> - When I restart the smb/server:default service I have to
>   'rejoin' our domain in order to resolve SIDs again
>   (smbadm join -u administrator domain.gov.au)
>   Is there any bug for this or am I doing something wrong?
>   Should I have to re-join all the time?
You shouldn't have to re-join the domain. Once you've joined a domain, it
should be valid across smb/server restart or system reboot. cifs-gendiag
output is useful when diagnosing such problems.

> I do remember reading that it has not been supported in a
> domain with multiple domain controllers which we have here.

Multiple domain controllers are supported. If you have a pointer to that,
please pass it on and we'll try to have that fixed. Known restrictions are:

- When joining a domain, the kpasswd field in krb5.conf must match the
  domain controller being used to join the domain. If anyone runs into
  this, the workaround is: set pdc using sharectl to match the kpasswd
  server in krb5.conf while joining the domain. I can't remember if
  there's a CR for this but it is on our to-do list.

- If the domain controller being used by the CIFS service becomes
  unreachable, the service may not automatically find an alternate domain
  controller. If you restart the service, it should find another DC.
  'smbadm list' shows the domain controller being used. The short term
  solution is to do it on refresh:

      6772632 Refresh does not trigger DC discovery

  There is a longer term plan to add automatic DC failover.

> - The other main problem I have is that different areas with
>   the ZFS volume need specific groups allowed access.
>   I would love to be able to create AD groups and add that
>   group's access into the file system's ACL and have that
>   inherited nicely down the file system tree. I am making the
>   top level of my filesystem 777 within Opensolaris and allow
>   the ACL to control access as it is only exported via SMB.

777 isn't the same as Everyone:FullControl. Set the inheritance
permissions using a Windows desktop or chmod.
Try this:

    chmod 777 /pool
    chmod A=everyone@:rwxpdDaARWcCos:fd:allow /pool/fs

fd enables inheritance:

    file_inherit (f):  Inherit to all newly created files
    dir_inherit (d):   Inherit to all newly created directories

chmod also supports aliases for common settings to avoid having to figure
out the permission bits:

    full_set     All permissions
    modify_set   All permissions except write_acl and write_owner
    read_set     read_data, read_acl, read_attributes and read_xattr
    write_set    write_data, append_data, write_attributes and write_xattr

The man pages for 'ls' and 'chmod' have more details.

Alan

----- Original Message -----
From: LEES, Cooper
To: [email protected]
Sent: Sunday, November 23, 2008 9:49 PM
Subject: [cifs-discuss] Windows / AD ACLs on ZFS CIFS Share + Domain Membership [SEC=UNCLASSIFIED]

Hi all SMB experts,

I am testing (on an x4500 - Mirrored rpool and a big zfs raidz2 collection
for another big storage pool) the use of Opensolaris and the SMB server on
build snv_101b. I am particularly interested in the SMB server cause
unfortunately our desktop fleet here is Windows, so a user group here
wishes to control access to and use their data all from their Windows
machines and schedule jobs to *nix boxes to analyse the data on other
occasions. So I am stuck in using Windows ACL based file system ACLs to
fulfill the needs of our user and also allow fast access for computation
with our linux cluster. The other main reason I wish to use Opensolaris is
so I can use ZFS send to another x4500 device that is stored off site for
backup.

I have read countless amounts of doco on this topic and have successfully
got shares 'shared' but I am having difficulty with a few things, in
particular:

1) - When I restart the smb/server:default service I have to 'rejoin' our
domain in order to resolve SIDs again (smbadm join -u administrator
domain.gov.au). Is there any bug for this or am I doing something wrong?
Should I have to re-join all the time?
I do remember reading that it has not been supported in a domain with
multiple domain controllers which we have here.

2) - The other main problem I have is that different areas with the ZFS
volume need specific groups allowed access. I would love to be able to
create AD groups and add that group's access into the file system's ACL
and have that inherited nicely down the file system tree. I am making the
top level of my filesystem 777 within Opensolaris and allow the ACL to
control access as it is only exported via SMB. e.g. create a dir at the
root of my zfs, then on that folder add read/write to an Active Directory
group and allow that to inherit.

a) Is that possible with ZFS and the current SMB implementation?
b) Am I going about this the wrong way?

If you would like any output of the cifs-gendiag let me know. Feel free to
contact me via any means.

Any assistance would be appreciated, I don't want to have to run Windows
on the beautiful piece of hardware,

---
Cooper Ry Lees
UNIX Evangelist - Information Management Services (IMS)
Australian Nuclear Science and Technology Organisation
T +61 2 9717 3853  F +61 2 9717 9273  M +61 403 739 446
E [EMAIL PROTECTED]
www.ansto.gov.au

_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
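The compact ACL notation in Alan's reply above, decoded as an added example (not code from the thread or from OpenSolaris): the rwxpdDaARWcCos letters, the f/d inheritance flags and the four chmod(1) aliases are mapped to their permission names, and beyond_mode_bits lists which of an entry's permissions a plain 777 never expresses, which is the point behind "777 isn't the same as Everyone:FullControl". The letter tables follow chmod(1) on Solaris/OpenSolaris; the inherit_only and no_propagate flags are included from that man page although the thread does not use them.

```python
# Compact permission letters in the order `ls -V` prints them: rwxpdDaARWcCos
PERMS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
# Compact inheritance flags; the thread uses f and d
INHERIT = {"f": "file_inherit", "d": "dir_inherit", "i": "inherit_only", "n": "no_propagate"}
# chmod(1) aliases exactly as the reply spells them out
ALIASES = {
    "full_set": frozenset(PERMS.values()),
    "modify_set": frozenset(PERMS.values()) - {"write_acl", "write_owner"},
    "read_set": frozenset({"read_data", "read_acl", "read_attributes", "read_xattr"}),
    "write_set": frozenset({"write_data", "append_data", "write_attributes", "write_xattr"}),
}
# The only ACE permissions the rwx mode bits translate to; a mode such as 777 expresses nothing else
MODE_BIT_PERMS = frozenset({"read_data", "write_data", "append_data", "execute"})

def _expand(letters, table, what):
    """Map a compact letter string ('-' is a placeholder) to permission/flag names."""
    names = set()
    for ch in letters:
        if ch == "-":
            continue
        if ch not in table:
            raise ValueError(f"unknown {what} letter {ch!r}")
        names.add(table[ch])
    return frozenset(names)

def parse_ace(spec):
    """Parse 'who:perms[:inherit]:type', e.g. everyone@:rwxpdDaARWcCos:fd:allow."""
    parts = spec.split(":")
    if parts[0] in ("user", "group"):      # named principal: who is 'group:name'
        who, parts = ":".join(parts[:2]), parts[2:]
    else:                                  # owner@, group@ or everyone@
        who, parts = parts[0], parts[1:]
    if len(parts) == 2:
        perms, inherit, ace_type = parts[0], "", parts[1]
    elif len(parts) == 3:
        perms, inherit, ace_type = parts
    else:
        raise ValueError(f"malformed ACE: {spec!r}")
    if ace_type not in ("allow", "deny"):
        raise ValueError(f"ACE type must be allow or deny, got {ace_type!r}")
    names = ALIASES[perms] if perms in ALIASES else _expand(perms, PERMS, "permission")
    return {"who": who, "perms": names, "inherit": _expand(inherit, INHERIT, "inheritance"),
            "type": ace_type}

def beyond_mode_bits(perms):
    """Permissions in an ACE that no chmod mode can grant: the gap between 777 and FullControl."""
    return sorted(perms - MODE_BIT_PERMS)
```

Feeding it the entry from the reply returns all 14 permissions with file_inherit and dir_inherit set, and beyond_mode_bits on that set lists the ten permissions (delete, delete_child, write_acl, write_owner and the attribute/xattr/acl/synchronize rights) that 777 does not encode.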
