[OpenIndiana-discuss] ZFS ACLs - Cannot Write Microsoft Office Files over CIFS
Andrew Martin
amartin at xes-inc.com
Tue Nov 11 19:45:32 UTC 2014
Hello,
I am running an OpenIndiana server with a ZFS pool exporting a share over both
NFSv4 and CIFS. The CIFS export is mounted by Windows 7 clients. On this share,
I have the following ACLs configured for directories:

0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
    /append_data/read_xattr/write_xattr/execute/delete_child
    /read_attributes/write_attributes/delete/read_acl/write_acl
    /write_owner/synchronize:dir_inherit:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
    /append_data/read_xattr/write_xattr/delete_child/read_attributes
    /write_attributes/delete/read_acl/write_acl/write_owner
    /synchronize:file_inherit/inherit_only:allow
2:group:Domain Users:list_directory/read_data/add_file/write_data
    /add_subdirectory/append_data/read_xattr/write_xattr/execute
    /delete_child/read_attributes/write_attributes/delete/read_acl
    /write_acl/write_owner/synchronize:dir_inherit:allow
3:group:Domain Users:list_directory/read_data/add_file/write_data
    /add_subdirectory/append_data/read_xattr/write_xattr/delete_child
    /read_attributes/write_attributes/delete/read_acl/write_acl
    /write_owner/synchronize:file_inherit/inherit_only:allow
4:group@:list_directory/read_data/read_xattr/execute/read_attributes
    /read_acl/synchronize:dir_inherit:allow
5:group@:list_directory/read_data/read_xattr/read_attributes/read_acl
    /synchronize:file_inherit/inherit_only:allow

And these ACLs for files:

0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
    /read_attributes/write_attributes/delete/read_acl/write_acl
    /write_owner/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr
    /write_xattr/read_attributes/write_attributes/delete/read_acl
    /write_acl/write_owner/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow

This works just fine; Domain Users are able to read and write files as expected,
except with Microsoft Office applications. Similar to
http://openindiana.org/pipermail/openindiana-discuss/2012-June/008550.html,
Microsoft Office applications allow you to open the file, but when you try to
save you are denied with "There has been a network or file permission error. The
network connection may be lost." The ACLs set on the file are as I indicated
above. Note that this only affects pre-existing Office files; newly-created
files are writable.

If in Windows I right-click on the file, go to Properties - Security - Edit and
check the Modify box under Allow for Domain Users, I am then able to save the
file in Office. This appears to modify the permissions to the following set:

0:group:Domain Users:read_data/write_data/append_data/read_xattr
    /write_xattr/execute/read_attributes/write_attributes/delete
    /read_acl/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr
    /write_xattr/execute/read_attributes/write_attributes/read_acl
    /write_acl/write_owner/synchronize:allow
2:owner@:read_data/write_data/append_data/read_xattr/write_xattr
    /read_attributes/write_attributes/delete/read_acl/write_acl
    /write_owner/synchronize:allow
3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow

Note that if I add the exact same permission set to another (currently
unreadable) file from the ZFS side (with chmod), I can make the Security
permissions dialog look exactly the same (Modify is checked); however, I cannot
save from Office applications until I uncheck and recheck it through Windows.
Thus it seems that Windows is storing some extra metadata that I cannot access
or even view on the server. Has anyone encountered this before, or do you have
any suggestions for what else I can try to properly set the
permissions on these files from the server?

Thanks,
Andrew Martin
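
An added example, not part of the original message: a small Python parser for the `ls -v` style listings above that diffs the file ACL before and after the Windows "Modify" edit, reporting per-principal allow-bit changes and the ACE order. The function names are made up for this illustration, and it assumes the ACLs contain only allow ACEs, as the listings in the message do.

```python
import re
# File ACLs copied from the message: before and after the Windows "Modify" edit.
BEFORE = """0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/delete/read_acl/write_acl
/write_owner/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr
/write_xattr/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow"""
AFTER = """0:group:Domain Users:read_data/write_data/append_data/read_xattr
/write_xattr/execute/read_attributes/write_attributes/delete
/read_acl/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr
/write_xattr/execute/read_attributes/write_attributes/read_acl
/write_acl/write_owner/synchronize:allow
2:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/delete/read_acl/write_acl
/write_owner/synchronize:allow
3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow"""

ACE_RE = re.compile(r"\d+:((?:user|group):[^:]+|\w+@):([^:]+)(?::([^:]+))?:(allow|deny)$")

def parse_acl(text):
    """Parse `ls -v` style ACL text into ordered (who, perms, flags, type) tuples."""
    aces = []
    for entry in re.sub(r"\n\s*/", "/", text.strip()).splitlines():  # rejoin wrapped ACEs
        m = ACE_RE.match(entry.strip())
        if not m:
            raise ValueError(f"unparseable ACE: {entry!r}")
        who, perms, flags, kind = m.groups()
        aces.append((who, frozenset(perms.split("/")), flags or "", kind))
    return aces

def allowed(aces):
    """Union of allow bits per principal on the object itself (assumes no deny ACEs)."""
    out = {}
    for who, perms, flags, kind in aces:
        if kind == "allow" and "inherit_only" not in flags:
            out.setdefault(who, set()).update(perms)
    return out

def diff_acl(before, after):
    """Map principal -> (bits added, bits removed) where the allow sets differ."""
    b, a = allowed(parse_acl(before)), allowed(parse_acl(after))
    return {w: (sorted(a.get(w, set()) - b.get(w, set())), sorted(b.get(w, set()) - a.get(w, set())))
            for w in sorted(set(a) | set(b)) if a.get(w) != b.get(w)}

def ace_order(text):
    return [who for who, *_ in parse_acl(text)]
print(diff_acl(BEFORE, AFTER), ace_order(BEFORE), ace_order(AFTER), sep="\n")
```

On the two listings from the message, the only allow-bit difference it reports is `execute` added for `group:Domain Users`; the ACE order also differs, with the two `Domain Users` entries ahead of `owner@`.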