n...@leopard-4:/$ ./bigmirror/cifs-chkcfg.sh
n...@leopard-4:/$ ./bigmirror/cifs-gendiag.sh
Mon Mar 30 11:39:17 PDT 2009
...

Cifs-chkcfg.sh returned no errors. Cifs-gendiag.sh returned a lot of results. Should I post the entire output here or are you looking for something specific for the following data gathered?

# The following information is gathered by this script:
#
#   o OS and hardware
#   o /etc/nsswitch.conf
#   o /etc/resolv.conf
#   o /etc/krb5/krb5.conf
#   o network and routing information
#   o list of zpools
#   o list of zfs datasets
#   o properties for all zpools and datasets
#   o idmap properties, rules, cache
#   o list of shares
#   o ACL of CIFS shared directories
#   o CIFS server configuration and status
#   o pam_smb_passwd line in /etc/pam.conf (if exists)
#   o list of usernames in /var/smb/smbpasswd (if any)
#   o last 50 lines of /var/adm/messages
#   o last 50 lines of smb/server SMF log

Thanks.

-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, March 30, 2009 11:32 AM
To: John Keiffer
Cc: [email protected]
Subject: Re: [cifs-discuss] FW: multi-protocol (cifs/nfs) access to same files - help please

Seems like you're using Samba but just to make sure run the following two scripts on your system and post the output:

http://opensolaris.org/os/project/cifs-server/files/cifs-chkcfg
http://opensolaris.org/os/project/cifs-server/files/cifs-gendiag

