[gpfsug-discuss] Snapshots / Windows previous versions
Christof Schmitt
christof.schmitt at us.ibm.com
Wed Jul 6 15:45:57 BST 2016
The message in the trace confirms that this is triggered by:
https://git.samba.org/?p=samba.git;a=commitdiff;h=acbb4ddb6876c15543c5370e6d27faacebc8a231
I suspect that the Samba version used misses the patch
https://git.samba.org/?p=samba.git;a=commitdiff;h=fdbca5e13a0375d7f18639679a627e67c3df647a
The CES build of Samba shippied in Spectrum Scale includes the mentioned
patch, and that should avoid the problem seen. Would it be possible to
build Samba again with the mentioned patch to test whether that fixes the
issue seen here?
Regards,
Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schmitt at us.ibm.com || +1-520-799-2469 (T/L: 321-2469)
From: "Sobey, Richard A" <r.sobey at imperial.ac.uk>
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Date: 07/06/2016 05:23 AM
Subject: Re: [gpfsug-discuss] Snapshots / Windows previous versions
Sent by: gpfsug-discuss-bounces at spectrumscale.org
Thanks Daniel – sorry to be dense, but does this indicate working as
intended, or a bug? I assume the former. So, the question still remains
how has this suddenly broken, when:
[root at server ict]# mmgetacl -k nfs4 .snapshots/
.snapshots/: Operation not permitted
…appears to be the correct output and is consistent with someone else’s
GPFS cluster where it is working.
Cheers
Richard
From: gpfsug-discuss-bounces at spectrumscale.org [
mailto:gpfsug-discuss-bounces at spectrumscale.org] On Behalf Of Daniel
Kidger
Sent: 06 July 2016 12:51
To: gpfsug-discuss at spectrumscale.org
Cc: gpfsug-discuss at spectrumscale.org
Subject: Re: [gpfsug-discuss] Snapshots / Windows previous versions
Looking at recent patches to SAMBA I see from December 2015:
https://download.samba.org/pub/samba/patches/security/samba-4.1.21-security-2015-12-16.patch
,
(link found at https://bugzilla.samba.org/show_bug.cgi?id=11658 which
includes the comment:
Failing that, smbd_check_access_rights should check Unix perms at that
point.
)
diff --git a/source3/modules/vfs_shadow_copy2.c
b/source3/modules/vfs_shadow_copy2.c
index fca05cf..07e2f8a 100644
--- a/source3/modules/vfs_shadow_copy2.c
+++ b/source3/modules/vfs_shadow_copy2.c
@@ -30,6 +30,7 @@
*/
#include "includes.h"
+#include "smbd/smbd.h"
#include "system/filesys.h"
#include "include/ntioctl.h"
#include <ccan/hash/hash.h>
@@ -1138,6 +1139,42 @@ static char *have_snapdir(struct vfs_handle_struct
*handle,
return NULL;
}
+static bool check_access_snapdir(struct vfs_handle_struct *handle,
+ const char *path)
+{
+ struct smb_filename smb_fname;
+ int ret;
+ NTSTATUS status;
+
+ ZERO_STRUCT(smb_fname);
+ smb_fname.base_name = talloc_asprintf(talloc_tos(),
+ "%s",
+ path);
+ if (smb_fname.base_name == NULL) {
+ return false;
+ }
+
+ ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
+ if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
+ TALLOC_FREE(smb_fname.base_name);
+ return false;
+ }
+
+ status = smbd_check_access_rights(handle->conn,
+ &smb_fname,
+ false,
+ SEC_DIR_LIST);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("user does not have list permission "
+ "on snapdir %s\n",
+ smb_fname.base_name));
+ TALLOC_FREE(smb_fname.base_name);
+ return false;
+ }
+ TALLOC_FREE(smb_fname.base_name);
+ return true;
+}
+
Daniel
Dr Daniel Kidger
IBM Technical Sales Specialist
Software Defined Solution Sales
+44-07818 522 266
daniel.kidger at uk.ibm.com
----- Original message -----
From: "Sobey, Richard A" <r.sobey at imperial.ac.uk>
Sent by: gpfsug-discuss-bounces at spectrumscale.org
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Cc:
Subject: Re: [gpfsug-discuss] Snapshots / Windows previous versions
Date: Wed, Jul 6, 2016 10:55 AM
Sure. It might be easier if I just post the entire smb.conf:
[global]
