[OpenIndiana-discuss] ZFS ACLs - Cannot Write Microsoft Office Files over CIFS

Gordon Ross gordon.w.ross at gmail.com
Thu Nov 13 01:15:03 UTC 2014


There were some delete-on-close problems.  Not sure if this was caused
by that...


On Tue, Nov 11, 2014 at 5:38 PM, Andrew Martin <amartin at xes-inc.com> wrote:
> ----- Original Message -----
>> From: "Marcel Telka" <marcel at telka.sk>
>> To: "Discussion list for OpenIndiana" <openindiana-discuss at openindiana.org>
>> Sent: Tuesday, November 11, 2014 2:31:55 PM
>> Subject: Re: [OpenIndiana-discuss] ZFS ACLs - Cannot Write Microsoft Office Files over CIFS
>>
>> I'm not sure it is related, but you might want to look at this:
>>
>> https://github.com/Nexenta/illumos-nexenta/commit/f360b07ec371df666ee6bb29182e387f57c948f7
>>
> Marcel,
>
> Thanks, this looks promising! I am not sure if the version of smb/server that I am running
> has this patch, though I suspect it does not. I'll look into it.
>
> I've also been capturing activity with Wireshark to see if I can narrow this down further:
>
> In a successful save, I can see Word doing the following:
> * create a temporary file D92B1D52.tmp, write some data to it
> * chown D92B1D52.tmp to the same owner as the actual docx (NT SET SECURITY DESC), may fail
>   with STATUS_INVALID_OWNER but this doesn't seem to be a problem
> * request the ACLs on the parent directory via NT QUERY SECURITY DESC
> * set the ACLs on D92B1D52.tmp
> ** Everyone - access allowed
> ** Domain Users - access allowed
> * close D92B1D52.tmp
> * mv the docx to 11E1292B.tmp
> * mv D92B1D52.tmp to the docx filename
> * set (new) docx file owner and ACLs:
> ** Everyone - access allowed
> ** Domain Users - access allowed
> * open 11E1292B.tmp and set the "delete on close" flag
> * close 11E1292B.tmp, thus deleting it
>
> In a failed save:
> * create a temporary file CE21CDFD.tmp, write some data to it
> * attempt to chown CE21CDFD.tmp to the same owner as the actual docx (NT SET SECURITY DESC),
>   fails with STATUS_INVALID_OWNER
> * request the ACLs on the parent dir (NT QUERY SECURITY DESC), fails with STATUS_NONE_MAPPED
> * close CE21CDFD.tmp
> * open CE21CDFD.tmp and set the "delete on close" flag
> * close CE21CDFD.tmp, thus deleting it
>
> It appears that Word creates a temporary file in the same directory, writes some data
> to it, and then tries to query the ACLs of the parent directory. If it cannot query the
> parent directory's ACLs (STATUS_NONE_MAPPED), it then aborts and fails the save.
>
> Note that the ACLs on the parent directory are:
>      0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>          /append_data/read_xattr/write_xattr/execute/delete_child
>          /read_attributes/write_attributes/delete/read_acl/write_acl
>          /write_owner/synchronize:dir_inherit:allow
>      1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>          /append_data/read_xattr/write_xattr/delete_child/read_attributes
>          /write_attributes/delete/read_acl/write_acl/write_owner
>          /synchronize:file_inherit/inherit_only:allow
>      2:group:Domain Users:list_directory/read_data/add_file/write_data
>          /add_subdirectory/append_data/read_xattr/write_xattr/execute
>          /delete_child/read_attributes/write_attributes/delete/read_acl
>          /write_acl/write_owner/synchronize:dir_inherit:allow
>      3:group:Domain Users:list_directory/read_data/add_file/write_data
>          /add_subdirectory/append_data/read_xattr/write_xattr/delete_child
>          /read_attributes/write_attributes/delete/read_acl/write_acl
>          /write_owner/synchronize:file_inherit/inherit_only:allow
>      4:group@:list_directory/read_data/read_xattr/execute/read_attributes
>          /read_acl/synchronize:dir_inherit:allow
>      5:group@:list_directory/read_data/read_xattr/read_attributes/read_acl
>          /synchronize:file_inherit/inherit_only:allow
>      6:everyone@:list_directory/read_data/add_file/write_data
>          /add_subdirectory/append_data/read_xattr/write_xattr/execute
>          /delete_child/read_attributes/write_attributes/delete/read_acl
>          /write_acl/write_owner/synchronize:dir_inherit:allow
>      7:everyone@:list_directory/read_data/add_file/write_data
>          /add_subdirectory/append_data/read_xattr/write_xattr/execute
>          /delete_child/read_attributes/write_attributes/delete/read_acl
>          /write_acl/write_owner/synchronize:file_inherit/inherit_only:allow
>
> Oddly enough, if I look at the parent directory's permissions through the Security
> tab in Windows, it shows Domain users as only having these permissions:
>  List folder contents
>  Special permissions
>
> If I try to grant Domain Users "Full control", Windows fails with this error:
> No Mapping between account names and security IDs was done
>
> Does this additional debug information help provide a clue to the source of this problem?
>
> Thanks,
>
> Andrew
>
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
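The ACL listing quoted above splits each principal into a `dir_inherit` entry and a `file_inherit/inherit_only` entry. The following added example (not part of the thread or of any illumos tool) parses that `ls -v` style text, reports which objects each entry governs, and lists the named principals to check against the server's identity mapping. The function names and the scope labels are assumptions made for this sketch.

```python
import re

# Constructed sample: ACEs 2-4 copied from the listing in the post,
# including the wrapped continuation lines.
SAMPLE = """\
     2:group:Domain Users:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:dir_inherit:allow
     3:group:Domain Users:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/delete_child
         /read_attributes/write_attributes/delete/read_acl/write_acl
         /write_owner/synchronize:file_inherit/inherit_only:allow
     4:group@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:dir_inherit:allow
"""
ABSTRACT = {"owner@", "group@", "everyone@"}  # principals written as one field

def parse_acl(text):
    """Return one dict per ACE from `ls -v` style output (mail quoting allowed)."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"^[>\s]+", "", line)   # drop "> " quoting and indentation
        if re.match(r"\d+:", line):
            entries.append(line)              # start of a new ACE
        elif line and entries:
            entries[-1] += line               # wrapped continuation of that ACE
    aces = []
    for entry in entries:
        index, rest = entry.split(":", 1)
        fields = rest.split(":")
        n = 1 if fields[0] in ABSTRACT else 2  # user:/group: entries use two fields
        tail = fields[n:]                      # perms[, inheritance flags], type
        flags = set(tail[1].split("/")) if len(tail) == 3 else set()
        aces.append({"index": int(index), "who": ":".join(fields[:n]),
                     "perms": set(tail[0].split("/")), "flags": flags,
                     "type": tail[-1]})
    return aces

def scope(ace):
    """Objects the ACE governs: inherit_only excludes the directory itself."""
    f = ace["flags"]
    targets = [] if "inherit_only" in f else ["this folder"]
    targets += ["subfolders"] if "dir_inherit" in f else []
    targets += ["files"] if "file_inherit" in f else []
    return targets

def named_principals(aces):
    """Named users/groups, i.e. entries that are not owner@/group@/everyone@."""
    return sorted({a["who"] for a in aces if a["who"] not in ABSTRACT})
```
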


