LEES, Cooper wrote:
> Hi Alan,
>
> Thank you for your response. I have successfully changed the ACL to have
> everyone have access, then modified it from a Windows box. I have also
> modified the ACL inheritance properties:
>
> [EMAIL PROTECTED]:test> zfs get all cesspool/test | grep acl
> cesspool/test  aclmode     passthrough  local
> cesspool/test  aclinherit  passthrough  local
>
> It seems to be working as desired. Great stuff here.
>
> Just need to get this domain joining issue sorted. I try and set the
> property of pdc to our domain controller and it says (even as root):
> [EMAIL PROTECTED]:test> sharectl set -p pdc=mars.ansto.gov.au smb
> Could not set property pdc: bad property value
>

You need to specify an IP address.

Afshin

> My server matches the kpasswd server in the krb5.conf. Will look through
> the cifs-gendiag output and see if I can notice anything.
>
> Thanks for your assistance. Will keep plugging along. Damn Windows world
> we live in ... :(
> ---
> Cooper Ry Lees
> UNIX Evangelist - Information Management Services (IMS)
> Australian Nuclear Science and Technology Organisation
> T +61 2 9717 3853
> F +61 2 9717 9273
> M +61 403 739 446
> E [EMAIL PROTECTED]
> www.ansto.gov.au
>
> Important: This transmission is intended only for the use of the
> addressee. It is confidential and may contain privileged information
> or copyright material. If you are not the intended recipient, any use or
> further disclosure of this communication is strictly forbidden. If you
> have received this transmission in error, please notify me immediately
> by telephone and delete all copies of this transmission as well as any
> attachments.
>
> On 24/11/2008, at 7:48 PM, Alan.M.Wright wrote:
>
>>> - When I restart the smb/server:default service I have to
>>> 'rejoin' our domain in order to resolve SIDs again
>>> (smbadm join -u administrator domain.gov.au)
>>> Is there any bug for this or am I doing something wrong?
>>> Should I have to re-join all the time?
>>
>> You shouldn't have to re-join the domain. Once you've joined
>> a domain, it should be valid across smb/server restart or system
>> reboot. cifs-gendiag output is useful when diagnosing such
>> problems.
>>
>>> I do remember reading that it has not been supported in a
>>> domain with multiple domain controllers which we have here.
>>
>> Multiple domain controllers are supported. If you have a
>> pointer to that, please pass it on and we'll try to have that fixed.
>> Known restrictions are:
>>
>> When joining a domain, the kpasswd field in krb5.conf must
>> match the domain controller being used to join the domain. If
>> anyone runs into this, the workaround is: set pdc using sharectl
>> to match the kpasswd server in krb5.conf while joining the
>> domain. I can't remember if there's a CR for this but it is on our
>> to-do list.
>>
>> If the domain controller being used by the CIFS service becomes
>> unreachable, the service may not automatically find an alternate
>> domain controller. If you restart the service, it should find another
>> DC. 'smbadm list' shows the domain controller being used.
>>
>> The short term solution is to do it on refresh:
>> 6772632 Refresh does not trigger DC discovery.
>> There is a longer term plan to add automatic DC failover.
>>
>>> - The other main problem I have is that different areas with
>>> the ZFS volume need specific groups allowed access.
>>> I would love to be able to create AD groups and add that
>>> group's access into the file systems ACL and have that
>>> inherited nicely down the file system tree. I am making the
>>> top level of my filesystem 777 within Opensolaris and allowing
>>> the ACL to control access as it is only exported via SMB.
>>
>> 777 isn't the same as Everyone:FullControl. Set the inheritance
>> permissions using a Windows desktop or chmod. Try this:
>>
>> chmod 777 /pool
>> chmod A=everyone@:rwxpdDaARWcCos:fd:allow /pool/fs
>>
>> fd enables inheritance:
>>   file_inherit (f): Inherit to all newly created files
>>   dir_inherit (d):  Inherit to all newly created directories
>>
>> chmod also supports aliases for common settings to avoid having to
>> figure out the permission bits:
>>
>>   full_set    All permissions
>>   modify_set  All permissions except write_acl and write_owner
>>   read_set    read_data, read_acl, read_attributes and read_xattr
>>   write_set   write_data, append_data, write_attributes and write_xattr
>>
>> The man pages for 'ls' and 'chmod' have more details.
>>
>> Alan
>>
>> ----- Original Message -----
>> From: LEES, Cooper
>> To: [email protected]
>> Sent: Sunday, November 23, 2008 9:49 PM
>> Subject: [cifs-discuss] Windows / AD ACLs on ZFS CIFS Share + Domain
>> Membership [SEC=UNCLASSIFIED]
>>
>> Hi all SMB experts,
>>
>> I am testing (on an x4500 - mirrored rpool and a big zfs raidz2 collection
>> for another big storage pool) the use of Opensolaris and the SMB server on
>> build snv_101b. I am particularly interested in the SMB server cause
>> unfortunately our desktop fleet here is Windows, so a user group here
>> wishes to control access to and use their data all from their Windows
>> machines and schedule jobs to *nix boxes to analyse the data on other
>> occasions. So I am stuck in using Windows ACL based file system ACLs to
>> fulfill the needs of our user and also allow fast access for computation
>> with our linux cluster. The other main reason I wish to use Opensolaris
>> is so I can use ZFS send to another x4500 device that is stored off site
>> for backup.
>>
>> I have read countless amounts of doco on this topic and have successfully
>> got shares 'shared' but I am having difficulty with a few things, in
>> particular:
>>
>> 1)
>> - When I restart the smb/server:default service I have to 'rejoin' our
>> domain in order to resolve SIDs again (smbadm join -u administrator
>> domain.gov.au)
>> Is there any bug for this or am I doing something wrong? Should I have to
>> re-join all the time? I do remember reading that it has not been supported
>> in a domain with multiple domain controllers which we have here.
>>
>> 2)
>> - The other main problem I have is that different areas with the ZFS
>> volume need specific groups allowed access. I would love to be able to
>> create AD groups and add that group's access into the file systems ACL and
>> have that inherited nicely down the file system tree. I am making the top
>> level of my filesystem 777 within Opensolaris and allowing the ACL to
>> control access as it is only exported via SMB.
>>
>> e.g. create a dir at the root of my zfs, then on that folder add
>> read/write to an Active Directory group and allow that to inherit.
>>
>> a) Is that possible with ZFS and the current SMB implementation?
>> b) Am I going about this the wrong way?
>>
>> If you would like any output of the cifs-gendiag let me know. Feel free to
>> contact me via any means.
>>
>> Any assistance would be appreciated, I don't want to have to run
>> windows on the beautiful piece of hardware,
>> ---
>> Cooper Ry Lees
>>

_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
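As an added illustration (not code from the thread or from the CIFS project), a small parser for the compact ACE syntax Alan uses above, with the four aliases he lists, so that an entry such as `everyone@:rwxpdDaARWcCos:fd:allow` can be checked for inheritance and for whether it hands out write_acl/write_owner before it is applied. The `review` helper and the sample group name `labusers` are assumptions of this example.

```python
# Compact permission letters in the order chmod(1) prints them (rwxpdDaARWcCos).
PERM_LETTERS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
INHERIT_LETTERS = {"f": "file_inherit", "d": "dir_inherit",
                   "i": "inherit_only", "n": "no_propagate"}
ALL_PERMS = frozenset(PERM_LETTERS.values())
# Aliases as listed in the thread; chmod accepts them in place of the letters.
ALIASES = {
    "full_set": ALL_PERMS,
    "modify_set": ALL_PERMS - {"write_acl", "write_owner"},
    "read_set": frozenset({"read_data", "read_acl", "read_attributes", "read_xattr"}),
    "write_set": frozenset({"write_data", "append_data", "write_attributes", "write_xattr"}),
}

def parse_ace(spec):
    """Parse 'who:perms[:inheritance]:allow|deny' (the chmod A=... form)."""
    parts = spec.split(":")
    if parts[0] in ("user", "group"):            # two-token principal
        who, rest = parts[0] + ":" + parts[1], parts[2:]
    else:                                        # owner@, group@, everyone@
        who, rest = parts[0], parts[1:]
    if len(rest) == 2:
        perms, flags, kind = rest[0], "", rest[1]
    elif len(rest) == 3:
        perms, flags, kind = rest
    else:
        raise ValueError(f"malformed ACE: {spec!r}")
    if kind not in ("allow", "deny"):
        raise ValueError(f"ACE type must be allow or deny: {spec!r}")
    # An alias expands to its fixed set; otherwise each letter is looked up
    # ('-' is the placeholder ls -V prints for an absent bit).
    names = ALIASES[perms] if perms in ALIASES else frozenset(
        PERM_LETTERS[c] for c in perms if c != "-")  # KeyError on unknown letter
    inherit = frozenset(INHERIT_LETTERS[c] for c in flags if c != "-")
    return who, names, inherit, kind

def review(spec):
    """Summarise what an ACE grants and whether it propagates down the tree."""
    who, perms, inherit, kind = parse_ace(spec)
    return {
        "who": who, "kind": kind,
        "inherits_to_files": "file_inherit" in inherit,
        "inherits_to_dirs": "dir_inherit" in inherit,
        "full_control": perms == ALL_PERMS,
        # write_acl or write_owner lets the grantee rewrite the ACL itself.
        "can_retake_acl": bool(perms & {"write_acl", "write_owner"}),
    }
```

Run `review` over each entry you intend to pass to `chmod A=...`; a group entry built from `modify_set` with `fd` inherits to new files and directories without granting the ACL-rewriting bits.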
