[OpenIndiana-discuss] ZFS ACLs - Cannot Write Microsoft Office Files over CIFS

Andrew Martin amartin at xes-inc.com
Tue Nov 11 19:45:32 UTC 2014


Hello,

I am running an OpenIndiana server with a ZFS pool exporting a share over both
NFSv4 and CIFS. The CIFS export is mounted by Windows 7 clients. On this share,
I have the following ACLs configured for directories:
     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/execute/delete_child
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:dir_inherit:allow
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/delete_child/read_attributes
         /write_attributes/delete/read_acl/write_acl/write_owner
         /synchronize:file_inherit/inherit_only:allow
     2:group:Domain Users:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:dir_inherit:allow
     3:group:Domain Users:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/delete_child
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:file_inherit/inherit_only:allow
     4:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:dir_inherit:allow
     5:group@:list_directory/read_data/read_xattr/read_attributes/read_acl
         /synchronize:file_inherit/inherit_only:allow

And these ACLs for files:
     0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:allow
     1:group:Domain Users:read_data/write_data/append_data/read_xattr
         /write_xattr/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:allow
     2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow

This works just fine: Domain Users are able to read and write files as expected,
except with Microsoft Office applications. Similar to
http://openindiana.org/pipermail/openindiana-discuss/2012-June/008550.html,
Microsoft Office applications allow you to open the file, but when you try to
save you are denied with "There has been a network or file permission error. The
network connection may be lost." The ACLs set on the file are as I indicated
above. Note that this only affects pre-existing Office files; newly created
files are writable.

If in Windows I right-click on the file, go to Properties - Security - Edit and
check the Modify box under Allow for Domain Users, I am then able to save the
file in Office. This appears to modify the permissions to the following set:
     0:group:Domain Users:read_data/write_data/append_data/read_xattr
         /write_xattr/execute/read_attributes/write_attributes/delete
         /read_acl/synchronize:allow
     1:group:Domain Users:read_data/write_data/append_data/read_xattr
         /write_xattr/execute/read_attributes/write_attributes/read_acl
         /write_acl/write_owner/synchronize:allow
     2:owner@:read_data/write_data/append_data/read_xattr/write_xattr
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:allow
     3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow

Note that if I add the exact same permission set to another (currently
unreadable) file from the ZFS side (with chmod), I can make the Security
permissions dialog look exactly the same (Modify is checked); however, I cannot
save from Office applications until I uncheck and recheck it through Windows.
Thus it seems that Windows is storing some extra metadata that I cannot access
or even view on the server. Has anyone encountered this before, or do you have
any suggestions for what else I can try in order to properly set the
permissions on these files from the server?

Thanks,

Andrew Martin
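
An added example, not part of the original message: a small parser for the ACL listing format quoted above that unions the allow bits per principal and reports what changed between the file ACL as configured and the ACL after the Windows "Modify" edit. The function names are hypothetical, the two listings are copied from the message, and principals are matched literally with no group-membership resolution.

```python
import re

# File ACLs copied from the message: as configured, then after the Windows edit.
BEFORE = """\
0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
    /read_attributes/write_attributes/delete/read_acl/write_acl
    /write_owner/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr
    /write_xattr/read_attributes/write_attributes/delete/read_acl
    /write_acl/write_owner/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
"""
AFTER = """\
0:group:Domain Users:read_data/write_data/append_data/read_xattr
    /write_xattr/execute/read_attributes/write_attributes/delete
    /read_acl/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr
    /write_xattr/execute/read_attributes/write_attributes/read_acl
    /write_acl/write_owner/synchronize:allow
2:owner@:read_data/write_data/append_data/read_xattr/write_xattr
    /read_attributes/write_attributes/delete/read_acl/write_acl
    /write_owner/synchronize:allow
3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
"""

def parse_acl(text):
    """Parse a wrapped ACL listing into [(principal, perms, flags, kind)]."""
    acl = []
    for line in re.sub(r"\n\s*/", "/", text).splitlines():  # wrapped lines start with "/"
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue                                         # blank or not an ACL entry
        n = 3 if parts[1] in ("user", "group") else 2        # "group:Name" is two fields
        flags = "/".join(parts[n + 1:-1]).split("/")
        acl.append((":".join(parts[1:n]), set(parts[n].split("/")), flags, parts[-1]))
    return acl

def allowed(acl, who):
    """Bits granted by entries naming `who`; the first entry deciding a bit wins."""
    granted, decided = set(), set()
    for principal, perms, flags, kind in acl:
        if principal == who and "inherit_only" not in flags:
            granted |= (perms - decided) if kind == "allow" else set()
            decided |= perms
    return granted

def acl_diff(before, after, who):
    b, a = allowed(parse_acl(before), who), allowed(parse_acl(after), who)
    return sorted(a - b), sorted(b - a)                      # (bits gained, bits lost)
```

For the two file listings in the message, `acl_diff(BEFORE, AFTER, "group:Domain Users")` reports `execute` as the only bit gained and nothing lost. Entry order and the split of Domain Users into two entries are not captured by this set comparison.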


