
default:group:10006:rwx
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---

Couple of things:
1. Can you try to export a non gluster, local filesystem with the same acls, and see if this works? Just to make sure if it's AD/Samba issue or Gluster issue
2. For trial purpose, what happens when you give all permissions to others i.e 777?

@Anoop Can you look into this, do you see any obvious reasons why this is not working?
(In reply to Poornima G from comment #1)
> Couple of things:
> 1. Can you try to export a non gluster, local filesystem with the same acls,
> and see if this works? Just to make sure if it's AD/Samba issue or Gluster
> issue
>
> 2. For trial purpose, what happens when you give all permissions to others
> i.e 777?

1. mounting the very same gluster volume, and then sharing the mount-point works fine.
2. does not change anything.

(In reply to Daniel Weller from comment #0)
> getfacl profiles/Administrator.V2/
> # file: profiles/Administrator.V2/
> # owner: administrator
> # group: domain\040users
> user::rwx
> user:20512:rwx
> group::---
> group:10006:rwx
> group:administrator:rwx
> group:domain\040admins:rwx
> group:domain\040users:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:administrator:rwx
> default:user:20512:rwx
> default:group::---
> default:group:10006:rwx
> default:group:domain\040admins:rwx
> default:group:domain\040users:---
> default:mask::rwx
> default:other::---

What is the uid for the user by which you are trying to access sub-directory?
# getent passwd 'MY\<username>'

Also I need the following details:
# wbinfo -r 'MY\<username>'

If my understanding is correct, 20512 corresponds to Administrator account. No other users from Domain 'MY' have permission to access the sub-directory. Please update the permissions in such a way that 'Domain Users' group is allowed to access the directory.

(In reply to Anoop C S from comment #4)
> (In reply to Daniel Weller from comment #0)
> > getfacl profiles/Administrator.V2/
> > # file: profiles/Administrator.V2/
> > # owner: administrator
> > # group: domain\040users
> > user::rwx
> > user:20512:rwx
> > group::---
> > group:10006:rwx
> > group:administrator:rwx
> > group:domain\040admins:rwx
> > group:domain\040users:---
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:administrator:rwx
> > default:user:20512:rwx
> > default:group::---
> > default:group:10006:rwx
> > default:group:domain\040admins:rwx
> > default:group:domain\040users:---
> > default:mask::rwx
> > default:other::---
>
> What is the uid for the user by which you are trying to access sub-directory?
> # getent passwd 'MY\<username>'
>
> Also I need the following details:
> # wbinfo -r 'MY\<username>'
>
> If my understanding is correct, 20512 corresponds to Administrator account.
> No other users from Domain 'MY' have permission to access the sub-directory.
> Please update the permissions in such a way that 'Domain Users' group is
> allowed to access the directory.

# getent passwd "MY\weller"
weller:*:21127:20513:Daniel Weller:/gluster/mnt/users/weller:/bin/bash

# wbinfo -r 'MY\weller'
21127
20513
21125
20512
20572
21120
21164
21162
21167
10002
10001

created a new volume, mounted, and set permission to full control for domain users

# gluster volume create atest replica 2 172.17.1.3:/gluster/bricks/atest 172.17.1.4:/gluster/bricks/atest
# net conf addshare atest /gluster/mnt/atest writeable=y guest_ok=n
# net conf setparm atest "browsable" "yes"
# smbcontrol all reload-config

switch to windows, set permissions (share permissions: domain admins: full control, domain users: change, security: add fullcontrol for domain users, this folder subfolders and files)

# getfacl /gluster/mnt/atest
# file: .
# owner: administrator
# group: domain\040admins
user::rwx
user:20512:rwx
user:20513:rwx
group::rwx
group:administrator:rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:administrator:rwx
default:user:20513:rwx
default:group::r-x
default:group:domain\040admins:r-x
default:group:domain\040users:rwx
default:mask::rwx
default:other::r-x

getfacl /gluster/mnt/atest/folder
getfacl: Removing leading '/' from absolute path names
# file: gluster/mnt/atest/folder
# owner: weller
# group: domain\040users
user::rwx
user:20513:rwx
group::rwx
group:domain\040users:rwx
group:weller:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:20513:rwx
default:user:weller:rwx
default:group::r-x
default:group:domain\040users:rwx
default:mask::rwx
default:other::r-x

-> map network drive in windows (\\IP\atest as well as \\IP\atest\folder and \\IP\atest\folder\subfolder) work fine

changed share export to vfs gluster:

net conf setparm atest "vfs objects" "glusterfs"
net conf setparm atest "glusterfs:volume" "atest"
net conf setparm atest "glusterfs:volfile_server" "172.17.1.3 172.17.1.4"
net conf setparm atest "glusterfs:logfile" "/var/log/samba/glusterfs-atest.log"
net conf setparm atest "glusterfs:loglevel" "7"
net conf setparm atest "kernel share modes" "no"
net conf setparm atest "path" "/"
smbcontrol all reload-config

switch to windows:
verify that permissions are as set above: yes
map network drive:
\\IP\atest -> works
\\IP\atest\folder -> fails
...

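Added example, not part of the thread: the POSIX ACL access-check order (owner, named user, group class under the mask, other) applied to the access entries posted for profiles/Administrator.V2/, using the uid and gids posted for 'MY\weller'. The group name to gid mapping is an assumption derived from the rid idmap range in the posted testparm output (range base 20000 plus RID); `parse_acl` and `effective` are hypothetical helper names.

```python
# Constructed from the getfacl output posted for profiles/Administrator.V2/
ACL_TEXT = """\
# owner: administrator
# group: domain\\040users
user::rwx
user:20512:rwx
group::---
group:10006:rwx
group:administrator:rwx
group:domain\\040admins:rwx
group:domain\\040users:---
mask::rwx
other::---
"""
# Assumption: name -> gid, taken as range base 20000 + RID (rid idmap backend)
GROUP_IDS = {"domain admins": 20512, "domain users": 20513}
# uid and gids as posted from getent passwd / wbinfo -r for 'MY\weller'
WELLER = ("weller", 21127, {21127, 20513, 21125, 20512, 20572, 21120,
                            21164, 21162, 21167, 10002, 10001})
def parse_acl(text):
    """Split getfacl text into header fields and access (non-default) entries."""
    meta, entries = {}, []
    for line in text.splitlines():
        line = line.replace("\\040", " ").strip()   # getfacl escapes spaces
        if line.startswith("# "):
            key, _, val = line[2:].partition(": ")
            meta[key] = val
        elif line and not line.startswith("default:"):
            entries.append(tuple(line.split(":")))
    return meta, entries

def effective(text, user, uid, gids, group_ids=GROUP_IDS):
    """Return (deciding entry, permissions) using the POSIX ACL check order."""
    meta, entries = parse_acl(text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    masked = lambda p: "".join(a if m != "-" else "-" for a, m in zip(p, mask))
    gid_of = lambda q: group_ids.get(q, int(q) if q.isdigit() else None)
    me = {user, str(uid)}
    for tag, qual, perms in entries:
        if tag == "user" and not qual and meta["owner"] in me:
            return "owner", perms                    # owner entry is unmasked
    for tag, qual, perms in entries:
        if tag == "user" and qual in me:
            return f"user:{qual}", masked(perms)
    hits = [(f"group:{q}", masked(p)) for t, q, p in entries
            if t == "group" and gid_of(q or meta["group"]) in gids]
    if hits:                                         # most permissive match
        return min(hits, key=lambda h: h[1].count("-"))
    return "other", next(p for t, _, p in entries if t == "other")
```

Under the assumed mapping, `effective(ACL_TEXT, *WELLER)` is decided by the `group:domain admins` entry with `rwx`, while a uid whose only gid is 20513 ends at `---`.
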
Anoop, can you judge if this is a Gluster issue, or needs a fix in Samba? If this is a Samba problem, please open a bug at bugzilla.samba.org and close this one with a reference. Thanks!
(In reply to Niels de Vos from comment #6)
> Anoop, can you judge if this is a Gluster issue, or needs a fix in Samba?

This seems more like an issue in the way ACLs are setup and may not be something which requires a change to code base in either Samba or GlusterFS.

So keeping this open till we figure out the missing ACL configuration.

> If this is a Samba problem, please open a bug at bugzilla.samba.org and close
> this one with a reference.
>
> Thanks!

Daniel,

Can you please increase Samba's log level to 10 and share the logs under /var/log/samba/ while you get a failure on mapping network drive to sub-folder within GlusterFS volume with user 'weller'?

Also please try setting permissions using POSIX ACLs using the following wiki on a new volume and see if the results are same.

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

(In reply to Anoop C S from comment #7)
> (In reply to Niels de Vos from comment #6)
> > Anoop, can you judge if this is a Gluster issue, or needs a fix in Samba?
>
> This seems more like an issue in the way ACLs are setup and may not be
> something which requires a change to code base in either Samba or GlusterFS.
>
> So keeping this open till we figure out the missing ACL configuration.
>
> > If this is a Samba problem, please open a bug at bugzilla.samba.org and close
> > this one with a reference.
> >
> > Thanks!
>
> Daniel,
>
> Can you please increase Samba's log level to 10 and share the logs under
> /var/log/samba/ while you get a failure on mapping network drive to
> sub-folder within GlusterFS volume with user 'weller'?
>
> Also please try setting permissions using POSIX ACLs using the following
> wiki on a new volume and see if the results are same.
>
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

fixed by upgrade to gluster 3.12 and samba 4.7

I suggest closing this bug. If you still want to figure things out, I could provide the requested log files. However: posix acl are not an option for us. We would have to set up a separate test environment anyways...