Ross Smith wrote:
> On Wed, Nov 26, 2008 at 7:24 AM, Kevin Sumner <[EMAIL PROTECTED]> wrote:
>
>> Hi,
>>
>> I have installed OSol from 2008.11rc1 media (immediately updated to rc2 via
>> pkg) and have created a zpool called 'datapool' on a 500GB drive. I have
>> already moved some data to it, and while in the process of setting it up as
>> a CIFS/NFS NAS I ran into a problem.
>>
>> I set up the CIFS server and set it to workgroup mode, using the article over
>> at the genunix wiki as a guide. I've shared datapool as
>> sharesmb="name=media". I can authenticate and mount the media share via CIFS
>> from both my Vista SP1 box and my Ubuntu 8.10 laptop. Once mounted, though,
>> I can see the folders inside of the share, but I can't view their contents,
>> nor the permissions on the subdirectories, nor the permissions on the share
>> itself -- all these operations fail with an "Access is denied" message on
>> Vista (similar message on Ubuntu). I've tried mounting with both my local
>> account and root, with no difference in behavior. I've tried changing the
>> permissions to be less restrictive and still no change.
>>
>> To work with this issue, I've set up a test volume called 'datapool/test'
>> similar to how the other volumes were created (see below) and populated it
>> with a few files:
>> pfexec zfs create -o casesensitivity=mixed datapool/test
>>
>> Help getting this rolling would be greatly appreciated. As requested in
>> other threads, I've attached the output of cifs-chkcfg, cifs-gendiag, and a
>> snoop during authentication. The 'ls -V' output is below -- datapool has
>> somewhat strange permissions due to my previous attempts to fix this myself:
>> # ls -ldV /datapool /datapool/test
>> dr-xr-xr-x+ 9 root sysadmin 9 Nov 26 01:54 /datapool
>> everyone@:r-x---a-R-c--s:-------:allow
>> group:sysadmin:rwxpdDaARWcCos:fd-----:allow
>> group:users:r-x---a-R-c--s:fd-----:allow
>> drwxr-xr-x 4 root root 6 Nov 26 01:56 /datapool/test
>> owner@:--------------:-------:deny
>> owner@:rwxp---A-W-Co-:-------:allow
>> group@:-w-p----------:-------:deny
>> group@:r-x-----------:-------:allow
>> everyone@:-w-p---A-W-Co-:-------:deny
>> everyone@:r-x---a-R-c--s:-------:allow
>>
>> I don't think this is necessarily a bug, probably a configuration error on my
>> part.
>>
>>
> You have deny entries in there which would tend to cause problems in
> Windows, since there deny entries take precedence over everything
> else.
>
> In particular the everyone.... deny entry is likely to cause problems.
>
> I take a simple approach to security for CIFS: I grant everyone full
> permissions on the main folder, and then do my fine tuning from within
> Windows.
>
> To grant full permissions, run:
> # /usr/bin/chmod everyone@:full_set:fd:allow /path
>
> I don't know how to propagate the changes down to sub-folders I'm
> afraid, but that will at least set your permissions so that the root
> folder can be managed from Windows, and from there it's easy to reset
> permissions on child objects, and tighten up security to how you want
> it.

Those are pretty much vanilla ZFS ACLs. There are always deny entries
created, even when an ACL hasn't been set. For example,

webhost> ls -Vd .
drwxrwxrwx 4 ian staff 12 Nov 27 10:32 .
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:--------------:-------:deny
group@:rwxp----------:-------:allow
everyone@:-------A-W-Co-:-------:deny
everyone@:rwxp--a-R-c--s:-------:allow

Do you recommend changing all ZFS ACLs when using CIFS?

--
Ian.
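
An added example, not part of either message: a small Python check that walks the `ls -V` entries quoted above for /datapool/test in listed order, the way NFSv4-style ACLs (which ZFS uses) are evaluated, to see what each deny entry actually blocks. The function names are hypothetical, and the sketch models only the ACL walk, not root privileges or how the CIFS server maps the client identity.

```python
# ACL text copied from the `ls -ldV /datapool/test` output in the thread.
TEST_ACL = """\
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
"""

def parse_acl(text):
    """Return [(who, set of permission letters, 'allow'|'deny')] in listed order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # "group:sysadmin:..." has a colon inside the principal, so split from the right.
        who, perms, _flags, kind = line.rsplit(":", 3)
        entries.append((who, {c for c in perms if c != "-"}, kind))
    return entries

def check_access(entries, principals, wanted):
    """Walk the ACEs top to bottom. The first matching ACE that names a
    requested permission decides it; permissions nobody grants are denied."""
    pending = set(wanted)
    for who, perms, kind in entries:
        if who not in principals:
            continue
        hit = pending & perms
        if hit and kind == "deny":
            return False
        pending -= hit
        if not pending:
            return True
    return False

if __name__ == "__main__":
    acl = parse_acl(TEST_ACL)
    other = {"everyone@"}            # neither the owner nor in the owning group
    owner = {"owner@", "everyone@"}  # everyone@ also covers the owner
    print("other, list directory (r,x):", check_access(acl, other, "rx"))
    print("other, write (w):           ", check_access(acl, other, "w"))
    print("owner, write (w):           ", check_access(acl, owner, "w"))
```
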