[OpenIndiana-discuss] Problems with ZFS ACL vs 'normal' ACL

Robbie Crash sardonic.smiles at gmail.com
Mon Apr 9 17:02:23 UTC 2012


Hello,

I'm having some issues that are undoubtedly my fault, but that I've been
unable to fix.

I have several FS shared via SMB, the shares work and the data is
available, and I can create new files/directories without issue. However, I
cannot edit nor delete files consistently. Usually it works for a few days
or a few weeks, then all of a sudden, I cannot rename files/directories or
edit existing files. I usually can fix the issue by altering the ZFS ACL
using /usr/bin/chmod instead of the default one in /usr/gnu/bin/chmod, and
giving full_set and read_set as required. This is really annoying and has
to be redone seemingly at random.

I've tried setting aclmode and aclinherit to discard, but that hasn't
helped at all. Setting to passthrough and reapplying seems to get things
working for a while, then back to getting denied.

The command I'm running to set the permissions is:
$ /usr/bin/chmod A=owner@:full_set:fd:allow,group@:read_set:fd:allow,everyone@:read_set:fd:allow /Data/Dir

Which gives me:
$ /usr/bin/ls -lV /Data/
drwxr--r--+ 25 robbie   staff         25 Jan 14 15:34 Dir
                 owner@:rwxpdDaARWcCos:fd----I:allow
                 group@:r-----a-R-c--s:fd----I:allow
              everyone@:r-----a-R-c--s:fd----I:allow

A normal ls just shows whatever was set with /usr/gnu/bin/chmod.

Generally speaking if I do /usr/bin/ls before resetting the permissions, I
get something along the lines of owner@:rwxpdDaARWcCos:------I:allow, so
just the fd bits not set.

Logged in locally to the box things work properly. I can rename/move/edit
files without issue, it's just over SMB that there's an issue.

The pool was originally created under ZFS on Linux running under Ubuntu,
exported from there, and imported into OI151. Most of the shares are also
configured as netatalk shares for OSX clients. I have not tested to see if
OSX users have issues editing files, but I don't care about if they can
since none of the OSX users should be able to edit anything on the server.
Windows clients are all Windows 7 and are joined to an AD Domain, but are
authenticating as local users. SMB is using local account authentication,
not AD Integrated.

-- 
Seconds to the drop, but it seems like hours.

http://www.eff.org/
http://creativecommons.org/
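
An added example, not part of the original post: a small checker that reads `/usr/bin/ls -dV` output in the format quoted above and reports directory ACEs that lack the `f` or `d` inheritance flag, the state the post describes seeing before the ACL is reset. The sample listing is constructed; the directory `Other` and the user `backup` are hypothetical.

```python
import sys

# Constructed sample in the `/usr/bin/ls -dV` format quoted in the post.
# "Other" and "user:backup" are hypothetical names added for illustration.
SAMPLE = """\
drwxr--r--+ 25 robbie   staff         25 Jan 14 15:34 Dir
                 owner@:rwxpdDaARWcCos:fd----I:allow
                 group@:r-----a-R-c--s:fd----I:allow
              everyone@:r-----a-R-c--s:fd----I:allow
drwxr--r--+  4 robbie   staff          4 Jan 14 15:40 Other
                 owner@:rwxpdDaARWcCos:------I:allow
           user:backup:r-----a-R-c--s:-d----I:allow
                 group@:r-----a-R-c--s:fd----I:allow
"""


def missing_inheritance(listing):
    """Return (directory, who, flags, absent) for each directory ACE
    whose flag field lacks 'f' (file_inherit) or 'd' (dir_inherit)."""
    findings = []
    current = None  # name of the directory whose ACEs are being read
    for line in listing.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Header line: mode, links, owner, group, size, month, day, time, name.
            fields = line.split(None, 8)
            is_dir = len(fields) == 9 and fields[0].startswith("d")
            current = fields[8] if is_dir else None  # plain files are skipped
            continue
        # ACE line. Split from the right because the principal may itself
        # contain a colon, as in "user:backup".
        parts = line.strip().rsplit(":", 3)
        if current is None or len(parts) != 4 or parts[3] not in ("allow", "deny"):
            continue
        who, _perms, flags, _kind = parts
        absent = "".join(flag for flag in "fd" if flag not in flags)
        if absent:
            findings.append((current, who, flags, absent))
    return findings


if __name__ == "__main__":
    # Pipe real `ls -dV` output in on stdin, or run with no input to use SAMPLE.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for path, who, flags, absent in missing_inheritance(text):
        print(f"{path}: {who} has flags {flags}, missing '{absent}'")
```

Running it periodically against the shared directories would show when the inheritance flags disappear, which helps narrow down what is rewriting the ACL.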

