*Nexenta configuration*
*=================*
No specific workgroup
No AD or LDAP configuration
ACLs on folder bigmirror/big: local users smb and nfs, owner@ have full
access, everyone@ and group@ (root) are denied write access
owner@ Allow:list_directory, read_data, add_file, write_data,
add_subdirectory, append_data, write_xattr, execute, write_attributes,
write_acl, write_owner
group@ Allow:list_directory, read_data, execute Deny:add_file,
write_data, add_subdirectory, append_data
everyone@ Allow:list_directory, read_data, read_xattr, execute,
read_attributes, read_acl, synchronize Deny:add_file, write_data,
add_subdirectory, append_data, write_xattr, write_attributes, write_acl,
write_owner
user:nfs Allow:list_directory, read_data, add_file, write_data,
add_subdirectory, append_data, read_xattr, write_xattr, execute,
delete_child, write_attributes, write_acl, write_owner
user:smb Allow:list_directory, read_data, add_file, write_data,
add_subdirectory, append_data, read_xattr, write_xattr, execute,
delete_child, write_attributes, write_acl, write_owner
Can you provide the output of "ls -Vd", this is hard to read.
CIFS share (named big) has anonymous access enabled
What do you mean by this? Are you using Solaris CIFS server or Samba?
Afshin
NFS share has anonymous access enabled, and root field is set to
<ip>:<ip> which are the 2 interfaces on a unix client, so that root
shows up as "root" and not "4294967294" (nfs nobody)
No identity mapping yet
*Tests*
*=====*
*Test1: mount the nfs share from unix client 10.2.15.33 as root and
create a directory*
[r...@c33r15-rhel4 leo4]# mkdir testdir2
[r...@c33r15-rhel4 leo4]# ls -l
total 1
drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
*Test2: connect to the cifs share from a windows client using user smb,
default password, and write a directory*
the share shows up under default workgroup "Workgroup" when browsing
\\<ip>\big
new directory "cifsdircreatedbysmb" created
when viewing Security tab, ACEs are smb (LEOPARD-4\smb) and SYSTEM, none
of the permissions are checked.
when going to Advanced, it shows that smb and SYSTEM (whatever this is)
have full control, and owner is smb
smb can write the file "cifsfilecreatedbysmb" under the folder
"cifsdircreatedbysmb"
Here's how the permissions show from the unix client:
[r...@c33r15-rhel4 leo4]# ls -l
total 5
d--------- 2 61001 bin 3 Mar 20 16:26 cifsdircreatedbysmb
[r...@c33r15-rhel4 leo4]# ls -l cifsdircreatedbysmb
total 1
---------- 1 61001 bin 0 Mar 20 16:25 cifsfilecreatedby smb.txt
[r...@c33r15-rhel4 leo4]#
*Test3: create directory from unix client as root and access from windows*
new directory "nfsdircreatebyroot"
[r...@c33r15-rhel4 leo4]# ls -l
total 5
d--------- 2 61001 bin 3 Mar 20 16:26 cifsdircreatedbysmb
drwxrwxrwx 2 root root 3 Mar 20 16:14 nfsdircreatebyroot
drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
From windows client, when viewing Security tab, ACEs are Everyone, root
(LEOPARD-4\root), S-1-5-21-10.... (some SID, maybe maps to smb user?),
none of the permissions are checked.
when going to Advanced, it shows that those 3 users are denied and
allowed some permissions, need to click on Edit to find out which ones.
Only shows that Everyone is denied "Write attributes, Write Extended
attributes, Change permissions and Change ownership". Root is allowed
"Traverse, List folder, Create files, Create folders, Write attributes,
Write extended attributes, Change permissions, Take ownership". The SID
is allowed "Traverse, List folder, Create files, Create folders".
Everyone is allowed "Traverse, List folder, Read attributes, Read
extended attributes, Create files, Create folders, Read permissions"
*Test4: create file from windows and write to it from unix*
From unix, give world access to "nfsdircreatebyroot"
[r...@c33r15-rhel4 leo4]# chmod 777 nfsdircreatebyroot
From windows, create file "cifsfilecreatedbysmb" under
"nfsdircreatebyroot".
From unix, vi the file and write to it
[r...@c33r15-rhel4 leo4]# cd nfsdircreatebyroot/
[r...@c33r15-rhel4 nfsdircreatebyroot]# vi cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# cat cifsfilecreatedbysmb.txt
writing from nfs by root
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
---------- 1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
Once this is done, the file can no longer be viewed from Windows, gets
access denied. After being accessed from nfs, I assume the security blob
is now nfs. (I don't know what security style Nexenta has on file
systems, I would assume it's mixed by default?)
Properties show that Everyone is denied write access, and owner smb has
only special permissions. Among those, he can change permissions, so he
can allow full control to himself. But even after this change, smb still
cannot read the file from Windows.
From unix I can change ownership and permissions on the file
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
---------- 1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]#
[r...@c33r15-rhel4 nfsdircreatebyroot]# chown root cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
---------- 1 root bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# chgrp root cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
---------- 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# chmod 755 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
total 1
-rwxr-xr-x 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
[r...@c33r15-rhel4 nfsdircreatebyroot]#
Still cannot view it from windows.
Add an id mapping rule between winuser:[email protected] (matrix.lab is
still the default domain name for the appliance, even though we're not
joined to it) and unixuser:root
No changes, still cannot view the file from windows
=> if a file is written by cifs, then modified from nfs, I don't know
what to do to make it accessible by cifs again
*Test5: create file from unix and access it from windows*
[r...@c33r15-rhel4 leo4]# cd cifsdircreatedbysmb
[r...@c33r15-rhel4 cifsdircreatedbysmb]# vi nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 1
-rw-r--r-- 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]#
I was able to view it from windows but could not save it after writing
to it, had to save to a new file. When looking at Security tab, it says:
Unable to display information.
From unix:
[r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 2
-rw-r--r-- 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
---------- 1 61001 bin 28 Mar 20 17:09 nfsfilecreatedbyroot_wriitenbysmb.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot_wriitenbysmb.txt
writing from windows by smb
[r...@c33r15-rhel4 cifsdircreatedbysmb]#
Changing permissions so that Everyone can write to the file now:
[r...@c33r15-rhel4 cifsdircreatedbysmb]# chmod 777 nfsfilecreatedbyroot.txt
[r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
total 2
-rwxrwxrwx 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
---------- 1 61001 bin 28 Mar 20 17:09 nfsfilecreatedbyroot_wriitenbysmb.txt
No changes from windows side.
=> if a file is created by nfs, it can be read but cannot be written to
from windows, even when posix permissions are set to 777.
*Test6: create a file from unix client as a local nis user (qacifs7077,
don't get fooled by the name)*
[r...@c33r15-rhel4 cifsdircreatedbysmb]# su qacifs7077
bash-3.00$ pwd
/mnt/leo4/cifsdircreatedbysmb
bash-3.00$ cd ..
bash-3.00$ ls -l
total 5
d--------- 2 61001 bin 4 Mar 20 17:09 cifsdircreatedbysmb
drwxrwxrwx 2 root root 3 Mar 20 16:14 nfsdircreatebyroot
drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
bash-3.00$ cd nfsdircreatebyroot/
bash-3.00$ touch nfsfilecreatedbynisuser
bash-3.00$ ls -l
total 2
-rwxr-xr-x 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
-rw-r--r-- 1 qacifs7077 group1 0 Mar 20 17:25 nfsfilecreatedbynisuser
bash-3.00$
From windows, when looking at Security tab, it says: Unable to display
information.
------------------------------------------------------------------------
_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss