Whenever you save an ACL from Windows Explorer, it will sort them
before sending them to the server: Deny ACEs before Allow ACEs.

Unless you have specific security constraints that require Deny
ACEs (which is unusual), don't use Deny ACEs.  Set up your ACLs
using only Allow ACEs.  Alternatively, design your ACLs with the
Deny ACEs first.

Alan

On 10/10/10 09:42 AM, James Lee wrote:
Hi,
I am trying to construct a simple storage using OpenSolaris in order to
access from Windows Server.
1. OpenSolaris side
- default installation of ver.134
- server name: zfs-150
- samba package installed
- successfully joined to a windows domain(e.g., winzdreamlab.local)
2. Windows Server side
- Windows Server 2003 w/ SP2 installed
With the above environment, I've tried the following procedures:
I. In OpenSolaris system:
1.  Created a pool in the OpenSolaris system
-> pfexec zpool create -f -o autoreplace=on pool1 c5d0
2. Created an LV
-> pfexec zfs create -o casesensitivity=mixed -o sharesmb=on -o nbmand=on
pool1/lv1
3. Set a share name
-> pfexec zfs set sharesmb=name=lv1 pool1/lv1
II. In Windows Server 2003 Enterprise,
1. Added a network drive /pool1/lv1 of zfs-150
III. In OpenSolaris System
1. Set a permission of the administrator of Windows 2003 server.
-> pfexec /bin/chmod
A+user:administra...@winzdreamlab.local:rwxpdDaARWcCos:fd-----:allow /pool1/lv1
-> r...@zfs-150:/# /bin/ls -Vd /pool1/lv1
drwxr-x---+  2 root     root           2 Oct 10 09:18 /pool1/lv1
    user:administra...@winzd:rwxpdDaARWcCos:fd-----:allow
    owner@:--------------:-------:deny
    owner@:rwxpdDaARWcCos:fd-----:allow
    group@:-w-p----------:-------:deny
    group@:r-x-----------:fd-----:allow
    everyone@:rwxp---A-W-Co-:-------:deny
    everyone@:------a-R-c--s:-------:allow
IV. In Windows 2003 Server,
1. Removed "file creation/write date" permission
V. In OpenSolaris
-> pfexec /bin/ls -Vd /pool1/lv1
r...@z6s-150-123:/# /bin/ls -Vd /pool1/lv1
d---------+  2 root     root           2 Oct 10 09:18 /pool1/lv1
    group@:-w-p----------:-------:deny
    everyone@:rwxp---A-W-Co-:-------:deny
    user:administra...@winzd:r-xpdDaARWcCos:fd-----:allow
    group@:r-x----------s:fd-----:allow
    owner@:rwxpdDaARWcCos:fd-----:allow
    everyone@:------a-R-c--s:-------:allow
As you can see from the above result, the order of ACEs has been changed, which
means "Administrator" of the Windows 2003 server does not have the right to read
the LV, /pool1/lv1, although I didn't disallow the "READ" permission.
I am wondering if there's a way to preserve the order of ACEs even though I
change the permission to the LV in Windows 2003 server.
Please let me know if there's an existing thread for the above situation, if
there's a way to preserve the order when an LV is created, or if there's any
alternative way to avoid the above situation...
Any advice/comment will be greatly appreciated.
Thanks.
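To make the ordering effect Alan describes concrete, here is a small NFSv4-style ACL evaluator written for this thread (added example, not code from either poster or from OpenSolaris), run over the two `ls -V` listings quoted above. It assumes the usual NFSv4 rule that ZFS applies: ACEs are walked in order, and the first ACE matching the caller that mentions a still-undecided permission bit decides that bit. The principal name is copied as the listing shows it, and the allow-only ACL is constructed from the first listing to illustrate Alan's suggestion.

```python
# Added example: NFSv4-style ACL evaluation over the thread's two listings.
# Assumed semantics: walk ACEs in order; a deny that covers an undecided
# bit refuses access, an allow settles its bits, unmentioned bits stay denied.
PERMS = "rwxpdDaARWcCos"  # ls -V letter positions -> permission bits

def parse_ace(ace):
    """'who:perms:inherit:type' -> (who, set of bits named, type)."""
    who, perms, _inherit, kind = ace.rsplit(":", 3)  # who itself may contain ':'
    return who, {PERMS[i] for i, ch in enumerate(perms) if ch != "-"}, kind

def applies(who, caller, is_owner, in_group):
    if who == "everyone@":
        return True
    if who in ("owner@", "group@"):
        return is_owner if who == "owner@" else in_group
    kind, _, name = who.partition(":")
    return kind == "user" and name == caller

def check_access(acl, caller, wanted, is_owner=False, in_group=False):
    """True if every bit in `wanted` is allowed before any deny reaches it."""
    undecided = set(wanted)
    for ace in acl:
        who, bits, kind = parse_ace(ace)
        if not applies(who, caller, is_owner, in_group):
            continue
        if kind == "deny" and bits & undecided:
            return False          # deny on a still-undecided bit: refused
        if kind == "allow":
            undecided -= bits     # granted bits cannot be denied later
        if not undecided:
            return True
    return False                  # bits no ACE granted stay denied

# Constructed from the two listings in the thread (principal copied as shown).
ADMIN = "administra...@winzd"
BEFORE = [  # as set with chmod A+ on OpenSolaris: the user allow comes first
    f"user:{ADMIN}:rwxpdDaARWcCos:fd-----:allow",
    "owner@:--------------:-------:deny", "owner@:rwxpdDaARWcCos:fd-----:allow",
    "group@:-w-p----------:-------:deny", "group@:r-x-----------:fd-----:allow",
    "everyone@:rwxp---A-W-Co-:-------:deny", "everyone@:------a-R-c--s:-------:allow",
]
AFTER = [  # same entries after Windows Explorer moved every deny to the front
    "group@:-w-p----------:-------:deny", "everyone@:rwxp---A-W-Co-:-------:deny",
    f"user:{ADMIN}:r-xpdDaARWcCos:fd-----:allow", "group@:r-x----------s:fd-----:allow",
    "owner@:rwxpdDaARWcCos:fd-----:allow", "everyone@:------a-R-c--s:-------:allow",
]
ALLOW_ONLY = [a for a in BEFORE if a.endswith(":allow")]  # Alan's suggestion

if __name__ == "__main__":
    for name, acl in (("before", BEFORE), ("after", AFTER), ("allow-only", ALLOW_ONLY)):
        print(name, "read_data for Administrator:", check_access(acl, ADMIN, "r"))
```

With only allow ACEs the outcome no longer depends on order, which is why the everyone@ deny (there only to mirror the 0750 mode bits) is what Windows' re-sorting turns into a read refusal.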



_______________________________________________
storage-discuss mailing list
storage-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/storage-discuss