[OpenIndiana-discuss] ZFS ACLs - Cannot Write Microsoft Office Files over CIFS

Andrew Martin amartin at xes-inc.com
Tue Nov 11 22:38:48 UTC 2014


----- Original Message -----
> From: "Marcel Telka" <marcel at telka.sk>
> To: "Discussion list for OpenIndiana" <openindiana-discuss at openindiana.org>
> Sent: Tuesday, November 11, 2014 2:31:55 PM
> Subject: Re: [OpenIndiana-discuss] ZFS ACLs - Cannot Write Microsoft Office Files over CIFS
> 
> I'm not sure it is related, but you might want to look at this:
> 
> https://github.com/Nexenta/illumos-nexenta/commit/f360b07ec371df666ee6bb29182e387f57c948f7
> 
Marcel,

Thanks, this looks promising! I am not sure if the version of smb/server that I am running 
has this patch, though I suspect it does not. I'll look into it.

I've also been capturing activity with Wireshark to see if I can narrow this down further:

In a successful save, I can see Word doing the following:
* create a temporary file D92B1D52.tmp, write some data to it
* chown D92B1D52.tmp to the same owner as the actual docx (NT SET SECURITY DESC), may fail 
  with STATUS_INVALID_OWNER but this doesn't seem to be a problem
* request the ACLs on the parent directory via NT QUERY SECURITY DESC
* set the ACLs on D92B1D52.tmp
** Everyone - access allowed
** Domain Users - access allowed
* close D92B1D52.tmp
* mv the docx to 11E1292B.tmp
* mv D92B1D52.tmp to the docx filename
* set (new) docx file owner and ACLs:
** Everyone - access allowed
** Domain Users - access allowed
* open 11E1292B.tmp and set the "delete on close" flag
* close 11E1292B.tmp, thus deleting it

In a failed save:
* create a temporary file CE21CDFD.tmp, write some data to it
* attempt to chown CE21CDFD.tmp to the same owner as the actual docx (NT SET SECURITY DESC), 
  fails with STATUS_INVALID_OWNER
* request the ACLs on the parent dir (NT QUERY SECURITY DESC), fails with STATUS_NONE_MAPPED
* close CE21CDFD.tmp
* open CE21CDFD.tmp and set the "delete on close" flag
* close CE21CDFD.tmp, thus deleting it

It appears that Word creates a temporary file in the same directory, writes some data 
to it, and then tries to query the ACLs of the parent directory. If it cannot query the
parent directory's ACLs (STATUS_NONE_MAPPED), it then aborts and fails the save.

Note that the ACLs on the parent directory are:
     0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/execute/delete_child
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:dir_inherit:allow
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/read_xattr/write_xattr/delete_child/read_attributes
         /write_attributes/delete/read_acl/write_acl/write_owner
         /synchronize:file_inherit/inherit_only:allow
     2:group:Domain Users:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:dir_inherit:allow
     3:group:Domain Users:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/delete_child
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:file_inherit/inherit_only:allow
     4:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:dir_inherit:allow
     5:group@:list_directory/read_data/read_xattr/read_attributes/read_acl
         /synchronize:file_inherit/inherit_only:allow
     6:everyone@:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:dir_inherit:allow
     7:everyone@:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:file_inherit/inherit_only:allow

Oddly enough, if I look at the parent directory's permissions through the Security
tab in Windows, it shows Domain Users as only having these permissions:
 List folder contents
 Special permissions

If I try to grant Domain Users "Full control", Windows fails with this error:
No Mapping between account names and security IDs was done

Does this additional debug information help provide a clue to the source of this problem?

Thanks,

Andrew
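As an added illustration (not code from this thread or from OpenIndiana), here is the parent directory's ACL listing above evaluated the way ZFS evaluates NFSv4-style ACLs, checked against the rights the captured save sequence exercises on the parent directory. It assumes first-match evaluation with inherit_only entries skipped for the directory itself, and the set of required rights (add_file for the .tmp create, read_acl for the parent QUERY SECURITY DESC, delete_child for the rename/delete) is my reading of the capture, not something the mail states.

```python
# ACEs from the parent directory's `ls -v` listing above, one per line with the
# wrapped continuation lines joined (constructed sample input for this example).
PARENT_DIR_ACL = """\
0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:dir_inherit:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/read_xattr/write_xattr/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:file_inherit/inherit_only:allow
2:group:Domain Users:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:dir_inherit:allow
3:group:Domain Users:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/read_xattr/write_xattr/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:file_inherit/inherit_only:allow
4:group@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:dir_inherit:allow
5:group@:list_directory/read_data/read_xattr/read_attributes/read_acl/synchronize:file_inherit/inherit_only:allow
6:everyone@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:dir_inherit:allow
7:everyone@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:file_inherit/inherit_only:allow
"""
# Rights the captured save sequence exercises on the parent directory: create the
# .tmp file, read the directory's security descriptor, rename/delete children.
SAVE_SEQUENCE_NEEDS = {"add_file", "read_acl", "delete_child"}

def parse_acl(text):
    """Parse `ls -v` lines into (who, perms, flags, ace_type) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")[1:]              # drop the leading index
        if fields[0] in ("user", "group"):        # named principal, e.g. group:Domain Users
            who, fields = fields[0] + ":" + fields[1], fields[2:]
        else:                                     # owner@ / group@ / everyone@
            who, fields = fields[0], fields[1:]
        perms = set(fields[0].split("/"))
        flags = set(fields[1].split("/")) - {""} if len(fields) == 3 else set()
        entries.append((who, perms, flags, fields[-1]))
    return entries

def effective_perms(entries, is_owner, in_owning_group, groups):
    """NFSv4 first-match evaluation: walk ACEs in order; an ACE only decides bits no
    earlier ACE decided. inherit_only ACEs shape new children, not this directory."""
    allowed, denied = set(), set()
    for who, perms, flags, ace_type in entries:
        applies = (who == "everyone@" or (who == "owner@" and is_owner)
                   or (who == "group@" and in_owning_group)
                   or who in {"group:" + g for g in groups})
        if not applies or "inherit_only" in flags:
            continue
        undecided = perms - allowed - denied
        (allowed if ace_type == "allow" else denied).update(undecided)
    return allowed

def missing_for_save(acl_text, groups, is_owner=False, in_owning_group=False):
    """Rights from SAVE_SEQUENCE_NEEDS a member of `groups` does not get."""
    granted = effective_perms(parse_acl(acl_text), is_owner, in_owning_group, groups)
    return sorted(SAVE_SEQUENCE_NEEDS - granted)
```

For this listing nothing is missing for a Domain Users member (or even for an unmapped principal, since the everyone@ entry grants the same rights), so the directory ACL itself cannot be what fails the parent QUERY SECURITY DESC; that is consistent with STATUS_NONE_MAPPED and the Windows "No Mapping between account names and security IDs" error pointing at SID-to-name mapping rather than at permission bits.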
