Hi Jens,

Thanks a lot for your support. I really appreciate it. :)

I will test this on my fresh install of omnios 151022 and report back. It's really a pity that it only works if I do touch the ZFS ACLs. :(

-----Original Message-----
From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
Sent: Wednesday, 28 June 2017 08:09
To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

Yeah, AD with IDMU

According to this page (very old, but still the truth), you can't live without ACLs.
https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/

You have to inherit the ACLs to newly created files.

At first I switched to the passthrough acl properties:
zfs set aclmode=passthrough tank
zfs set aclinherit=passthrough tank

Then you have to define an initial ACL for your datasets.
For this example I just assume you have the pool tank and one dataset test
- first set your sticky bit
chmod g+s /tank/test
- then set the ACLs
chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test

so nearly full permission for the owner and the group, and nothing for others; all ACLs are inherited to newly created files and directories [the "df"]
8<---
ls -Vd /tank/test
drwxrws---+ 5 root IT 5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:fd-----:allow
 group@:rwxp-DaARWcCos:fd-----:allow
 everyone@:--------------:fd-----:allow
8<---
(This inheritance doesn't apply to new datasets you create via zfs, btw)

But care: whenever you do a chmod operation or a chgrp on /tank/test (or any other dataset), the owner, group and everyone ACEs get overwritten (according to http://docs.oracle.com/cd/E36784_01/html/E36835/gbaaz.html)
8<---
chgrp 0 /tank/test
ls -Vd /tank/test
drwxrws--- 5 root root 5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:-------:allow
 group@:rwxp-Da-R-c--s:-------:allow
 everyone@:------a-R-c--s:-------:allow
See the missing "+" and "fd"?
8<---
(This doesn't apply to folders or files)

I hope this helps and I'm not telling lies here. But that is my experience with that.

Jens

> -----Original Message-----
> From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> Sent: Tuesday, 27 June 2017 15:21
> To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>
> Mine has ldap only for passwd and group.
>
> So on your system it really works with just having the traditional unix
> permissions set. There are no ACLs in place?
>
> Do you have an Active Directory domain with IDMU?
>
> -----Original Message-----
> From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> Sent: Tuesday, 27 June 2017 15:19
> To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>
> also r151022
>
> What is your /etc/nsswitch.conf saying?
> Mine has nearly everywhere "files ldap", except hosts and ipnodes.
>
> > -----Original Message-----
> > From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> > Sent: Tuesday, 27 June 2017 14:49
> > To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> > What version of omnios are you using? I'm using R151022.
> >
> > -----Original Message-----
> > From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> > Sent: Tuesday, 27 June 2017 14:47
> > To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> > Hm,
> >
> > maybe I should share my ldap config.
> > ldapclient -v manual \
> > -a credentialLevel=proxy \
> > -a authenticationMethod=simple \
> > -a proxyDN="cn=XXX" \
> > -a proxyPassword=SECRET \
> > -a defaultSearchBase=dc=ipk=de \
> > -a domainName=DOMAINNAME \
> > -a defaultServerList=<IPs of DCs> \
> > -a attributeMap=group:userpassword=userPassword \
> > -a attributeMap=group:uniqueMember=member \
> > -a attributeMap=group:gidnumber=gidNumber \
> > -a attributeMap=passwd:gecos=cn \
> > -a attributeMap=passwd:gidnumber=gidNumber \
> > -a attributeMap=passwd:uidnumber=uidNumber \
> > -a attributeMap=passwd:uid=sAMAccountName \
> > -a attributeMap=passwd:homedirectory=unixHomeDirectory \
> > -a attributeMap=passwd:loginshell=loginShell \
> > -a attributeMap=shadow:shadowflag=shadowFlag \
> > -a attributeMap=shadow:userpassword=userPassword \
> > -a objectClassMap=group:posixGroup=group \
> > -a objectClassMap=passwd:posixAccount=user \
> > -a objectClassMap=shadow:shadowAccount=user \
> > -a serviceSearchDescriptor="passwd:<OUs of users I want to lookup>" \
> > -a serviceSearchDescriptor=group:<OUs of groups I want to lookup> \
> > -a followReferrals=true
> >
> > Maybe also a restart of the smb service?
> >
> > Jens
> >
> > > -----Original Message-----
> > > From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> > > Sent: Tuesday, 27 June 2017 14:40
> > > To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> > >
> > > Hi,
> > >
> > > Now I get "can't access domain info" in the smb log and users are prompted to
> > > enter a password when accessing the shares. :(
> > >
> > > From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> > > Sent: Tuesday, 27 June 2017 09:37
> > > To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> > >
> > > Hi,
> > >
> > > I fixed this problem after executing this:
> > > idmap add winname:"*@<DOMAINNAME>" unixuser:"*"
> > > idmap add wingroup:"*@<DOMAINNAME>" unixgroup:"*"
> > > svcadm restart idmap
> > > All newly created files now have the uid and gid from the IDMU
> > >
> > > Jens
> > >
> > > From: OmniOS-discuss [mailto:omnios-discuss-boun...@lists.omniti.com]
> > > On Behalf Of Oliver Weinmann
> > > Sent: Tuesday, 27 June 2017 08:25
> > > To: omnios-discuss <omnios-discuss@lists.omniti.com>
> > > Subject: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> > >
> > > Hi,
> > >
> > > we are currently migrating all our data from a NetApp system to an OmniOS system.
> > >
> > > The OmniOS system is joined to AD and LDAP client is configured to pull LDAP
> > > info from AD / IDMU. This works fine.
> > >
> > > However we can't manage to have access on folders where we have Unix
> > > permissions from windows (CIFS).
> > >
> > > e.g.
> > >
> > > the user utest2 is member of the group Up BCSIM De_Dt Da Lg:
> > >
> > > root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
> > > 10000 Up BCSIM De_Dt Da Lg
> > >
> > > The folder Unix has the following permissions set:
> > >
> > > root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
> > > total 47
> > > d---------+ 4 root 2147483653 4 Apr 25 05:37 .
> > > d---------+ 4 root 2147483659 4 Apr 25 05:35 ..
> > > drwxrws--- 9 bcsim Up BCSIM De_Dt Da Lg 11 Mar 9 10:40 Unix
> > > d---------+ 6 root 2147483653 6 Apr 25 05:37 Windows
> > >
> > > so User bcsim and all members of group Up BCSIM De_Dt Da Lg can access
> > > the folder just fine via NFS.
> > >
> > > If the user utest2 tries to access this folder from windows via CIFS he gets
> > > access denied.
> > >
> > > If I change the permissions so that other have r-x he can access the folder
> > > but then I have no control on who can access the folder.
> > >
> > > On our NetApp system this was working fine. I assume it has to do with the
> > > IDMAP daemon using ephemeral mappings instead of pulling the uidnumber
> > > and gidnumber from AD?
> > >
> > > I don't want to use extended ACLs on this folder.
> > >
> > > Any ideas?
> > >
> > > Oliver Weinmann
> > > Senior Unix VMWare, Storage Engineer
> > >
> > > Telespazio VEGA Deutschland GmbH
> > > Europaplatz 5 - 64293 Darmstadt - Germany
> > > Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
> > > oliver.weinm...@telespazio-vega.de <mailto:oliver.weinmann@telespazio-vega.de>
> > > http://www.telespazio-vega.de
> > >
> > > Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt,
> > > HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller
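The chgrp demonstration in Jens's message is the thing worth checking for on a running system: one chmod or chgrp on a dataset root silently replaces the inheriting owner@/group@/everyone@ ACEs with a trivial ACL, and from then on new files no longer get the intended permissions. The script below is an added example (not code from the thread, from OmniOS or from the ZFS tools) that parses the compact `ls -Vd` output quoted above and reports three conditions: the mode string has lost its "+", an allow ACE carries neither the f nor the d inheritance flag, or everyone@ has been granted read/write/execute (the "give other r-x" workaround Oliver mentions, which restores CIFS access but opens the data to every user). The first two listings are copied from Jens's message; the third is constructed here. Only the compact ACE syntax (`who:perms:inherit:type`) is handled.

```python
"""Audit a compact ACL listing (`ls -Vd <path>` on illumos/OmniOS) for the
failure mode Jens describes: after chmod/chgrp on the dataset root the
inheriting owner@/group@/everyone@ ACEs are replaced by a trivial ACL, so
newly created files stop inheriting the intended permissions.

Added example; not code from the thread or from OmniOS.  INTENDED and
AFTER_CHGRP are copied from the thread, OTHER_RX is constructed here."""

import re

# Compact permission letters in the order `ls -V` prints them (14 columns):
# read_data, write_data, execute, append_data, delete, delete_child,
# read_attributes, write_attributes, read_xattr, write_xattr, read_acl,
# write_acl, write_owner, synchronize.
PERM_LETTERS = "rwxpdDaARWcCos"
# Compact inheritance flags in print order (7 columns): file_inherit,
# dir_inherit, inherit_only, no_propagate, successful_access, failed_access,
# inherited.
INHERIT_LETTERS = "fdinSFI"

ACE_RE = re.compile(
    r"^\s*(?P<who>owner@|group@|everyone@|user:[^:]+|group:[^:]+)"
    r":(?P<perms>[-" + PERM_LETTERS + r"]{14})"
    r":(?P<inherit>[-" + INHERIT_LETTERS + r"]{7})"
    r":(?P<kind>allow|deny|audit|alarm)\s*$"
)


def parse_ace(line):
    """Parse one compact ACE line into a dict of letter sets for perms/inherit."""
    m = ACE_RE.match(line)
    if not m:
        raise ValueError(f"not a compact ACE line: {line!r}")
    return {
        "who": m["who"],
        "perms": {c for c in m["perms"] if c != "-"},
        "inherit": {c for c in m["inherit"] if c != "-"},
        "kind": m["kind"],
    }


def parse_listing(text):
    """Split an `ls -Vd` listing into the mode string (e.g. 'drwxrws---+')
    and the parsed ACE lines that follow it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    mode = lines[0].split()[0]
    return mode, [parse_ace(ln) for ln in lines[1:]]


def audit_listing(text):
    """Return a list of findings; an empty list means the ACL still matches the
    intended 'owner and group inherit, nothing for others' layout."""
    mode, aces = parse_listing(text)
    findings = []
    # A trivial ACL prints no '+' after the mode bits: the inherited ACEs are gone.
    if not mode.endswith("+"):
        findings.append("mode has no '+': ACL is trivial, the inherited ACEs were replaced")
    for ace in aces:
        if ace["kind"] != "allow":
            continue
        # Without f (file_inherit) or d (dir_inherit) new objects do not get this ACE.
        if not ace["inherit"] & {"f", "d"}:
            findings.append(f"{ace['who']}: no f/d flags, new files and dirs will not inherit it")
        # everyone@ with data access defeats the 'nothing for others' goal.
        data_access = ace["perms"] & {"r", "w", "x"}
        if ace["who"] == "everyone@" and data_access:
            findings.append(f"everyone@ allows {''.join(sorted(data_access))}: others get data access")
    return findings


# Copied from Jens's message: the intended state right after `chmod A=...`.
INTENDED = """\
drwxrws---+ 5 root IT 5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:fd-----:allow
 group@:rwxp-DaARWcCos:fd-----:allow
 everyone@:--------------:fd-----:allow
"""

# Copied from Jens's message: the same directory after `chgrp 0 /tank/test`.
AFTER_CHGRP = """\
drwxrws--- 5 root root 5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:-------:allow
 group@:rwxp-Da-R-c--s:-------:allow
 everyone@:------a-R-c--s:-------:allow
"""

# Constructed here: the "give other r-x" workaround, inheritance intact but
# everyone@ now reads and traverses the tree.
OTHER_RX = """\
drwxrwsr-x+ 5 root IT 5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:fd-----:allow
 group@:rwxp-DaARWcCos:fd-----:allow
 everyone@:r-x---a-R-c--s:fd-----:allow
"""

if __name__ == "__main__":
    for name, listing in (("intended", INTENDED), ("after chgrp", AFTER_CHGRP),
                          ("other r-x", OTHER_RX)):
        print(f"{name}: {audit_listing(listing) or ['ok']}")
```

Run it against real output with `ls -Vd /tank/test | python3 acl_audit.py`-style piping by replacing the embedded listings with `sys.stdin.read()`; an empty result means the dataset root still carries the inheriting ACEs Jens set up, anything else means a chmod/chgrp (or the r-x workaround) has changed what new files will get.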
_______________________________________________ OmniOS-discuss mailing list OmniOS-discuss@lists.omniti.com http://lists.omniti.com/mailman/listinfo/omnios-discuss