Solaris CIFS Server and ZFS ACLs: The Problem

October 7th, 2008

I’m going to be switching my home file server over to Solaris soon (or, more specifically, Solaris Express Community Edition [SXCE] build 99), and one of the primary goals of this server is to serve up a few directories to Windows or other SMB clients. One of the reasons I’m switching from Linux to Solaris is because I’m significantly increasing the disk space and I want to use ZFS for my storage pool. At the same time, I’m hoping to take advantage of SXCE’s built-in CIFS server to serve SMB shares.

To prepare for the big switch, I installed the latest build on a test machine and am playing around with setting up a configuration similar to what I’ll want. Unfortunately, it became clear quickly that I was going to hit problems with the new NFSv4 ACLs implemented in ZFS and how the CIFS server interacts with those ACLs on behalf of Windows clients.

So, in this post, I’ll walk through what I want to have happen, and what’s actually happening instead.

I have several users. They all belong to a group named data. There is a directory, /export/sandbox, that is for group project resources for everyone in the data group. All users in the group should be able to create files and directories in sandbox, and everyone else in the data group should be able to modify the files and directories. All users on the system should have read access to the sandbox tree.

This is very easy with traditional Unix permissions. You set the sandbox directory to mode 775, set the group to data, and set the setgid bit. For example, if I’m going to make sandbox a ZFS dataset, I can do:

# zfs create -o casesensitivity=mixed rpool/export/sandbox
# chown root:data /export/sandbox
# chmod 775 /export/sandbox
# chmod g+s /export/sandbox

(The casesensitivity option is there to make the dataset play well with Windows as a file share.)

Finally, in each user’s profile I can set umask 002 and everything works as desired. Let’s log in as mwilson and do some tests:

$ umask
002
$ cd /export/sandbox
$ ls -l
total 0
$ touch test-file
$ mkdir test-dir
$ ls -l
total 2
drwxrwsr-x   2 mwilson  data           2 Oct  7 17:35 test-dir/
-rw-rw-r--   1 mwilson  data           0 Oct  7 17:35 test-file

Excellent! This is exactly what we wanted: the file’s group is set to data and it remains writable by the group, as does the directory. Both are read-only for the world. The setgid bit on the new directory is set, so this method will work as users continue making subdirectories deeper in the tree.

But now, we’re going to add a new requirement: some users will access the sandbox from Windows using SMB. My server is already set up to run the Solaris CIFS server, so it’s easy to share this folder:

# zfs set sharesmb=name=sandbox rpool/export/sandbox

Now from a Windows client, I can go to \\server\sandbox and sure enough I see the directory and its contents. I’m authenticated as a user that maps to the mwilson Unix user. Now I’ll create a text file from Windows, then look at the directory listing back in Unix:

$ ls -l
total 5
drwxrwsr-x   2 mwilson  data           2 Oct  7 17:35 test-dir/
-rw-rw-r--   1 mwilson  data           0 Oct  7 17:35 test-file
----------+  1 mwilson  data           0 Oct  7 17:47 windows-file.txt

Whoa! Look at the file we created, windows-file.txt. That’s different… the ZFS ACLs are beginning to rear their ugly heads. The + next to the Unix permissions indicates that this file contains extended ACLs. Let’s look at the ACL on this file:

$ ls -v windows-file.txt
----------+  1 mwilson  data           0 Oct  7 17:47 windows-file.txt
     0:user:mwilson:read_data/write_data/append_data/read_xattr/write_xattr
         /execute/delete_child/read_attributes/write_attributes/delete
         /read_acl/write_acl/write_owner/synchronize:allow
     1:group:2147483648:read_data/write_data/append_data/read_xattr
         /write_xattr/execute/delete_child/read_attributes/write_attributes
         /delete/read_acl/write_acl/write_owner/synchronize:allow

Okay. Deep breath. This file has ACL entries that say the user named mwilson is allowed to do, well, just about everything you could ever want to do to the file. The group with ID 2147483648 also has full permissions. Why the weird group number? It’s something to do with the mapping of Windows users and groups to Unix users and groups…honestly, I don’t know where it’s coming from. Since I’m mapped to the mwilson user, I wish it would just apply the Unix user’s group as the effective group if nothing else.

In any case, there seems to be a problem here: the data group no longer has any access to this file! Nor, it seems, does the world have read access.

Let’s log in as another user, jsmith, who is in the data group and look at the sandbox directory.

$ cd /export/sandbox
$ ls -l
./windows-file.txt: Permission denied
total 4
drwxrwsr-x   2 mwilson  data           2 Oct  7 17:35 test-dir
-rw-rw-r--   1 mwilson  data           0 Oct  7 17:35 test-file

Wow… ls gives us an error just trying to list the directory! That’s pretty bad…

Just for kicks, we’ll make a directory from Windows and see what that looks like, as mwilson:

$ ls
total 6
drwxrwsr-x   2 mwilson  data           2 Oct  7 17:35 test-dir/
-rw-rw-r--   1 mwilson  data           0 Oct  7 17:35 test-file
d-----S---+  2 mwilson  data           2 Oct  7 20:45 windows-dir/
----------+  1 mwilson  data           0 Oct  7 17:47 windows-file.txt

Okay, there’s the directory (windows-dir) but it’s again different than what we’re used to. It looks like the Windows file, but has a capital S in the group mode. That indicates that the setgid bit is set, but the execute bit is not set for the group. Let’s check the ACL that’s in place:

$ ls -dv windows-dir
d-----S---+  2 mwilson  data           2 Oct  7 20:45 windows-dir/
     0:user:mwilson:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:allow
     1:group:2147483648:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:allow

This is just like the file, but with the directory versions of the permission names instead of the file versions of the names.
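To make the symptom described above checkable across a whole share rather than one file at a time, here is an added audit script (my own example, not code from the post or from Solaris). It parses the `ls -v` / `ls -dv` ACL output shown in this post, applies NFSv4 first-match evaluation, and reports which files fail the sandbox convention (group `data` reads and writes, everyone reads). The second sample file's trivial mode-664 ACL is a constructed assumption of what `ls -v test-file` would print; the post itself only shows the Windows-created entries.

```python
"""Audit ZFS (NFSv4-style) ACLs as printed by Solaris `ls -v` against the
sandbox convention: group 'data' reads and writes, everyone else reads."""

# Constructed sample: the Windows-created file from the post, followed by an
# assumed trivial ACL for a mode-664 Unix-created file in the same format
# (the post does not show `ls -v test-file`; this layout is an assumption).
SAMPLE_LISTING = """\
----------+  1 mwilson  data           0 Oct  7 17:47 windows-file.txt
     0:user:mwilson:read_data/write_data/append_data/read_xattr/write_xattr
         /execute/delete_child/read_attributes/write_attributes/delete
         /read_acl/write_acl/write_owner/synchronize:allow
     1:group:2147483648:read_data/write_data/append_data/read_xattr
         /write_xattr/execute/delete_child/read_attributes/write_attributes
         /delete/read_acl/write_acl/write_owner/synchronize:allow
-rw-rw-r--   1 mwilson  data           0 Oct  7 17:35 test-file
     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl/write_owner:allow
     2:group@:execute:deny
     3:group@:read_data/write_data/append_data:allow
     4:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         /write_acl/write_owner:deny
     5:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize:allow
"""


def parse_listing(text):
    """Return {filename: (nontrivial, owning_group, [(who, perms, kind), ...])}.

    Header lines are the `ls -l` style lines (a trailing '+' in the mode
    marks a non-trivial ACL); ACE lines are indented and numbered; an
    indented line starting with '/' continues the previous ACE."""
    files = {}
    current = None
    for line in text.splitlines():
        if not line.startswith(" "):
            fields = line.split()
            current = fields[-1].rstrip("/")
            files[current] = [fields[0].endswith("+"), fields[3], []]
        elif line.lstrip().startswith("/"):
            files[current][2][-1] += line.strip()
        elif line.strip():
            files[current][2].append(line.strip())
    result = {}
    for name, (nontrivial, group, raw_aces) in files.items():
        aces = []
        for raw in raw_aces:
            _, rest = raw.split(":", 1)            # drop the ACE index
            who, perms, kind = rest.rsplit(":", 2)  # who may contain ':'
            aces.append((who, frozenset(perms.split("/")), kind))
        result[name] = (nontrivial, group, aces)
    return result


def permits(aces, subject_whos, perm):
    """NFSv4 evaluation order: the first ACE that names an applicable
    principal and mentions the permission decides; no match means deny."""
    for who, perms, kind in aces:
        if who in subject_whos and perm in perms:
            return kind == "allow"
    return False


def audit(text, expected_group):
    """Per file: can a non-owner member of expected_group read and write, and
    can an unrelated user read?  Principals the subject does not match (the
    owner's user: entry, the numeric group: entry) never apply, which is
    exactly why jsmith is denied on the Windows-created file."""
    report = {}
    for name, (nontrivial, file_group, aces) in parse_listing(text).items():
        member = {"everyone@", "group:" + expected_group}
        if file_group == expected_group:
            member.add("group@")        # group@ means the file's owning group
        report[name] = {
            "nontrivial_acl": nontrivial,
            "group_read": permits(aces, member, "read_data"),
            "group_write": permits(aces, member, "write_data"),
            "world_read": permits(aces, {"everyone@"}, "read_data"),
        }
    return report


def violations(report):
    """Names of files that do not meet the sandbox convention."""
    return sorted(n for n, r in report.items()
                  if not (r["group_read"] and r["group_write"] and r["world_read"]))


if __name__ == "__main__":
    rep = audit(SAMPLE_LISTING, "data")
    for name, r in rep.items():
        print(name, r)
    print("violations:", violations(rep))
```

Feeding it the real output of `ls -v /export/sandbox/*` (or `ls -dv` for directories, whose entries use the same who:perms:type shape) lists every object the CIFS server created with an ACL that shuts out the data group.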

Where does that leave us? Creating files and directories from the Unix command line gives me the behavior I want, but creating files from Windows through the SMB share leads to dreadful results.

The problem definitely lies with ACL inheritance: I suspect I will need to define the ACLs that I want on the sandbox directory and set the appropriate inheritance flags, then files created in an “ACL-aware” fashion, such as by the CIFS server, will end up with the permissions I want. We shall see…hopefully soon I’ll have a follow-up post walking through the solution.

Dear Google: can you please add two features to GMail for me?

April 1st, 2008

For several years, I ran my own server to handle my email. At first it was a fun project, gave me good real-world experience, and provided flexibility that I wouldn’t have had with most hosted options. Procmail and mutt were my friends. Over time, though, keeping up with anti-spam measures became more of a burden than it was fun, and in the grand scheme of things I just didn’t feel like spending my free time on the care and feeding of a production mail server.

The death knell for my own server was the introduction of Google Apps For Your Domain. Having played with regular GMail in the past, I liked the interface and its threading model, and I buy into the philosophy of searching email archives instead of trying to organize them. For those and other reasons, moving email to Google Apps sounded like a good option, so I set up a test domain and eventually moved mattwilson.org to Google Apps.

In short, I’ve been happy with the service and their spam filter is amazingly accurate. So I’m a happy camper, but there is one area where I’d like to see a couple of improvements: handling email list subscriptions.

I subscribe to several mail lists, and GMail’s searching and conversation threading features particularly shine when reading list traffic. Each list gets its own label and messages “skip the inbox” so I can just go through and read the lists I’m interested in as I have time. But here’s where the problems arise:

First, GMail’s filters don’t allow me to reliably drop messages from particular lists in a particular label (for GMail neophytes, think of labels as folders). For some lists I’ve subscribed to, the only way to identify that I received the message from that list is by looking for a specific header. Unfortunately, I can’t filter based on headers with GMail so the messages from those lists couldn’t be filed correctly. Even for the majority of my lists which I filter based on the list address in the “To” field, I occasionally get messages in the inbox because the list was bcc’ed for the particular message. There’s another header that still identifies the list, but I can’t act on it. So feature request one: I’d like to filter based on headers.

Second, I don’t read every message on every list. My workflow is to click on a label, scan the subject lines, and read the messages that look interesting. This leaves several unread conversations, and in the best case it takes three clicks to mark the remaining conversations as read. If I’ve been on vacation or not reading list traffic for a couple days and the messages expand past the first list screen, it takes more work to mark them as read. So feature request two: while browsing a label, I’d like a “Catch Up” or “Mark All As Read” button right up there next to the Delete button.

GMail is inherently a natural fit for managing an email account that subscribes to mail lists. The search is great, and the conversation interface is wonderful for following threads. With the addition of header-based filtering and a quick way to mark everything from a list as read, it would be truly fantastic.

Cell Phones (and yes, the iPhone)

January 9th, 2007

By now, of course, you know it happened: Apple, Inc. announced the iPhone.

As cool as the phone looked throughout the entire demo, I was upset the whole time (and continued to rant all day…) that it’s a GSM/EDGE device. I am in no way a fan of Verizon Wireless as a company, but the bottom line is that they have the best network (in all measurable areas: coverage area, call quality, call setup time, etc.) in the area I live. EvDO is also significantly faster than EDGE, which for a mobile device such as the iPhone is going to be important. But more on the cell carriers later.

First, the iPhone itself. There’s not much to say other than “drool.” How can you not want one?

Warning: boring digression!

Perhaps a digression is in order: the iPhone announcement comes at an interesting time for me because I recently evaluated—and briefly tried—the switch to smartphone-land. My first attempt was a BlackBerry Pearl with T-Mobile, which had a fabulous web browser but otherwise I wasn’t a fan of the interface and capabilities. RIM has its (admittedly large) niche, but I wasn’t necessarily looking for real-time Exchange integration to be my killer-feature. I was coming from fantastic call quality and coverage with Verizon Wireless, so my experience with the BlackBerry wasn’t quite doing it for me and I switched back to my old phone and old plan.

My other option, then, was the Treo 700p. I’d have to pay an arm and leg for the device, but I used Palms long ago and know I’ll like their PDA functionality, so it was just a question of online data access. Sadly, it was a joke. The web browser (if it could render the page at all) was horrendous compared to the BlackBerry web browser, and the most important feature for me in a smartphone is web browsing. Also, despite being on a data network that is an order of magnitude faster (EvDO) than what the BlackBerry had access to, browsing the web on the Treo was painfully slow. It was clear the whole device was single-threaded at the operating system level and it was just an awful experience. So I’m sure the Treo is fantastic in every other way, but if it couldn’t browse the web decently, why even sell it?

I’m not interested in Windows Mobile-based devices, and I have a huge financial incentive to stick with my current (voice-only) cell phone and plan, so I left off my thoughts of smartphones around the end of November and decided to give the market some time to get better.

End digression! 

Which brings us back to the topic at hand: the iPhone just came along. It looks to be exactly what I want: non-Windows-based smartphone with a fantastic web browser and nice interface. And a mail client that can do direct IMAP or POP3 on top of that (this was a problem with the BlackBerry and, as far as I could tell, the Treo—they each had to proxy IMAP or POP3 stuff through the wireless provider, I think. This was an extra charge with T-Mobile and I don’t know how Verizon handled it. I want the phone to make a direct TCP connection to my mail server to check mail!).

I want one.

But… there are snags:

  1. Cingular??? Puh-leeze. They are the worst carrier (call quality/coverage/dropped calls) in this area from everything I’ve seen. At least Apple could have gone with T-Mobile to throw in the “hip and cool” angle.
  2. GSM/EDGE? This one is understandable (sadly), but still not what I want. CDMA/EvDO is just plain better, if for no other reason than EvDO is truly broadband-like speeds and EDGE isn’t. The international market is almost exclusively GSM, though, which is why this decision is understandable. I don’t know much about higher-speed GSM data technologies but we’ll have to see how quickly Cingular builds out their network with better tech and if Apple follows with a matching phone.
  3. This is a very expensive setup. The phone is very pricey and really isn’t a suitable iPod replacement (8GB in the most expensive model which is a bit of a joke for their first “widescreen video iPod”) so you can’t use the “well you’re getting a phone and an iPod for the price of one” argument. You will still want to buy the real widescreen video iPod when it comes out, so budget another few hundred bucks for that. Also, I don’t think most people realize how much an unlimited data plan costs: expect your cell phone to double if you have a regular 450-900 minute a month plan. In the Cingular case, unlimited data looks to be $45/month on top of your voice plan.

Points 1 and 2 aren’t likely to affect the mass market, I just don’t like them. Point 3, though, is interesting to me. What market is Apple going for with this phone? I don’t have any data on this, but I would guess that the majority of the cell phone accounts that have the extra $45/month data plan are corporate lines of service. There’s nothing out there yet indicating Apple has any kind of over-the-air Exchange integration story for the iPhone, which will prevent its adoption as a replacement for most of those corporate devices currently tied to data plans. That will still leave lots of people who are interested in doing this sort of setup on their own (like me), but this isn’t exactly something like an iPod where Mom-and-Dad can sink a one-time cost to buy the device and the kid is happy. Will this be a compelling device without a data plan? Perhaps. Is part of the Cingular/Apple deal a special service plan to get people on board? Perhaps. There are different data plan options (most BlackBerrys are on special BlackBerry data plans, with additional services like IMAP/POP3 mail checking requiring an additional charge), and Cingular looks to have a web-browsing only plan for certain smartphones, but in the case of the iPhone that gets back to the question of direct mail client connections versus proxying through some webmail service.

But forget all that: my big question about the iPhone: what does “runs Mac OS X” mean? It sure doesn’t mean that it’s literally the same operating system distribution that runs on my desktop machine. I suspect it does mean there’s parts of Darwin underneath with some key APIs to make it look like MacOS X for development purposes. (Which segues into the next question: what does developing for an iPhone look like? New XCode module? Will there be a simulator? etc…)

On that note, potentially show-stopper (for me, at least, not most people) news I ran across during my iPhone-news-roundup here at the end of the day: is it true that there will be no third-party development for the iPhone? This seems to be confirmed by another source on the show floor.

Anyway, at the moment, I want one. We’ll see what’s happening in the second half of this year.

Oh, and as promised, my quick thoughts on cell providers in the Portland, Oregon area:

  • T-Mobile. I really like T-Mobile because they have great customer service and the best plans/prices. The downside is limited coverage area and GSM/EDGE.
  • Cingular. Good luck actually getting through a complete call with someone and having both parties actually be able to understand each other the whole time! If you could even make good calls, it would be unfortunate that it’s GSM/EDGE.
  • Verizon Wireless. Pure evil. They cripple their phones so that even if the phone is capable of (for example) sending pictures you took to your computer via Bluetooth, that feature is disabled so you have to use Verizon’s $0.25-per-picture over-the-air picture delivery service. There was a class-action suit against them because of this and folks got new phones, but unfortunately this didn’t result in Verizon changing the practice of crippling phones going forward; they just added more fine print to cover themselves from future lawsuits about it. The most mega of the mega corps when it comes to cell phones. BUT (and this is important) they have the best network in terms of coverage, reliability, etc. They are also CDMA and have great EvDO service around the country. At the end of the day I’m not paying my cell phone company to let me take pictures with my phone, I’m paying them to move my voice and data. It’s incredible how much better Verizon does this than the other carriers I’ve dealt with, so…sadly…Verizon gets my business.
  • Sprint/Nextel. Irrelevant. (yeah, I know, harsh! But at the moment, they are. Come on, you go to Radio Shack to buy them. That can’t be a good sign!)

That’s it for now. As I said, I’ll be curious to revisit the iPhone after the first round of people gets them and takes them for a spin.

Fixing busted fonts in Nevada build 46

September 8th, 2006

Fonts seem to be broken slightly in Nevada builds 45 and 46. To correct, go to /usr/openwin/lib/X11/fonts/F3bitmaps/ and copy fonts.alias.all to fonts.alias.

(Forum thread here)

It’s been a while

August 7th, 2006

Wow, well over a year since I’ve posted anything here. I guess I’m just not cool enough to truly jump on the blogging bandwagon!

Since I feel, for some reason, obligated to add something new at least once per calendar year, let me just say this:

Thank you, Sun Microsystems, for Solaris 10.

Seriously, Solaris 10 may be the best operating system ever. Zones, by themselves, would make this release of Solaris a Big Deal. But as an added bonus, we get ZFS as well. And while I haven’t quite figured out DTrace yet, it’s also a valuable new addition. I’m sure Sun’s marketing department would also want you to know about hundreds of other new features, but Zones and ZFS are what have been keeping me busy and having fun.

And don’t forget, it’s all open source now, so nobody has any reason not to run it!

Beach Pictures

March 14th, 2005

I went to the beach Friday evening with camera in hand. Here are the results:

[Photos: Ocean; Ocean Meets Land; Sunset; Sunset]

Don’t Panic

March 6th, 2005

The Hitchhiker’s Guide to the Galaxy motion picture is arriving April 29th. I love the trailer!

Camp Hancock Report

October 19th, 2004

This weekend saw a trip out to OMSI (Oregon Museum of Science and Industry, http://www.omsi.org)’s Camp Hancock for a star party. The site is about 190 miles from my apartment, a nice, scenic drive of a little over three hours. Such a distance takes you sufficiently far from Portland to have wonderfully dark skies.

Friday night’s weather was generally cooperative; observers will tell you the transparency was relatively poor, but I think most of us were more than happy that two far more important considerations, darkness and lack of cloud cover, were decent. I spent a good portion of the night trying my hand at astrophotography, the results of which were, as one might expect for my first serious attempt, rather lacking in success. However, it was a good learning experience and a necessary first step.

Saturday night I stuck with visual observing, but unfortunately the weather was far less cooperative and clouds covered us up early in the night. That didn’t stop me from hopping around the sky and catching a number of Messier objects while I had the chance. I wrote down the list of what I looked at that night, so without further ado I present Saturday Night’s Hit List:

The evening started with *M11*, an open cluster in Scutum. I tend not to be particularly impressed with most of the open clusters in Messier’s catalog, although from time to time one comes up that has nicely colored stars or an interesting arrangement. But M11, the Wild Duck Cluster, is really spectacular. It’s much more populated and compact than any other open cluster I’ve seen — at least 680 stars covering 13′ — making it appear significantly more like a globular than any other open cluster I’ve seen. It also has a distinctly brighter and more colorful single star near its center.

Next up were *M10* and *M12*, both globular clusters, in Ophiuchus. Their relative closeness and the fact that Ophiuchus was already partially obscured by the horizon at this point made it hard for me to get my exact bearings within the constellation; I had to find both of them and compare their positions to determine if I was looking at M10 or M12. Average globulars, I’d say.

No viewing session is complete without at least a quick look at *M13*, the globular in Hercules. Everything ever written about M13 includes a statement along the lines of “the finest globular cluster in the northern skies” (in this case from _The Messier Objects_ by Stephen James O’Meara), so I’ll just leave it at that!

*M15* is another globular, this time in Pegasus. It’s another of the brighter globulars in the sky.

Technically in Vulpecula’s territory, I find *M27* using stars in Cygnus as a guide (because, honestly, who really knows Vulpecula?). Known as the Dumbbell Nebula, M27 is another staple of my observing sessions. It’s amazing to think that when you’re looking at the nebula, it’s expanding at a rate of about 20 miles per second. From Earth, that translates to a growth rate of 6″ per century.

I have looked for *M40* a couple times before, but nothing stood out when I was looking. Sure enough, there’s a double star right where it’s supposed to be. The inclusion of M40 in Messier’s catalog strikes me as somewhat odd considering that it is just a double star (slightly above where the handle of the Big Dipper connects to the ladle), but according to my Messier Objects finder chart book Messier was apparently looking for a nebula in the area and ended up just finding this double.

Next I tried looking for M26, another open cluster, but ended up landing on a “faint fuzzy” that looked like either a faint globular or bright galaxy. I knew I wasn’t on M26, but I didn’t know what I had landed on instead. Careful consultation with a star chart (in this case Jim’s copy of _Uranometria 2000.0_ since I forgot my own atlas) led me to the hypothesis that I had stumbled upon *NGC 6712*, a magnitude 8.2 globular in Scutum. After some localized clouds in the area passed (they were beginning to become a problem by this point), I did find M26 and based on everything’s relative positions was able to confirm I did find NGC 6712. Final confirmation was with a goto scope (you can’t be too careful, right?).

The quest for *M26*, as mentioned above, was also finally successful after an interesting diversion to NGC 6712. M26 is an open cluster in Scutum, and falls into that category of open clusters that just don’t excite me.

No observing session is complete without getting *M31*, *M32*, and *M110* in the same field of view of my telescope. The Andromeda Galaxy, and its companions, look quite marvelous in such dark skies.

*M33*, the Pinwheel Galaxy, is next on the list and close to Andromeda in the constellation Triangulum. Although moving from Andromeda on to M33 is completely unfair to M33, it is still a nice galaxy to look at. Apparently it may be a satellite galaxy of Andromeda, actually orbiting the larger galaxy.

Next up was *M34*, an open cluster in Perseus. I don’t really remember what this one looked like; I’ll have to take better notes next time. Easily overshadowed by the nearby Perseus Double Cluster, which I’m sure I prefer looking at.

While on open clusters, I next went to *M39*. I’m going to have to revisit this one with my new Messier book close at hand to see if I really did land on what is considered M39, it’s pretty open and lacking stars (only 30 stars across its 30′ size). Moving right along…

*M52* was the next open cluster, in Cassiopeia. Again, open cluster, not good notes, no idea what I thought of this one. Must take better notes on these things in the future!

Now on to a much more impressive open cluster: *M45*, the Pleiades in Taurus. Beautiful, bright stars that form a fuzzy splotch in the sky visible to the naked eye, and quite a sight in a nice wide-field view of the area.

Back to globulars, *M56* in Lyra was partially obscured by the clouds overhead, so I didn’t see it as much more than a spot that was brighter than the surrounding area. I’ll have to revisit this one on a clearer night to appreciate it more.

Perhaps the faintest fuzzy in the set of galaxies in Messier’s catalog, *M74* wasn’t too difficult to find in Pisces given the darkness of the skies out at Hancock. Definitely not one that I’ll be seeing too often outside of star parties given its 9.4 magnitude spread across 10′.5 by 9′.5.

Finally, before the clouds completely covered the sky, the last little opening in the sky was at the far end of Andromeda where we enter Perseus’ territory, home of the Little Dumbbell Nebula, *M76*. This is another one reserved for skies much darker than those close to home; it’s a very small magnitude 10.1 planetary nebula. The transparency at this point was extremely poor (I may have actually been looking through a thin cloud given that the whole sky except this one spot was overcast), and I couldn’t really see the dumbbell shape. I do know it deserves its name, though, because the other time I’ve seen this object was on a much better night for observing and there is a clear resemblance to the larger and brighter Dumbbell Nebula.

That wraps up Saturday night’s batch of objects, sadly cut very short (10pm or so, compared to Friday night when I was up past 2am) by the clouds.

Some technical details about the objects in my descriptions above are from _The Messier Objects_, by Stephen James O’Meara. I don’t know magnitudes for these things off the top of my head, yet ;-).