Bug 1484427 - Cannot map subfolder of gluster/samba share when using vfs objects = glusterfs
Status: CLOSED WORKSFORME
Product: GlusterFS
Classification: Community
Component: gluster-smb
Version: 3.10
Hardware: x86_64
OS: Linux
Assignee: Anoop C S
QA Contact: bugs@gluster.org
Reported: 2017-08-23 14:42 UTC by Daniel Weller
Modified: 2018-01-26 14:41 UTC
Last Closed: 2017-11-29 07:18:13 UTC

Description Daniel Weller 2017-08-23 14:42:26 UTC
Description of problem:
Cannot map subfolder of gluster/samba share when using vfs objects = glusterfs in Windows.
Mapping the parent folder works fine.

Version-Release number of selected component (if applicable):
Gluster: CentOS 3.10.5 (centos-release-gluster310)
Samba: 4.6.7 

How reproducible:
always

Steps to Reproduce:
0.a. Have samba Active Directory controller configured
0.b. Create file-server, join domain as member
1. create share (see additional info)
2. configure ACLs in windows client (as recommended in samba wiki)
3. map network drive: \\fileserver\share\subfolder


Actual results:
Windows gets 'access denied' for user/pass that works with the root-folder of the share
Log files (Samba) show: Could not close dir! fname=<subfoldername>, fd=-1, err=1=Operation not permitted

Expected results:
Subfolder is mapped as network drive

Additional info:

testparm:
[global]
        netbios name = FILE
        realm = MY.REALM
        workgroup = MY
        log file = /var/log/samba.log
        clustering = Yes
        registry shares = Yes
        security = ADS
        template homedir = /gluster/mnt/users/%U
        template shell = /bin/bash
        winbind refresh tickets = Yes
        winbind use default domain = Yes
        idmap config my:range = 20000-1999999
        idmap config my:backend = rid
        idmap config *:range = 10000-19999
        idmap config * : backend = tdb
        store dos attributes = Yes
        map acl inherit = Yes
        inherit acls = Yes
        vfs objects = acl_xattr

[profiles]
        comment = User Profile Directories
        path = /
        kernel share modes = No
        read only = No
        vfs objects = glusterfs
        glusterfs:loglevel = 3
        glusterfs:logfile = /var/log/samba/glusterfs-profiles.log
        glusterfs:volfile_server = 172.17.1.3 172.17.1.4
        glusterfs:volume = profiles


getfacl profiles/
# file: profiles/
# owner: administrator
# group: domain\040admins
user::rwx
user:20512:rwx
user:20513:rwx
group::rwx
group:10006:rwx
group:administrator:rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:20512:rwx
default:group::---
default:group:10006:rwx
default:group:domain\040admins:rwx
default:mask::rwx
default:other::---

getfacl profiles/Administrator.V2/
# file: profiles/Administrator.V2/
# owner: administrator
# group: domain\040users
user::rwx
user:20512:rwx
group::---
group:10006:rwx
group:administrator:rwx
group:domain\040admins:rwx
group:domain\040users:---
mask::rwx
other::---
default:user::rwx
default:user:administrator:rwx
default:user:20512:rwx
default:group::---
default:group:10006:rwx
default:group:domain\040admins:rwx
default:group:domain\040users:---
default:mask::rwx
default:other::---

Comment 1 Poornima G 2017-08-28 05:27:13 UTC
Couple of things:
1. Can you try to export a non-Gluster, local filesystem with the same ACLs, and see if this works? Just to make sure whether it's an AD/Samba issue or a Gluster issue.

2. For trial purposes, what happens when you give all permissions to others, i.e. 777?

Comment 2 Poornima G 2017-08-28 05:28:44 UTC
@Anoop, can you look into this? Do you see any obvious reasons why this is not working?

Comment 3 Daniel Weller 2017-08-29 08:00:21 UTC
(In reply to Poornima G from comment #1)
> Couple of things:
> 1. Can you try to export a non-Gluster, local filesystem with the same ACLs,
> and see if this works? Just to make sure whether it's an AD/Samba issue or a
> Gluster issue.
> 
> 2. For trial purposes, what happens when you give all permissions to others,
> i.e. 777?

1. Mounting the very same Gluster volume and then sharing the mount point works fine.

2. Does not change anything.

Comment 4 Anoop C S 2017-08-30 09:40:11 UTC
(In reply to Daniel Weller from comment #0)
> getfacl profiles/Administrator.V2/
> # file: profiles/Administrator.V2/
> # owner: administrator
> # group: domain\040users
> user::rwx
> user:20512:rwx
> group::---
> group:10006:rwx
> group:administrator:rwx
> group:domain\040admins:rwx
> group:domain\040users:---
> mask::rwx
> other::---
> default:user::rwx
> default:user:administrator:rwx
> default:user:20512:rwx
> default:group::---
> default:group:10006:rwx
> default:group:domain\040admins:rwx
> default:group:domain\040users:---
> default:mask::rwx
> default:other::---

What is the uid of the user with which you are trying to access the sub-directory?
# getent passwd 'MY\<username>'

Also I need the following details:
# wbinfo -r 'MY\<username>'

If my understanding is correct, 20512 corresponds to Administrator account. No other users from Domain 'MY' have permission to access the sub-directory. Please update the permissions in such a way that 'Domain Users' group is allowed to access the directory.

Comment 5 Daniel Weller 2017-08-30 11:28:42 UTC
(In reply to Anoop C S from comment #4)
> (In reply to Daniel Weller from comment #0)
> > getfacl profiles/Administrator.V2/
> > # file: profiles/Administrator.V2/
> > # owner: administrator
> > # group: domain\040users
> > user::rwx
> > user:20512:rwx
> > group::---
> > group:10006:rwx
> > group:administrator:rwx
> > group:domain\040admins:rwx
> > group:domain\040users:---
> > mask::rwx
> > other::---
> > default:user::rwx
> > default:user:administrator:rwx
> > default:user:20512:rwx
> > default:group::---
> > default:group:10006:rwx
> > default:group:domain\040admins:rwx
> > default:group:domain\040users:---
> > default:mask::rwx
> > default:other::---
> 
> What is the uid of the user with which you are trying to access the sub-directory?
> # getent passwd 'MY\<username>'
> 
> Also I need the following details:
> # wbinfo -r 'MY\<username>'
> 
> If my understanding is correct, 20512 corresponds to Administrator account.
> No other users from Domain 'MY' have permission to access the sub-directory.
> Please update the permissions in such a way that 'Domain Users' group is
> allowed to access the directory.

# getent passwd "MY\weller"
weller:*:21127:20513:Daniel Weller:/gluster/mnt/users/weller:/bin/bash

# wbinfo -r 'MY\weller'
21127
20513
21125
20512
20572
21120
21164
21162
21167
10002
10001


created a new volume, mounted, and set permission to full control for domain users
# gluster volume create atest replica 2 172.17.1.3:/gluster/bricks/atest 172.17.1.4:/gluster/bricks/atest
# net conf addshare atest /gluster/mnt/atest writeable=y guest_ok=n
# net conf setparm atest "browsable" "yes"
# smbcontrol all reload-config

switch to windows, set permissions (share permissions: domain admins: full control, domain users: change, security: add fullcontrol for domain users, this folder subfolders and files)


# getfacl /gluster/mnt/atest

# file: .
# owner: administrator
# group: domain\040admins
user::rwx
user:20512:rwx
user:20513:rwx
group::rwx
group:administrator:rwx
group:domain\040admins:rwx
group:domain\040users:rwx
mask::rwx
other::rwx
default:user::rwx
default:user:administrator:rwx
default:user:20513:rwx
default:group::r-x
default:group:domain\040admins:r-x
default:group:domain\040users:rwx
default:mask::rwx
default:other::r-x


getfacl /gluster/mnt/atest/folder
getfacl: Removing leading '/' from absolute path names
# file: gluster/mnt/atest/folder
# owner: weller
# group: domain\040users
user::rwx
user:20513:rwx
group::rwx
group:domain\040users:rwx
group:weller:rwx
mask::rwx
other::r-x
default:user::rwx
default:user:20513:rwx
default:user:weller:rwx
default:group::r-x
default:group:domain\040users:rwx
default:mask::rwx
default:other::r-x



-> map network drive in windows (\\IP\atest as well as \\IP\atest\folder and \\IP\atest\folder\subfolder) work fine

changed share export to vfs gluster:
net conf setparm atest "vfs objects" "glusterfs"
net conf setparm atest "glusterfs:volume" "atest"
net conf setparm atest "glusterfs:volfile_server" "172.17.1.3 172.17.1.4"
net conf setparm atest "glusterfs:logfile" "/var/log/samba/glusterfs-atest.log"
net conf setparm atest "glusterfs:loglevel" "7"
net conf setparm atest "kernel share modes" "no"
net conf setparm atest "path" "/"
smbcontrol all reload-config

switch to windows: verify that permissions are as set above: yes
map network drive:
\\IP\atest -> works
\\IP\atest\folder -> fails
...
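
Added example, not part of the original thread and not code from Samba or GlusterFS: a small check that computes the effective "vfs objects" list for a share, run on a trimmed copy of the testparm output from the description; the same applies to the atest share after the net conf setparm atest "vfs objects" "glusterfs" step in comment 5. It relies on two documented behaviours: a share-level "vfs objects" replaces the [global] list rather than extending it, and vfs_glusterfs(8) states that glusterfs should be the last module in the list. The function names are this example's own, and the thread does not establish whether this relates to the reported failure.

```python
# Added example: effective "vfs objects" per share, from testparm-style text.
TESTPARM = """\
[global]
        vfs objects = acl_xattr

[profiles]
        path = /
        kernel share modes = No
        vfs objects = glusterfs
        glusterfs:volume = profiles
"""


def parse_sections(text):
    """Return {section: {parameter: value}}; names are case/space-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[" ".join(key.lower().split())] = value.strip()
    return sections


def effective_vfs(sections, share):
    """Share-level 'vfs objects' replaces the [global] list; it is not merged."""
    merged = {**sections.get("global", {}), **sections[share.lower()]}
    return merged.get("vfs objects", "").split()


def review_share(sections, share):
    """Return findings about the VFS module stack of one share."""
    stack = effective_vfs(sections, share)
    inherited = sections.get("global", {}).get("vfs objects", "").split()
    findings = ["[%s] does not load global module %s" % (share, m)
                for m in inherited if m not in stack]
    if "glusterfs" in stack and stack[-1] != "glusterfs":
        findings.append("[%s] glusterfs is not the last module" % share)
    return findings


if __name__ == "__main__":
    for finding in review_share(parse_sections(TESTPARM), "profiles"):
        print(finding)
```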

Comment 6 Niels de Vos 2017-09-04 08:11:18 UTC
Anoop, can you judge if this is a Gluster issue, or needs a fix in Samba? If this is a Samba problem, please open a bug at bugzilla.samba.org and close this one with a reference.

Thanks!

Comment 7 Anoop C S 2017-09-08 07:08:23 UTC
(In reply to Niels de Vos from comment #6)
> Anoop, can you judge if this is a Gluster issue, or needs a fix in Samba?

This seems more like an issue in the way ACLs are set up and may not be something which requires a change to code base in either Samba or GlusterFS.

So keeping this open till we figure out the missing ACL configuration.

> If this is a Samba problem, please open a bug at bugzilla.samba.org and close
> this one with a reference.
> 
> Thanks!

Daniel,

Can you please increase Samba's log level to 10 and share the logs under /var/log/samba/ while you get a failure on mapping network drive to sub-folder within GlusterFS volume with user 'weller'?

Also please try setting permissions using POSIX ACLs using the following wiki on a new volume and see if the results are same.

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

Comment 8 Daniel Weller 2017-09-26 14:07:17 UTC
(In reply to Anoop C S from comment #7)
> (In reply to Niels de Vos from comment #6)
> > Anoop, can you judge if this is a Gluster issue, or needs a fix in Samba?
> 
> This seems more like an issue in the way ACLs are set up and may not be
> something which requires a change to code base in either Samba or GlusterFS. 
> 
> So keeping this open till we figure out the missing ACL configuration.
> 
> > If this is a Samba problem, please open a bug at bugzilla.samba.org and close
> > this one with a reference.
> > 
> > Thanks!
> 
> Daniel,
> 
> Can you please increase Samba's log level to 10 and share the logs under
> /var/log/samba/ while you get a failure on mapping network drive to
> sub-folder within GlusterFS volume with user 'weller'?
> 
> Also please try setting permissions using POSIX ACLs using the following
> wiki on a new volume and see if the results are same.
> 
> https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

Fixed by upgrade to gluster 3.12 and samba 4.7.
I suggest closing this bug. If you still want to figure things out, I could provide the requested log files.
However: POSIX ACLs are not an option for us. We would have to set up a separate test environment anyway...

