[OpenIndiana-discuss] Office apps unable to write to ZFS over CIFS

Martin Frost me at cs.Stanford.EDU
Sat Jun 30 23:00:37 UTC 2012


Thanks to all for the replies.  The Oracle Solaris documentation here:

  http://docs.oracle.com/cd/E19253-01/819-5461/ftyxi/index.html

says:

    The primary rules of ACL access on a ZFS file follow:

    * ZFS processes ACL entries in the order they are listed
	in the ACL, from the top down.

    * After an allow permission has been granted, it cannot be denied
	by a subsequent ACL deny entry in the same ACL permission set.

And my 'allow' was deliberately placed before the 'deny':

              owner@:rwxpdDaARWcCos:fd-----:allow
           everyone@:rwxpdDaARWcCos:fd-----:deny

And indeed *Windows* is allowing the owner to write files in such
directories in the OI ZFS filesystem.

But Office under Windows does not allow that, though it does allow
reading files there (despite the "deny" of all read permissions for
everyone@, which of course the above documentation says should be
ignored, as should the denial of write access).

(Office on MacOS X doesn't have this problem.  It's happy to write
such files despite the second line saying 'deny', though if the 'deny'
is the first line, Office on MacOS X does properly fail to read or
write the file.)

If I remove the "everyone@:...:deny", Office under Windows lets the
owner write the file.  It appears that non-owners still cannot read or
write such files, despite my having removed the "everyone@:...:deny",
so I'm satisfied that things are still protected as needed.

So Windows and Office on Windows -- both created by Microsoft --
interpret these ACLs differently.  Oh well.

Thanks again for your help.

Martin

 > Date: Thu, 28 Jun 2012 23:19:04 -0400
 > From: Robbie Crash <sardonic.smiles at gmail.com>
 > 
 > The explicit deny would apply to creator/owner if that were the
 > case. Also, it's not a 1:1 NTFS ACL mapping to the ZFS ACL. IIRC,
 > the permissions all show up as special permissions, for only one or
 > two generic users.
 > 
 > If Windows thought that there was an explicit deny, it wouldn't
 > open the file, and since those are inherited permissions, likely
 > couldn't open the directory itself.
 > 
 > Try running process explorer on the Windows box to see if it has
 > closed the file handles.
 > 
 > Also, what version of Office?
 > 
 > On Jun 28, 2012 10:50 PM, "Gordon Ross" <gordon.w.ross at gmail.com> wrote:
 > 
 > > On Thu, Jun 28, 2012 at 9:17 PM, Martin Frost <me at cs.stanford.edu> wrote:
 > > >  > Date: Thu, 28 Jun 2012 18:14:53 -0400
 > > >  > From: Gordon Ross <gordon.w.ross at gmail.com>
 > > >  >
 > > >  > On Thu, Jun 28, 2012 at 5:08 PM, Martin Frost <me at cs.stanford.edu> wrote:
 > > >  > > I'm running oi_148 as a fileserver, exporting via NFS and the
 > > >  > > kernel CIFS service for ZFS.
 > > >  > >
 > > >  > > But Windows users (XP and probably all Windows versions)
 > > >  > > are unable to write files from any MS Office applications
 > > >  > > into the shares from ZFS.  They always get: "Access
 > > >  > > denied.  Contact your administrator."  Same result whether
 > > >  > > they're trying to overwrite a file or write a new file.
 > > >  > >
 > > >  > > Any ideas what's causing that?  This is driving me crazy.
 > > >  > > I've seen the same problem under Linux with Samba, where
 > > >  > > disabling locking seemed to help.
 > > >  > >
 > > >  > > After that error, the users save the file to the local
 > > >  > > disk and copy it over the CIFS connection into the ZFS
 > > >  > > system successfully.  So they clearly have write access
 > > >  > > into ZFS from Windows, and the filesystem has lots of free
 > > >  > > space, but Office can't write any files to ZFS.  I assume
 > > >  > > this is some sort of locking problem.  I have nbmand=on,
 > > >  > > which is what I've read it should be set to for CIFS
 > > >  > > sharing.
 > > >  > >
 > > >  > > The directories and files they're trying to edit are owned
 > > >  > > by the actual user (defined by matching passwd and
 > > >  > > smbpasswd entries on the OI machine) and have 700
 > > >  > > permissions and full_set ACLs:
 > > >  > >
 > > >  > >               owner@:rwxpdDaARWcCos:fd-----:allow
 > > >  > >            everyone@:rwxpdDaARWcCos:fd-----:deny
 > > >  >
 > > >  > You are always a member of the "everyone" group, so that
 > > >  > deny ACE is killing your access.
 > > >
 > > > Sorry, that's wrong.  The first ACL wins, allowing the owner in.
 > >
 > > Not according to:
 > > http://msdn.microsoft.com/en-us/library/cc246052(v=prot.13).aspx
 > > Quoting:  "An explicit deny will always override all other permissions."
 > >
 > > > Otherwise, the owner wouldn't have been able to copy the file
 > > > to ZFS over CIFS after Word failed to write it there directly.
 > >
 > > During the copy, you might have different permissions (i.e. as creator).
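
Added illustration, not part of the original message and not ZFS or Windows code: the Python below models the two readings argued in this thread over the ACL quoted above, namely the top-down rule from the Solaris documentation and the order-independent "explicit deny overrides" reading. The function names are hypothetical, and only the owner@ and everyone@ principals from the thread are modelled.

```python
# Added example: two ways to evaluate the ACL quoted in the thread.
PAGE_ACL = """
              owner@:rwxpdDaARWcCos:fd-----:allow
           everyone@:rwxpdDaARWcCos:fd-----:deny
"""

def parse_acl(text):
    """Parse compact 'who:perms:flags:type' entries into (who, perms, type)."""
    aces = []
    for line in text.split():          # entries contain no internal whitespace
        who, perms, _flags, kind = line.rsplit(":", 3)
        if kind not in ("allow", "deny"):
            raise ValueError(f"unknown ACE type: {kind!r}")
        aces.append((who, set(perms) - {"-"}, kind))
    return aces

def matches(who, is_owner):
    # Assumption: only owner@ and everyone@ are modelled (the two in the thread).
    return who == "everyone@" or (who == "owner@" and is_owner)

def ordered_check(aces, wanted, is_owner):
    """Top-down rule from the Solaris doc: the first decision per bit is final."""
    pending = set(wanted)
    for who, perms, kind in aces:
        if not matches(who, is_owner):
            continue
        hit = pending & perms
        if hit and kind == "deny":
            return False               # a still-undecided bit is denied
        pending -= hit                 # allowed bits can no longer be denied
        if not pending:
            return True
    return False                       # bits that no entry allowed are refused

def deny_overrides_check(aces, wanted, is_owner):
    """Order-independent reading: any matching deny on a wanted bit wins."""
    wanted, allowed = set(wanted), set()
    for who, perms, kind in aces:
        if not matches(who, is_owner):
            continue
        if kind == "deny" and wanted & perms:
            return False
        if kind == "allow":
            allowed |= perms
    return wanted <= allowed
```

With the ACL as posted, the ordered rule lets the owner write while the deny-overrides reading refuses; with the deny entry removed, both readings let the owner write and still refuse non-owners, because no entry allows them.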
