999484 – Not able to set deny acls on samba shares

Bug 999484 - Not able to set deny acls on samba shares

Summary: Not able to set deny acls on samba shares

Keywords:
Status:	CLOSED EOL
Alias:	None
Product:	Red Hat Gluster Storage
Classification:	Red Hat Storage
Component:	samba
Sub Component:
Version:	2.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	medium
Target Milestone:	---
Target Release:	---
Assignee:	Ira Cooper
QA Contact:	Lalatendu Mohanty
Docs Contact:
URL:
Whiteboard:	ntacl
Depends On:
Blocks:	1110018
TreeView+	depends on / blocked

Reported:	2013-08-21 11:52 UTC by Lalatendu Mohanty
Modified:	2015-12-03 17:13 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1110018 (view as bug list)
Environment:
Last Closed:	2015-12-03 17:13:26 UTC
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Lalatendu Mohanty 2013-08-21 11:52:21 UTC

Description of problem:

We are not able to set deny acls on samba shares. samba shares include rhs volumes, xfs partitions. This might be because deny acls are not supported with samba. However we are not sure about this. So this bug would be used to track this issue. 

If we confirm samba does not support deny acls, we would convert this bug as documentation bug to include the information in rhs documentation.



Version-Release number of selected component (if applicable):
samba-3.6.9-159.1

How reproducible:
always

Comment 2 Christopher R. Hertel 2013-08-22 01:34:44 UTC

The vfs_glusterfs module does not support storage and retrieval of Windows ACLs. Instead, it converts the Windows ACLs into POSIX ACLs (as best as it can) and stores the POSIX ACLs in the file system. This ensures that other applications and access methods are all obeying the same access rules. When Windows asks to read a Security Descriptor (SD), the POSIX ACLs are translated back into Windows format (as best as we can) and the SD is constructed from the result.

POSIX doesn't have a concept of Deny ACLs, so there is no way to retrieve a Deny ACL using this mechanism.

Comment 3 Raghavendra Talur 2013-08-27 05:30:46 UTC

You can use acl_xattr object on top of glusterfs to support NT_ACLs.
But we have not tested its integration throughly yet.

Comment 4 Christopher R. Hertel 2013-08-27 18:17:17 UTC

Agreed.

The solution is to test the addition of the vfs_acl_xattr module above the vfs_glusterfs module in the Samba VFS stack. This stacking should work, but we have not tested it fully to verify it for production use.

Comment 5 Lalatendu Mohanty 2013-09-11 12:44:13 UTC

We should also take this bug as high severity because it is important from Windows security point of view. 

In Windows if a set of permissions given to a to a particular group and we can set deny acl for a for a particular user from the group. While calculating the final permission for the user, deny acl take higher precedence and the deny acl will be applicable for the user.

Comment 6 Christopher R. Hertel 2013-10-02 19:39:49 UTC

This simply requires QE testing with the vfs_acl_xattr module.

Comment 7 Vivek Agarwal 2015-12-03 17:13:26 UTC

Thank you for submitting this issue for consideration in Red Hat Gluster Storage. The release for which you requested us to review, is now End of Life. Please See https://access.redhat.com/support/policy/updates/rhs/

If you can reproduce this bug against a currently maintained version of Red Hat Gluster Storage, please feel free to file a new report against the current release.

Note You need to log in before you can comment on or make changes to this bug.