Thanks Afshin,

I added the IP. I tried to restart the service but it would not shut down. It kept timing out, as you will see in the attached log output. I have now rebooted and still the same situation occurs. After a fresh reboot I get the following:

[EMAIL PROTECTED]:scripts> smbadm list
Domain: ansto
*** NO DOMAIN Server here in output ***

When I look at groups that I have inserted domain members into, all I get is their SIDs ... no resolving. This never works until I 're-join' the domain with smbadm join -u administrator ansto.gov.au ....

| 9.4) SMB local groups
+------------------------------------------
administrators (Members can fully administer the computer/domain)
SID: S-1-5-32-544
Privileges: 
SeTakeOwnershipPrivilege: On
SeBackupPrivilege: Off
SeRestorePrivilege: Off
Members:
S-1-5-21-732830927-1338270547-930774774-17451
S-1-5-21-732830927-1338270547-930774774-4599
S-1-5-21-732830927-1338270547-930774774-1071
S-1-5-21-732830927-1338270547-930774774-15839
backup operators (Members can bypass file security to back up files)
SID: S-1-5-32-551
Privileges: 
SeTakeOwnershipPrivilege: Off
SeBackupPrivilege: On
SeRestorePrivilege: On
No members
power users (Members can share directories)
SID: S-1-5-32-547
Privileges: 
SeTakeOwnershipPrivilege: Off
SeBackupPrivilege: Off
SeRestorePrivilege: Off
No members

I have attached the output from cifs-gendiag after a fresh boot - For our policies I have had to remove some data ... But my network routes etc. are all good.

Attachment: ansto-fresh-boot-20081126.gz
Description: GNU Zip compressed data


Thanks,
---
Cooper Ry Lees
UNIX Evangelist - Information Management Services (IMS)
Australian Nuclear Science and Technology Organisation
T  +61 2 9717 3853
F  +61 2 9717 9273
M  +61 403 739 446

Important: This transmission is intended only for the use of the addressee. It is confidential and may contain privileged information or copyright material. If you are not the intended recipient, any use or further disclosure of this communication is strictly forbidden. If you have received this transmission in error, please notify me immediately by telephone and delete all copies of this transmission as well as any attachments.

On 25/11/2008, at 5:13 PM, Afshin Salek wrote:

LEES, Cooper wrote:
Hi Alan,
Thank you for your response. I have successfully changed the ACL to have everyone have access, then modified it from a Windows box. I have also modified the ACL inheritance properties:
[EMAIL PROTECTED]:test> zfs get all cesspool/test | grep acl
cesspool/test  aclmode               passthrough            local
cesspool/test  aclinherit            passthrough            local
It seems to be working as desired. Great stuff here.
Just need to get this domain joining issue sorted. I try and set the property of pdc to our domain controller and it says (even as root):
[EMAIL PROTECTED]:test> sharectl set -p pdc=mars.ansto.gov.au smb
Could not set property pdc: bad property value

You need to specify an IP address.

Afshin

My server matches the kpasswd server in the krb5.conf. Will look through the cifs-gendiag output and see if I can notice anything.
Thanks for your assistance. Will keep plugging along. Damn Windows world we live in ... :(
---
Cooper Ry Lees
UNIX Evangelist - Information Management Services (IMS)
Australian Nuclear Science and Technology Organisation
T  +61 2 9717 3853
F  +61 2 9717 9273
M  +61 403 739 446
E  [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
www.ansto.gov.au <http://www.ansto.gov.au>
On 24/11/2008, at 7:48 PM, Alan.M.Wright wrote:
- When I restart the smb/server:default service I have to
'rejoin' our domain in order to resolve SIDs again
(smbadm join -u administrator domain.gov.au)
Is there any bug for this or am I doing something wrong?
Should I have to re-join all the time.

You shouldn't have to re-join the domain.  Once you've joined
a domain, it should be valid across smb/server restart or system
reboot.  cifs-gendiag output is useful when diagnosing such
problems.

I do remember reading that it has not been supported in a
domain with multiple domain controllers which we have here.

Multiple domain controllers are supported.  If you have a
pointer to that, please pass it on and we'll try to have that fixed.
Known restrictions are:

When joining a domain, the kpasswd field in krb5.conf must
match the domain controller being used to join the domain.  If
anyone runs into this, the workaround is: set pdc using sharectl
to match the kpasswd server in krb5.conf while joining the
domain.  I can't remember if there's a CR for this but it is on our
to-do list.

If the domain controller being used by the CIFS service becomes
unreachable, the service may not automatically find an alternate
domain controller.  If you restart the service, it should find another
DC.  'smbadm list' shows the domain controller being used.

The short term solution is to do it on refresh:
6772632 Refresh does not trigger DC discovery.
There is a longer term plan to add automatic DC failover.

- The other main problem I have is that different areas with
the ZFS volume need specific groups allowed access.
I would love to be able to create AD groups and add that
group's access into the file systems ACL and have that
inherited nicely down the file system tree. I am making the
top level of my filesystem 777 within Opensolaris and allowing
the ACL to control access as it is only exported via SMB.

777 isn't the same as Everyone:FullControl.  Set the inheritance
permissions using a Windows desktop or chmod.  Try this:

chmod 777 /pool
chmod A=everyone@:rwxpdDaARWcCos:fd:allow /pool/fs

fd enables inheritance:
file_inherit (f): Inherit to all newly created files
dir_inherit (d): Inherit to all newly created directories

chmod also supports aliases for common settings to avoid having to
figure out the permission bits:

full_set      All permissions
modify_set    All permissions except write_acl and write_owner
read_set      read_data, read_acl, read_attributes and read_xattr
write_set     write_data, append_data, write_attributes and write_xattr

The man pages for 'ls' and 'chmod' have more details.

Alan

----- Original Message ----- From: LEES, Cooper
To: [email protected] <mailto:[email protected]>
Sent: Sunday, November 23, 2008 9:49 PM
Subject: [cifs-discuss] Windows / AD ACLs on ZFS CIFS Share + Domain
Membership [SEC=UNCLASSIFIED]

Hi all SMB experts,

I am testing (on a x4500 - Mirrored rpool and a big zfs raidz2 collection
for another big storage pool) the use of Opensolaris and the SMB server on
build snv_101b. I am particularly interested in the SMB server cause
unfortunately our desktop fleet here is Windows, so a user group here wishes
to control access to and use their data all from their Windows machines and
schedule jobs to *nix boxes to analyse the data on other occasions. So I am
stuck in using Windows ACL based file system ACLs to fulfill the needs of
our user and also allow fast access for computation with our linux cluster.
The other main reason I wish to use Opensolaris is so I can use ZFS send to
another x4500 device that is stored off site for backup.

I have read countless amounts of doco on this topic and have successfully
got shares 'shared' but I am having difficulty with a few things, in
particular:

1)
- When I restart the smb/server:default service I have to 'rejoin' our
domain in order to resolve SIDs again (smbadm join -u administrator
domain.gov.au)
Is there any bug for this or am I doing something wrong? Should I have to
re-join all the time? I do remember reading that it has not been supported
in a domain with multiple domain controllers, which we have here.


2)
- The other main problem I have is that different areas with the ZFS volume
need specific groups allowed access. I would love to be able to create AD
groups and add that group's access into the file systems ACL and have that
inherited nicely down the file system tree. I am making the top level of my
filesystem 777 within Opensolaris and allowing the ACL to control access as it
is only exported via SMB.

e.g. create a dir at the root of my zfs, then on that folder add read/write
to a Active Directory group and allow that to inherit.

a) Is that possible with ZFS and the current SMB implementation?
b) Am I going about this the wrong way?

If you would like any output of the cifs-gendiag let me know. Feel free to
contact me via any means.

Any assistance would be appreciated, I don't want to have to run windows on
the beautiful piece of hardware,
---
Cooper Ry Lees
UNIX Evangelist - Information Management Services (IMS)
Australian Nuclear Science and Technology Organisation
T  +61 2 9717 3853
F  +61 2 9717 9273
M  +61 403 739 446
E  [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
www.ansto.gov.au <http://www.ansto.gov.au>


------------------------------------------------------------------------
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
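The symptom at the top of the thread (smbadm list showing no domain controller, and SMB local-group members listed as raw SIDs instead of names) can be checked mechanically from the cifs-gendiag and smbadm output rather than by eye. The script below is an added example written for this thread, not code from the OpenSolaris CIFS project or from any of the posters. It parses the "SMB local groups" section in the layout shown above (the sample text is constructed from that listing), flags members that are still unresolved SIDs, and checks the pdc value the way sharectl does (it must be an IP address, as Afshin points out). The "DC:" line format for smbadm list is an assumption, since the thread only shows that the line is missing.

```python
import ipaddress
import re

# Constructed sample: the 'SMB local groups' section of a cifs-gendiag report,
# in the layout shown in the thread (header, SID, privileges, member list).
SAMPLE_GROUPS = """\
| 9.4) SMB local groups
+------------------------------------------
administrators (Members can fully administer the computer/domain)
SID: S-1-5-32-544
Privileges:
SeTakeOwnershipPrivilege: On
SeBackupPrivilege: Off
SeRestorePrivilege: Off
Members:
S-1-5-21-732830927-1338270547-930774774-17451
S-1-5-21-732830927-1338270547-930774774-4599
backup operators (Members can bypass file security to back up files)
SID: S-1-5-32-551
Privileges:
SeTakeOwnershipPrivilege: Off
SeBackupPrivilege: On
SeRestorePrivilege: On
No members
"""

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")          # a raw Windows SID
GROUP_HDR_RE = re.compile(r"^([a-z][a-z ]*) \(.*\)$")  # "name (description)"
PRIV_RE = re.compile(r"^(Se\w+Privilege): (On|Off)$")


def parse_local_groups(text):
    """Return {group: {"sid": str, "privileges": {name: bool}, "members": [str]}}."""
    groups = {}
    current = None
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("|", "+")):
            continue  # section banner lines
        hdr = GROUP_HDR_RE.match(line)
        if hdr:
            current = {"sid": None, "privileges": {}, "members": []}
            groups[hdr.group(1)] = current
            in_members = False
            continue
        if current is None:
            continue
        priv = PRIV_RE.match(line)
        if line.startswith("SID: "):
            current["sid"] = line[5:]
        elif line in ("Privileges:", "No members"):
            in_members = False
        elif line == "Members:":
            in_members = True
        elif priv:
            current["privileges"][priv.group(1)] = priv.group(2) == "On"
        elif in_members:
            current["members"].append(line)
    return groups


def unresolved_members(groups):
    """Members still shown as raw SIDs: the service could not map them to
    DOMAIN\\name, which is the symptom reported after the restart."""
    return [(g, m) for g, info in groups.items()
            for m in info["members"] if SID_RE.match(m)]


def domain_controller_listed(smbadm_output):
    """True if 'smbadm list' names a DC. Assumption: the DC appears on a line
    starting with 'DC:' (the thread only shows that the line is absent)."""
    return any(l.strip().startswith("DC:") for l in smbadm_output.splitlines())


def valid_pdc_value(value):
    """sharectl rejects a hostname for the pdc property; it must be an IP."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def domain_join_report(groups_text, smbadm_output):
    """Collect the findings a defender would want to see after a restart."""
    findings = []
    if not domain_controller_listed(smbadm_output):
        findings.append("no domain controller in 'smbadm list' output")
    for group, sid in unresolved_members(parse_local_groups(groups_text)):
        findings.append(f"{group}: member {sid} not resolved to a name")
    return findings


if __name__ == "__main__":
    # Constructed smbadm output matching the thread: a domain line, no DC line.
    for finding in domain_join_report(SAMPLE_GROUPS, "Domain: ansto\n"):
        print(finding)
```

Run against a fresh-boot cifs-gendiag report, an empty findings list means SID resolution survived the restart; any unresolved SID entries while the DC line is also missing point at the lost-join condition discussed above rather than at an ACL problem.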


_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
