On Tue, Nov 11, 2014 at 01:45:32PM -0600, Andrew Martin wrote:
> Hello,
>
> I am running an OpenIndiana server with a ZFS pool exporting a share over
> both NFSv4 and CIFS. The CIFS export is mounted by Windows 7 clients. On
> this share, I have the following ACLs configured for directories:
>
>   0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>       /append_data/read_xattr/write_xattr/execute/delete_child
>       /read_attributes/write_attributes/delete/read_acl/write_acl
>       /write_owner/synchronize:dir_inherit:allow
>   1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>       /append_data/read_xattr/write_xattr/delete_child/read_attributes
>       /write_attributes/delete/read_acl/write_acl/write_owner
>       /synchronize:file_inherit/inherit_only:allow
>   2:group:Domain Users:list_directory/read_data/add_file/write_data
>       /add_subdirectory/append_data/read_xattr/write_xattr/execute
>       /delete_child/read_attributes/write_attributes/delete/read_acl
>       /write_acl/write_owner/synchronize:dir_inherit:allow
>   3:group:Domain Users:list_directory/read_data/add_file/write_data
>       /add_subdirectory/append_data/read_xattr/write_xattr/delete_child
>       /read_attributes/write_attributes/delete/read_acl/write_acl
>       /write_owner/synchronize:file_inherit/inherit_only:allow
>   4:group@:list_directory/read_data/read_xattr/execute/read_attributes
>       /read_acl/synchronize:dir_inherit:allow
>   5:group@:list_directory/read_data/read_xattr/read_attributes/read_acl
>       /synchronize:file_inherit/inherit_only:allow
>
> And these ACLs for files:
>
>   0:owner@:read_data/write_data/append_data/read_xattr/write_xattr
>       /read_attributes/write_attributes/delete/read_acl/write_acl
>       /write_owner/synchronize:allow
>   1:group:Domain Users:read_data/write_data/append_data/read_xattr
>       /write_xattr/read_attributes/write_attributes/delete/read_acl
>       /write_acl/write_owner/synchronize:allow
>   2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
>
> This works just fine, Domain Users are able to read and write files as
> expected, except with Microsoft Office applications. Similar to
> http://openindiana.org/pipermail/openindiana-discuss/2012-June/008550.html,
> Microsoft Office applications allow you to open the file, but when you try
> to save you are denied with "There has been a network or file permission
> error. The network connection may be lost.". The ACLs set on the file are
> as I indicated above. Note that this only affects pre-existing Office
> files, newly-created files are writable.
>
> If in Windows I right-click on the file, go to Properties - Security - Edit
> and check the Modify box under Allow for Domain Users, I am then able to
> save the file in Office. This appears to modify the permissions to the
> following set:
>
>   0:group:Domain Users:read_data/write_data/append_data/read_xattr
>       /write_xattr/execute/read_attributes/write_attributes/delete
>       /read_acl/synchronize:allow
>   1:group:Domain Users:read_data/write_data/append_data/read_xattr
>       /write_xattr/execute/read_attributes/write_attributes/read_acl
>       /write_acl/write_owner/synchronize:allow
>   2:owner@:read_data/write_data/append_data/read_xattr/write_xattr
>       /read_attributes/write_attributes/delete/read_acl/write_acl
>       /write_owner/synchronize:allow
>   3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
>
> Note that if I add the exact same permission set to another (currently
> unreadable) file from the ZFS side (with chmod), I can make the Security
> permissions dialog look exactly the same (Modify is checked), however I
> cannot save from Office applications until I uncheck and recheck it through
> Windows. Thus it seems that Windows is storing some extra metadata that I
> cannot access or even view on the server. Has anyone encountered this
> before or do you have any suggestions for what else can I try to attempt to
> properly set the permissions on these files from the server?

I'm not sure it is related, but you might want to look at this:

https://github.com/Nexenta/illumos-nexenta/commit/f360b07ec371df666ee6bb29182e387f57c948f7

-- 
+-------------------------------------------+
| Marcel Telka   e-mail:   [email protected]  |
|                homepage: http://telka.sk/ |
|                jabber:   [email protected] |
+-------------------------------------------+
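
Added example, not part of the original messages: a Python comparison of the two file ACLs quoted above, reporting per principal which permissions the Windows "Modify" change added or removed. The ACE strings are the quoted listings re-joined onto single lines; the function names are hypothetical, and the script assumes an allow-only ACL like the ones shown.

```python
def parse_ace(line):
    """Split one 'index:who:perms[:flags]:type' ACE into (who, perms, type)."""
    parts = line.strip().split(":")
    # 'user:NAME' and 'group:NAME' principals occupy two colon-separated fields.
    if parts[1] in ("user", "group"):
        who, rest = parts[1] + ":" + parts[2], parts[3:]
    else:
        who, rest = parts[1], parts[2:]
    if len(rest) not in (2, 3):  # perms[:flags]:type
        raise ValueError("unrecognised ACE: " + line)
    return who, frozenset(rest[0].split("/")), rest[-1]


def allowed(acl_text):
    """Union of allowed permissions per principal for an allow-only ACL."""
    result = {}
    for line in acl_text.strip().splitlines():
        who, perms, ace_type = parse_ace(line)
        if ace_type != "allow":
            # With deny entries the order matters; a plain union would be wrong.
            raise ValueError("only allow entries are handled: " + line)
        result[who] = result.get(who, frozenset()) | perms
    return result


def acl_diff(before, after):
    """Return {principal: (added, removed)} for principals whose rights changed."""
    a, b = allowed(before), allowed(after)
    changes = {}
    for who in sorted(set(a) | set(b)):
        added = b.get(who, frozenset()) - a.get(who, frozenset())
        removed = a.get(who, frozenset()) - b.get(who, frozenset())
        if added or removed:
            changes[who] = (set(added), set(removed))
    return changes


# File ACL as set from the server (re-joined from the quoted listing).
BEFORE = """
0:owner@:read_data/write_data/append_data/read_xattr/write_xattr/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr/write_xattr/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:allow
2:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
"""
# File ACL after checking "Modify" in the Windows Security dialog.
AFTER = """
0:group:Domain Users:read_data/write_data/append_data/read_xattr/write_xattr/execute/read_attributes/write_attributes/delete/read_acl/synchronize:allow
1:group:Domain Users:read_data/write_data/append_data/read_xattr/write_xattr/execute/read_attributes/write_attributes/read_acl/write_acl/write_owner/synchronize:allow
2:owner@:read_data/write_data/append_data/read_xattr/write_xattr/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:allow
3:group@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
"""

if __name__ == "__main__":
    for who, (added, removed) in acl_diff(BEFORE, AFTER).items():
        print(who, "added:", sorted(added), "removed:", sorted(removed))
```

For these two listings the only per-principal difference is that group:Domain Users gains execute; everything else that changed is how the entries are split and ordered.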
