DJ wrote:
> Thanks Mark,
>
> So would you be willing to run a test with the commands I provided and show
> me that difference? I would like to see how different that is.
>
Ok, here you go. This is with the latest bits and with a Windows 2003
server. I don't have a copy of XP handy.
# zpool create -f sandbox c0t7d0
# zfs create -o case=mixed -o aclinherit=passthrough sandbox/testfs
# zfs set sharesmb=on sandbox/testfs
# chown marks:staff /sandbox/testfs
# chmod 770 /sandbox/testfs
# chmod g+s /sandbox/testfs
# chmod A1=owner@:full_set:fd:allow /sandbox/testfs
# chmod A3=group@:full_set:fd:allow /sandbox/testfs
# ls -dV /sandbox/testfs
drwxrws---+ 2 marks staff 2 Sep 28 12:58 /sandbox/testfs
owner@:--------------:-------:deny
owner@:rwxpdDaARWcCos:fd-----:allow
group@:--------------:-------:deny
group@:rwxpdDaARWcCos:fd-----:allow
everyone@:rwxp---A-W-Co-:-------:deny
everyone@:------a-R-c--s:-------:allow
# mkdir /sandbox/testfs/unix-dir
# share -F smb
sandbox_testfs /sandbox/testfs "" ""
The unix-dir created above has the following ACL:
ls -dV unix-dir
drwxrws---+ 2 root staff 2 Sep 28 13:00 unix-dir
owner@:rwxpdDaARWcCos:fdi---I:allow
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxpdDaARWcCos:fdi---I:allow
group@:rwxpdDaARWcCos:------I:allow
Then I went onto my Windows 2003 Server and created two Windows
directories. The first one in the root of the share and the second one
underneath the unix-dir. After I created the directory underneath
unix-dir I then created a single file in that directory from Windows.
After creating the files/dirs via Windows, I then went back to Solaris
and created a file and directory in the newly created Windows directory.
$ ls -dV /sandbox/testfs;ls -VR /sandbox/testfs
drwxrws---+ 4 marks staff 4 Sep 28 13:06 /sandbox/testfs
owner@:--------------:-------:deny
owner@:rwxpdDaARWcCos:fd-----:allow
group@:--------------:-------:deny
group@:rwxpdDaARWcCos:fd-----:allow
everyone@:rwxp---A-W-Co-:-------:deny
everyone@:------a-R-c--s:-------:allow
/sandbox/testfs:
total 6
drwxrws---+ 3 root staff 3 Sep 28 13:10 unix-dir
owner@:rwxpdDaARWcCos:fdi---I:allow
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxpdDaARWcCos:fdi---I:allow
group@:rwxpdDaARWcCos:------I:allow
drwxrws---+ 2 marks staff 2 Sep 28 13:05 windows-folder
owner@:rwxpdDaARWcCos:fd----I:allow
group@:rwxpdDaARWcCos:fd----I:allow
/sandbox/testfs/unix-dir:
total 3
drwxrws---+ 3 marks staff 5 Sep 28 13:18 windows-dir2
owner@:rwxpdDaARWcCos:fd----I:allow
group@:rwxpdDaARWcCos:fd----I:allow
/sandbox/testfs/unix-dir/windows-dir2:
total 5
-rwxrwx---+ 1 marks staff 0 Sep 28 13:14 New Wordpad Document.doc
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxpdDaARWcCos:------I:allow
These two files were created on Solaris via "mkdir and touch"
drwxrws---+ 2 marks staff 2 Sep 28 13:18 new-unix-dir
owner@:rwxpdDaARWcCos:fdi---I:allow
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxpdDaARWcCos:fdi---I:allow
group@:rwxpdDaARWcCos:------I:allow
-rwxrwx---+ 1 marks staff 0 Sep 28 13:18 unix-file
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxpdDaARWcCos:------I:allow
/sandbox/testfs/unix-dir/windows-dir2/new-unix-dir:
total 0
/sandbox/testfs/windows-folder:
total 0
Unless I'm missing something, this appears to work exactly as expected.
There have been a lot of changes in the CIFS server since snv_86 was
released. It may have been a bug that was fixed.
> I will also be interested to see what Afshin tells us. It appears that the
> ZFS inheritance actually takes the single ACL being inherited and then
> "splits" it into two, one that applies to the current directory and the other
> that contains the i--I so that it's only inherited but does not apply to the
> current directory. As shown in these two lines:
>
> group@:rwxpdDaARWcCos:fdi---I:allow
> group@:----dDaARWcCos:------I:allow
>
Yes, that is what ZFS does to propagate ACEs.
> Plus it creates the (for lack of a better way of saying it) standard ZFS ACL
> of:
>
> group@:--------------:-------:deny
> group@:rwxp----------:-------:allow
>
> Which all combined gives the unix permissions of:
>
> drwxrwsr-x+ 3 djc staff 4 Sep 28 09:02 unix-dir
>
> I think part of my confusion is that the CIFS server is doing what I would
> expect. Meaning that I actually need Afshin to explain why the ZFS
> inheritance is not doing the same thing? I actually expected to see that the
> newly created directory would have the user@: and group@: entries identical
> to the parent directory. Not some default created from the unix permissions
> and then two additional ACLs for each of user@: and group@: as it appears to
> do.
>
> I am also still confused as to ordering of these ACLs. Because it would appear
> to me that you now have three entries each for owner:::allow and
> group@:::allow, and two of which conflict with each other. So, which gets
> used? The first one that applies or the last one that applies within the
> list? As you can see, I'm still struggling to understand how these two
> environments are supposed to work together seamlessly.
>
> Thanks again,
> DJ Coster
>
>
_______________________________________________
cifs-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
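
The ordering question raised in the quoted message can be checked mechanically. The sketch below is an added example, not part of the original thread or of any Solaris tool: it parses the compact `ls -V` ACE lines shown above and applies NFSv4-style evaluation, where ACEs are walked in order, inherit-only entries (the `i` flag) are skipped, and the first matching ACE that mentions a requested bit decides it. The function names, the `MEMBER` identity set and the reversed ACL are assumptions made for illustration.

```python
from collections import namedtuple

Ace = namedtuple("Ace", "who perms flags kind")

def parse_acl(text):
    """Parse compact `ls -V` ACE lines: who:perms:flags:type."""
    aces = []
    for line in text.strip().splitlines():
        who, perms, flags, kind = line.strip().rsplit(":", 3)
        aces.append(Ace(who, set(perms) - {"-"}, set(flags) - {"-"}, kind))
    return aces

def check_access(aces, identities, wanted):
    """Walk the ACL in order; return (granted, index of deciding ACE)."""
    remaining = set(wanted)
    for idx, ace in enumerate(aces):
        # Skip ACEs for other principals and inherit-only ACEs ('i' flag),
        # which exist only to be passed on to children.
        if ace.who not in identities or "i" in ace.flags:
            continue
        hit = remaining & ace.perms
        if not hit:
            continue
        if ace.kind == "deny":
            return False, idx          # first matching deny decides the bit
        remaining -= hit               # bits granted so far
        if not remaining:
            return True, idx
    return False, None                 # some bit was never granted: denied

# ACL of /sandbox/testfs, copied from the ls -dV output in the thread.
PARENT = parse_acl("""
owner@:--------------:-------:deny
owner@:rwxpdDaARWcCos:fd-----:allow
group@:--------------:-------:deny
group@:rwxpdDaARWcCos:fd-----:allow
everyone@:rwxp---A-W-Co-:-------:deny
everyone@:------a-R-c--s:-------:allow
""")
# ACL of unix-dir, copied from the thread (inherit-only + effective pairs).
UNIX_DIR = parse_acl("""
owner@:rwxpdDaARWcCos:fdi---I:allow
owner@:rwxpdDaARWcCos:------I:allow
group@:rwxpdDaARWcCos:fdi---I:allow
group@:rwxpdDaARWcCos:------I:allow
""")
MEMBER = {"group@", "everyone@"}       # assumed caller: in group, not owner

if __name__ == "__main__":
    print(check_access(PARENT, MEMBER, "w"))        # group@ allow decides
    print(check_access(PARENT[::-1], MEMBER, "w"))  # constructed reversed order
    print(check_access(UNIX_DIR, MEMBER, "rw"))     # inherit-only ACE skipped
```

With the ACL order from the thread, a group member's write request is settled by the `group@` allow entry before the `everyone@` deny is ever reached; reversing the list (a constructed case) lets the `everyone@` deny decide first.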