[OpenIndiana-discuss] ZFS ACLs - Cannot Write Microsoft Office Files over CIFS

Marcel Telka marcel at telka.sk
Tue Nov 11 20:31:55 UTC 2014

On Tue, Nov 11, 2014 at 01:45:32PM -0600, Andrew Martin wrote:
> Hello,
> I am running an OpenIndiana server with a ZFS pool exporting a share over both
> NFSv4 and CIFS. The CIFS export is mounted by Windows 7 clients. On this share,
> I have the following ACLs configured for directories:
>      0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>          /append_data/read_xattr/write_xattr/execute/delete_child
>          /read_attributes/write_attributes/delete/read_acl/write_acl
>          /write_owner/synchronize:dir_inherit:allow
>      1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>          /append_data/read_xattr/write_xattr/delete_child/read_attributes
>          /write_attributes/delete/read_acl/write_acl/write_owner
>          /synchronize:file_inherit/inherit_only:allow
>      2:group:Domain Users:list_directory/read_data/add_file/write_data
>          /add_subdirectory/append_data/read_xattr/write_xattr/execute
>          /delete_child/read_attributes/write_attributes/delete/read_acl
>          /write_acl/write_owner/synchronize:dir_inherit:allow
>      3:group:Domain Users:list_directory/read_data/add_file/write_data
>          /add_subdirectory/append_data/read_xattr/write_xattr/delete_child
>          /read_attributes/write_attributes/delete/read_acl/write_acl
>          /write_owner/synchronize:file_inherit/inherit_only:allow
>      4:group@:list_directory/read_data/read_xattr/execute/read_attributes
>          /read_acl/synchronize:dir_inherit:allow
>      5:group@:list_directory/read_data/read_xattr/read_attributes/read_acl
>          /synchronize:file_inherit/inherit_only:allow
> And these ACLs for files:
>      0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
>          /read_attributes/write_attributes/delete/read_acl/write_acl
>          /write_owner/synchronize:allow
>      1:group:Domain Users:read_data/write_data/append_data/read_xattr
>          /write_xattr/read_attributes/write_attributes/delete/read_acl
>          /write_acl/write_owner/synchronize:allow
>      2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
> This works just fine, Domain Users are able to read and write files as expected,
> except with Microsoft Office applications. Similar to
> http://openindiana.org/pipermail/openindiana-discuss/2012-June/008550.html,
> Microsoft Office applications allow you to open the file, but when you try to
> save you are denied with "There has been a network or file permission error. The
> network connection may be lost.". The ACLs set on the file are as I indicated
> above. Note that this only affects pre-existing Office files; newly-created
> files are writable.
> If in Windows I right-click on the file, go to Properties - Security - Edit and
> check the Modify box under Allow for Domain Users, I am then able to save the
> file in Office. This appears to modify the permissions to the following set:
>      0:group:Domain Users:read_data/write_data/append_data/read_xattr
>          /write_xattr/execute/read_attributes/write_attributes/delete
>          /read_acl/synchronize:allow
>      1:group:Domain Users:read_data/write_data/append_data/read_xattr
>          /write_xattr/execute/read_attributes/write_attributes/read_acl
>          /write_acl/write_owner/synchronize:allow
>      2:owner@:read_data/write_data/append_data/read_xattr/write_xattr
>          /read_attributes/write_attributes/delete/read_acl/write_acl
>          /write_owner/synchronize:allow
>      3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
> Note that if I add the exact same permission set to another (currently
> unreadable) file from the ZFS side (with chmod), I can make the Security
> permissions dialog look exactly the same (Modify is checked), however I cannot
> save from Office applications until I uncheck and recheck it through Windows.
> Thus it seems that Windows is storing some extra metadata that I cannot access
> or even view on the server. Has anyone encountered this before or do you have
> any suggestions for what else I can try to attempt to properly set the
> permissions on these files from the server?

I'm not sure it is related, but you might want to look at this:


| Marcel Telka   e-mail:   marcel at telka.sk  |
|                homepage: http://telka.sk/ |
|                jabber:   marcel at jabber.sk |
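
Added example, not part of either poster's message and not OpenIndiana code: a Python script that parses the verbose ACL listings quoted above and reports, per principal, which allow permissions differ between the original file ACL and the one present after Modify was toggled in Windows. The function names are hypothetical, and the comparison deliberately ignores deny entries and entry order.

```python
# File ACLs copied from the post (quoting removed): before / after the Windows edit.
BEFORE = """\
0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
    /read_attributes/write_attributes/delete/read_acl/write_acl
    /write_owner/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr
    /write_xattr/read_attributes/write_attributes/delete/read_acl
    /write_acl/write_owner/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
"""
AFTER = """\
0:group:Domain Users:read_data/write_data/append_data/read_xattr
    /write_xattr/execute/read_attributes/write_attributes/delete
    /read_acl/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr
    /write_xattr/execute/read_attributes/write_attributes/read_acl
    /write_acl/write_owner/synchronize:allow
2:owner@:read_data/write_data/append_data/read_xattr/write_xattr
    /read_attributes/write_attributes/delete/read_acl/write_acl
    /write_owner/synchronize:allow
3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
"""

def parse_acl(text):
    """Parse verbose ACL text into [(who, perms, flags, type)]."""
    entries, acl = [], []
    for line in (l.strip() for l in text.splitlines()):
        if line[:1].isdigit():
            entries.append(line)      # a new numbered entry starts here
        elif line and entries:
            entries[-1] += line       # wrapped continuation of the entry
    for f in (e.split(":") for e in entries):
        n = 3 if f[1] in ("user", "group") else 2  # "group:Name" is two fields
        flags = set(f[n + 1].split("/")) if len(f) > n + 2 else set()
        acl.append((":".join(f[1:n]), set(f[n].split("/")), flags, f[-1]))
    return acl

def diff(before, after):
    """Per principal: (added, removed) allow bits; deny/order not modelled."""
    a, b = {}, {}
    for text, eff in ((before, a), (after, b)):
        for who, perms, flags, kind in parse_acl(text):
            if kind == "allow" and "inherit_only" not in flags:
                eff.setdefault(who, set()).update(perms)
    return {w: (sorted(b.get(w, set()) - a.get(w, set())),
                sorted(a.get(w, set()) - b.get(w, set())))
            for w in set(a) | set(b) if a.get(w) != b.get(w)}

print(diff(BEFORE, AFTER))
```

On the two file ACLs from the post, the only difference it reports is `execute` added for `group:Domain Users`; `owner@` and `group@` are unchanged.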
