Linux CIFS clients corrupt ACL permissions on second write

Status
Not open for further replies.

Jamie Gruener

Dabbler
Joined
Jan 20, 2014
Messages
18
I originally posted this in another thread, but at the recommendation of user anodos, I'm creating a new thread.

We have a FreeNAS 9.2.1.5-RELEASE instance with several CIFS shares. Accessing and using these shares from Windows 7 clients works just fine, until we throw some CentOS boxes into the mix.

My client is a bare-bones CentOS 6.5 client. I did all of the tests with the original mount.cifs command (version 4.8.1) and then upgraded to the current version (6.4) and then re-ran the tests with the same results.

My mount command:
mount -t cifs //server/share /mnt/share/ -o username=my_username,uid=root,gid=root,domain=my_domain,sec=ntlmv2,cifsacl

First I just create a file and get the permissions:
[root@localhost share]# touch file1
[root@localhost share]# getcifsacl file1
REVISION:0x1
CONTROL:0x8004
OWNER:S-1-5-21-[my_domain_id]-3360
GROUP:S-1-5-21-[my_domain_id]-513
ACL:S-1-5-21-[my_domain_id]-3360:ALLOWED/0x0/FULL
ACL:S-1-5-21-[my_domain_id]-513:ALLOWED/0x0/FULL


Looks good!

Then I edit the file and get permissions again:
[root@localhost share]# vi file1 (added a couple of words then saved)
[root@localhost share]# getcifsacl file1
REVISION:0x1
CONTROL:0x8004
OWNER:S-1-5-21-[my_domain_id]-3360
GROUP:S-1-5-21-[my_domain_id]-513
ACL:S-1-5-21-[my_domain_id]-3360:DENIED/0x0/0x27
ACL:S-1-5-21-[my_domain_id]-3360:ALLOWED/0x0/FULL
ACL:S-1-5-21-[my_domain_id]-3360:ALLOWED/0x0/0x1e0198
ACL:S-1-5-21-[my_domain_id]-513:ALLOWED/0x0/0x1200af
ACL:S-1-1-0:ALLOWED/0x0/0x120088


What happened?! This also happens if I use vi to create the file (permissions are good on first save) and then edit (permissions are wrong).

Windows permissions also accurately reflect these permissions.

If I create files in Windows, the permissions are assigned as expected upon file creation and are not changed after files are edited and saved. Editing and saving a file in CentOS will change the permissions of a file that was originally created in Windows.

So, why are the permissions changing on the second write of a file?

I've tried using or not using uid, gid, noperm, cifsacl, though I haven't done every possible permutation.

Attached is the smb.conf file (renamed smb.conf.txt to get past the file type upload limitation).

Any thoughts of things to try?
 

Attachments

  • smb.conf.txt
    11.6 KB · Views: 295
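
To see exactly which rights the second write introduced, the ACE lines from the two getcifsacl runs above can be decoded and diffed. This is an added example, not part of the original post; it assumes that getcifsacl's `FULL` stands for FILE_ALL_ACCESS (0x1f01ff), and the function names are illustrative.

```python
import re

# Windows file access-mask bits (values from WinNT.h / MS-DTYP).
RIGHTS = {
    0x000001: "READ_DATA", 0x000002: "WRITE_DATA", 0x000004: "APPEND_DATA",
    0x000008: "READ_EA", 0x000010: "WRITE_EA", 0x000020: "EXECUTE",
    0x000040: "DELETE_CHILD", 0x000080: "READ_ATTRIBUTES",
    0x000100: "WRITE_ATTRIBUTES", 0x010000: "DELETE", 0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
FULL = 0x1F01FF  # assumption: "FULL" in the output means FILE_ALL_ACCESS
ACE_RE = re.compile(r"^ACL:(S-[^:]+):(ALLOWED|DENIED)/0x[0-9a-fA-F]+/(\S+)$")

# ACE lines copied from the two getcifsacl runs in the post.
BEFORE = """\
ACL:S-1-5-21-[my_domain_id]-3360:ALLOWED/0x0/FULL
ACL:S-1-5-21-[my_domain_id]-513:ALLOWED/0x0/FULL
"""
AFTER = """\
ACL:S-1-5-21-[my_domain_id]-3360:DENIED/0x0/0x27
ACL:S-1-5-21-[my_domain_id]-3360:ALLOWED/0x0/FULL
ACL:S-1-5-21-[my_domain_id]-3360:ALLOWED/0x0/0x1e0198
ACL:S-1-5-21-[my_domain_id]-513:ALLOWED/0x0/0x1200af
ACL:S-1-1-0:ALLOWED/0x0/0x120088
"""

def parse_aces(text):
    """Return [(sid, type, mask)] for every ACL: line of getcifsacl output."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:  # symbolic masks other than FULL are not handled here
            sid, kind, mask = m.groups()
            aces.append((sid, kind, FULL if mask == "FULL" else int(mask, 16)))
    return aces

def decode(mask):
    """Expand an access mask into the names of the rights it contains."""
    if mask == FULL:
        return ["FULL"]
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def diff_acl(before, after):
    """Return (added, removed) ACEs between two getcifsacl outputs."""
    old, new = parse_aces(before), parse_aces(after)
    return [a for a in new if a not in old], [a for a in old if a not in new]

if __name__ == "__main__":
    added, removed = diff_acl(BEFORE, AFTER)
    for tag, aces in (("+", added), ("-", removed)):
        for sid, kind, mask in aces:
            print(tag, sid, kind, hex(mask), ",".join(decode(mask)))
```

Run against the two listings, the diff shows the group's FULL entry replaced by a narrower mask, a DENIED entry added for the owner, and a new read-only entry for S-1-1-0, the well-known Everyone SID.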

cyberjock

Inactive Account
Joined
Mar 25, 2012
Messages
19,526
I didn't respond because permissions are one of those things you have to do for yourself. We can't really help you. I do have a permissions guide that is "in the works" but I have no ETA on it so you're kind of stuck on your own. :/
 

Jamie Gruener

Dabbler
Joined
Jan 20, 2014
Messages
18
Thanks for replying! I fully understand that only I can determine what my permissions should be for my situation. My main concern is that the permissions are changing when they shouldn't be, and that's really disconcerting/debilitating.

The end result is that we can't use CIFS shares with Linux boxes.
 

Jamie Gruener

Dabbler
Joined
Jan 20, 2014
Messages
18
No. There's been no response beyond what you see here. I don't know if people don't believe me, if it isn't true for them, or what. I'm open to any suggestions.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I think you have an edge use case. Within the next couple of weeks I'm scheduled to join a CentOS server to our domain. I'll do some testing with mount.cifs at that time. How are you setting ACLs? Are you right-clicking on your share in Windows Explorer and using the 'security' tab?
 

Jamie Gruener

Dabbler
Joined
Jan 20, 2014
Messages
18
That sounds like a plan! I'm very eager to hear your results.

The initial permissions were done on the FreeNAS web GUI, of course, but after that initial setup, we're setting the ACLs in Windows 2008 R2 using the Security tab like you would any other Windows share.

What do you think makes it an edge use case? Linux using CIFS shares, CentOS using CIFS shares, or Linux + Windows clients using the same CIFS shares?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> That sounds like a plan! I'm very eager to hear your results.
>
> The initial permissions were done on the FreeNAS web GUI, of course, but after that initial setup, we're setting the ACLs in Windows 2008 R2 using the Security tab like you would any other Windows share.
>
> What do you think makes it an edge use case? Linux using CIFS shares, CentOS using CIFS shares, or Linux + Windows clients using the same CIFS shares?

I meant for people on the forums (AD + Linux + FreeNAS).
 

Jamie Gruener

Dabbler
Joined
Jan 20, 2014
Messages
18
Ah, I see what you mean.

So it's been a month, how's the test going? I keed, I keed.

I tried using a Folio-based user (i.e., not from AD) and also with an NFS share (both with an AD user and a Folio-based user). In all cases the second write to a file caused new ACEs to be created and changes to the existing ACEs. Really, really weird!
 