netbios name = store
workgroup = IC
security = ads
realm = IC.AC.UK
kerberos method = secrets and keytab
vfs objects = shadow_copy2 syncops gpfs fileid
ea support = yes
store dos attributes = yes
map readonly = no
map archive = no
map system = no
map hidden = no
unix extensions = no
allocation roundup size = 1048576
disable netbios = yes
smb ports = 445
# server signing = mandatory
template shell = /bin/bash
interfaces = bond2 lo bond0
allow trusted domains = no
printing = bsd
printcap name = /dev/null
load printers = no
disable spoolss = yes
idmap config IC : default = yes
idmap config IC : cache time = 180
idmap config IC : backend = ad
idmap config IC : schema_mode = rfc2307
idmap config IC : range = 500 - 2000000
idmap config * : range = 3000000 - 3500000
idmap config * : backend = tdb2
winbind refresh tickets = yes
winbind nss info = rfc2307
winbind use default domain = true
winbind offline logon = true
winbind separator = /
winbind enum users = true
winbind enum groups = true
winbind nested groups = yes
winbind expand groups = 2
winbind max clients = 10000
clustering = yes
ctdbd socket = /tmp/ctdb.socket
gpfs:sharemodes = yes
gpfs:winattr = yes
gpfs:leases = yes
gpfs:dfreequota = yes
# nfs4:mode = special
# nfs4:chown = no
nfs4:chown = yes
nfs4:mode = simple
nfs4:acedup = merge
fileid:algorithm = fsname
force unknown acl user = yes
shadow:snapdir = .snapshots
shadow:fixinodes = yes
shadow:snapdirseverywhere = yes
shadow:sort = desc
syncops:onclose = no
syncops:onmeta = no
kernel oplocks = yes
level2 oplocks = yes
oplocks = yes
notify:inotify = no
wide links = no
async smb echo handler = yes
smbd:backgroundqueue = False
use sendfile = no
dmapi support = yes
aio write size = 1
aio read size = 1
enable core files = no
#debug logging
log level = 2
log file = /var/log/samba.%m
max log size = 1024
debug timestamp = yes
[IC]
comment = Unified Group Space Area
path = /gpfs/prd/groupspace/ic
public = no
read only = no
valid users = "@domain users"
From: gpfsug-discuss-bounces at spectrumscale.org [
mailto:gpfsug-discuss-bounces at spectrumscale.org] On Behalf Of Barry Evans
Sent: 06 July 2016 10:47
To: gpfsug-discuss at spectrumscale.org
Subject: Re: [gpfsug-discuss] Snapshots / Windows previous versions
Can you cut/paste your full VFS options for gpfs and shadow copy from
smb.conf?
On 06/07/2016 10:37, Sobey, Richard A wrote:
Quick followup on this. Doing some more samba debugging (i.e. increasing
log levels!) and come up with the following:
[2016/07/06 10:07:35.602080, 3]
../source3/smbd/vfs.c:1322(check_reduced_name)
check_reduced_name:
admin/ict/serviceoperations/slough_project/Slough_Layout reduced to
/gpfs/prd/groupspace/ic/admin/ict/serviceoperations/slough_project/Slough_Layout
[2016/07/06 10:07:35.611881, 3] ../source3/smbd/dosmode.c:196(unix_mode)
unix_mode(admin/ict/serviceoperations/slough_project/Slough_Layout)
returning 0644
[2016/07/06 10:07:35.613374, 0]
../source3/modules/vfs_shadow_copy2.c:1211(check_access_snapdir)
user does not have list permission on snapdir
/gpfs/prd/groupspace/ic/admin/ict/.snapshots
[2016/07/06 10:07:35.613416, 0]
../source3/modules/vfs_shadow_copy2.c:1380(shadow_copy2_get_shadow_copy_data)
access denied on listing snapdir
/gpfs/prd/groupspace/ic/admin/ict/.snapshots
[2016/07/06 10:07:35.613434, 0]
../source3/modules/vfs_default.c:1145(vfswrap_fsctl)
FSCTL_GET_SHADOW_COPY_DATA: connectpath /gpfs/prd/groupspace/ic, failed
- NT_STATUS_ACCESS_DENIED.
[2016/07/06 10:07:47.648557, 3]
../source3/smbd/service.c:1138(close_cnum)
155.198.55.14 (ipv4:155.198.55.14:51298) closed connection to service
IPC$
Any takers? I cannot run mmgetacl on the .snapshots folder at all, as
root. A snapshot I just created to make sure I had full control on the
folder: (39367 is me, I didn’t run this command on a CTDB node so the UID
mapping isn’t working).
