Bug 765573 - (GLUSTER-3841) Access control lists (ACL) do not work as expected with Samba user's group membership
Access control lists (ACL) do not work as expected with Samba user's group me...
Status: CLOSED DUPLICATE of bug 764911
Product: GlusterFS
Classification: Community
Component: access-control (Show other bugs)
mainline
x86_64 Linux
medium Severity medium
: ---
: ---
Assigned To: shishir gowda
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2011-12-02 13:49 EST by Jonathan Windle
Modified: 2013-12-08 20:28 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Jonathan Windle 2011-12-02 13:49:39 EST
GlusterFS Version: 3.2.5
Linux Distro: Ubuntu Server 10.04.3 LTS
Kernel Version: 2.6.32-35-server #78-Ubuntu SMP Tue Oct 11 16:26:12 UTC 2011 x86_64 GNU/Linux

I have a Linux server that is joined to a Microsoft Active Directory domain through Samba. This same server runs glusterd and mounts the hosted gluster file systems to local mount points which are then shared out via Samba. This actually happens across two servers that mirror file systems which makes glusterfs important but I believe is not necessarily important for this bug report.

The underlying file system that glusterd hosts off of is ext4 and is mounted with the "acl" option. The glusterfs mount points are also mounted with the "acl" option.

The problem I am experiencing is that the glusterfs mount points do not seem to respect all of my user's group memberships through Samba. However if I access the files directly though the ext4 file system the group membership is respected.

Currently this problem is a blocker for me using glusterfs in a project I'm working on, so it feels rather important to me. I understand if this problem is of lower priority for the glusterfs devs though.

I originally thought this problem may be related to bug 764911 & 3792 (16 group membership limit) but after talking with some people in #gluster it was suggested I should file a new bug report.

As a side note looking into one of the ways NFS handles the 16 group membership limit I found the following article http://goo.gl/Z2rCL which recommends the NFS server flag "--manage-gids". If I am running into the 16 group membership limit glusterd implementing something like --manage-gids would be ideal for me.

Here is a example of what I am experiencing. Let me know if I can provide any more information that would be helpful. Thanks.

$ cat /etc/mtab 
...
/dev/mapper/extrastorage-glusterfs /mnt/glusterfs ext4 rw,acl 0 0
gluster:/iis /mnt/iis fuse.glusterfs rw,allow_other,max_read=131072 0 0
gluster:/sites /mnt/sites fuse.glusterfs rw,allow_other,max_read=131072 0 0

$ id
uid=1000004483(auser) gid=1000000513(agroup) groups=100001762(group00),100011164(group01),100024554(group02),100047776(group03),100056591(group04),1000000512(group05),1000000513(group06),1000000519(group07),1000000572(group08),1000001138(group09),1000001139(group10),1000001140(group11),1000001307(group12),1000001437(group13),1000001605(group14),1000001606(group15),1000001607(group16),1000032963(group17),1000034638(group18),1000034641(group19),1000036325(group20),1000042568(group21),1000045344(group22),1000045345(group23),1000045346(group24),1000045347(group25),1000045351(group26),1000056421(group27),1000056617(group28),1000056664(group29),1000056867(group30),1000056868(group31),1000056869(group32),1000056870(group33),1000058224(group34),1000058509(group35)

$ getfacl /mnt/iis
getfacl: Removing leading '/' from absolute path names
# file: mnt/iis
# owner: root
# group: root
# flags: -s-
user::rwx
group::r-x
group:group05:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:group05:rwx
default:mask::rwx
default:other::r-x

$ touch /mnt/iis/afile

$ ls -l /mnt/iis
-rw-r--r--+ 1 auser root     0 2011-12-02 10:27 afile

$ getfacl /mnt/sites
getfacl: Removing leading '/' from absolute path names
# file: mnt/sites
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
group:group28:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:group28:rwx
default:mask::rwx
default:other::---

$ touch /mnt/sites/afile
touch: cannot touch `/mnt/sites/afile': Permission denied

$ ls -l /mnt/sites/
ls: cannot open directory /mnt/sites/: Permission denied

$ getfacl /mnt/glusterfs/sites
getfacl: Removing leading '/' from absolute path names
# file: mnt/glusterfs/sites
# owner: root
# group: root
# flags: -s-
user::rwx
group::rwx
group:group28:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:group28:rwx
default:mask::rwx
default:other::---

$ ls -l /mnt/glusterfs/sites
drwxrws---+ 2 root root 4096 2011-11-21 09:26 afolder
Comment 1 shishir gowda 2011-12-05 01:56:57 EST
Hi Jonathan,

You are correct, this bug is a duplicate of bug 764911.

I will mark this bug as a duplicate of it.

*** This bug has been marked as a duplicate of bug 3179 ***

Note You need to log in before you can comment on or make changes to this bug.