FreeNAS / TrueNAS
NAS-105486

ixnas VFS issue adding group owner and removing inherited permissions


    Details

    • Type: Bug
    • Status: Done
    • Priority: Low
    • Resolution: Complete
    • Affects Version/s: 11.3-RELEASE, 12.0-ALPHA1
    • Fix Version/s: 11.3-U2, 12.0-ALPHA1
    • Component/s: SMB
    • Labels: None

      Description

      After upgrading our systems to 11.3 I was seeing issues setting permissions on SMB shares from Windows.

      To work out the issue I built a new box from scratch on 11.3 and found, through much trial and error, that the bugs were related to ixnas, which is the new default instead of zfsacl and zfs_space.

      We use Active Directory and all the users and groups will be from AD.

      The two bugs I've found which cause problems are:

      Changing a folder to be owned by an AD group results in a "user" entry being added, which prevents any group members having permissions.

      Removing inheritance, and choosing to "copy", results in Samba telling Windows the inherited ACLs are still there (although getfacl shows them being changed to not have the "I" flag).

       

      The following steps produced the bugs:

       

      A share exists as follows (created and ACLs set from the GUI):

      # file: /mnt/dev-arc-01/testshare
      # owner: secg-folder-gl-arc-02-sharename-owner
      # group: secg-folder-gl-arc-02-sharename-owner
      group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCos:fd-----:allow
      group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd-----:allow
      group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd-----:allow
               everyone@:--------------:fd-----:allow

       

      Firstly, using an SMB share with the ixnas VFS:

      Step 1: Create a new folder in the root of the share called Test7.
      It's created fine and looks like this (with these inherited permissions set on the root of the share with the ACL editor):

      # file: Test7
      # owner: pa-wluke
      # group: secg-folder-gl-arc-02-sharename-owner
      group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCos:fd----I:allow
      group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd----I:allow
      group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd----I:allow
               everyone@:--------------:fd----I:allow

       

      Step 2: Edit the permissions in Windows and select Disable Inheritance. It applies, and then Windows refreshes to show them still there and still inherited.

      [Doesn't work: updates in getfacl, but Samba still shows them as inherited to Windows]

      # file: Test7
      # owner: pa-wluke
      # group: secg-folder-gl-arc-02-sharename-owner
      group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd-----:allow
      group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd-----:allow
      group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd-----:allow
               everyone@:--------------:fd-----:allow

      [This is the first bug: can't remove these inherited permissions now, as Samba still shows them to Windows as inherited]


      Step 3: Change owner to secg-folder-sharename-customername-owner (this is an AD group) and add secg-folder-sharename-customername-owner with full permissions.

      [Results in this GROUP being added as a USER, see below. This means that group membership isn't checked and so it doesn't grant any permissions. Windows correctly shows it as the group and there doesn't seem to be a way to change it]

      # file: Test7
      # owner: secg-folder-sharename-customername-owner
      # group: secg-folder-gl-arc-02-sharename-owner
      user:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow
      group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd----I:allow
      group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd----I:allow
      group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd----I:allow
               everyone@:--------------:fd-----:allow


      Step 4: Add secg-folder-sharename-customername-rw and secg-folder-sharename-customername-ro. Apply. These get added correctly.

      [This appears to work correctly]

      # file: Test7
      # owner: secg-folder-sharename-customername-owner
      # group: secg-folder-gl-arc-02-sharename-owner
      user:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow
      group:secg-folder-sharename-customername-rw:rwxp-daARWc---:fd-----:allow
      group:secg-folder-sharename-customername-ro:r-x---a-R-c---:fd-----:allow
      group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd----I:allow
      group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd----I:allow
      group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd----I:allow
               everyone@:--------------:fd-----:allow

      Step 5: Add pa-wluke with full permissions (this is to prevent losing access, as I'm a member of both the "-owner" groups but the group secg-folder-sharename-customername-owner is added as a user so doesn't work).

      [Works fine]

      # file: Test7
      # owner: secg-folder-sharename-customername-owner
      # group: secg-folder-gl-arc-02-sharename-owner
      user:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow
      group:secg-folder-sharename-customername-rw:rwxp-daARWc---:fd-----:allow
      group:secg-folder-sharename-customername-ro:r-x---a-R-c---:fd-----:allow
      group:pa-wluke:rwxpDdaARWcCo-:fd-----:allow
      group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd----I:allow
      group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd----I:allow
      group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd----I:allow
               everyone@:--------------:fd-----:allow


      (Note that those groups are showing as inherited again; I assume that's because Samba tells Windows they are and so subsequent saves set them back that way. I'll now try and remove those entirely.)

       

      Step 6: Disable inheritance (choose to remove entirely, not to copy, in the Windows UI).

      [Works fine]

      # file: Test7
      # owner: secg-folder-sharename-customername-owner
      # group: secg-folder-gl-arc-02-sharename-owner
      user:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow
      group:secg-folder-sharename-customername-rw:rwxp-daARWc---:fd-----:allow
      group:secg-folder-sharename-customername-ro:r-x---a-R-c---:fd-----:allow
      group:pa-wluke:rwxpDdaARWcCo-:fd-----:allow
               everyone@:--------------:fd-----:allow

      (Also note that Windows does NOT list the everyone permissions whatsoever.)


      Now, with zfsacl and zfs_space instead of ixnas (just to show what the expected behaviour is):

      Windows now shows the everyone listing when viewing permissions.


      Create a new folder in the root of the share, Test8:

      [All looks good]

      # file: /mnt/dev-arc-01/testshare/Test8
      # owner: pa-wluke
      # group: secg-folder-gl-arc-02-sharename-owner
      group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCos:fd----I:allow
      group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd----I:allow
      group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd----I:allow
               everyone@:--------------:fd----I:allow


      Edit the permissions in Windows, disable inheritance and choose to copy. Windows now correctly shows them as no longer inherited, and the everyone permission is gone.

      [Permissions are correct, all good]

      # file: /mnt/dev-arc-01/testshare/Test8
      # owner: pa-wluke
      # group: secg-folder-gl-arc-02-sharename-owner
      group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd-----:allow
      group:secg-folder-gl-arc-02-sharename-rw:rw-pD---R-----:fd-----:allow
      group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd-----:allow


      Change owner to secg-folder-sharename-customername-owner and add secg-folder-sharename-customername-owner with full permissions.

      [All looks correct, this group has been correctly added as a group so members will be granted correct permissions]

      # file: /mnt/dev-arc-01/testshare/Test8
      # owner: secg-folder-sharename-customername-owner
      # group: secg-folder-gl-arc-02-sharename-owner
      group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd-----:allow
      group:secg-folder-gl-arc-02-sharename-rw:rw-pD---R-----:fd-----:allow
      group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd-----:allow
      group:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow


      Add secg-folder-sharename-customername-rw and secg-folder-sharename-customername-ro. Apply. Also, remove the initial 3 groups that were copied in.

      [This all works great]

      # file: /mnt/dev-arc-01/testshare/Test8
      # owner: secg-folder-sharename-customername-owner
      # group: secg-folder-gl-arc-02-sharename-owner
      group:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow
      group:secg-folder-sharename-customername-rw:rwxp-daARWc---:fd-----:allow
      group:secg-folder-sharename-customername-ro:r-x---a-R-c---:fd-----:allow


      [I can now control access to the folder and its contents through AD groups, perfect! These folders will contain subfolders per day going back up to a decade, with up to 200k files in each day... hence the need for groups to control access]
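One way to check a folder for both symptoms from the NAS shell, without relying on what Windows displays: the Python script below is an added example for this page, not code from the report or from TrueNAS. It parses the FreeBSD getfacl listing format shown throughout the report and flags (a) known AD group names that appear with a user tag rather than a group tag, and (b) entries that still carry the I (inherited) flag. The STEP3_ACL sample and the KNOWN_AD_GROUPS names are copied from the report's own Step 3 output; the function and variable names are the example's own.

```python
"""Audit a FreeBSD/TrueNAS NFSv4 ACL listing (getfacl output) for the two
symptoms described in NAS-105486:
  1. an AD group added with a 'user' tag instead of 'group', so membership is
     never evaluated and the entry grants nothing to the group's members;
  2. entries still carrying the inherited ('I') flag after inheritance was
     supposedly disabled.
Added example for this page; not code from the report or from TrueNAS."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Ace:
    tag: str             # 'user', 'group', or a special tag: owner@, group@, everyone@
    who: Optional[str]   # principal name for user/group entries, None for special tags
    perms: str           # permission string, e.g. 'rwxpDdaARWcCos'
    flags: str           # inheritance flags, e.g. 'fd----I' ('I' = inherited)
    kind: str            # 'allow' or 'deny'


@dataclass
class Acl:
    path: Optional[str] = None
    owner: Optional[str] = None
    group: Optional[str] = None
    entries: List[Ace] = field(default_factory=list)


def parse_getfacl(text: str) -> Acl:
    """Parse '# file/owner/group' headers and 'tag[:who]:perms:flags:type' lines."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition(":")
            value = value.strip()
            if key == "file":
                acl.path = value
            elif key == "owner":
                acl.owner = value
            elif key == "group":
                acl.group = value
            continue
        fields = line.split(":")
        if fields[0].endswith("@"):          # owner@ / group@ / everyone@ carry no qualifier
            if len(fields) != 4:
                raise ValueError(f"malformed ACE: {line!r}")
            tag, who, perms, flags, kind = fields[0], None, *fields[1:]
        else:                                # user:NAME / group:NAME
            if len(fields) != 5:
                raise ValueError(f"malformed ACE: {line!r}")
            tag, who, perms, flags, kind = fields
        acl.entries.append(Ace(tag, who, perms, flags, kind))
    return acl


def groups_added_as_user(acl: Acl, known_groups: Set[str]) -> List[str]:
    """Known AD group names that appear with a 'user' tag (symptom 1)."""
    return [e.who for e in acl.entries if e.tag == "user" and e.who in known_groups]


def still_inherited(acl: Acl) -> List[str]:
    """Principals whose ACE still carries the 'I' (inherited) flag (symptom 2)."""
    return [e.who or e.tag for e in acl.entries if "I" in e.flags]


def audit(text: str, known_groups: Set[str]) -> Dict[str, object]:
    """Run both checks over one getfacl listing and report the findings."""
    acl = parse_getfacl(text)
    return {
        "path": acl.path,
        "group_added_as_user": groups_added_as_user(acl, known_groups),
        "still_inherited": still_inherited(acl),
        "everyone_listed": any(e.tag == "everyone@" for e in acl.entries),
    }


# Sample input copied from the report's Step 3 output (ixnas VFS), embedded so
# the script runs offline; in practice feed it the output of `getfacl <path>`.
STEP3_ACL = """\
# file: Test7
# owner: secg-folder-sharename-customername-owner
# group: secg-folder-gl-arc-02-sharename-owner
user:secg-folder-sharename-customername-owner:rwxpDdaARWcCo-:fd-----:allow
group:secg-folder-gl-arc-02-sharename-owner:rwxpDdaARWcCo-:fd----I:allow
group:secg-folder-gl-arc-02-sharename-rw:rw-p----R-----:fd----I:allow
group:secg-folder-gl-arc-02-sharename-ro:r-x---a-R-c---:fd----I:allow
         everyone@:--------------:fd-----:allow
"""

# The AD groups named in the report; a real deployment would load these from
# `getent group` or `wbinfo -g` rather than hard-coding them.
KNOWN_AD_GROUPS = {
    "secg-folder-gl-arc-02-sharename-owner",
    "secg-folder-gl-arc-02-sharename-rw",
    "secg-folder-gl-arc-02-sharename-ro",
    "secg-folder-sharename-customername-owner",
    "secg-folder-sharename-customername-rw",
    "secg-folder-sharename-customername-ro",
}

if __name__ == "__main__":
    for key, value in audit(STEP3_ACL, KNOWN_AD_GROUPS).items():
        print(f"{key}: {value}")
```

Run against the Step 3 listing it reports secg-folder-sharename-customername-owner under group_added_as_user and the three gl-arc-02 groups under still_inherited, which is exactly the state the report describes; run against the Test8 listings from the zfsacl run both lists come back empty.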
       

       

        People

        Assignee: awalker Andrew Walker
        Reporter: wluke William