ACL Problems

[dpankros]

I have a n8800 with 4x1.5 TB Seagates in a RAID6 array formatted with XFS. I'm using firmware 2.01.07.4 to resolve issues with the drives. The n8800 is part of a ADS/Windows 2003 Domain.

I create a new folder from the web interface: name: test; browseable: yes; public: no
I assign ACLs to the folder: domain users: writable; recursive: yes (checked)
From a Vista client I open the test share and create a folder: name: private
I right click on the folder and click properties. I go to the security tab and click advanced. I click edit. I uncheck "Include inheritable permissions from this object's parent" and click Remove on the dialog that pops up. Then I am listed as the only one with permission to the directory other than "CREATOR OWNER" and "CREATOR GROUP". I click "apply" and all the old permissions come back!

Now, I assume the recursive is overriding my ACLs. So I try it without:
I create a new folder from the web interface: name: test2; browseable: yes; public: no
I assign ACLs to the folder: domain users: writable; recursive: no (unchecked)
From a Vista client I open the test2 share and I create a folder: name: private
I right click on the folder and click properties. I go to the security tab and click advanced. I click edit. I uncheck "Include inheritable permissions from this object's parent" and click Remove on the dialog that pops up. Then I am listed as the only one with permission to the directory other than "CREATOR OWNER" and "CREATOR GROUP". I click "apply" and . . .
All the old permissions come back, just like before.

Am I doing something wrong or is this a bug? Seems like the latter to me. Can anyone confirm this behavior in an ADS2003 domain? Thanks!

Dave

[philhu]

I don't think the N7700/8800 or any Thecus will let you set permissions except with the acl interface on the NAS's website.

Where did you read that you can change permissions from a OS's permission screens?

[dpankros]

I didn't read it anywhere. I thought it was implied partially in their use of samba. Our old NAS server used samba and the ACLs of subfolders were manageable from within the OS. Only the toplevel were set from within samba itself. It's a useful supported feature of samba, I don't why you would cripple a NAS by removing it.

Furthermore, their "recursive" option on the ACL page, unless I misunderstand the intent, seems to imply it also. Recursive, to me, implies that all the subfolders and files will have the same permissions. Without recursive set, doesn't that imply that all the subfolders and files will not have the same permissions? Because the web GUI only lets you set the top level ACL, the only other place to set any other ACLs is within the OS.

Regardless, if it is not allowed, it should be. In practical use, a company is not going to want to create separate shares for each user. For more than a few users creating separate shares becomes a major pain. Ideally, you can create one user share and then create a subdirectory for each user there permissioned so only the user, and maybe admins, has/have access. This NAS is clearly targeted at buinesses with ADS support and rack mounting. It seems like this feature shares the same target audience as well. Home users, by contrast, would require only minimal ACL control, if at all, and certainly not LDAP/ADS integration or rack mounting.

At least, that's my view.

Dave

[philhu]

You are preaching to the chior.

It is obvious they crippled permissions that should be standard in samba. I don't think they thought it through, ie, the recursive subdir option.

I have had samba-mounted shares from linux to windows and yes, permissions are exposed, like you'd expect.

Thecus? Are you listening?

[dpankros]

If that's the intended behavior (non-modifiable ACLs on subfolders), I'd guess the reason is to properly support ACLs across NFS, CIFS and AFP.

I think that's a bad resolution and, as I said before, it should be supported. Honestly, I would have thought twice about the n8800 if I had known about the ACL restrictions in advance.

[dpankros]

OK, I don't think I'm crazy anymore. At least for the time being.

I was looking at the n8800 spec sheet on the Thecus web site and under "File System" it has an "Authorization (ACL)" entry. That entry says "Read, Write or Deny option on individual users or groups for share and folder level" (emphasis added).

The problem I reported is that it is only working at the sharelevel. That's it, I'm filing a bug report on it.

[philhu]

You know, I remember that statement now

Good call.

Thecus, where is the ACL FOLDER LEVEL Support?

I just tried it, it lets you set it, but loses it when you save it. Exactly what you said.

[ericlh]

you are usig xfs and xfs support is experimental.
so i think thecus dont give any support on that and don't guarantee anything.

[philhu]

you are usig xfs and xfs support is experimental.
so i think thecus dont give any support on that and don't guarantee anything.

Not true.

XFS is fully supported, both by their replies here and the latest released firmware has XFS, so it is supported.

[dpankros]

XFS is fully supported, both by their replies here and the latest released firmware has XFS, so it is supported.

Regardless, I tried ext3 and it didn't work with that either. Thecus has pretty much confirmed this to be the expected behavior.

[ericlh]

so there is no acls on a share hosted on a thecus nas ? whatever filesystem is used (ext3,zfs,xfs) ?


in january, it was said that :
"At this time there is very limited information for the XFS file system support, as it is only available in beta firmware."
in http://forums.hexus.net/thecus-care-...n7700-xfs.html

so the firmware was beta.
xfs may not be experimental anymore.
xfs is supported now but not clearly documented :

"Multiple File System Support
To meet upcoming standards and ensure maximum compatibility and flexibility, the N8800 offers support for ext3 and ZFS file systems."
in http://www.thecus.com/products_over....nguage=english

[ericlh]

@dpankros :
"Our old NAS server used samba"
what was the brand of your old nas server ?

@dpankros
i read the documentation ...
so it's not that there is no acl, it's that you can't manage them from the os ?
how do you manage your folder permissions ? from the nas web administration interface ? do you manage to apply the permissions of the ads to the folders this way ?

I still don't get it ... is that shares that one creates via the web interface ? or folders ?
or do they mean shared folders (and not subfolders) each time they say folders in the web UI ?

[dpankros]

@dpankros : what was the brand of your old nas server ?

It was just server with several drives running a linux distro and samba.

@dpankros
i read the documentation ...
so it's not that there is no acl, it's that you can't manage them from the os ?
how do you manage your folder permissions ? from the nas web administration interface ? do you manage to apply the permissions of the ads to the folders this way ?

I still don't get it ... is that shares that one creates via the web interface ? or folders ?
or do they mean shared folders (and not subfolders) each time they say folders in the web UI ?

You can manage folder/share-level ACLs from the Thecus Web UI (referred to as "folders" within the Thecus UI or "shares" using common Windows nomenclature). You cannot manage directory-level ACLs from the Web UI or through a Windows OS (I used directory for clarity).

In other words, you can define an ACL at the root of a folder/share, but the subdirectories are stuck with those same permissions.

On a side-note, I've seen some behavior that differs from that, but I cannot directly reproduce it and I have not had time to investigate further.

I hope that helps. Let me know if you have further questions.

-Dave

[ericlh]

thank you dave for taking the time to answer. it's crystal clear now.

have you heard of a brand of nas that has acl on a subfolder level ?

or i may finally build a samba server myself so i have acl and drop the nas solution.

[dean.collins]

I have just been told by my internal technical support staff that the thecus N7700 isn't running the latest version of samba and this is why i cant use SVN on shares created on the N7700

Any thought son when Thecus will update the firmware to run the latest version of samba to fix this problem?

" tortoisesvn.tigris.org/faq.html#samba "

Does anyone know any work arounds?

[dpankros]

Does anyone know any work arounds?

Personally, I have a svn repo stored locally on the svn server and then I use a nightly cron job (using the hot-backup.py script) to copy the repo to the samba server. I keep full copies of the last 10 revisions. I do it nightly, but you could change the schedule to whatever your risk tolerance allows.

It doesn't really fix your problem, but it gives you a working subversion server and backups in case the SVN server goes down.

I do the same for trac, etc...

-Dave