[gpfsug-discuss] vn511i7 / Windoqws prevmqq1qqqqqq2qqqqqqqqqqqqaqqaàaåio8iusk versions

Ken Atkinson hpc.ken.tw25qn at gmail.com
Wed Jul 6 16:37:56 BST 2016


9G4HTGTB kk38ģvv
On 6 Jul 2016 15:46, "Christof Schmitt" <christof.schmitt at us.ibm.com> wrote:
>
> The message in the trace confirms that this is triggered by:
> https://git.samba.org/?p=samba.git;a=commitdiff;h=4
>
> I 2asuspect that the Samba version used misses the patch
>
https://git.samba.org/?p=samba.git;a=commitdiff;h=fdbca5e13a0375d7f18639679a627e67c3df647a
>
> The CES build of Samba shippied in Spectrum Scale includes the mentioned
> patch, and that should avoid the problem seen. Would it be possible to
> build Samba again with the mentioned patch to test whether that fixes the
> issue seen here?
>
> Regards,
>
> Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
> christof.schmitt at us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)
>
>
>
> From:   "Sobey, Richard A" <r.sobey at imperial.ac.uk>
> To:     gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
> Date:   07/06/2016 05:23 AM
> Subject:        Re: [gpfsug-discuss] Snapshots / Windows previous versions
> Sent by:        gpfsug-discuss-bounces at spectrumscale.org
>
>
>
> Thanks Daniel – sorry to be dense, but does this indicate working as
> intended, or a bug? I assume the former. So, the question still remains
> how has this suddenly broken, when:
>
> [root at server ict]# mmgetacl -k nfs4 .snapshots/
> .snapshots/: Operation not permitted
>
> …appears to be the correct output and is consistent with someone else’s
> GPFS cluster where it is working.
>
> Cheers
>
> Richard
>
> From: gpfsug-discuss-bounces at spectrumscale.org [
> mailto:gpfsug-discuss-bounces at spectrumscale.org] On Behalf Of Daniel
> Kidger
> Sent: 06 July 2016 12:51
> To: gpfsug-discuss at spectrumscale.org
> Cc: gpfsug-discuss at spectrumscale.org
> Subject: Re: [gpfsug-discuss] Snapshots / Windows previous versions
>
> Looking at recent patches to SAMBA I see from December 2015:
>
https://download.samba.org/pub/samba/patches/security/samba-4.1.21-security-2015-12-16.patch
> ,
> (link found at  https://bugzilla.samba.org/show_bug.cgi?id=11658 which
> includes the comment:
> Failing that, smbd_check_access_rights should check Unix perms at that
> point.
> )
>
> diff --git a/source3/modules/vfs_shadow_copy2.c
> b/source3/modules/vfs_shadow_copy2.c
> index fca05cf..07e2f8a 100644
> --- a/source3/modules/vfs_shadow_copy2.c
> +++ b/source3/modules/vfs_shadow_copy2.c
> @@ -30,6 +30,7 @@
>   */
>
>  #include "includes.h"
> +#include "smbd/smbd.h"
>  #include "system/filesys.h"
>  #include "include/ntioctl.h"
>  #include <ccan/hash/hash.h>
> @@ -1138,6 +1139,42 @@ static char *have_snapdir(struct vfs_handle_struct
> *handle,
>      return NULL;
>  }
>
> +static bool check_access_snapdir(struct vfs_handle_struct *handle,
> +                const char *path)
> +{
> +    struct smb_filename smb_fname;
> +    int ret;
> +    NTSTATUS status;
> +
> +    ZERO_STRUCT(smb_fname);
> +    smb_fname.base_name = talloc_asprintf(talloc_tos(),
> +                        "%s",
> +                        path);
> +    if (smb_fname.base_name == NULL) {
> +        return false;
> +    }
> +
> +    ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
> +    if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
> +        TALLOC_FREE(smb_fname.base_name);
> +        return false;
> +    }
> +
> +    status = smbd_check_access_rights(handle->conn,
> +                    &smb_fname,
> +                    false,
> +                    SEC_DIR_LIST);
> +    if (!NT_STATUS_IS_OK(status)) {
> +        DEBUG(0,("user does not have list permission "
> +            "on snapdir %s\n",
> +            smb_fname.base_name));
> +        TALLOC_FREE(smb_fname.base_name);
> +        return false;
> +    }
> +    TALLOC_FREE(smb_fname.base_name);
> +    return true;
> +}
> +
>
> Daniel
>
>
>
>
>
> Dr Daniel Kidger
> IBM Technical Sales Specialist
> Software Defined Solution Sales
>
> +44-07818 522 266
> daniel.kidger at uk.ibm.com
>
>
>
>
>
>
> ----- Original message -----
> From: "Sobey, Richard A" <r.sobey at imperial.ac.uk>
> Sent by: gpfsug-discuss-bounces at spectrumscale.org
> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
> Cc:
> Subject: Re: [gpfsug-discuss] Snapshots / Windows previous versions
> Date: Wed, Jul 6, 2016 10:55 AM
>
