[gpfsug-discuss] question about why unix extensions = no is recommended when using samba + gpfs?

Sabuj Pattanayek sabujp at gmail.com
Thu Apr 3 03:11:43 BST 2014


Forgot one,

### test_shares.conf ###

[testfs]
comment = GPFS Cluster on DORS using %R protocol
path = /dors/testfs
copy = template_nfs4
admin users = "DOMAIN\userImLoggingInWith"


It doesn't matter if I login with an "admin user" or a regular user allowed
by NFS4 (NTACLs) set via the security tab. The same problems happen with
save/save as unless gpfs:sharemodes = no .


On Wed, Apr 2, 2014 at 9:08 PM, Sabuj Pattanayek <sabujp at gmail.com> wrote:

>
>
>
> On Wed, Apr 2, 2014 at 5:08 PM, Jonathan Buzzard <jonathan at buzzard.me.uk> wrote:
>
>> On 02/04/14 22:42, Sabuj Pattanayek wrote:
>>
>>> Yup, I had those settings set already, and neither save as nor save
>>> worked.
>>>
>>>
>> You need to provide more information. Much more of your smb.conf, what
>> OS, Samba, and GPFS, along with your GPFS config.
>>
>
> rhel  6.3, 2.6.32-279.31.1.el6.x86_64, sernet samba 4.1.6, ctdb
> 1.0.114.7-1, gpfs 3.5.0.11, gpfs config farther down :
>
> ### smb.conf ###
>
> [global]
> workgroup = DOMAIN
> netbios name = gpfs-smb-server
> password server = dc-1.ds.domain.edu dc-2.ds.domain.edu dc-3.ds.domain.edu
> realm = DS.DOMAIN.EDU
> security = ads
> encrypt passwords = yes
> allow trusted domains = No
> idmap config *:backend = tdb
> idmap config *:range = 4000000 - 5000000
> idmap config DOMAIN : backend  = rid
> idmap config DOMAIN : range    = 5000001 - 9000000
> template shell = /bin/bash
> template homedir = /home/%U
> winbind offline logon = false
> winbind trusted domains only = no
> winbind use default domain = yes
> # ldap handles users
> winbind enum users  = no
> winbind enum groups = no
> winbind expand groups = 3
> server string = SMB
> log file = /var/log/samba/log.%m
> max log size = 50
> passdb backend = tdbsam
>
> clustering = yes
> unix extensions = yes
>
> include = /etc/samba/template_shares.conf
> include = /etc/samba/test_shares.conf
>
> ### template_shares.conf ###
>
> [template_nfs4]
> comment = GPFS Cluster on smb using %R protocol
> path = /dors/testfs
> writeable = yes
> vfs objects = shadow_copy2 gpfs fileid
> ea support = yes
> store dos attributes = yes
> access based share enum = yes
> map readonly = no
> map archive = no
> map system = no
> mangled names = no
> force unknown acl user = yes
> locking = yes
> notify:inotify = no
> shadow:snapdir = .snapshots
> shadow:localtime = yes
> shadow:format = %Y%m%d_%H:%M
> shadow:fixinodes = yes
> shadow:snapdirseverywhere = yes
> shadow:sort = desc
> # vfs_gpfs settings
> gpfs:acl = yes
> gpfs:winattr = yes
> gpfs:dfreequota = yes
> nfs4:mode = simple
> nfs4:chown = yes
> nfs4:acedup = merge
> ## needed to turn off sharemodes, msoffice on windows couldn't save
> # https://bugzilla.samba.org/show_bug.cgi?id=6762
> gpfs:sharemodes = no
> gpfs:leases = yes
> posix locking = yes
> kernel oplocks = no
> kernel share modes = yes
> fileid:algorithm = fsname
>
>
>
>>
>> Have you tested that the DOS attributes are correctly being stored in the
>> GPFS file system?
>>
>
> No, but they're all set to no, including map hidden which was missing
> above but according to man smb.conf is by default set to no, so wouldn't
> these not be mapped/stored in GPFS anyways? What EA file would these be
> stored in if these were set to yes?
>
>
>>
>> It explicitly does work. The issues are all around Office trying to
>> preserve ACL's which the vast majority of software does not.
>>
>
> Understood, but again, with the setup above, I had to turn sharemodes off
> to get it to work. Setting it to no was mentioned in a comment in that
> samba bug by Volker, i.e. I just didn't think of that myself, so there must
> be some correlation.
>
>
>> Are you running with NFSv4 ACL's *ONLY* on GPFS? Using Posix or Posix and
>> NFSv4 together is likely to lead to problems.
>
>
> posix + nfs4, it can be problematic but we're working around it.
>
> # mmlsfs dors
> flag                value                    description
> ------------------- ------------------------ -----------------------------------
>  -f                 2048                     Minimum fragment size in bytes (system pool)
>                     32768                    Minimum fragment size in bytes (other pools)
>  -i                 512                      Inode size in bytes
>  -I                 32768                    Indirect block size in bytes
>  -m                 1                        Default number of metadata replicas
>  -M                 2                        Maximum number of metadata replicas
>  -r                 1                        Default number of data replicas
>  -R                 2                        Maximum number of data replicas
>  -j                 scatter                  Block allocation type
>  -D                 nfs4                     File locking semantics in effect
>  -k                 all                      ACL semantics in effect
>  -n                 2000                     Estimated number of nodes that will mount file system
>  -B                 65536                    Block size (system pool)
>                     1048576                  Block size (other pools)
>  -Q                 user;group;fileset       Quotas enforced
>                     none                     Default quotas enabled
>  --filesetdf        Yes                      Fileset df enabled?
>  -V                 13.23 (3.5.0.7)          File system version
>  --create-time      Thu Nov  7 11:29:46 2013 File system creation time
>  -u                 Yes                      Support for large LUNs?
>  -z                 No                       Is DMAPI enabled?
>  -L                 16777216                 Logfile size
>  -E                 Yes                      Exact mtime mount option
>  -S                 No                       Suppress atime mount option
>  -K                 whenpossible             Strict replica allocation option
>  --fastea           Yes                      Fast external attributes enabled?
>  --inode-limit      524288000                Maximum number of inodes
>  -P                 system;capacity;fast     Disk storage pools in file system
>  -d                 3T_7K_0;3T_7K_1;3T_7K_2;3T_7K_3;3T_7K_4;3T_7K_5;3T_7K_6;3T_7K_7;3T_7K_8;3T_7K_9;3T_7K_10;3T_7K_11;3T_7K_12;3T_7K_13;900GB_10K_0;900GB_10K_1;900GB_10K_2;900GB_10K_3;
>  -d                 900GB_10K_4;900GB_10K_5;900GB_10K_6;900GB_10K_7;900GB_10K_8;900GB_10K_9;900GB_10K_10;900GB_10K_11;900GB_10K_12;900GB_10K_13;900GB_10K_14;900GB_10K_15;900GB_10K_16;
>  -d                 900GB_10K_17;900GB_10K_18;900GB_10K_19;400GB_SSD_0;400GB_SSD_1;400GB_SSD_2;400GB_SSD_3;400GB_SSD_4  Disks in file system
>  --perfileset-quota yes                      Per-fileset quota enforcement
>  -A                 yes                      Automatic mount option
>  -o                 none                     Additional mount options
>  -T                 /dors                    Default mount point
>  --mount-priority   0                        Mount priority
>
> A funny thing I noticed was that if I set security settings through the
> security properties dialog in windows on a share with gpfs:acl = yes, it
> sets posix acl's and doesn't automatically promote the acl's to nfs4. The
> top level acl on a share directory has to be set to nfs4 before you set
> users loose on it and at least one acl (a user / group on that directory)
> has to have DirInherit:FileInherit otherwise files and directories beneath
> that directory don't get set with nfs4 acl's which then breaks things like
> Windows being able to discern the difference between full and modify
> privileges (since posix only provides rwx, samba doesn't seem to care about
> the 'c' acl provided by gpfs).
>
> Several other strange behaviors I noticed :
>
> * Turning inheritance off through the windows security -> advanced dialog
> doesn't work unless you delete (or add I guess, but didn't try adding an
> acl) some acl, either the group/user that you're trying to disable
> inheritance for (which then means you have to re-add that group with
> inheritance disabled) or some other group / user that you don't care about.
> For example to disable inheritance on a directory for a group, you'd add a
> dummy user/group acl to that directory, disable inheritance for the
> group/user you want to disable inheritance for, then delete that dummy
> group, otherwise clicking apply -> ok, backing out and then going back in
> doesn't change the inheritance settings in either the advanced security
> dialog or FileInherit, DirInherit, or Inherit acls in the output of
> mmgetacl.
>
> * robocopy y: z: /mir /COPY:DATSO throws "something is wrong with the
> device. Failed to set NTACL ... " error 31 errors if you're trying to copy
> ACLs and data from some other share, but it still ends up copying the ACL's
> properly! The problem is that robocopy doesn't complete, it only descends
> one directory level at a time per robocopy run when it throws all these
> errors. So you have to keep running robocopy in a loop from a .bat script
> or manually keep running it until you think it's actually copied over all
> the ACL's. This doesn't happen with acl_xattr, but acl_xattr has other
> issues as well.
>
> * Does any of the auditing tab stuff work? Samba has auditing via log
> files, but this seems to be something that's stored in NTFS?
>
> * I haven't tried anything from the quota tab, can it actually set GPFS
> quotas somehow? I guess in windows you can set per directory quotas, the
> closest thing would be filesets linked to directories with user/group
> quotas within that fileset, but I don't think that tab is going to let you
> do that.
>
> Thanks,
> Sabuj
>
>
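
Added example, not part of the original message and not Samba's own code: because [testfs] pulls most of its settings in through `copy = template_nfs4`, the values actually in force for the share (including `gpfs:sharemodes` and `admin users`) are not visible in any one fragment. The sketch below resolves `copy` over an abbreviated, constructed copy of the fragments above; the function names, the simplified name normalization and the layering of [global] under the share are assumptions.

```python
import re
# Constructed sample: abbreviated from the fragments quoted in this message,
# concatenated in the order the include lines would load them.
SAMPLE = r"""
[global]
unix extensions = yes
idmap config DOMAIN : backend  = rid
[template_nfs4]
comment = GPFS Cluster on smb using %R protocol
vfs objects = shadow_copy2 gpfs fileid
gpfs:sharemodes = no
kernel share modes = yes
[testfs]
comment = GPFS Cluster on DORS using %R protocol
copy = template_nfs4
admin users = "DOMAIN\userImLoggingInWith"
"""

def norm(name):
    # Simplification: lower-case, collapse whitespace, drop spaces around ':'.
    return re.sub(r"\s*:\s*", ":", " ".join(name.lower().split()))

def parse(text):
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(norm(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)  # only the first '=' separates
            current[norm(key)] = value.strip()
    return sections

def effective(sections, share, seen=()):
    # 'copy = <service>': copied section first, the share's own lines override.
    own = dict(sections[share])
    src = norm(own.pop("copy", ""))
    if src in sections and src not in seen + (share,):  # stop copy loops
        return {**effective(sections, src, seen + (share,)), **own}
    return own

def report(text, share, keys):
    sections = parse(text)
    merged = {**sections.get("global", {}), **effective(sections, norm(share))}
    return {k: merged.get(norm(k), "(not set)") for k in keys}

if __name__ == "__main__":
    print(report(SAMPLE, "testfs", ["gpfs:sharemodes", "unix extensions", "admin users"]))
```

On a live server, `testparm -s` prints the configuration as Samba itself parses it and is the authoritative check.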