On June 28, 2017 8:08:40 AM GMT+02:00, Jens Bauernfeind <bauernfe...@ipk-gatersleben.de> wrote:
>Yeah, AD with IDMU
>
>According to this page (very old, but still the truth), you can't live
>without ACLs.
>https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/
>
>You have to inherit the ACLs to newly created files.
>At first I switched to the passthrough acl properties:
>zfs set aclmode=passthrough tank
>zfs set aclinherit=passthrough tank
>Then you have to define an initial ACL for your datasets
>
>For this example I just assume you have the pool tank and one dataset
>test
>- first set your sticky bit
>chmod g+s /tank/test
>- then set the ACLs
>chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test
>so nearly full permission for the owner and the group, and nothing for
>others; all ACLs are inherited to newly created files and directories
>[the "df"]
>8<---
>ls -Vd /tank/test
>drwxrws---+ 5 root IT 5 Jun 28 07:55 /tank/test
> owner@:rwxp-DaARWcCos:fd-----:allow
> group@:rwxp-DaARWcCos:fd-----:allow
> everyone@:--------------:fd-----:allow
>8<---
>(This inheritance doesn't apply to new datasets you create via zfs, btw)
>
>But care: whenever you do a chmod operation or a chgrp on
>/tank/test (or every other dataset), the owner, group and everyone ACEs get
>overwritten
>(according to http://docs.oracle.com/cd/E36784_01/html/E36835/gbaaz.html)
>8<---
>chgrp 0 /tank/test
>ls -Vd /tank/test
>drwxrws--- 5 root root 5 Jun 28 07:55 /tank/test
> owner@:rwxp-DaARWcCos:-------:allow
> group@:rwxp-Da-R-c--s:-------:allow
> everyone@:------a-R-c--s:-------:allow
>See the missing "+" and "fd"?
>8<---
>(This doesn't apply to folders or files)
>
>I hope this helps and I'm not telling lies here.
>But that is my experience with that.
>
>Jens
>
>> -----Original Message-----
>> From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
>> Sent: Tuesday, 27 June 2017 15:21
>> To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
>> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
>> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
>> (owner:group:other) Unix permissions
>>
>> Mine has ldap only for passwd and group.
>>
>> So on your system it really works with just having the traditional unix
>> permissions set. There are no ACLs in place?
>>
>> Do you have an Active Directory domain with IDMU?
>>
>> -----Original Message-----
>> From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
>> Sent: Tuesday, 27 June 2017 15:19
>> To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
>> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
>> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
>> (owner:group:other) Unix permissions
>>
>> also r151022
>>
>> What is your /etc/nsswitch.conf saying?
>> Mine has nearly everywhere "files ldap", except hosts and ipnodes.
>>
>> > -----Original Message-----
>> > From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
>> > Sent: Tuesday, 27 June 2017 14:49
>> > To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
>> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
>> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
>> > (owner:group:other) Unix permissions
>> >
>> > What version of omnios are you using? I'm using R151022.
>> >
>> > -----Original Message-----
>> > From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
>> > Sent: Tuesday, 27 June 2017 14:47
>> > To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
>> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
>> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
>> > (owner:group:other) Unix permissions
>> >
>> > Hm,
>> >
>> > maybe I should share my ldap config.
>> > ldapclient -v manual \
>> > -a credentialLevel=proxy \
>> > -a authenticationMethod=simple \
>> > -a proxyDN="cn=XXX" \
>> > -a proxyPassword=SECRET \
>> > -a defaultSearchBase=dc=ipk=de \
>> > -a domainName=DOMAINNAME \
>> > -a defaultServerList=<IPs of DCs> \
>> > -a attributeMap=group:userpassword=userPassword \
>> > -a attributeMap=group:uniqueMember=member \
>> > -a attributeMap=group:gidnumber=gidNumber \
>> > -a attributeMap=passwd:gecos=cn \
>> > -a attributeMap=passwd:gidnumber=gidNumber \
>> > -a attributeMap=passwd:uidnumber=uidNumber \
>> > -a attributeMap=passwd:uid=sAMAccountName \
>> > -a attributeMap=passwd:homedirectory=unixHomeDirectory \
>> > -a attributeMap=passwd:loginshell=loginShell \
>> > -a attributeMap=shadow:shadowflag=shadowFlag \
>> > -a attributeMap=shadow:userpassword=userPassword \
>> > -a objectClassMap=group:posixGroup=group \
>> > -a objectClassMap=passwd:posixAccount=user \
>> > -a objectClassMap=shadow:shadowAccount=user \
>> > -a serviceSearchDescriptor="passwd:<OUs of users I want to lookup>" \
>> > -a serviceSearchDescriptor="group:<OUs of groups I want to lookup>" \
>> > -a followReferrals=true
>> >
>> > Maybe also a restart of the smb service?
>> >
>> > Jens
>> >
>> > > -----Original Message-----
>> > > From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
>> > > Sent: Tuesday, 27 June 2017 14:40
>> > > To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
>> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
>> > > (owner:group:other) Unix permissions
>> > >
>> > > Hi,
>> > >
>> > > Now I get "can't access domain info" in the smb log and users are prompted to
>> > > enter a password when accessing the shares. :(
>> > >
>> > > From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
>> > > Sent: Tuesday, 27 June 2017 09:37
>> > > To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
>> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
>> > > (owner:group:other) Unix permissions
>> > >
>> > > Hi,
>> > >
>> > > I fixed this problem after executing this:
>> > >
>> > > idmap add winname:"*@<DOMAINNAME>" unixuser:"*"
>> > > idmap add wingroup:"*@<DOMAINNAME>" unixgroup:"*"
>> > > svcadm restart idmap
>> > >
>> > > All newly created files now have the uid and gid from the IDMU
>> > >
>> > > Jens
>> > >
>> > > From: OmniOS-discuss [mailto:omnios-discuss-boun...@lists.omniti.com]
>> > > On Behalf Of Oliver Weinmann
>> > > Sent: Tuesday, 27 June 2017 08:25
>> > > To: omnios-discuss <omnios-discuss@lists.omniti.com>
>> > > Subject: [OmniOS-discuss] CIFS access to a folder with traditional
>> > > (owner:group:other) Unix permissions
>> > >
>> > > Hi,
>> > >
>> > > we are currently migrating all our data from a NetApp system to an OmniOS
>> > > system.
>> > >
>> > > The OmniOS system is joined to AD and the LDAP client is configured to pull
>> > > LDAP info from AD / IDMU. This works fine.
>> > >
>> > > However we can't manage to have access on folders where we have Unix
>> > > permissions from windows (CIFS).
>> > >
>> > > e.g.
>> > >
>> > > the user utest2 is member of the group Up BCSIM De_Dt Da Lg:
>> > >
>> > > root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
>> > > 10000 Up BCSIM De_Dt Da Lg
>> > >
>> > > The folder Unix has the following permissions set:
>> > >
>> > > root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
>> > > total 47
>> > > d---------+ 4 root 2147483653 4 Apr 25 05:37 .
>> > > d---------+ 4 root 2147483659 4 Apr 25 05:35 ..
>> > > drwxrws--- 9 bcsim Up BCSIM De_Dt Da Lg 11 Mar 9 10:40 Unix
>> > > d---------+ 6 root 2147483653 6 Apr 25 05:37 Windows
>> > >
>> > > so User bcsim and all members of group Up BCSIM De_Dt Da Lg can access
>> > > the folder just fine via NFS.
>> > >
>> > > If the user utest2 tries to access this folder from windows via CIFS he gets
>> > > access denied.
>> > >
>> > > If I change the permissions so that other have r-x he can access the folder
>> > > but then I have no control on who can access the folder.
>> > >
>> > > On our NetApp system this was working fine. I assume it has to do with the
>> > > IDMAP daemon using ephemeral mappings instead of pulling the uidnumber
>> > > and gidnumber from AD?
>> > >
>> > > I don't want to use extended ACLs on this folder.
>> > >
>> > > Any ideas?
>> > >
>> > > Oliver Weinmann
>> > > Senior Unix VMWare, Storage Engineer
>> > >
>> > > Telespazio VEGA Deutschland GmbH
>> > > Europaplatz 5 - 64293 Darmstadt - Germany
>> > > Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
>> > > oliver.weinm...@telespazio-vega.de
>> > > http://www.telespazio-vega.de
>> > >
>> > > Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt,
>> > > HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller
Just one addition quickly comes to mind: when dealing with ACLs and similar advanced features, and if your setup includes GNU userland programs, be sure to use illumos /bin/chmod (perhaps explicitly).

Jim
--
Typos courtesy of K-9 Mail on my Redmi Android

_______________________________________________
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss
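The thread's practical point is that a plain chmod or chgrp on a dataset root silently rewrites the owner@/group@/everyone@ ACEs, dropping the "fd" inheritance flags and the "+" marker, so any new files under the share stop inheriting the intended ACL. The following added example (not code from the thread or from illumos/OmniOS) parses the compact ACE lines that `ls -V` prints and reports exactly those regressions, so the check can be run over a listing before and after any mode change. It assumes the illumos compact ACL layout: 14 access bits in the order `rwxpdDaARWcCos`, then 7 inheritance flags in the order `fdinSFI`; the two sample listings are the `ls -Vd /tank/test` outputs quoted in Jens's message.

```python
"""Audit illumos `ls -V` compact ACEs for lost inheritance flags.

Added example, not part of the OmniOS-discuss thread. Field order of the
compact format is the documented illumos one (assumption stated in the
lead-in): 14 access bits `rwxpdDaARWcCos`, 7 inherit flags `fdinSFI`.
"""
import re

# Access bits in the order ls -V prints them, mapped to their ACE names.
ACCESS_NAMES = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}

# One compact ACE line: who:access(14):inherit(7):type, possibly indented.
ACE_RE = re.compile(
    r"^\s*(?P<who>\S+?):(?P<access>[-rwxpdDaARWcCos]{14}):"
    r"(?P<inherit>[-fdinSFI]{7}):(?P<type>allow|deny|audit|alarm)\s*$"
)
# The ls mode string, e.g. "drwxrws---+"; "+" means a non-trivial ACL exists.
MODE_RE = re.compile(r"^([dlbcsp-][rwxsStT-]{9}[+@]*)\s")


def parse_ls_v(text):
    """Return (mode_string, [ace dicts]) parsed from `ls -Vd` output."""
    mode, aces = None, []
    for line in text.splitlines():
        ace = ACE_RE.match(line)
        if ace:
            aces.append({
                "who": ace.group("who"),
                "access": {ACCESS_NAMES[c] for c in ace.group("access") if c != "-"},
                "inherit": set(ace.group("inherit").replace("-", "")),
                "type": ace.group("type"),
            })
            continue
        m = MODE_RE.match(line)
        if m and mode is None:
            mode = m.group(1)
    return mode, aces


def audit_acl(text, required_inherit=("f", "d")):
    """Return findings (empty list = ACL still in the intended state).

    Flags: a mode string without "+", any allow ACE missing the required
    inheritance flags, and an everyone@ ACE that grants anything at all
    (the thread's intent was "nothing for others").
    """
    mode, aces = parse_ls_v(text)
    findings = []
    if mode is not None and "+" not in mode:
        findings.append(f"mode {mode!r} has no '+': ACL collapsed to a trivial, mode-derived one")
    for ace in aces:
        if ace["type"] != "allow":
            continue
        missing = [f for f in required_inherit if f not in ace["inherit"]]
        if missing:
            findings.append(f"{ace['who']}: missing inherit flag(s) {''.join(missing)}")
        if ace["who"] == "everyone@" and ace["access"]:
            findings.append(f"everyone@ grants {sorted(ace['access'])}")
    return findings


# Constructed sample input: the two listings quoted in the thread,
# before and after `chgrp 0 /tank/test`.
BEFORE = """\
drwxrws---+ 5 root IT 5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:fd-----:allow
 group@:rwxp-DaARWcCos:fd-----:allow
 everyone@:--------------:fd-----:allow
"""
AFTER = """\
drwxrws--- 5 root root 5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:-------:allow
 group@:rwxp-Da-R-c--s:-------:allow
 everyone@:------a-R-c--s:-------:allow
"""

if __name__ == "__main__":
    for label, listing in (("before chgrp", BEFORE), ("after chgrp", AFTER)):
        print(f"== {label} ==")
        for finding in audit_acl(listing) or ["OK"]:
            print(" ", finding)
```

In practice the listing would come from `ls -Vd <dataset>` captured on the OmniOS host and fed to `audit_acl`; an empty result means the inheritance flags and the empty everyone@ ACE are still in place. The same parser also shows why the `chmod A=...` line sets `rwxp-DaARWcCos` rather than full access: the fifth position (`delete`) is deliberately left unset.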