ixnas VFS issue adding group owner and removing inherited permissions

Description

After upgrading our systems to 11.3 I was seeing issues setting permissions on SMB shares from Windows.

To work out the issue I built a new box from scratch on 11.3 and found through much trial and error that the bugs were related to ixnas, which is the new default instead of zfsacl and zfs_space.

We use Active Directory and all the users and groups will be from AD.

The two bugs I've found which cause problems are:

Changing a folder to be owned by an AD group results in a "user" entry being added, which prevents any group members having permissions.

Removing inheritance, and choosing to "copy", results in Samba telling Windows the inherited ACLs are still there (although getfacl shows them being changed to not have the "I" flag).

The following steps produced the bugs:

A share exists as follows (created and ACLs done from the GUI)

    # file: /mnt/dev-arc-01/testshare
    # owner: secg-folder-gl-arc-02-sharename-owner
    # group: secg-folder-gl-arc-02-sharename-owner
    group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCos:fd-----:allow
    group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd-----:allow
    group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd-----:allow
    everyone@:--------------:fd-----:allow

Firstly, using an SMB share with ixnas VFS:

Step 1: Create new folder in root of share called Test7
It's created fine and looks like this (With these inherited permissions set on the root of the share with the ACL editor)

    # file: Test7
    # owner: pa-wluke
    # group: secg-folder-gl-arc-02-sharename-owner
    group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCos:fd----I:allow
    group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd----I:allow
    group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd----I:allow
    everyone@:--------------:fd----I:allow

Step 2: Edit the permissions in Windows, and select to Disable Inheritance. It applies, and then Windows refreshes to show them still there and that they're inherited.

[Doesn't work -- updates in getfacl, but Samba still shows as inherited to Windows]

    # file: Test7
    # owner: pa-wluke
    # group: secg-folder-gl-arc-02-sharename-owner
    group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd-----:allow
    group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd-----:allow
    group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd-----:allow
    everyone@:--------------:fd-----:allow

[This is the first bug: can't remove these inherited permissions now, as Samba still shows them to Windows as inherited]

Step 3: Change owner to secg-folder-sharename-customername-owner (this is an AD group) and add secg-folder-sharename-customername-owner with full permissions

[results in this GROUP being added as a USER, see below. This means that group membership isn't checked and so it doesn't grant any permissions. Windows correctly shows it as the group and there doesn't seem to be a way to change it]

    # file: Test7
    # owner: secg-folder-sharename-customername-owner
    # group: secg-folder-gl-arc-02-sharename-owner
    user:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow
    group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd----I:allow
    group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd----I:allow
    group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd----I:allow
    everyone@:--------------:fd-----:allow

Step 4: Add secg-folder-sharename-customername-rw and secg-folder-sharename-customername-ro. Apply. These get added correctly.

[This appears to work correctly]

    # file: Test7
    # owner: secg-folder-sharename-customername-owner
    # group: secg-folder-gl-arc-02-sharename-owner
    user:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow
    group:secg-folder-sharename-customername-rw:rwxp-daARWc---:fd-----:allow
    group:secg-folder-sharename-customername-ro:r-x---a-R-c---:fd-----:allow
    group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd----I:allow
    group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd----I:allow
    group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd----I:allow
    everyone@:--------------:fd-----:allow

Step 5: Add pa-wluke with full permissions (this is to prevent losing access, as I'm a member of both the "-owner" groups but the group secg-folder-sharename-customername-owner is added as a user so doesn't work).

[Works fine]

    # file: Test7
    # owner: secg-folder-sharename-customername-owner
    # group: secg-folder-gl-arc-02-sharename-owner
    user:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow
    group:secg-folder-sharename-customername-rw:rwxp-daARWc---:fd-----:allow
    group:secg-folder-sharename-customername-ro:r-x---a-R-c---:fd-----:allow
    group:pa-wluke:rwxpDdaARWcCo-:fd-----:allow
    group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd----I:allow
    group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd----I:allow
    group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd----I:allow
    everyone@:--------------:fd-----:allow

(Note that those groups are showing as inherited again. I assume that's because Samba tells Windows they are and so subsequent saves set them back that way. I'll now try and remove those entirely.)

Step 6: Disable inheritance (choose to remove entirely, not to copy, in the Windows UI)

[Works fine]

    # file: Test7
    # owner: secg-folder-sharename-customername-owner
    # group: secg-folder-gl-arc-02-sharename-owner
    user:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow
    group:secg-folder-sharename-customername-rw:rwxp-daARWc---:fd-----:allow
    group:secg-folder-sharename-customername-ro:r-x---a-R-c---:fd-----:allow
    group:pa-wluke:rwxpDdaARWcCo-:fd-----:allow
    everyone@:--------------:fd-----:allow

(Also, note, Windows does NOT list the everyone permissions whatsoever)

Now, with zfsacl and zfs_space instead (just to show what the expected behaviour is):

Now, with zfsacl and zfs_space instead of ixnas:

Windows now shows the everyone listing when viewing permissions

Create new folder in root of the share, Test8:

[All looks good]

    # file: /mnt/dev-arc-01/testshare/Test8
    # owner: pa-wluke
    # group: secg-folder-gl-arc-02-sharename-owner
    group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCos:fd----I:allow
    group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd----I:allow
    group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd----I:allow
    everyone@:--------------:fd----I:allow

Edit the permissions in Windows, disable inheritance and choose to copy. Windows now correctly shows them as no longer inherited, and the everyone permission is gone.

[Permissions are correct, all good]

    # file: /mnt/dev-arc-01/testshare/Test8
    # owner: pa-wluke
    # group: secg-folder-gl-arc-02-sharename-owner
    group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd-----:allow
    group:secg-folder-gl-arc-02-sharename-rw:rw-pD---R-----:fd-----:allow
    group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd-----:allow

Change owner to secg-folder-sharename-customername-owner and add secg-folder-sharename-customername-owner with full permissions

[All looks correct, this group has been correctly added as a group so members will be granted correct permissions]

    # file: /mnt/dev-arc-01/testshare/Test8
    # owner: secg-folder-sharename-customername-owner
    # group: secg-folder-gl-arc-02-sharename-owner
    group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd-----:allow
    group:secg-folder-gl-arc-02-sharename-rw:rw-pD---R-----:fd-----:allow
    group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd-----:allow
    group:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow

Add secg-folder-sharename-customername-rw and secg-folder-sharename-customername-ro. Apply. Also, remove the initial 3 groups that were copied in.

[This all works great]

    # file: /mnt/dev-arc-01/testshare/Test8
    # owner: secg-folder-sharename-customername-owner
    # group: secg-folder-gl-arc-02-sharename-owner
    group:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow
    group:secg-folder-sharename-customername-rw:rwxp-daARWc---:fd-----:allow
    group:secg-folder-sharename-customername-ro:r-x---a-R-c---:fd-----:allow

[I can now control access to the folder and its contents through AD groups, perfect! These folders will contain subfolders per day going back up to a decade, with up to 200k files in each day... hence the need for groups to control access]

Problem/Justification

None

Impact

None
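A check for the first symptom in the description (an AD group written as a `user:` ACE, so membership is never evaluated), added here as an example and not part of the original ticket or of the ixnas module. It parses `getfacl` NFSv4 output and also lists entries that carry the on-disk `I` flag, for comparison with what Windows displays. The `known_groups` set, the `audit` function and the sample ACL are assumptions constructed for illustration.

```python
import re

# One NFSv4 ACE as printed by FreeBSD getfacl: tag[:name]:perms:flags:type
ACE_RE = re.compile(
    r"^(?P<tag>user|group|owner@|group@|everyone@)"
    r"(?::(?P<name>[^:]+))?"
    r":(?P<perms>[A-Za-z-]{14}):(?P<flags>[A-Za-z-]{7}):(?P<type>allow|deny)$"
)

def audit(getfacl_text, known_groups):
    """Parse getfacl output; report group principals stored as user ACEs
    and principals whose ACE has the inherited (I) flag on disk."""
    result = {"header": {}, "group_as_user": [], "inherited": []}
    for raw in getfacl_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):                      # "# file:", "# owner:", "# group:"
            key, _, value = line[1:].partition(":")
            result["header"][key.strip()] = value.strip()
            continue
        m = ACE_RE.match(line)
        if not m:
            continue                                  # blank or unrecognised line
        principal = m["name"] or m["tag"]
        # A name we know to be a directory group must never appear under "user:".
        if m["tag"] == "user" and m["name"] in known_groups:
            result["group_as_user"].append(principal)
        if "I" in m["flags"]:
            result["inherited"].append(principal)
    return result

# Constructed sample, modelled on the Step 5 listing (names are made up).
SAMPLE = """\
# file: Test7
# owner: grp-cust-owner
# group: grp-share-owner
    user:grp-cust-owner:rwxpDdaARWcCo-:fd-----:allow
    group:grp-cust-rw:rwxp-daARWc---:fd-----:allow
    group:grp-share-ro:r-x---a-R-c---:fd----I:allow
    everyone@:--------------:fd-----:allow
"""
# Assumption: the caller supplies the set of names that are groups in AD.
GROUPS = {"grp-cust-owner", "grp-cust-rw", "grp-share-ro", "grp-share-owner"}

if __name__ == "__main__":
    report = audit(SAMPLE, GROUPS)
    print("group stored as user ACE:", report["group_as_user"])
    print("inherited on disk:", report["inherited"])
```

An empty `inherited` list for a folder that Windows still shows as inheriting matches the second symptom in the description.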

Activity

Bug Clerk March 31, 2020 at 5:18 PM

William Gryzbowski March 27, 2020 at 7:48 PM

11.3 PR will be merged once freeze is lifted

Bug Clerk March 24, 2020 at 2:35 PM

William Luke March 23, 2020 at 1:04 PM

Thanks great Andrew, thanks for the swift acknowledgement, I'm happy to test, just let me know.

Andrew Walker March 23, 2020 at 12:54 PM

William, thank you for the detailed bug report. I will try to have a fixed vfs module for you to test by tomorrow or the day after.

Complete
Created March 20, 2020 at 5:30 PM
Updated July 1, 2022 at 4:50 PM
Resolved March 27, 2020 at 8:23 PM