[gpfsug-discuss] question about why unix extensions = no is recommended when using samba + gpfs?

Sabuj Pattanayek sabujp at gmail.com
Thu Apr 3 03:08:40 BST 2014

On Wed, Apr 2, 2014 at 5:08 PM, Jonathan Buzzard <jonathan at buzzard.me.uk> wrote:

> On 02/04/14 22:42, Sabuj Pattanayek wrote:
>> Yup, I had those settings set already, and neither save as or save worked.
> You need to provide more information. Much more of your smb.conf, what OS,
> Samba, and GPFS, along with your GPFS config.

rhel 6.3, 2.6.32-279.31.1.el6.x86_64, sernet samba 4.1.6, ctdb, gpfs, gpfs config farther down:

### smb.conf ###

workgroup = DOMAIN
netbios name = gpfs-smb-server
password server = dc-1.ds.domain.edu dc-2.ds.domain.edu dc-3.ds.domain.edu
security = ads
encrypt passwords = yes
allow trusted domains = No
idmap config *:backend = tdb
idmap config *:range = 4000000 - 5000000
idmap config DOMAIN : backend  = rid
idmap config DOMAIN : range    = 5000001 - 9000000
template shell = /bin/bash
template homedir = /home/%U
winbind offline logon = false
winbind trusted domains only = no
winbind use default domain = yes
# ldap handles users
winbind enum users  = no
winbind enum groups = no
winbind expand groups = 3
server string = SMB
log file = /var/log/samba/log.%m
max log size = 50
passdb backend = tdbsam

clustering = yes
unix extensions = yes

include = /etc/samba/template_shares.conf
include = /etc/samba/test_shares.conf

### template_shares.conf ###

comment = GPFS Cluster on smb using %R protocol
path = /dors/testfs
writeable = yes
vfs objects = shadow_copy2 gpfs fileid
ea support = yes
store dos attributes = yes
access based share enum = yes
map readonly = no
map archive = no
map system = no
mangled names = no
force unknown acl user = yes
locking = yes
notify:inotify = no
shadow:snapdir = .snapshots
shadow:localtime = yes
shadow:format = %Y%m%d_%H:%M
shadow:fixinodes = yes
shadow:snapdirseverywhere = yes
shadow:sort = desc
# vfs_gpfs settings
gpfs:acl = yes
gpfs:winattr = yes
gpfs:dfreequota = yes
nfs4:mode = simple
nfs4:chown = yes
nfs4:acedup = merge
## needed to turn off sharemodes, msoffice on windows couldn't save
# https://bugzilla.samba.org/show_bug.cgi?id=6762
gpfs:sharemodes = no
gpfs:leases = yes
posix locking = yes
kernel oplocks = no
kernel share modes = yes
fileid:algorithm = fsname

> Have you tested that the DOS attributes are correctly being stored in the
> GPFS file system?

No, but they're all set to no, including map hidden which was missing above
but according to man smb.conf is by default set to no, so wouldn't these
not be mapped/stored in GPFS anyways? What EA file would these be stored in
if these were set to yes?

> It explicitly does work. The issues are all around Office trying to
> preserve ACL's which the vast majority of software does not.

Understood, but again, with the setup above, I had to turn sharemodes off
to get it to work. Setting it to no was mentioned in a comment in that
samba bug by Volker, i.e. I just didn't think of that myself, so there must
be some correlation.

> Are you running with NFSv4 ACL's *ONLY* on GPFS? Using Posix or Posix and
> NFSv4 together is likely to lead to problems.

posix + nfs4, it can be problematic but we're working around it.

# mmlsfs dors
flag                value                    description
------------------- ------------------------
 -f                 2048                     Minimum fragment size in bytes (system pool)
                    32768                    Minimum fragment size in bytes (other pools)
 -i                 512                      Inode size in bytes
 -I                 32768                    Indirect block size in bytes
 -m                 1                        Default number of metadata
 -M                 2                        Maximum number of metadata
 -r                 1                        Default number of data replicas
 -R                 2                        Maximum number of data replicas
 -j                 scatter                  Block allocation type
 -D                 nfs4                     File locking semantics in
 -k                 all                      ACL semantics in effect
 -n                 2000                     Estimated number of nodes that will mount file system
 -B                 65536                    Block size (system pool)
                    1048576                  Block size (other pools)
 -Q                 user;group;fileset       Quotas enforced
                    none                     Default quotas enabled
 --filesetdf        Yes                      Fileset df enabled?
 -V                 13.23 (          File system version
 --create-time      Thu Nov  7 11:29:46 2013 File system creation time
 -u                 Yes                      Support for large LUNs?
 -z                 No                       Is DMAPI enabled?
 -L                 16777216                 Logfile size
 -E                 Yes                      Exact mtime mount option
 -S                 No                       Suppress atime mount option
 -K                 whenpossible             Strict replica allocation
 --fastea           Yes                      Fast external attributes
 --inode-limit      524288000                Maximum number of inodes
 -P                 system;capacity;fast     Disk storage pools in file
 Disks in file system
 --perfileset-quota yes                      Per-fileset quota enforcement
 -A                 yes                      Automatic mount option
 -o                 none                     Additional mount options
 -T                 /dors                    Default mount point
 --mount-priority   0                        Mount priority

A funny thing I noticed was that if I set security settings through the
security properties dialog in windows on a share with gpfs:acl = yes, it
sets posix acl's and doesn't automatically promote the acl's to nfs4. The
top level acl on a share directory has to be set to nfs4 before you set
users loose on it and at least one acl (a user / group on that directory)
has to have DirInherit:FileInherit otherwise files and directories beneath
that directory don't get set with nfs4 acl's which then breaks things like
Windows being able to discern the difference between full and modify
privileges (since posix only provides rwx, samba doesn't seem to care about
the 'c' acl provided by gpfs).

Several other strange behaviors I noticed:

* Turning inheritance off through the windows security -> advanced dialog
doesn't work unless you delete (or add I guess, but didn't try adding an
acl) some acl, either the group/user that you're trying to disable
inheritance for (which then means you have to re-add that group with
inheritance disabled) or some other group / user that you don't care about.
For example to disable inheritance on a directory for a group, you'd add a
dummy user/group acl to that directory, disable inheritance for the
group/user you want to disable inheritance for, then delete that dummy
group, otherwise clicking apply -> ok, backing out and then going back in
doesn't change the inheritance settings in either the advanced security
dialog or FileInherit, DirInherit, or Inherit acls in the output of

* robocopy y: z: /mir /COPY:DATSO throws "something is wrong with the
device. Failed to set NTACL ... " error 31 errors if you're trying to copy
ACLs and data from some other share, but it still ends up copying the ACL's
properly! The problem is that robocopy doesn't complete, it only descends
one directory level at a time per robocopy run when it throws all these
errors. So you have to keep running robocopy in a loop from a .bat script
or manually keep running it until you think it's actually copied over all
the ACL's. This doesn't happen with acl_xattr, but acl_xattr has other
issues as well.

* Does any of the auditing tab stuff work? Samba has auditing via log
files, but this seems to be something that's stored in NTFS?

* I haven't tried anything from the quota tab, can it actually set GPFS
quotas somehow? I guess in windows you can set per directory quotas, the
closest thing would be filesets linked to directories with user/group
quotas within that fileset, but I don't think that tab is going to let you
do that.
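
A pre-flight check for the ACL behaviour described in the message above, as an added example that is not part of the original post: it parses ACL text in the layout `mmgetacl` prints and reports whether a share's top-level directory has an NFSv4 ACL with at least one allow entry carrying both FileInherit and DirInherit. The sample listings are constructed, the function names are hypothetical, and the exact text layout is an assumption to confirm against your GPFS release.

```python
# Added example. The ACL listings are constructed, modelled on mmgetacl's text layout.
NFS4_INHERITING = """#NFSv4 ACL
#owner:root
#group:root
special:owner@:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)READ_ACL (X)WRITE_ACL
group:staff:rwx-:allow:FileInherit:DirInherit
special:everyone@:----:allow
"""
NFS4_FLAT = NFS4_INHERITING.replace(":FileInherit:DirInherit", "")
POSIX_ONLY = """#owner:root
#group:root
user::rwxc
group::r-x-
other::----
"""

def parse_acl(text):
    """Return (kind, entries); kind is 'nfs4' when the '#NFSv4 ACL' header is present."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    kind = "nfs4" if "#NFSv4 ACL" in lines else "posix"
    entries = []
    for line in lines:
        # Skip '#' headers and the indented permission-detail rows under NFSv4 entries.
        if line.startswith("#") or line[0].isspace():
            continue
        f = line.split(":")
        if kind == "nfs4" and len(f) >= 4:
            # type:name:perms:allow|deny[:flag...]
            entries.append({"who": f"{f[0]}:{f[1]}", "perms": f[2],
                            "type": f[3], "flags": set(f[4:])})
        elif kind == "posix" and len(f) == 3:
            entries.append({"who": f"{f[0]}:{f[1]}", "perms": f[2],
                            "type": "allow", "flags": set()})
    return kind, entries

def share_root_problems(text):
    """List reasons children of this directory would not inherit NFSv4 ACLs."""
    kind, entries = parse_acl(text)
    if kind != "nfs4":
        return ["top-level ACL is POSIX, not NFSv4"]
    inheriting = [e for e in entries if e["type"] == "allow"
                  and {"FileInherit", "DirInherit"} <= e["flags"]]
    if not inheriting:
        return ["no allow entry has both FileInherit and DirInherit"]
    return []

if __name__ == "__main__":
    for name, acl in [("inheriting", NFS4_INHERITING), ("flat", NFS4_FLAT), ("posix", POSIX_ONLY)]:
        print(name, share_root_problems(acl) or "ok")
```

Run it against the `mmgetacl` output for a share's top-level directory before users start writing to it; an empty list means both conditions from the message hold.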