[root at icgpfs01 .snapshots]# mmgetacl -k nfs4 @GMT-2016.07.06-08.00.06
#NFSv4 ACL
#owner:root
#group:root
group:74036:r-x-:allow:FileInherit:DirInherit:Inherited
(X)READ/LIST (-)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL
(X)READ_ATTR (X)READ_NAMED
(-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL
(-)WRITE_ATTR (-)WRITE_NAMED
user:39367:rwxc:allow:FileInherit:DirInherit:Inherited
(X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL
(X)READ_ATTR (X)READ_NAMED
(X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL
(X)WRITE_ATTR (X)WRITE_NAMED
From: gpfsug-discuss-bounces at spectrumscale.org [
mailto:gpfsug-discuss-bounces at spectrumscale.org] On Behalf Of Sobey,
Richard A
Sent: 20 June 2016 16:03
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] Snapshots / Windows previous versions
Thanks Kevin. We are upgrading to GPFS 4.2 and CES in a few weeks but our
customers have come to like previous versions and indeed it is sort of a
selling point for us.
Samba is the only thing we’ve changed recently after the badlock debacle
so I’m tempted to blame that, but who knows.
If (when) I find out I’ll let everyone know.
Richard
From: gpfsug-discuss-bounces at spectrumscale.org [
mailto:gpfsug-discuss-bounces at spectrumscale.org] On Behalf Of Buterbaugh,
Kevin L
Sent: 20 June 2016 15:56
To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
Subject: Re: [gpfsug-discuss] Snapshots / Windows previous versions
Hi Richard,
I can’t answer your question but I can tell you that we have experienced
either the exact same thing you are or something very similar. It
occurred for us after upgrading from GPFS 3.5 to 4.1.0.8 and it persists
even after upgraded to GPFS 4.2.0.3 and the very latest sernet-samba.
And to be clear, when we upgraded from GPFS 3.5 to 4.1 we did *not*
upgrade SAMBA versions at that time. Therefore, I believe that something
changed in GPFS. That doesn’t mean it’s GPFS’ fault, of course. SAMBA
may have been relying on a bug<ctrl-h><ctrl-h><ctrl-h>undocumented feature
in GPFS that IBM fixed for all I know, and I’m obviously speculating here.
The problem we see is that the .snapshots directory in each folder can be
cd’d to but is empty. The snapshots are all there, however, if you:
cd /<mount point of fs>/.snapshots/<data and time snapshot was
taken>/rest/of/path/to/folder/in/question
This obviously prevents users from being able to do their own recovery of
files unless you do something like what you describe, which we are
unwilling to do for security reasons. We have a ticket open with DDN…
Kevin
On Jun 20, 2016, at 8:45 AM, Sobey, Richard A <r.sobey at imperial.ac.uk>
wrote:
Hi all
Can someone clarify if the ability for Windows to view snapshots as
Previous Versions is exposed by SAMBA or GPFS? Basically, if suddenly my
users cannot restore files from snapshots over a CIFS share, where should
I be looking?
I don’t know when this problem occurred, but within the last few weeks
certainly our users with full control over their data now see no previous
versions available, but if we export their fileset and set “force user =
root” all the snapshots are available.
I think the answer is SAMBA, right? We’re running GPFS 3.5 and
sernet-samba 4.2.9.
Many thanks
Richard
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
—
Kevin Buterbaugh - Senior System Administrator
Vanderbilt University - Advanced Computing Center for Research and
Education
Kevin.Buterbaugh at vanderbilt.edu - (615)875-9633
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
--
Barry Evans
Technical Director & Co-Founder
Pixit Media
Mobile: +44 (0)7950 666 248
http://www.pixitmedia.com
This email is confidential in that it is intended for the exclusive
attention of the addressee(s) indicated. If you are not the intended
recipient, this email should not be read or disclosed to any other person.
Please notify the sender immediately and delete this email from your
computer system. Any opinions expressed are not necessarily those of the
company from which this email was sent and, whilst to the best of our
knowledge no viruses or defects exist, no responsibility can be accepted
for any loss or damage arising from its receipt or subsequent use of this
email.
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number
741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
_______________________________________________
gpfsug-discuss mailing list
gpfsug-discuss at spectrumscale.org
http://gpfsug.org/mailman/listinfo/gpfsug-discuss
More information about the gpfsug-discuss
mailing list