> Sure. It might be easier if I just post the entire smb.conf:
>
> [global]
>    netbios name = store
>    workgroup = IC
>    security = ads
>    realm = IC.AC.UK
>    kerberos method = secrets and keytab
>
>    vfs objects = shadow_copy2 syncops gpfs fileid
>    ea support = yes
>    store dos attributes = yes
>    map readonly = no
>    map archive = no
>    map system = no
>    map hidden = no
>    unix extensions = no
>    allocation roundup size = 1048576
>
>    disable netbios = yes
>    smb ports = 445
> #   server signing = mandatory
>
>    template shell = /bin/bash
>    interfaces = bond2 lo bond0
>    allow trusted domains = no
>
>    printing = bsd
>    printcap name = /dev/null
>    load printers = no
>    disable spoolss = yes
>
>    idmap config IC : default = yes
>    idmap config IC : cache time = 180
>    idmap config IC : backend = ad
>    idmap config IC : schema_mode = rfc2307
>    idmap config IC : range = 500 - 2000000
>    idmap config * : range = 3000000 - 3500000
>    idmap config * : backend = tdb2
>    winbind refresh tickets = yes
>    winbind nss info = rfc2307
>    winbind use default domain = true
>    winbind offline logon = true
>    winbind separator = /
>    winbind enum users = true
>    winbind enum groups = true
>    winbind nested groups = yes
>    winbind expand groups = 2
>
>    winbind max clients = 10000
>
>    clustering = yes
>    ctdbd socket = /tmp/ctdb.socket
>    gpfs:sharemodes = yes
>    gpfs:winattr = yes
>    gpfs:leases = yes
>    gpfs:dfreequota = yes
> #  nfs4:mode = special
> #   nfs4:chown = no
>    nfs4:chown = yes
>    nfs4:mode = simple
>
> nfs4:acedup = merge
>    fileid:algorithm = fsname
>    force unknown acl user = yes
>
>    shadow:snapdir = .snapshots
>    shadow:fixinodes = yes
>    shadow:snapdirseverywhere = yes
>    shadow:sort = desc
>
>    syncops:onclose = no
>    syncops:onmeta = no
>    kernel oplocks = yes
>    level2 oplocks = yes
>    oplocks = yes
>    notify:inotify = no
>    wide links = no
>    async smb echo handler = yes
>    smbd:backgroundqueue = False
>    use sendfile = no
>    dmapi support = yes
>
>    aio write size = 1
>    aio read size = 1
>
>    enable core files = no
>
> #debug logging
>    log level = 2
>    log file = /var/log/samba.%m
>    max log size = 1024
>    debug timestamp = yes
>
> [IC]
>    comment = Unified Group Space Area
>    path = /gpfs/prd/groupspace/ic
>    public = no
>    read only = no
>    valid users = "@domain users"
>
> From: gpfsug-discuss-bounces at spectrumscale.org [
> mailto:gpfsug-discuss-bounces at spectrumscale.org] On Behalf Of Barry Evans
> Sent: 06 July 2016 10:47
> To: gpfsug-discuss at spectrumscale.org
> Subject: Re: [gpfsug-discuss] Snapshots / Windows previous versions
>
> Can you cut/paste your full VFS options for gpfs and shadow copy from
> smb.conf?
>
> On 06/07/2016 10:37, Sobey, Richard A wrote:
> Quick followup on this. Doing some more samba debugging (i.e. increasing
> log levels!) and come up with the following:
>
> [2016/07/06 10:07:35.602080,  3]
> ../source3/smbd/vfs.c:1322(check_reduced_name)
>   check_reduced_name:
> admin/ict/serviceoperations/slough_project/Slough_Layout reduced to
>
/gpfs/prd/groupspace/ic/admin/ict/serviceoperations/slough_project/Slough_Layout
> [2016/07/06 10:07:35.611881,  3] ../source3/smbd/dosmode.c:196(unix_mode)
>   unix_mode(admin/ict/serviceoperations/slough_project/Slough_Layout)
> returning 0644
> [2016/07/06 10:07:35.613374,  0]
> ../source3/modules/vfs_shadow_copy2.c:1211(check_access_snapdir)
>   user does not have list permission on snapdir
> /gpfs/prd/groupspace/ic/admin/ict/.snapshots
> [2016/07/06 10:07:35.613416,  0]
>
../source3/modules/vfs_shadow_copy2.c:1380(shadow_copy2_get_shadow_copy_data)
>   access denied on listing snapdir
> /gpfs/prd/groupspace/ic/admin/ict/.snapshots
> [2016/07/06 10:07:35.613434,  0]
> ../source3/modules/vfs_default.c:1145(vfswrap_fsctl)
>   FSCTL_GET_SHADOW_COPY_DATA: connectpath /gpfs/prd/groupspace/ic, failed
> - NT_STATUS_ACCESS_DENIED.
> [2016/07/06 10:07:47.648557,  3]
> ../source3/smbd/service.c:1138(close_cnum)
>   155.198.55.14 (ipv4:155.198.55.14:51298) closed connection to service
> IPC$
>
> Any takers? I cannot run mmgetacl on the .snapshots folder at all, as
> root. A snapshot I just created to make sure I had full control on the
> folder: (39367 is me, I didn’t run this command on a CTDB node so the UID
> mapping isn’t working).
