<div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:9pt" ><div dir="ltr" >Hi,</div>
<div dir="ltr" > </div>
<div dir="ltr" >to answer the two questions:</div>
<div dir="ltr" > </div>
<div dir="ltr" ><div>> 1. What's the purpose of a special flag to indicate that it is smbd<br>> setting the ACL? Does this tie in with the undocumented "mmchfs -k<br>> samba" feature?</div>
<div> </div>
<div>Windows expects ACL entries in a canonical order, first deny entries,<br>then allow. See<br>e.g. <a href="https://docs.microsoft.com/en-us/windows/desktop/secauthz/order-of-aces-in-a-dacl">https://docs.microsoft.com/en-us/windows/desktop/secauthz/order-of-aces-in-a-dacl</a></div>
<div>From a brief look, using the the GPFS_ACL_SAMBA flag has the file<br>system skip allow entries after deny entries when reading the ACL and<br>does not store allow entries after deny entries. Maybe this is not<br>stricly necessary and we could let SMB (Windows) clients deal with<br>ordering problems, but that would require some research and testing.</div>
<div> </div>
<div>> 2. There is a whole bunch of stuff in the documentation about v4.1<br>> ACL's. How does one trigger that. All I seem to be able to do is<br>> get POSIX and v4 ACL's. Do you get v4.1 ACL's if you set the file<br>> system to "Samba" ACL's or am I missing something.</div>
<div> </div>
<div>This is likely the extension made to NFSv4 ACLs to allow storing<br>additional flags (the ACL4_FLAG_* defines in gpfs.h). These flags are<br>used by Windows SMB clients to determine whether ACLs have been<br>inherited. As far as i know, the file system only stores these flags,<br>but does not act upon them. You can get this format by initializing<br>the gpfs_acl struct with acl_type = GPFS_ACL_VERSION_NFS4 and<br>acl_level = GPFS_ACL_LEVEL_V4FLAGS before calling gpfs_setacl. The<br>Samba code in vfs_gpfs.c does that if you want to see an example.</div></div>
<div dir="ltr" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial, Helvetica, sans-serif;font-size:10.5pt" ><div class="socmaildefaultfont" dir="ltr" style="font-family:Arial;font-size:10.5pt" ><div dir="ltr" > </div>
<div dir="ltr" >Regards,</div>
<div dir="ltr" > </div>
<div dir="ltr" ><font size="2" face="Verdana,Arial,Helvetica,sans-serif" ><font size="2" face="Verdana,Arial,Helvetica,sans-serif" ><span style="font-size:0.857em;" ><span style="font-family: Verdana,Geneva,sans-serif;" >Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ<br>christof.schmitt@us.ibm.com || +1-520-799-2469 (T/L: 321-2469)</span></span></font></font></div></div></div></div></div></div></div>
<div dir="ltr" > </div>
<div dir="ltr" > </div>
<blockquote data-history-content-modified="1" data-history-expanded="1" dir="ltr" style="border-left:solid #aaaaaa 2px; margin-left:5px; padding-left:5px; direction:ltr; margin-right:0px" >----- Original message -----<br>From: Jonathan Buzzard <jonathan.buzzard@strath.ac.uk><br>Sent by: gpfsug-discuss-bounces@spectrumscale.org<br>To: gpfsug-discuss@spectrumscale.org<br>Cc:<br>Subject: Re: [gpfsug-discuss] Adding to an existing GPFS ACL<br>Date: Wed, Mar 27, 2019 3:58 PM<br>
<div><font size="2" face="Default Monospace,Courier New,Courier,monospace" >On 27/03/2019 15:59, Buterbaugh, Kevin L wrote:<br><br>[SNIP]<br><br>> So am I missing something?<br><br>Nope you are not missing anything. Setting NFSv4 ACL's on GPFS on<br>*LINUX* has always been a steaming pile of Brontosaurus droppings.<br><br>I have been on about since 2011... Search the mailing list archives.<br><br>> Is there an easier solution than writing a<br>> script which recurses over the fileset, gets the existing ACL with<br>> mmgetacl and outputs that to a file, edits that file to add in the new<br>> group, and passes that as input to mmputacl? That seems very cumbersome<br>> and error prone, especially if I’m the one writing the script!<br>><br><br>The best option is to get yourself a pSeries machine, install AIX and<br>GPFS and use the native AIX ACL command to set the ACL's. This works<br>because AIX has a mechanism for passing NFSv4 ACL's through it's VFS<br>interface. The RichACL kernel patches for Linux to give it the same<br>functionality went nowhere. Noting that the XFS and JFS file systems,<br>internally have NFSv4 ACL support.<br><br>The next best option is to export it as an NSFv4 file system and use a<br>Linux/FreeBSD machine to set the ACL's (a Mac might even work). Expect<br>performance to not be great.<br><br>The next best option is to do an SMB export, mount it on Linux and use<br>setcifsacl or map it on Windows and use cacls command. Some<br>experimentation on working out exactly how NFSv4 ACLS get mapped to<br>Windows ACLS would be advisable before a mass apply though. I don't<br>think it is possible to set all NFSv4 ACL options using this method.<br><br>Probably the best option, but which is not publicly available is to use<br>my modified version of the Linux nfs4_setacl command :-)<br><br>You just modify nfs4_acl_for_path.c and nfs4_set_acl.c so they<br>read/write the GPFS ACL struct and convert between the GPFS<br>representation and the internal data structure used by the<br>nfs4-acl-tools to hold NFSv4 ACL's.<br><br>However I have not put it any where public because the GPFS API<br>documentation is incomplete when it comes to ACL's. Consequently I can't<br>be sure it is safe so I am not releasing it. I have two questions that I<br>would like answering before I make it public. I will ask them for the<br>third time, in hopes someone at IBM is actually listening.<br><br> 1. What's the purpose of a special flag to indicate that it is smbd<br> setting the ACL? Does this tie in with the undocumented "mmchfs -k<br> samba" feature?<br><br> 2. There is a whole bunch of stuff in the documentation about v4.1<br> ACL's. How does one trigger that. All I seem to be able to do is<br> get POSIX and v4 ACL's. Do you get v4.1 ACL's if you set the file<br> system to "Samba" ACL's or am I missing something.<br><br>The other option is to write a script. Personally I would use<br>Perl/Python rather than a shell script as it would be easier to read the<br>result of mmgetacl into a buffer, append the extra bits and write it out<br>again with mmputacl. It is horribly slow however if you have millions of<br>files to iterate over. Trust me back in 2011 I had Perl scripts for<br>setting ACL's.<br><br>The final option though not quick would be for IBM to actually implement<br>a mmsetfacl command. Surely it would not be too hard to take the code<br>from AIX and modify the bits that set ACL's to use the GPFS API.<br>Alternatively take the FreeBSD ACL commands and use them as a starting<br>point. However I would not hold your breath for IBM if you expect them<br>to fix the situation.<br><br><br>JAB.<br><br>--<br>Jonathan A. Buzzard Tel: +44141-5483420<br>HPC System Administrator, ARCHIE-WeSt.<br>University of Strathclyde, John Anderson Building, Glasgow. G4 0NG<br>_______________________________________________<br>gpfsug-discuss mailing list<br>gpfsug-discuss at spectrumscale.org<br><a href="http://gpfsug.org/mailman/listinfo/gpfsug-discuss" target="_blank">http://gpfsug.org/mailman/listinfo/gpfsug-discuss</a></font><br> </div></blockquote>
<div dir="ltr" > </div></div><BR>