Afshin

John Keiffer wrote:
> n...@leopard-4:/$ ls -Vd bigmirror/big/
> drwxr-xr-x+ 5 root root 12 Mar 27 17:40 bigmirror/big/
>     user:nfs:rwxp-D-ARW-Co-:-------:allow
>     user:smb:rwxp-D-ARW-Co-:-------:allow
>     owner@:--------------:-------:deny
>     owner@:rwxp---A-W-Co-:-------:allow
>     group@:-w-p----------:-------:deny
>     group@:r-x-----------:-------:allow
>     everyone@:-w-p---A-W-Co-:-------:deny
>     everyone@:r-x---a-R-c--s:-------:allow
>
> n...@leopard-4:/$ show folder bigmirror/big share cifs -v
> PROPERTY        VALUE
> folder          bigmirror/big
> protocol        cifs
> share_name      big
> nested          0
> comment         ""
> anonymous_rw    true
>
> I'm not exactly sure how to answer your second question, but I think it's the
> Solaris CIFS server through Nexenta?
>
> Thanks.
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> Sent: Monday, March 30, 2009 11:23 AM
> To: John Keiffer
> Cc: [email protected]
> Subject: Re: [cifs-discuss] FW: multi-protocol (cifs/nfs) access to same
> files - help please
>
>> *Nexenta configuration*
>> *=================*
>> No specific workgroup
>> No AD or LDAP configuration
>> Acls on folder bigmirror/big: local users smb and nfs, owner@ have full
>> access, everyone@ and group@ (root) are denied write access
>>
>> owner@ Allow:list_directory, read_data, add_file, write_data,
>> add_subdirectory, append_data, write_xattr, execute, write_attributes,
>> write_acl, write_owner
>> group@ Allow:list_directory, read_data, execute Deny:add_file,
>> write_data, add_subdirectory, append_data
>> everyone@ Allow:list_directory, read_data, read_xattr, execute,
>> read_attributes, read_acl, synchronize Deny:add_file, write_data,
>> add_subdirectory, append_data, write_xattr, write_attributes, write_acl,
>> write_owner
>> user:nfs Allow:list_directory, read_data, add_file, write_data,
>> add_subdirectory, append_data, read_xattr, write_xattr, execute,
>> delete_child, write_attributes, write_acl, write_owner
>> user:smb Allow:list_directory, read_data, add_file, write_data,
>> add_subdirectory, append_data, read_xattr, write_xattr, execute,
>> delete_child, write_attributes, write_acl, write_owner
>>
>
> Can you provide the output of "ls -Vd", this is hard to read.
>
>> CIFS share (named big) has anonymous access enabled
>
> What do you mean by this? Are you using Solaris CIFS server or Samba?
>
> Afshin
>
>> NFS share has anonymous access enabled, and root field is set to
>> <ip>:<ip> which are the 2 interfaces on a unix client, so that root
>> shows up as "root" and not "4294967294" (nfs nobody)
>> No identity mapping yet
>>
>> *Tests*
>> *=====*
>> *Test1: mount the nfs share from unix client 10.2.15.33 as root and
>> create a directory*
>> [r...@c33r15-rhel4 leo4]# mkdir testdir2
>> [r...@c33r15-rhel4 leo4]# ls -l
>> total 1
>> drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
>>
>> *Test2: connect to the cifs share from a windows client using user smb,
>> **default **password, and write a directory*
>> the share shows up under default workgroup "Workgroup" when browsing
>> \\<ip>\big
>>
>> new directory "cifsdircreatedbysmb" created
>> when viewing Security tab, ACEs are smb (LEOPARD-4\smb) and SYSTEM, none
>> of the permissions are checked.
>> when going to Advanced, it shows that smb and SYSTEM (whatever this is)
>> have full control, and owner is smb
>>
>> smb can write the file "cifsfilecreatedbysmb" under the folder
>> "cifsdircreatedbysmb"
>>
>> Here's how the permissions show from the unix client:
>> [r...@c33r15-rhel4 leo4]# ls -l
>> total 5
>> d--------- 2 61001 bin 3 Mar 20 16:26 cifsdircreatedbysmb
>> [r...@c33r15-rhel4 leo4]# ls -l cifsdircreatedbysmb
>> total 1
>> ---------- 1 61001 bin 0 Mar 20 16:25 cifsfilecreatedby smb.txt
>> [r...@c33r15-rhel4 leo4]#
>>
>> *Test3: create directory from unix client as root and access from windows*
>> new directory "nfsdircreatebyroot"
>> [r...@c33r15-rhel4 leo4]# ls -l
>> total 5
>> d--------- 2 61001 bin 3 Mar 20 16:26 cifsdircreatedbysmb
>> drwxrwxrwx 2 root root 3 Mar 20 16:14 nfsdircreatebyroot
>> drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
>>
>> From windows client, when viewing Security tab, ACEs are Everyone, root
>> (LEOPARD-4\root), S-1-5-21-10.... (some SID, maybe maps to smb user?),
>> none of the permissions are checked.
>> when going to Advanced, it shows that those 3 users are denied and
>> allowed some permissions, need to click on Edit to find out which ones.
>> Only shows that Everyone is denied "Write attributes, Write Extended
>> attributes, Change permissions and Change ownership". Root is allowed
>> "Traverse, List folder, Create files, Create folders, Write attributes,
>> Write extended attributes, Change permissions, Take ownership". The SID
