
Community Forum > Questions regarding GlusterFS, shares and file permissions

Hi all,

today I'm trying to set up the scale-out NAS (GlusterFS) of QuantaStor as new file server for my environment. Actually I have 6 network shares on my old storage system. With GlusterFS I have only one network share per Gluster volume, right? There's no possibility to set up sub-shares or anything equivalent. Or is there a way to do this? It's not really important to set up more than one share but it would make the migration to QuantaStor easier.

I'm going on with setting up the folder permissions. Is there a way to give the permissions to user groups which are configured locally on the QuantaStor storage grid? With the Windows permission configuration I can't select the user groups. I can only select the users configured locally on the QuantaStor storage grid. Using the user groups makes the permission administration better because adding or removing users doesn't need to elevate the complete folders for changing the file permissions.

And my last question: Does QuantaStor support Access Based Enumeration? This feature only shows the files and folders the actually logged in user has access to. How can I activate this feature if it's supported?

Kind Regards

Stefan

January 13, 2018 | Registered Commenter Stefan Mössner

We have a Network Share 'aliases' and 'subshares' feature and I think it is available to Gluster shares as well but need to check on that and confirm. Try right-clicking on the Network Share for your Gluster Volume and look for the option to create an alias/subshare. A subshare is a directory within a Network Share that you'd like to present as another Network Share without having to create additional Gluster Volumes. An alias is just another name for an existing Network Share so that it can be presented via multiple names.

>I'm going on with setting up the folder permissions. Is there a way to give the permissions to user groups which are configured locally on the QuantaStor storage grid?

Yes, first create a User Group within the 'Users and Groups' tab then create the User Group. You may also specify the POSIX GID of the group. The group will be created on all storage appliances within the storage grid. From there you can assign CIFS/SMB permissions or ownership to that group in the Modify Share / SMB Access dialog.

>And my last question: Does QuantaStor support Access Based Enumeration? This feature only shows the files and folders the actually logged in user has access to. How can I activate this feature if it's supported?

From a storage grid management perspective or from a SMB / NFS perspective? From a storage management/grid perspective we have Resource Groups and an RBAC system that will allow one to group resources (Volumes, Shares, Pools) with users so that a given subset of users can only view their objects. This also requires adjusting the Roles so that the users only have Network Share 'view' level permissions at the 'Group' level. Not sure that you can access those features in the Community Edition though, I think it will give you a license key error.
Best,
-Steve

January 15, 2018 | Registered Commenter Steve

Hello Steve,

it's not possible to set subshares on the GlusterFS volume. This would be the better solution than defining more GlusterFS volumes. Creating more GlusterFS volumes needs further virtual IP interfaces (for HA) because you can't assign a virtual IP interface to more than one GlusterFS volume.

Folder permissions: I don't want to change the share permissions. I want to change the folder permissions. There might be folders in a share which have to be accessible by different users. So I have to set these permissions with my SMB client, right? But I don't see the groups specified in the storage grid to give the needed permissions.

Access Based Enumeration: I mean from a SMB / NFS perspective. When accessing a network share which contains folders with different permissions like described above the user will only see the folders for which he has the permissions to access these folders.

Kind Regards

Stefan

January 17, 2018 | Registered Commenter Stefan Mössner

Hi all,

any ideas?

Thank you

Stefan

January 23, 2018 | Registered Commenter Stefan Mössner

Hi Stefan,
I had an engineer look at it and you're right we have not yet added the alias and subshare support for Gluster but I think that is what's needed. I'll see if we can get that into the QuantaStor 4.5 release at the end of Feb.

>Access Based Enumeration: I mean from a SMB / NFS perspective. When accessing a network share which contains folders with different permissions like described above the user will only see the folders for which he has the permissions to access these folders.

Yes, I did some checking and this looks like an easy thing to add, essentially it amounts to customizing the SMB configuration options to hide unreadable and unwriteable files. We'll look into adding this to 4.5 as well.

Thanks for the great feedback Stefan, if you're interested in getting an early copy of QS v4.5 once the above features are ready let me know and we'll share a beta or RC candidate with you next month.
Best,
-Steve

January 23, 2018 | Registered Commenter Steve

After further checking, was able to verify that we already have ABE in QuantaStor v4.4. Inside the Create Network Share and Modify Network Share dialogs select the Advanced Settings tab and then check these options:

[x] Hide Unreadable
[x] Hide Unwriteable Files


The other items around support for aliases and subshares on Gluster based Network Shares are being tracked in engineering ticket QSTOR-4406.
Best,
-Steve

January 23, 2018 | Registered Commenter Steve

Hi Steve,

thank you for your updates. Yes, I'm interested in getting an early copy of QS v4.5 if this is possible. Will this be a complete new installation or an inplace upgrade?

And what about my question regarding the folder permissions? I don't want to change the share permissions. I want to change the folder permissions. There might be folders in a share which have to be accessible by different users. So I have to set these permissions with my SMB client, right? But I don't see the groups specified in the storage grid to give the needed permissions - even if I activate the advanced properties for the share (like described on some Gluster related posts found with Google search). Or will this be obsolete if there's a possibility to configure subshares / aliases for Gluster? But there will even be some circumstances needing different folder permissions inside a network share.

Kind Regards

Stefan

January 26, 2018 | Registered Commenter Stefan Mössner

Hi Steve,

there's one more question: How can I change the workgroup name on the QuantaStor nodes or for GlusterFS? Now it's WORKGROUP but my clients belong to the workgroup ARBEITSGRUPPE.

Thank you

Stefan

January 26, 2018 | Registered Commenter Stefan Mössner

Hi Stefan,
Yes, all our releases since 2014 are in-place upgrades. We had some challenges moving from Ubuntu 10.10/maverick to 12.04/precise back in 2013 but since then QuantaStor has been strictly derivative of Ubuntu LTS releases. This makes the platform upgrade process from 12.04 (QS3) -> 14.04 (QS4) -> 16.04 (QS5) and so on pretty straightforward. We recently shed our custom kernel too so that makes it easier for us to apply fixes for things like the Spectre and Meltdown bugs.

With regard to the QS core service and its internal metadata / database, upgrades work from any older version to any newer version. The service dynamically analyzes and upgrades its internal database schema on the fly at service startup. You can also have different nodes in the grid running different versions of QuantaStor as long as they're within a few revisions but we don't recommend doing that for long.

>Or will this be obsolete if there's a possibility to configure subshares / aliases for Gluster? But there will even be some circumstances needing different folder permissions inside a network share.

Yes, I think that the sub-share support will address much of that as you'll be able to apply different SMB owners to different sub-shares and apply ABE settings on all of them. With regard to needing different folder permissions inside a network share, that sounds like something you'd want to research on the Windows side. Windows will store extended attributes onto files and folders via the Samba service and perhaps there's a setting via the MMC security settings that can achieve what you're looking for there. Note, be sure to check the boxes in 'Modify Network Share' to enable extended attributes on the shares.

Best,
-Steve

January 26, 2018 | Registered Commenter Steve

With regard to the workgroup setting, you will want to join each QuantaStor appliance to your AD domain so that they're all in the same domain for a given Gluster cluster. If you don't have AD setup you might try manually editing the /etc/samba/smb.conf on each QuantaStor appliance to change WORKGROUP to ARBEITSGRUPPE.. not sure if that'll work but worth a try.

Best,
-Steve

January 26, 2018 | Registered Commenter Steve

Hi Steve,

>With regard to needing different folder permissions inside a network share, that sounds like something you'd want to research on the Windows side. Windows will store extended attributes onto files and folders via the Samba service and perhaps there's a setting via the MMC security settings that can achieve what you're looking for there. Note, be sure to check the boxes in 'Modify Network Share' to enable extended attributes on the shares.

The problem is that with my Windows client I can give permissions to the user accounts which are configured on the QuantaStor but I don't see the groups I built on the QuantaStor. It's better to allow the access for the groups instead for the single user because there's no long time taking process to set the permissions if there's a change regarding user access. I hope you understand what I mean. Even when opening the MMC with the snap-in 'Computer Management', connecting to the QuantaStor and going to 'Local Users and Groups' I can only see the local users but not the groups.

>Note, be sure to check the boxes in 'Modify Network Share' to enable extended attributes on the shares.

Where do I have to set this option?

>If you don't have AD setup you might try manually editing the /etc/samba/smb.conf on each QuantaStor appliance to change WORKGROUP to ARBEITSGRUPPE.. not sure if that'll work but worth a try.

Thank you. I will try this later. I don't know if this setting is really needed. I have access to the network share. I think the only thing is that the Windows client doesn't see the QuantaStor in its network environment browser.

Kind Regards

Stefan

January 26, 2018 | Registered Commenter Stefan Mössner

>Where do I have to set this option?

1) right-click on the Network Share then choose 'Modify Share & SMB Access...' from the pop-up menu
2) select the 'Advanced Settings' tab
3) in the 'CIFS/SMB Advanced Options' section check the box for [x] Windows Extended ACLs and the box for [x] Extended Attributes

that may fix the groups problem. Also, if you're using the Community Edition we don't allow creation of User Groups but we will in v4.5. Starting with 4.5 the Community Edition will be limited in the following ways:

- no High Availability failover support for ZFS pools (same as before)
- no DR/remote-replication support (same as before)
- no Encryption support (same as before)
- adds support for Host Groups
- adds support for User Groups
- adds support for sending logs
- adds support for storage grids up to 3x appliances
- increases default max capacity to 24TB
- adds support for a single Ceph cluster up to 3x nodes/appliances
- adds support for a single Gluster cluster up to 3x nodes/appliances

With the User Group support added that may help.

Best,
-Steve

January 30, 2018 | Registered Commenter Steve

Hi Steve,

I still have activated [x] Windows Extended ACLs and [x] Extended Attributes after researching in some Gluster forums but this doesn't help. I'm able to create local user groups on the QuantaStor but I can't assign them to folder permissions. So I will have to wait for QuantaStor 4.5.

Thank you for your detailed information regarding the capabilities and limitations of the community edition of QuantaStor 4.5. I have some further questions:

1. Will High Availability be supported for Gluster with XFS, Ceph and the management VIF?
2. Do you mean Syslog support with "sending logs"?
3. Will subshares and aliases be implemented in QuantaStor 4.5 for Gluster?

Kind Regards

Stefan

January 31, 2018 | Registered Commenter Stefan Mössner

Hi Steve,

any news?

Thank you

Stefan

February 6, 2018 | Registered Commenter Stefan Mössner

>1. Will High Availability be supported for Gluster with XFS, Ceph and the management VIF?

Yes.

>2. Do you mean Syslog support with "sending logs"?

In current versions it doesn't allow Community Edition to send a log report via the web interface 'Send Log Report..' dialog, v4.5 fixes that.

>3. Will subshares and aliases be implemented in QuantaStor 4.5 for Gluster?

Not certain yet, will have an update on that next week. Yes for the upgrade to 3.10.9.

Best,
-Steve

February 6, 2018 | Registered Commenter Steve

Hi Stefan,
Good news, alias and subshares is now in for QuantaStor v4.5.
Best,
-Steve

February 6, 2018 | Registered Commenter Steve

Hi Steve,

I have upgraded to v4.5.0 now. I'll give you feedback regarding my issues.

First I had to re-create the GlusterFS volume because there was an error after the upgrade. I had to delete the GlusterFS configuration and I had to restart the Gluster service manually on each node.

Then I have activated [x] Windows Extended ACLs and [x] Extended Attributes but it's still not possible to set file and folder permissions to local groups. I'm able to create local user groups on QuantaStor but I can't assign them to folder permissions within the security settings with a Windows client. I only see the local users that I configured locally on QuantaStor.

I even changed the workgroup setting in the smb.conf file and restarted the samba and the quantastor services but neither there was a change regarding the issue with local groups nor do I see the GlusterFS cluster when browsing the network environment with my Windows client.

The configuration of sub-shares or aliases is now possible with v4.5.0. It takes some time until I have access to the share but it works.

Kind Regards

Stefan

March 10, 2018 | Registered Commenter Stefan Mössner

Hi Steve,

I searched for possible solutions regarding the group issue and found this information at your wiki:

Enabling Global MMC Management
To enable MMC management of all network shares in a given appliance one must manually edit the smb.conf file. In the top section where the [global] stanza is specified add these items just after the [global] tag.

vfs objects = acl_xattr
map acl inherit = Yes
store dos attributes = Yes

After restarting samba and qs-service and opening the share settings with web UI I get the following error: System modification failed. [Error: Command 'wbinfo --all-domains' failed with error code 1. Error = '' [err=516]].

And it's still not possible to set file or folder permissions to local user groups. When using MMC with the snap-in computer management I can access the system but the local groups aren't listed. I only see the users.

But the workgroup setting is OK now: I see the QuantaStor nodes in the network environment. Is it possible to make the virtual GlusterFS resource (VIP) also visible as system in the network environment?

Kind Regards

Stefan

March 13, 2018 | Registered Commenter Stefan Mössner
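
The smb.conf settings named in this thread (the workgroup change, the wiki's [global] ACL options and the two ABE checkboxes) can be checked after an upgrade or service restart with a small audit script. This is an added example, not QuantaStor code and not part of any post: the function names, the share name 'glustershare' and the sample file are constructed, and it assumes the 'Hide Unreadable' and 'Hide Unwriteable Files' checkboxes correspond to Samba's 'hide unreadable' and 'hide unwriteable files' parameters.

```shell
# smb_get FILE SECTION KEY: print the last value assigned to KEY in [SECTION].
# As in Samba, names are case-insensitive, blanks inside parameter names are
# ignored, and lines starting with '#' or ';' are comments.
smb_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        function norm(s) { s = tolower(s); gsub(/[ \t]/, "", s); return s }
        BEGIN { want_sec = tolower(want_sec); want_key = norm(want_key) }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { sec = tolower($0); gsub(/^[ \t]*\[|\].*$/, "", sec); next }
        sec == want_sec && (eq = index($0, "=")) && norm(substr($0, 1, eq - 1)) == want_key {
            val = substr($0, eq + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        }
        END { print val }
    ' "$1"
}

# Samba treats yes/true/on/1 (any case) as boolean true.
is_true() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        yes|true|on|1) return 0 ;;
    esac
    return 1
}

# Share-level value, falling back to the [global] default when the share sets none.
share_opt() {
    v=$(smb_get "$1" "$2" "$3")
    [ -n "$v" ] || v=$(smb_get "$1" global "$3")
    printf '%s\n' "$v"
}

# smb_audit FILE SHARE WORKGROUP: one line per failed check; exit status = failures.
smb_audit() {
    f=$1; share=$2; fails=0
    wg=$(smb_get "$f" global workgroup | tr '[:lower:]' '[:upper:]')
    [ "$wg" = "$3" ] || { echo "FAIL workgroup '$wg', expected '$3'"; fails=$((fails + 1)); }
    case " $(smb_get "$f" global 'vfs objects') " in
        *" acl_xattr "*) ;;
        *) echo "FAIL [global] vfs objects lacks acl_xattr"; fails=$((fails + 1)) ;;
    esac
    for k in 'map acl inherit' 'store dos attributes'; do
        is_true "$(smb_get "$f" global "$k")" ||
            { echo "FAIL [global] $k not enabled"; fails=$((fails + 1)); }
    done
    for k in 'hide unreadable' 'hide unwriteable files'; do
        is_true "$(share_opt "$f" "$share" "$k")" ||
            { echo "FAIL [$share] $k not enabled"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Constructed sample: global options present, share hides only unreadable files.
write_sample() {
    cat > "$1" <<'EOF'
[global]
    workgroup = ARBEITSGRUPPE
    vfs objects = acl_xattr
    map acl inherit = Yes
    store dos attributes = Yes
; hide unwriteable files = yes   (commented out, must be ignored)
[glustershare]
    Hide Unreadable = yes
EOF
}

sample=$(mktemp); write_sample "$sample"
smb_audit "$sample" glustershare ARBEITSGRUPPE || echo "failed checks: $?"
rm -f "$sample"
```

Running the audit from cron or after each appliance update shows whether a hand-edited smb.conf was regenerated, which is the concern raised later in the thread.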

Hi Steve,

any news?

Thank you

Stefan

March 16, 2018 | Registered Commenter Stefan Mössner

Hi Stefan,
Seems like the easiest fix would be to add an AD domain controller, then Samba can map users using RID, auto-RID or RFC2307 mode. Without that wbinfo won't be able to communicate with your local windows user information as it needs to talk to an AD server on the other side. (Those options to set the dos attributes and such are all in the 'Modify Share & SMB Access..' dialog so you can edit those on a per share basis but you've got the right idea for a global setting).

What output do you get from?

wbinfo --own-domain

Here's a quick patch that should solve the error you're seeing, to apply:


wget https://www.dropbox.com/s/7t5ayhlljmm3fx2/qs_service
chmod 755 ./qs_service
service quantastor stop
mv /opt/osnexus/quantastor/bin/qs_service /opt/osnexus/quantastor/bin/qs_service.bak
cp ./qs_service /opt/osnexus/quantastor/bin
service quantastor start

Best,
-Steve

March 16, 2018 | Registered Commenter Steve
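
The steps above replace a service binary with a file fetched from a file-sharing link, so the swap is worth gating on a checksum received from the vendor over a separate channel and keeping reversible. The following is an added example, not part of the post and not OSNEXUS tooling: the function names are hypothetical, the thread publishes no checksum (a placeholder stands in for it), and the demo runs on constructed files in a temporary directory.

```shell
# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_verified NEW_FILE EXPECTED_SHA256 DEST
# Returns 0 after a successful swap, 1 on checksum mismatch (DEST untouched).
install_verified() {
    new=$1; want=$2; dest=$3
    got=$(sha256_of "$new")
    if [ -z "$got" ] || [ "$got" != "$want" ]; then
        echo "checksum mismatch for $new: got ${got:-nothing}; not installing" >&2
        return 1
    fi
    # Keep the current binary so the change can be reverted.
    if [ -e "$dest" ]; then cp -p "$dest" "$dest.bak" || return 2; fi
    # Copy next to the target, then rename: a rename inside one directory is
    # atomic, so nothing ever executes a half-written file.
    cp "$new" "$dest.new" && chmod 755 "$dest.new" && mv -f "$dest.new" "$dest"
}

# rollback DEST: restore the binary saved by install_verified.
rollback() {
    [ -e "$1.bak" ] || return 1
    mv -f "$1.bak" "$1"
}

# With the thread's own paths the sequence would be:
#   service quantastor stop
#   install_verified ./qs_service "<sha256 obtained from the vendor>" \
#       /opt/osnexus/quantastor/bin/qs_service
#   service quantastor start

# Demo on constructed files; no real service or system path is touched.
demo() {
    d=$(mktemp -d)
    printf 'old build\n' > "$d/qs_service"
    printf 'patched build\n' > "$d/download"
    good=$(sha256_of "$d/download")
    install_verified "$d/download" "$good" "$d/qs_service" || return 1
    printf 'tampered\n' > "$d/download"          # same name, different content
    install_verified "$d/download" "$good" "$d/qs_service" 2>/dev/null && return 1
    cat "$d/qs_service"                          # still the verified build
    rm -rf "$d"
}
demo
```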

Hi Steve,

thank you for the patch. I can confirm that there's no error anymore when opening the share settings.

I think there's a misunderstanding regarding the local groups: I have configured local groups on QuantaStor. These groups should be used for setting file and folder permissions on the GlusterFS-based scale-out NAS. But when I open the security settings of a folder on the NAS with my Windows client I can assign the user accounts located on the QuantaStor but not the groups. The groups aren't shown. I don't think that this issue is related to the existence of a domain controller. And I don't want to install a domain controller for my little home lab.

What I can see is that the groups have no GID but the user accounts have one. Could this be the root cause for this issue?

Thank you

Stefan

March 16, 2018 | Registered Commenter Stefan Mössner

Hi Steve,

after updating to QuantaStor 4.5.1 there's still no error anymore when opening the share settings. But I still can't assign local groups of QuantaStor to file and folder permissions. Even if I set POSIX GIDs to the groups it's not possible to assign them.

It would be very good to use the groups for the access rights to files and/or folders.

Kind Regards

Stefan

March 20, 2018 | Registered Commenter Stefan Mössner

Hi Stefan,
I did some checking and found this article (https://askubuntu.com/questions/479505/why-is-samba-not-adding-a-new-user-with-samba-tool) which you might find helpful. In short, without AD I don't think groups can be added. I tried adding a group using the 'samba-tool group add NNNN' but no luck, it's looking for a domain specifier.
Best,
-Steve

March 21, 2018 | Registered Commenter Steve

Hi Steve,

yes, 'samba-tool' requires a domain controller. But if I read other sites it's possible to use local groups for permissions.

I checked the kernel parameters for POSIX acls: https://www.tecmint.com/secure-files-using-acls-in-linux/. The parameter is activated for XFS. Then I looked at the smb.conf for the existence of the global options 'vfs objects = acl_xattr' and 'map acl inherit = Yes'. These options are set. And with 'sudo cat /etc/group' I can see that the groups are configured with the local users I assigned to the groups.

So everything seems to be correct. But I don't see the groups on a Windows system. I only see the local users of Quantastor. I tried this with Windows 10 and Windows Server 2003 - in the past I had an issue with another storage system where the groups are only shown with an older Windows system.

Kind Regards

Stefan

March 22, 2018 | Registered Commenter Stefan Mössner

Hi Steve,

did you find an option for using local groups on QuantaStor? It should be possible because SAMBA is capable of using local groups and showing them in the file/folder security settings dialogue on a Windows client. But all things I tried didn't help. Maybe there's only one little setting that has to be configured but I can't find it.

Thank You

Stefan

April 3, 2018 | Registered Commenter Stefan Mössner

Hi Stefan,
There's this article that you might find helpful.

https://www.techrepublic.com/article/how-to-set-up-samba-shares-for-groups/

I recommend creating a simple ZFS storage pool and then work on getting it working with a QS user group per the instructions in the article. Is the problem that you're seeing that when you assign access to grid local (QuantaStor) User Groups that those groups do not appear from the Windows MMC side, correct? Or are you creating groups on the Windows server side and not able to use those groups on the QuantaStor side?

Let me know if the above helps.

Best,
-Steve

April 3, 2018 | Registered Commenter Steve

Hi Steve,

thank you. I know this article (https://www.techrepublic.com/article/how-to-set-up-samba-shares-for-groups/) well but I don't know where to set the permissions via the cli and don't want to change the settings of the samba.conf because it could be overwritten by updates of QuantaStor. And why are these steps not possible to do with the grid management UI?

"I recommend creating a simple ZFS storage pool and then work on getting it working with a QS user group per the instructions in the article."

--> Is ZFS now supported with Gluster? I thought you have to use XFS when configuring a scale-out NAS with Gluster. And I want to use QuantaStor as scale-out NAS.

"Is the problem that you're seeing is that when you assign access to grid local (QuantaStor) User Groups that those groups do not appear from the Windows MMC side, correct?"

--> Yes, I don't see the groups on Windows - neither in the MMC nor in the security setting dialogue of files or folders. What do you mean by "when you assign access to grid local (QuantaStor) user groups"? Which access rights are needed for these local groups? And how can I assign these access rights? There's only the option to add or remove users and give local users rights to modify the group. I can't assign a role to a group, i. e. the role "Share Access" which might be the right role for the group to get access to the network shares and assigning them to files or folders. Maybe there's the root cause of my problem...

Kind Regards

Stefan

April 4, 2018 | Registered Commenter Stefan Mössner

Hi Steve,

how to go on? I have some questions and I'm waiting for your answer.

I'm looking forward to migrate my data to the QuantaStor SDS because it's the best product I tested in the past. With EMC UnityVSA, EMC Isilon and Compuverde there's no problem to set access rights to files or folders with local groups. So why shouldn't this be possible with QuantaStor? The used modules are ready to use local groups so there must be one little thing to change so that it's working with QuantaStor, too.

It would be really great to get this feature working.

Thank You.

Stefan

April 10, 2018 | Registered Commenter Stefan Mössner

Hi Steve,

any News?

Thank You.

Stefan

April 17, 2018 | Registered Commenter Stefan Mössner

Hi Stefan,
I've opened an engineering ticket, QSTOR-4677, to look into this further. I'm traveling this week but would like to meet with you next week to dig into it further so I can capture more information for the engineering ticket. Let me know if next Thurs or Friday is good for you for a GoToMeeting.
Best,
Steve

April 17, 2018 | Registered Commenter Steve

Hi Steve,

next Friday, April 27, 2018 will be good. I think 20:00 CEST will be a good time. Will this time be OK for you?

Kind Regards

Stefan

April 19, 2018 | Registered Commenter Stefan Mössner