>
> [root at icgpfs01 .snapshots]# mmgetacl -k nfs4 @GMT-2016.07.06-08.00.06
> #NFSv4 ACL
> #owner:root
> #group:root
> group:74036:r-x-:allow:FileInherit:DirInherit:Inherited
> (X)READ/LIST (-)WRITE/CREATE (-)MKDIR (X)SYNCHRONIZE (X)READ_ACL
> (X)READ_ATTR  (X)READ_NAMED
> (-)DELETE    (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL
> (-)WRITE_ATTR (-)WRITE_NAMED
>
> user:39367:rwxc:allow:FileInherit:DirInherit:Inherited
> (X)READ/LIST (X)WRITE/CREATE (X)MKDIR (X)SYNCHRONIZE (X)READ_ACL
> (X)READ_ATTR  (X)READ_NAMED
> (X)DELETE    (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL
> (X)WRITE_ATTR (X)WRITE_NAMED
>
> From: gpfsug-discuss-bounces at spectrumscale.org [
> mailto:gpfsug-discuss-bounces at spectrumscale.org] On Behalf Of Sobey,
> Richard A
> Sent: 20 June 2016 16:03
> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
> Subject: Re: [gpfsug-discuss] Snapshots / Windows previous versions
>
> Thanks Kevin. We are upgrading to GPFS 4.2 and CES in a few weeks but our
> customers have come to like previous versions and indeed it is sort of a
> selling point for us.
>
> Samba is the only thing we’ve changed recently after the badlock debacle
> so I’m tempted to blame that, but who knows.
>
> If (when) I find out I’ll let everyone know.
>
> Richard
>
> From: gpfsug-discuss-bounces at spectrumscale.org [
> mailto:gpfsug-discuss-bounces at spectrumscale.org] On Behalf Of Buterbaugh,
> Kevin L
> Sent: 20 June 2016 15:56
> To: gpfsug main discussion list <gpfsug-discuss at spectrumscale.org>
> Subject: Re: [gpfsug-discuss] Snapshots / Windows previous versions
>
> Hi Richard,
>
> I can’t answer your question but I can tell you that we have experienced
> either the exact same thing you are or something very similar.  It
> occurred for us after upgrading from GPFS 3.5 to 4.1.0.8 and it persists
> even after upgraded to GPFS 4.2.0.3 and the very latest sernet-samba.
>
> And to be clear, when we upgraded from GPFS 3.5 to 4.1 we did *not*
> upgrade SAMBA versions at that time.  Therefore, I believe that something
> changed in GPFS.  That doesn’t mean it’s GPFS’ fault, of course.  SAMBA
> may have been relying on a bug<ctrl-h><ctrl-h><ctrl-h>undocumented feature
> in GPFS that IBM fixed for all I know, and I’m obviously speculating here.
>
> The problem we see is that the .snapshots directory in each folder can be
> cd’d to but is empty.  The snapshots are all there, however, if you:
>
>  cd /<mount point of fs>/.snapshots/<data and time snapshot was
> taken>/rest/of/path/to/folder/in/question
>
> This obviously prevents users from being able to do their own recovery of
> files unless you do something like what you describe, which we are
> unwilling to do for security reasons.  We have a ticket open with DDN…
>
> Kevin
>
> On Jun 20, 2016, at 8:45 AM, Sobey, Richard A <r.sobey at imperial.ac.uk>
> wrote:
>
> Hi all
>
> Can someone clarify if the ability for Windows to view snapshots as
> Previous Versions is exposed by SAMBA or GPFS? Basically, if suddenly my
> users cannot restore files from snapshots over a CIFS share, where should
> I be looking?
>
> I don’t know when this problem occurred, but within the last few weeks
> certainly our users with full control over their data now see no previous
> versions available, but if we export their fileset and set “force user =
> root” all the snapshots are available.
>
> I think the answer is SAMBA, right? We’re running GPFS 3.5 and
> sernet-samba 4.2.9.
>
> Many thanks
>
> Richard
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>
>> Kevin Buterbaugh - Senior System Administrator
> Vanderbilt University - Advanced Computing Center for Research and
> Education
> Kevin.Buterbaugh at vanderbilt.edu - (615)875-9633
>
>
>
>
>
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>
> --
> Barry Evans
> Technical Director & Co-Founder
> Pixit Media
> Mobile: +44 (0)7950 666 248
> http://www.pixitmedia.com
>
> This email is confidential in that it is intended for the exclusive
> attention of the addressee(s) indicated. If you are not the intended
> recipient, this email should not be read or disclosed to any other person.
> Please notify the sender immediately and delete this email from your
> computer system. Any opinions expressed are not necessarily those of the
> company from which this email was sent and, whilst to the best of our
> knowledge no viruses or defects exist, no responsibility can be accepted
> for any loss or damage arising from its receipt or subsequent use of this
> email.
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
>
>
>
>
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at spectrumscale.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://gpfsug.org/pipermail/gpfsug-discuss_gpfsug.org/attachments/20160706/c2e78fa3/attachment.htm>


More information about the gpfsug-discuss mailing list