Yes, I generally replace all the permissions, and just realised my syntax above was wrong. It should be:
# /usr/bin/chmod A=everyone@:full_set:fd:allow /path

That replaces all the default ACLs with just one for everyone.

Ross

On Wed, Nov 26, 2008 at 9:48 PM, Ian Collins <[EMAIL PROTECTED]> wrote:
> Ross Smith wrote:
>> On Wed, Nov 26, 2008 at 7:24 AM, Kevin Sumner <[EMAIL PROTECTED]> wrote:
>>
>>> Hi,
>>>
>>> I have installed OSol from 2008.11rc1 media (immediately updated to rc2 via
>>> pkg) and have created a zpool called 'datapool' on a 500GB drive. I have
>>> already moved some data to it, and while in the process of setting it up as
>>> a CIFS/NFS NAS I ran into a problem.
>>>
>>> I set up the CIFS server and set it to workgroup mode, using the article
>>> over at the genunix wiki as a guide. I've shared datapool as
>>> sharesmb="name=media". I can authenticate and mount the media share via
>>> CIFS from both my Vista SP1 box and my Ubuntu 8.10 laptop. Once mounted,
>>> though, I can see the folders inside of the share, but I can't view their
>>> contents, nor the permissions on the subdirectories, nor the permissions on
>>> the share itself -- all these operations fail with an "Access is denied"
>>> message on Vista (similar message on Ubuntu). I've tried mounting with
>>> both my local account and root, with no difference in behavior. I've tried
>>> changing the permissions to be less restrictive and still no change.
>>>
>>> To work with this issue, I've set up a test volume called 'datapool/test'
>>> similar to how the other volumes were created (see below) and populated it
>>> with a few files:
>>> pfexec zfs create -o casesensitivity=mixed datapool/test
>>>
>>> Help getting this rolling would be greatly appreciated. As requested in
>>> other threads, I've attached the output of cifs-chkcfg, cifs-gendiag, and a
>>> snoop during authentication. The 'ls -V' output is below -- datapool has
>>> somewhat strange permissions due to my previous attempts to fix this myself:
>>> # ls -ldV /datapool /datapool/test
>>> dr-xr-xr-x+ 9 root sysadmin 9 Nov 26 01:54 /datapool
>>>     everyone@:r-x---a-R-c--s:-------:allow
>>>     group:sysadmin:rwxpdDaARWcCos:fd-----:allow
>>>     group:users:r-x---a-R-c--s:fd-----:allow
>>> drwxr-xr-x 4 root root 6 Nov 26 01:56 /datapool/test
>>>     owner@:--------------:-------:deny
>>>     owner@:rwxp---A-W-Co-:-------:allow
>>>     group@:-w-p----------:-------:deny
>>>     group@:r-x-----------:-------:allow
>>>     everyone@:-w-p---A-W-Co-:-------:deny
>>>     everyone@:r-x---a-R-c--s:-------:allow
>>>
>>> I don't think this is necessarily a bug, probably a configuration error on my
>>> part.
>>>
>>>
>> You have deny entries in there which would tend to cause problems in
>> Windows, since there deny entries take precedence over everything
>> else.
>>
>> In particular the everyone.... deny entry is likely to cause problems.
>>
>> I take a simple approach to security for CIFS, I grant everyone full
>> permissions on the main folder, and then do my fine tuning from within
>> Windows.
>>
>> To grant full permissions, run:
>> # /usr/bin/chmod everyone@:full_set:fd:allow /path
>>
>> I don't know how to propagate the changes down to sub-folders I'm
>> afraid, but that will at least set your permissions so that the root
>> folder can be managed from Windows, and from there it's easy to reset
>> permissions on child objects, and tighten up security to how you want
>> it.
>
> Those are pretty much vanilla ZFS ACLs. There are always deny entries
> created, even when an ACL hasn't been set. For example,
>
> webhost> ls -Vd .
> drwxrwxrwx 4 ian staff 12 Nov 27 10:32 .
>     owner@:--------------:-------:deny
>     owner@:rwxp---A-W-Co-:-------:allow
>     group@:--------------:-------:deny
>     group@:rwxp----------:-------:allow
>     everyone@:-------A-W-Co-:-------:deny
>     everyone@:rwxp--a-R-c--s:-------:allow
>
> Do you recommend changing all ZFS ACLs when using CIFS?
>
> --
> Ian.
>
>
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
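
Added example, not part of the original thread: a small Python evaluator for the compact ACEs shown in the 'ls -V' output above, to compare what the default /datapool/test ACL and the one-entry replacement ACL grant. It assumes ZFS's top-down evaluation, where the first matching entry decides each permission bit; the function names are hypothetical, inheritance flags are ignored, and user:<name> entries and privilege overrides are not modelled.

```python
# Added example: ordered evaluation of a ZFS ACL as printed by `ls -V`.
PERMS = "rwxpdDaARWcCos"  # the 14 compact permission letters, in column order

def parse_acl(text):
    """Parse 'who:perms:flags:type' lines into (who, perm_set, type) tuples."""
    aces = []
    for line in text.strip().splitlines():
        *who, perms, _flags, kind = line.strip().split(":")
        if perms == "full_set":      # chmod alias for every permission
            perms = PERMS
        aces.append((":".join(who), {p for p in perms if p != "-"}, kind))
    return aces

def effective(aces, is_owner=False, in_owning_group=False, groups=()):
    """Walk the ACEs top-down; the first matching entry decides each bit."""
    allowed, decided = set(), set()
    for who, perms, kind in aces:
        applies = (who == "everyone@"
                   or (who == "owner@" and is_owner)
                   or (who == "group@" and in_owning_group)
                   or (who.startswith("group:") and who[6:] in groups))
        if not applies:
            continue
        fresh = perms - decided      # bits no earlier entry has settled
        decided |= fresh
        if kind == "allow":
            allowed |= fresh
    return "".join(p if p in allowed else "-" for p in PERMS)

# ACL of /datapool/test, copied from the ls -V output quoted in the thread.
TEST_ACL = """
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
"""
# ACL left after `chmod A=everyone@:full_set:fd:allow /path`.
REPLACED_ACL = "everyone@:full_set:fd:allow"

if __name__ == "__main__":
    print("owner   ", effective(parse_acl(TEST_ACL), is_owner=True))
    print("other   ", effective(parse_acl(TEST_ACL)))
    print("replaced", effective(parse_acl(REPLACED_ACL)))
```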
