[OpenIndiana-discuss] ZFS ACLs - Cannot Write Microsoft Office Files over CIFS
Marcel Telka
marcel at telka.sk
Tue Nov 11 20:31:55 UTC 2014
On Tue, Nov 11, 2014 at 01:45:32PM -0600, Andrew Martin wrote:
> Hello,
>
> I am running an OpenIndiana server with a ZFS pool exporting a share over both
> NFSv4 and CIFS. The CIFS export is mounted by Windows 7 clients. On this share,
> I have the following ACLs configured for directories:
>     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>         /append_data/read_xattr/write_xattr/execute/delete_child
>         /read_attributes/write_attributes/delete/read_acl/write_acl
>         /write_owner/synchronize:dir_inherit:allow
>     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>         /append_data/read_xattr/write_xattr/delete_child/read_attributes
>         /write_attributes/delete/read_acl/write_acl/write_owner
>         /synchronize:file_inherit/inherit_only:allow
>     2:group:Domain Users:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/write_xattr/execute
>         /delete_child/read_attributes/write_attributes/delete/read_acl
>         /write_acl/write_owner/synchronize:dir_inherit:allow
>     3:group:Domain Users:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/write_xattr/delete_child
>         /read_attributes/write_attributes/delete/read_acl/write_acl
>         /write_owner/synchronize:file_inherit/inherit_only:allow
>     4:group@:list_directory/read_data/read_xattr/execute/read_attributes
>         /read_acl/synchronize:dir_inherit:allow
>     5:group@:list_directory/read_data/read_xattr/read_attributes/read_acl
>         /synchronize:file_inherit/inherit_only:allow
>
> And these ACLs for files:
>     0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
>         /read_attributes/write_attributes/delete/read_acl/write_acl
>         /write_owner/synchronize:allow
>     1:group:Domain Users:read_data/write_data/append_data/read_xattr
>         /write_xattr/read_attributes/write_attributes/delete/read_acl
>         /write_acl/write_owner/synchronize:allow
>     2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
>
> This works just fine, Domain Users are able to read and write files as expected,
> except with Microsoft Office applications. Similar to
> http://openindiana.org/pipermail/openindiana-discuss/2012-June/008550.html,
> Microsoft Office applications allow you to open the file, but when you try to
> save you are denied with "There has been a network or file permission error. The
> network connection may be lost.". The ACLs set on the file are as I indicated
> above. Note that this only affects pre-existing Office files, newly-created
> files are writable.
>
> If in Windows I right-click on the file, go to Properties - Security - Edit and
> check the Modify box under Allow for Domain Users, I am then able to save the
> file in Office. This appears to modify the permissions to the following set:
>     0:group:Domain Users:read_data/write_data/append_data/read_xattr
>         /write_xattr/execute/read_attributes/write_attributes/delete
>         /read_acl/synchronize:allow
>     1:group:Domain Users:read_data/write_data/append_data/read_xattr
>         /write_xattr/execute/read_attributes/write_attributes/read_acl
>         /write_acl/write_owner/synchronize:allow
>     2:owner@:read_data/write_data/append_data/read_xattr/write_xattr
>         /read_attributes/write_attributes/delete/read_acl/write_acl
>         /write_owner/synchronize:allow
>     3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
>
> Note that if I add the exact same permission set to another (currently
> unreadable) file from the ZFS side (with chmod), I can make the Security
> permissions dialog look exactly the same (Modify is checked), however I cannot
> save from Office applications until I uncheck and recheck it through Windows.
> Thus it seems that Windows is storing some extra metadata that I cannot access
> or even view on the server. Has anyone encountered this before or do you have
> any suggestions for what else I can try to attempt to properly set the
> permissions on these files from the server?

I'm not sure it is related, but you might want to look at this:
https://github.com/Nexenta/illumos-nexenta/commit/f360b07ec371df666ee6bb29182e387f57c948f7
--
+-------------------------------------------+
| Marcel Telka e-mail: marcel at telka.sk |
| homepage: http://telka.sk/ |
| jabber: marcel at jabber.sk |
+-------------------------------------------+
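
An added example, not part of the original thread: a small Python parser for ACL entries in the format quoted above, used to compare the effective allow permissions per principal on the file before and after the Windows "Modify" edit. The function names are this example's own, and it models only allow entries, which is all the quoted ACLs contain.

```python
import re

# File ACLs copied from the message: as configured, then after the Windows edit.
BEFORE = """\
0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/delete/read_acl/write_acl
/write_owner/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr
/write_xattr/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow"""
AFTER = """\
0:group:Domain Users:read_data/write_data/append_data/read_xattr
/write_xattr/execute/read_attributes/write_attributes/delete
/read_acl/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr
/write_xattr/execute/read_attributes/write_attributes/read_acl
/write_acl/write_owner/synchronize:allow
2:owner@:read_data/write_data/append_data/read_xattr/write_xattr
/read_attributes/write_attributes/delete/read_acl/write_acl
/write_owner/synchronize:allow
3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow"""

def parse_acl(text):
    """Parse ACL text (wrapped lines start with '/') into (who, perms, flags, type)."""
    aces = []
    for line in re.sub(r"\s*\n\s*/", "/", text.strip()).splitlines():
        parts = line.strip().split(":")
        n = 3 if parts[1] in ("user", "group") else 2  # named principals take a field
        perms, *flags = parts[n:-1]  # permissions, then optional inheritance flags
        flags = {f for s in flags for f in s.split("/")}
        aces.append((":".join(parts[1:n]), set(perms.split("/")), flags, parts[-1]))
    return aces

def effective_allow(aces):
    """Union of allowed permissions per principal that apply to the object itself."""
    out = {}
    for who, perms, flags, ace_type in aces:
        if ace_type != "allow":
            raise ValueError("deny/audit entries are order-sensitive; not modelled")
        if "inherit_only" not in flags:  # inherit_only ACEs affect children only
            out.setdefault(who, set()).update(perms)
    return out

def acl_delta(before, after):
    """Per principal: (permissions gained, permissions lost)."""
    b, a = effective_allow(parse_acl(before)), effective_allow(parse_acl(after))
    return {w: (a.get(w, set()) - b.get(w, set()), b.get(w, set()) - a.get(w, set()))
            for w in sorted(set(a) | set(b))}
```

For the two file ACLs in the message, `acl_delta(BEFORE, AFTER)` reports that the only visible change is `execute` gained by `group:Domain Users`; `owner@` and `group@` are unchanged.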