Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-72-1955204.1
Update Date:2018-05-02

Solution Type  Problem Resolution Sure

Solution  1955204.1 :   Oracle ZFS Storage Appliance: User and group names are limited to 19 or fewer characters when configuring root directory access for shares  


Related Items
  • Sun ZFS Storage 7320
  • Sun Storage 7210 Unified Storage System
  • Oracle ZFS Storage ZS3-BA
  • Oracle ZFS Storage ZS3-2
  • Sun Storage 7410 Unified Storage System
  • Oracle ZFS Storage ZS3-4
  • Sun ZFS Storage 7420
  • Sun Storage 7310 Unified Storage System
  • Sun Storage 7110 Unified Storage System
  • Sun ZFS Storage 7120

Related Categories
  • PLA-Support>Sun Systems>DISK>ZFS Storage>SN-DK: 7xxx NAS

In this Document
Symptoms
Cause
Solution
References


Created from <SR 3-10010190758>

Applies to:

Sun Storage 7310 Unified Storage System - Version All Versions to All Versions [Release All Releases]
Sun Storage 7110 Unified Storage System - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7420 - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7320 - Version All Versions to All Versions [Release All Releases]
Sun ZFS Storage 7120 - Version All Versions to All Versions [Release All Releases]
7000 Appliance OS (Fishworks)

Symptoms

Configuration of root directory access for shares can be done in either the appliance BUI or via the command line interface (CLI).

In the BUI, navigate to "Shares", choose a share to edit, then click "Access".

 

In the CLI, navigate to "shares", select the share name then use the 'set' command to set the "root_user" and "root_group" properties:

appliance:shares <project/share> > set root_group=some_name
                    root_group = some_name (uncommitted)
appliance:shares <project/share> > set root_user=some_name
                     root_user = some_name (uncommitted)
appliance:shares <project/share> > commit

 

When a user or group name longer than 19 characters is entered, the name is truncated to 19 characters, with no error or other indication that this has occurred.

The practical result is that any pre-defined ACLs cannot be changed.

In the following example, the root access of an Active Directory group called "A_REALLY_REALLY_LONG_GROUP" (25 characters) was defined using one of the above methods.

As a result, "ls -lV" output shows the group name as "A_REALLY_REALLY_LON":

-rwx------+  1 2147483721 Domain Users     716 Jul 13 11:00 800-P001-000-20140711.CSV
      group:2147483648:rwxpdDaARWcCos:-------:allow
      group:ADMIN:rwxpdDaARWcCos:-------:allow
     group:FTP:rwxpd-aARWc--s:-------:allow
       user:2147483652:rwxpdDaARWcCos:-------:allow
       user:2147483652:rwxpdDaARWcCos:------I:allow
       user:2147483722:rwxpd-aARWc--s:------I:allow
     group:FTP:rwxpd-aARWc--s:------I:allow
   group:FTP_2:rwxpd-aARWc--s:------I:allow
      group:ADMIN:rwxpdDaARWcCos:------I:allow
      group:2147483648:rwxpdDaARWcCos:------I:allow
       user:2147483721:rwxpdDaARWcCos:------I:allow
      group:RPM:r-x---a-R-c--s:------I:allow
       user:2147483655:r-x---a-R-c--s:------I:allow
        group:Everyone:r-x---a-R-c--s:------I:allow
   group:METEOR:r-x---a-R-c--s:------I:allow
       user:2147483656:rwxpdDaARWcCos:------I:allow
   group:A_REALLY_REALLY_LON:rwxp--aARWc--s:------I:allow   <---------------truncated
      group:2147483650:rwxpdDaARWcCos:------I:allow
       user:2147483715:rwxpdDaARWcCos:------I:allow


Cause

Known issue.

 

According to bug 15560763 filed for this issue, the set_acl() and get_acl() routines restrict the length of any named user or group in an ACL to 20 characters.

Any names over this length are truncated and silently applied.

When the ACL is read back from the root directory of the filesystem, the name in it is truncated and now represents an invalid group.

The code which reads and writes the ACL for the root directory uses this libsec interface, so the zfs.datasetProperties() method will return an incorrect truncated ACE for user or group names over 19 characters.
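
The silent truncation described above, reproduced as an added example. This is not the libsec source (which this page does not show); the function names are hypothetical, and only ID_STR_MAX = 20 and the sample group name come from the article. It contrasts a copy that shortens the name and reports success with one that rejects it, and adds a heuristic check for 19-character names in "ls -V" output.

```c
#include <stdio.h>
#include <string.h>

#define ID_STR_MAX 20   /* buffer size named in the article: 19 chars + NUL */

/* Before: copy into a fixed buffer, dropping anything past 19 characters
 * and still reporting success (the silent behaviour described above). */
static int store_name_truncating(char dst[ID_STR_MAX], const char *name)
{
    snprintf(dst, ID_STR_MAX, "%s", name);
    return 0;
}

/* After: refuse a name that does not fit instead of shortening it. */
static int store_name_checked(char dst[ID_STR_MAX], const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len >= ID_STR_MAX)
        return -1;                      /* caller must surface this error */
    memcpy(dst, name, len + 1);
    return 0;
}

/* Audit helper (heuristic): a user/group ACE name of exactly 19 characters
 * in "ls -V" output may be the truncated form of a longer name. */
static int ace_name_suspect(const char *ace_line)
{
    const char *p = ace_line + strspn(ace_line, " \t");
    if (strncmp(p, "user:", 5) == 0)
        p += 5;
    else if (strncmp(p, "group:", 6) == 0)
        p += 6;
    else
        return 0;
    return strcspn(p, ":") == (size_t)(ID_STR_MAX - 1);
}

int main(void)
{
    char buf[ID_STR_MAX];
    const char *name = "A_REALLY_REALLY_LONG_GROUP";   /* from the article */
    int rc = store_name_truncating(buf, name);
    printf("truncating: rc=%d stored=\"%s\"\n", rc, buf);
    printf("checked:    rc=%d\n", store_name_checked(buf, name));
    printf("suspect:    %d\n", ace_name_suspect(
        "   group:A_REALLY_REALLY_LON:rwxp--aARWc--s:------I:allow"));
    return 0;
}
```

A 19-character name is not necessarily a truncated one, so a flagged ACE should be compared against the directory service before it is changed.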


Solution

 To avoid the issue described above, user and group names must be limited to 19 or fewer characters when configuring root directory access for shares on the appliance.

 

A fix for this issue will be in our next major code release (AK9).

The 20 char limit is still present in AK8 but should be fixed in AK9 as it looks like the change that fixes this is in ON code that we did not sync to in AK8.

See /usr/src/lib/libsec/common/acltext.c

We picked up the change in Oct 2013 in ON.

Looks like we went from using ID_STR_MAX (which is still 20) over to LOGMAX_MAX which can be above that.

AK8 still uses old 2010 version of this code:

https://grok.cz.oracle.com/source/history/ak-2013-micro-on-clone/usr/src/lib/libsec/common/acltext.c

AK9 is built on S12 so it has the fixes:

https://grok.cz.oracle.com/source/history/ak-9-on-clone/usr/src/lib/libsec/common/acltext.c

 

 

References

<BUG:15560763> - SUNBT6837560 GROUP NAMES NEED A LENGTH RESTRICTION DUE TO LIBSEC LIMITATIONS

Attachments
This solution has no attachment
  Copyright © 2018 Oracle, Inc.  All rights reserved.