n...@leopard-4:/$ ls -Vd bigmirror/big/
drwxr-xr-x+ 5 root root 12 Mar 27 17:40 bigmirror/big/
user:nfs:rwxp-D-ARW-Co-:-------:allow
user:smb:rwxp-D-ARW-Co-:-------:allow
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
n...@leopard-4:/$ show folder bigmirror/big share cifs -v
PROPERTY VALUE
folder bigmirror/big
protocol cifs
share_name big
nested 0
comment ""
anonymous_rw true
I'm not exactly sure how to answer your second question, but I think it's the
Solaris CIFS server through Nexenta?
Thanks.
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, March 30, 2009 11:23 AM
To: John Keiffer
Cc: [email protected]
Subject: Re: [cifs-discuss] FW: multi-protocol (cifs/nfs) access to same files
- help please
> *Nexenta configuration*
> *=================*
> No specific workgroup
> No AD or LDAP configuration
> Acls on folder bigmirror/big: local users smb and nfs, owner@ have full
> access, everyone@ and group@ (root) are denied write access
>
> owner@ Allow:list_directory, read_data, add_file, write_data,
> add_subdirectory, append_data, write_xattr, execute, write_attributes,
> write_acl, write_owner
> group@ Allow:list_directory, read_data, execute Deny:add_file,
> write_data, add_subdirectory, append_data
> everyone@ Allow:list_directory, read_data, read_xattr, execute,
> read_attributes, read_acl, synchronize Deny:add_file, write_data,
> add_subdirectory, append_data, write_xattr, write_attributes, write_acl,
> write_owner
> user:nfs Allow:list_directory, read_data, add_file, write_data,
> add_subdirectory, append_data, read_xattr, write_xattr, execute,
> delete_child, write_attributes, write_acl, write_owner
> user:smb Allow:list_directory, read_data, add_file, write_data,
> add_subdirectory, append_data, read_xattr, write_xattr, execute,
> delete_child, write_attributes, write_acl, write_owner
>
Can you provide the output of "ls -Vd", this is hard to read.
> CIFS share (named big) has anonymous access enabled
What do you mean by this? Are you using Solaris CIFS server or Samba?
Afshin
> NFS share has anonymous access enabled, and root field is set to
> <ip>:<ip> which are the 2 interfaces on a unix client, so that root
> shows up as "root" and not "4294967294" (nfs nobody)
> No identity mapping yet
>
> *Tests*
> *=====*
> *Test1: mount the nfs share from unix client 10.2.15.33 as root and
> create a directory*
> [r...@c33r15-rhel4 leo4]# mkdir testdir2
> [r...@c33r15-rhel4 leo4]# ls -l
> total 1
> drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
>
> *Test2: connect to the cifs share from a windows client using user smb,
> default password, and write a directory*
> the share shows up under default workgroup "Workgroup" when browsing
> \\<ip>\big
>
> new directory "cifsdircreatedbysmb" created
> when viewing Security tab, ACEs are smb (LEOPARD-4\smb) and SYSTEM, none
> of the permissions are checked.
> when going to Advanced, it shows that smb and SYSTEM (whatever this is)
> have full control, and owner is smb
>
> smb can write the file "cifsfilecreatedbysmb" under the folder
> "cifsdircreatedbysmb"
>
> Here's how the permissions show from the unix client:
> [r...@c33r15-rhel4 leo4]# ls -l
> total 5
> d--------- 2 61001 bin 3 Mar 20 16:26 cifsdircreatedbysmb
> [r...@c33r15-rhel4 leo4]# ls -l cifsdircreatedbysmb
> total 1
> ---------- 1 61001 bin 0 Mar 20 16:25 cifsfilecreatedby smb.txt
> [r...@c33r15-rhel4 leo4]#
>
> *Test3: create directory from unix client as root and access from windows*
> new directory "nfsdircreatebyroot"
> [r...@c33r15-rhel4 leo4]# ls -l
> total 5
> d--------- 2 61001 bin 3 Mar 20 16:26 cifsdircreatedbysmb
> drwxrwxrwx 2 root root 3 Mar 20 16:14 nfsdircreatebyroot
> drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
>
> From windows client, when viewing Security tab, ACEs are Everyone, root
> (LEOPARD-4\root), S-1-5-21-10.... (some SID, maybe maps to smb user?),
> none of the permissions are checked.
> when going to Advanced, it shows that those 3 users are denied and
> allowed some permissions, need to click on Edit to find out which ones.
> Only shows that Everyone is denied "Write attributes, Write Extended
> attributes, Change permissions and Change ownership". Root is allowed
> "Traverse, List folder, Create files, Create folders, Write attributes,
> Write extended attributes, Change permissions, Take ownership". The SID
> is allowed "Traverse, List folder, Create files, Create folders".
> Everyone is allowed "Traverse, List folder, Read attributes, Read
> extended attributes, Create files, Create folders, Read permissions"
>
> *Test4: create file from windows and write to it from unix*
> From unix, give world access to "nfsdircreatebyroot"
> [r...@c33r15-rhel4 leo4]# chmod 777 nfsdircreatebyroot
> From windows, create file "cifsfilecreatedbysmb" under
> "nfsdircreatebyroot".
> From unix, vi the file and write to it
> [r...@c33r15-rhel4 leo4]# cd nfsdircreatebyroot/
> [r...@c33r15-rhel4 nfsdircreatebyroot]# vi cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# cat cifsfilecreatedbysmb.txt
> writing from nfs by root
> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
> total 1
> ---------- 1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
>
> Once this is done, the file can no longer be viewed from Windows, gets
> access denied. After being accessed from nfs, I assume the security blob
> is now nfs. (I don't know what security style Nexenta has on file
> systems, I would assume it's mixed by default?)
> Properties show that Everyone is denied write access, and owner smb has
> only special permissions. Among those, he can change permissions, so he
> can allow full control to himself. But even after this change, smb still
> cannot read the file from Windows.
>
> From unix I can change ownership and permissions on the file
> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
> total 1
> ---------- 1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]#
> [r...@c33r15-rhel4 nfsdircreatebyroot]# chown root cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
> total 1
> ---------- 1 root bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# chgrp root cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
> total 1
> ---------- 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# chmod 755 cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
> total 1
> -rwxr-xr-x 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
> [r...@c33r15-rhel4 nfsdircreatebyroot]#
>
> Still cannot view it from windows.
>
> Add an id mapping rule between winuser:[email protected] (matrix.lab is
> still the default domain name for the appliance, even though we're not
> joined to it) and unixuser:root
>
> No changes, still cannot view the file from windows
>
> => if a file is written by cifs, then modified from nfs, I don't know
> what to do to make it accessible by cifs again
>
>
> *Test5: create file from unix and access it from windows*
> [r...@c33r15-rhel4 leo4]# cd cifsdircreatedbysmb
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# vi nfsfilecreatedbyroot.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
> total 1
> -rw-r--r-- 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]#
>
> I was able to view it from windows but could not save it after writing
> to it, had to save to a new file. When looking at Security tab, it says:
> Unable to display information.
>
> From unix:
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
> total 2
> -rw-r--r-- 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
> ---------- 1 61001 bin 28 Mar 20 17:09
> nfsfilecreatedbyroot_wriitenbysmb.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# cat
> nfsfilecreatedbyroot_wriitenbysmb.txt
> writing from windows by smb
> [r...@c33r15-rhel4 cifsdircreatedbysmb]#
>
> Changing permissions so that Everyone can write to the file now:
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# chmod 777 nfsfilecreatedbyroot.txt
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
> total 2
> -rwxrwxrwx 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
> ---------- 1 61001 bin 28 Mar 20 17:09
> nfsfilecreatedbyroot_wriitenbysmb.txt
>
> No changes from windows side.
>
> => if a file is created by nfs, it can be read but cannot be written to
> from windows, even when posix permissions are set to 777.
>
> *Test6: create a file from unix client as a local nis user (qacifs7077,
> don't get fooled by the name)*
> [r...@c33r15-rhel4 cifsdircreatedbysmb]# su qacifs7077
> bash-3.00$ pwd
> /mnt/leo4/cifsdircreatedbysmb
> bash-3.00$ cd ..
> bash-3.00$ ls -l
> total 5
> d--------- 2 61001 bin 4 Mar 20 17:09 cifsdircreatedbysmb
> drwxrwxrwx 2 root root 3 Mar 20 16:14 nfsdircreatebyroot
> drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
> bash-3.00$ cd nfsdircreatebyroot/
> bash-3.00$ touch nfsfilecreatedbynisuser
> bash-3.00$ ls -l
> total 2
> -rwxr-xr-x 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
> -rw-r--r-- 1 qacifs7077 group1 0 Mar 20 17:25 nfsfilecreatedbynisuser
> bash-3.00$
>
> From windows, when looking at Security tab, it says: Unable to display
> information.
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> cifs-discuss mailing list
> [email protected]
> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
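Added example (not part of the original thread, and not Nexenta or Solaris code): a small evaluator for the compact `ls -Vd bigmirror/big/` ACL shown at the top of this message, walking the entries in order so that the first matching ACE naming a permission bit decides it. The function names are hypothetical, and the model covers only the ordered ACE walk on this one directory; it ignores privileges (such as root overrides) and identity mapping.

```python
PERM_LETTERS = "rwxpdDaARWcCos"          # column order of the compact ls -V form
FILE_OWNER, FILE_GROUP = "root", "root"  # from the ls -Vd line for bigmirror/big

# ACL entries copied from the ls -Vd output in this message.
ACL_TEXT = """\
user:nfs:rwxp-D-ARW-Co-:-------:allow
user:smb:rwxp-D-ARW-Co-:-------:allow
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
"""

def parse_acl(text):
    """Return [(who, permission_letters, 'allow' | 'deny'), ...] in ACL order."""
    entries = []
    for line in text.split():
        fields = line.split(":")
        perms, _flags, ace_type = fields[-3:]
        who = ":".join(fields[:-3])      # "user:smb", "owner@", ...
        ok = len(perms) == len(PERM_LETTERS) and all(
            c in ("-", PERM_LETTERS[i]) for i, c in enumerate(perms))
        if not ok or ace_type not in ("allow", "deny"):
            raise ValueError("unrecognised ACE: " + line)
        entries.append((who, set(perms) - {"-"}, ace_type))
    return entries

def applies(who, user, groups):
    """Does this ACE's 'who' field match the requesting user?"""
    if who == "everyone@":
        return True
    if who == "owner@":
        return user == FILE_OWNER
    if who == "group@":
        return FILE_GROUP in groups
    kind, name = who.split(":", 1)
    return name == user if kind == "user" else name in groups

def denied_bits(entries, user, groups, wanted):
    """Walk the ACEs in order; the first matching ACE that names a bit decides it.
    Returns the requested bits that were denied or never granted."""
    undecided, denied = set(wanted), set()
    for who, perms, ace_type in entries:
        if applies(who, user, groups):
            hit = undecided & perms
            if ace_type == "deny":
                denied |= hit
            undecided -= hit
    return denied | undecided
```

With the entries in the order shown, `denied_bits(parse_acl(ACL_TEXT), "smb", set(), "w")` is empty because the `user:smb` allow entry comes before the `everyone@` deny; moving the `everyone@` entries to the front makes the same request fail.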