<div dir="ltr"><div>Forgot one,</div><div><br></div><div>### test_shares.conf ###</div><div><br></div><div>[testfs]</div><div>comment = GPFS Cluster on DORS using %R protocol</div><div>path = /dors/testfs</div><div>copy = template_nfs4</div>
<div>admin users = "DOMAIN\userImLoggingInWith"</div><div><br></div><div><br></div><div>It doesn't matter if I login with an "admin user" or a regular user allowed by NFS4 (NTACLs) set via the security tab. The same problems happen with save/save as unless gpfs:sharemodes = no .</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Apr 2, 2014 at 9:08 PM, Sabuj Pattanayek <span dir="ltr"><<a href="mailto:sabujp@gmail.com" target="_blank">sabujp@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote"><div class="">On Wed, Apr 2, 2014 at 5:08 PM, Jonathan Buzzard <span dir="ltr"><<a href="mailto:jonathan@buzzard.me.uk" target="_blank">jonathan@buzzard.me.uk</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>On 02/04/14 22:42, Sabuj Pattanayek wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Yup, I had those settings set already, and neither save as or save worked.<br>
<br>
</blockquote>
<br></div>
You need to provide more information. Much more of your smb.conf, what OS, Samba, and GPFS, along with your GPFS config.<br></blockquote><div><br></div></div><div>rhel 6.3, 2.6.32-279.31.1.el6.x86_64, sernet samba 4.1.6, ctdb 1.0.114.7-1, gpfs 3.5.0.11, gpfs config farther down :</div>
<div><br></div><div>### smb.conf ###</div><div><br></div><div><div>[global]</div><div>workgroup = DOMAIN</div><div>netbios name = gpfs-smb-server</div><div>password server = <a href="http://dc-1.ds.domain.edu" target="_blank">dc-1.ds.domain.edu</a> <a href="http://dc-2.ds.domain.edu" target="_blank">dc-2.ds.domain.edu</a> <a href="http://dc-3.ds.domain.edu" target="_blank">dc-3.ds.domain.edu</a></div>
<div>realm = <a href="http://DS.DOMAIN.EDU" target="_blank">DS.DOMAIN.EDU</a></div><div>security = ads</div><div>encrypt passwords = yes</div><div>allow trusted domains = No</div><div>idmap config *:backend = tdb</div><div>
idmap config *:range = 4000000 - 5000000</div>
<div>idmap config DOMAIN : backend = rid</div><div>idmap config DOMAIN : range = 5000001 - 9000000</div><div>template shell = /bin/bash<br></div><div>template homedir = /home/%U</div><div>winbind offline logon = false</div>
<div>winbind trusted domains only = no<br></div><div>winbind use default domain = yes</div><div># ldap handles users</div><div>winbind enum users = no</div><div>winbind enum groups = no<br></div><div>winbind expand groups = 3<br>
</div><div>server string = SMB<br></div><div>log file = /var/log/samba/log.%m<br></div><div>max log size = 50<br></div><div>passdb backend = tdbsam</div><div><br></div><div>clustering = yes</div><div>unix extensions = yes<br>
</div><div><br></div><div>include = /etc/samba/template_shares.conf<br></div><div>include = /etc/samba/test_shares.conf<br></div></div><div><br></div><div>### template_shares.conf ###</div><div><br></div><div><div>[template_nfs4]</div>
<div>comment = GPFS Cluster on smb using %R protocol</div><div>path = /dors/testfs</div><div>writeable = yes</div><div>vfs objects = shadow_copy2 gpfs fileid</div><div class=""><div>ea support = yes</div><div>store dos attributes = yes</div>
</div><div>access based share enum = yes</div><div class=""><div>map readonly = no</div><div>map archive = no</div><div>map system = no</div></div><div>mangled names = no</div><div>force unknown acl user = yes</div><div>
locking = yes</div><div>notify:inotify = no</div>
<div>shadow:snapdir = .snapshots</div><div>shadow:localtime = yes</div><div>shadow:format = %Y%m%d_%H:%M</div><div>shadow:fixinodes = yes</div><div>shadow:snapdirseverywhere = yes</div><div>shadow:sort = desc</div><div># vfs_gpfs settings</div>
<div>gpfs:acl = yes</div><div>gpfs:winattr = yes</div><div>gpfs:dfreequota = yes</div><div>nfs4:mode = simple</div><div>nfs4:chown = yes</div><div>nfs4:acedup = merge</div><div>## needed to turn off sharemodes, msoffice on windows couldn't save<br>
</div><div># <a href="https://bugzilla.samba.org/show_bug.cgi?id=6762" target="_blank">https://bugzilla.samba.org/show_bug.cgi?id=6762</a></div><div>gpfs:sharemodes = no</div><div>gpfs:leases = yes</div><div>posix locking = yes</div>
<div>
kernel oplocks = no</div><div>kernel share modes = yes</div><div>fileid:algorithm = fsname<br></div></div><div class=""><div><br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Have you tested that the DOS attributes are correctly being stored in the GPFS file system?<br></blockquote><div><br></div></div><div>No, but they're all set to no, including map hidden which was missing above but according to man smb.conf is by default set to no, so wouldn't these not be mapped/stored in GPFS anyways? What EA file would these be stored in if these were set to yes?</div>
<div class="">
<div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
It explicitly does work. The issues are all around Office trying to preserve ACL's which the vast majority of software does not.<br></blockquote><div><br></div></div><div>Understood, but again, with the setup above, I had to turn sharemodes off to get it to work. Setting it to no was mentioned in a comment in that samba bug by Volker, i.e. I just didn't think of that myself, so there must be some correlation. </div>
<div class="">
<div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Are you running with NFSv4 ACL's *ONLY* on GPFS? Using Posix or Posix and NFSv4 together is likely to lead to problems.</blockquote><div><br></div></div><div>posix + nfs4, it can be problematic but we're working around it. </div>
<div><br></div><div><div># mmlsfs dors</div><div>flag value description</div><div>------------------- ------------------------ -----------------------------------</div><div> -f 2048 Minimum fragment size in bytes (system pool)</div>
<div> 32768 Minimum fragment size in bytes (other pools)</div><div> -i 512 Inode size in bytes</div><div> -I 32768 Indirect block size in bytes</div>
<div> -m 1 Default number of metadata replicas</div><div> -M 2 Maximum number of metadata replicas</div><div> -r 1 Default number of data replicas</div>
<div> -R 2 Maximum number of data replicas</div><div> -j scatter Block allocation type</div><div> -D nfs4 File locking semantics in effect</div>
<div> -k all ACL semantics in effect</div><div> -n 2000 Estimated number of nodes that will mount file system</div><div> -B 65536 Block size (system pool)</div>
<div> 1048576 Block size (other pools)</div><div> -Q user;group;fileset Quotas enforced</div><div> none Default quotas enabled</div>
<div> --filesetdf Yes Fileset df enabled?</div><div> -V 13.23 (3.5.0.7) File system version</div><div> --create-time Thu Nov 7 11:29:46 2013 File system creation time</div>
<div> -u Yes Support for large LUNs?</div><div> -z No Is DMAPI enabled?</div><div> -L 16777216 Logfile size</div>
<div>
-E Yes Exact mtime mount option</div><div> -S No Suppress atime mount option</div><div> -K whenpossible Strict replica allocation option</div>
<div> --fastea Yes Fast external attributes enabled?</div><div> --inode-limit 524288000 Maximum number of inodes</div><div> -P system;capacity;fast Disk storage pools in file system</div>
<div> -d 3T_7K_0;3T_7K_1;3T_7K_2;3T_7K_3;3T_7K_4;3T_7K_5;3T_7K_6;3T_7K_7;3T_7K_8;3T_7K_9;3T_7K_10;3T_7K_11;3T_7K_12;3T_7K_13;900GB_10K_0;900GB_10K_1;900GB_10K_2;900GB_10K_3;</div><div> -d 900GB_10K_4;900GB_10K_5;900GB_10K_6;900GB_10K_7;900GB_10K_8;900GB_10K_9;900GB_10K_10;900GB_10K_11;900GB_10K_12;900GB_10K_13;900GB_10K_14;900GB_10K_15;900GB_10K_16;</div>
<div> -d 900GB_10K_17;900GB_10K_18;900GB_10K_19;400GB_SSD_0;400GB_SSD_1;400GB_SSD_2;400GB_SSD_3;400GB_SSD_4 Disks in file system</div><div> --perfileset-quota yes Per-fileset quota enforcement</div>
<div> -A yes Automatic mount option</div><div> -o none Additional mount options</div><div> -T /dors Default mount point</div>
<div> --mount-priority 0 Mount priority</div></div><div><br></div><div>A funny thing I noticed was that if I set security settings through the security properties dialog in windows on a share with gpfs:acl = yes, it sets posix acl's and doesn't automatically promote the acl's to nfs4. The top level acl on a share directory has to be set to nfs4 before you set users loose on it and at least one acl (a user / group on that directory) has to have DirInherit:FileInherit otherwise files and directories beneath that directory don't get set with nfs4 acl's which then breaks things like Windows being able to discern the difference between full and modify privileges (since posix only provides rwx, samba doesn't seem to care about the 'c' acl provided by gpfs).</div>
<div><br></div><div>Several other strange behaviors I noticed :</div><div><br></div><div>* Turning inheritance off through the windows security -> advanced dialog doesn't work unless you delete (or add I guess, but didn't try adding an acl) some acl, either the group/user that you're trying to disable inheritance for (which then means you have to re-add that group with inheritance disabled) or some other group / user that you don't care about. For example to disable inheritance on a directory for a group, you'd add a dummy user/group acl to that directory, disable inheritance for the group/user you want to disable inheritance for, then delete that dummy group, otherwise clicking apply -> ok, backing out and then going back in doesn't change the inheritance settings in either the advanced security dialog or FileInherit, DirInherit, or Inherit acls in the output of mmgetacl.</div>
<div><br></div><div>* robocopy y: z: /mir /COPY:DATSO throws "something is wrong with the device. Failed to set NTACL ... " error 31 errors if your'e trying to copy ACLs and data from some other share, but it still ends up copying the ACL's properly! The problem is that robocopy doesn't complete, it only descends one directory level at a time per robocopy run when it throws all these errors. So you have to keep running robocopy in a loop from a .bat script or manually keep running it until you think it's actually copied over all the ACL's. This doesn't happen with acl_xattr, but acl_xattr has other issues as well.</div>
<div><br></div><div>* Does any of the auditing tab stuff work? Samba has auditing via log files, but this seems to be something that's stored in NTFS?</div><div><br></div><div>* I haven't tried anything from the quota tab, can it actually set GPFS quotas somehow? I guess in windows you can set per directory quotas, the closest thing would be filesets linked to directories with user/group quotas within that fileset, but I don't think that tab is going to let you do that.</div>
<div><br></div><div>Thanks,</div><div>Sabuj</div><div> </div></div></div></div>
</blockquote></div><br></div>