>> is allowed "Traverse, List folder, Create files, Create folders".
>> Everyone is allowed "Traverse, List folder, Read attributes, Read
>> extended attributes, Create files, Create folders, Read permissions"
>>
>> *Test4: create file from windows and write to it from unix*
>> From unix, give world access to "nfsdircreatebyroot"
>> [r...@c33r15-rhel4 leo4]# chmod 777 nfsdircreatebyroot
>> From windows, create file "cifsfilecreatedbysmb" under
>> "nfsdircreatebyroot".
>> From unix, vi the file and write to it
>> [r...@c33r15-rhel4 leo4]# cd nfsdircreatebyroot/
>> [r...@c33r15-rhel4 nfsdircreatebyroot]# vi cifsfilecreatedbysmb.txt
>> [r...@c33r15-rhel4 nfsdircreatebyroot]# cat cifsfilecreatedbysmb.txt
>> writing from nfs by root
>> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
>> total 1
>> ---------- 1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
>>
>> Once this is done, the file can no longer be viewed from Windows, gets
>> access denied. After being accessed from nfs, I assume the security blob
>> is now nfs. (I don't know what security style Nexenta has on file
>> systems, I would assume it's mixed by default?)
>> Properties show that Everyone is denied write access, and owner smb has
>> only special permissions. Among those, he can change permissions, so he
>> can allow full control to himself. But even after this change, smb still
>> cannot read the file from Windows.
>>
>> From unix I can change ownership and permissions on the file
>> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
>> total 1
>> ---------- 1 61001 bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
>> [r...@c33r15-rhel4 nfsdircreatebyroot]#
>> [r...@c33r15-rhel4 nfsdircreatebyroot]# chown root cifsfilecreatedbysmb.txt
>> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
>> total 1
>> ---------- 1 root bin 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
>> [r...@c33r15-rhel4 nfsdircreatebyroot]# chgrp root cifsfilecreatedbysmb.txt
>> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
>> total 1
>> ---------- 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
>> [r...@c33r15-rhel4 nfsdircreatebyroot]# chmod 755 cifsfilecreatedbysmb.txt
>> [r...@c33r15-rhel4 nfsdircreatebyroot]# ls -l
>> total 1
>> -rwxr-xr-x 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
>> [r...@c33r15-rhel4 nfsdircreatebyroot]#
>>
>> Still cannot view it from windows.
>>
>> Add an id mapping rule between winuser:[email protected] (matrix.lab is
>> still the default domain name for the appliance, even though we're not
>> joined to it) and unixuser:root
>>
>> No changes, still cannot view the file from windows
>>
>> => if a file is written by cifs, then modified from nfs, I don't know
>> what to do to make it accessible by cifs again
>>
>>
>> *Test5: create file from unix and access it from windows*
>> [r...@c33r15-rhel4 leo4]# cd cifsdircreatedbysmb
>> [r...@c33r15-rhel4 cifsdircreatedbysmb]# vi nfsfilecreatedbyroot.txt
>> [r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
>> [r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
>> total 1
>> -rw-r--r-- 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
>> [r...@c33r15-rhel4 cifsdircreatedbysmb]#
>>
>> I was able to view it from windows but could not save it after writing
>> to it, had to save to a new file. When looking at Security tab, it says:
>> Unable to display information.
>>
>> From unix:
>> [r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
>> total 2
>> -rw-r--r-- 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
>> ---------- 1 61001 bin 28 Mar 20 17:09
>> nfsfilecreatedbyroot_wriitenbysmb.txt
>> [r...@c33r15-rhel4 cifsdircreatedbysmb]# cat nfsfilecreatedbyroot.txt
>> [r...@c33r15-rhel4 cifsdircreatedbysmb]# cat
>> nfsfilecreatedbyroot_wriitenbysmb.txt
>> writing from windows by smb
>> [r...@c33r15-rhel4 cifsdircreatedbysmb]#
>>
>> Changing permissions so that Everyone can write to the file now:
>> [r...@c33r15-rhel4 cifsdircreatedbysmb]# chmod 777 nfsfilecreatedbyroot.txt
>> [r...@c33r15-rhel4 cifsdircreatedbysmb]# ls -l
>> total 2
>> -rwxrwxrwx 1 root root 0 Mar 20 17:07 nfsfilecreatedbyroot.txt
>> ---------- 1 61001 bin 28 Mar 20 17:09
>> nfsfilecreatedbyroot_wriitenbysmb.txt
>>
>> No changes from windows side.
>>
>> => if a file is created by nfs, it can be read but cannot be written to
>> from windows, even when posix permissions are set to 777.
>>
>> *Test6: create a file from unix client as a local nis user (qacifs7077,
>> don't get fooled by the name)*
>> [r...@c33r15-rhel4 cifsdircreatedbysmb]# su qacifs7077
>> bash-3.00$ pwd
>> /mnt/leo4/cifsdircreatedbysmb
>> bash-3.00$ cd ..
>> bash-3.00$ ls -l
>> total 5
>> d--------- 2 61001 bin 4 Mar 20 17:09 cifsdircreatedbysmb
>> drwxrwxrwx 2 root root 3 Mar 20 16:14 nfsdircreatebyroot
>> drwxr-xr-x 2 root root 2 Mar 20 16:04 testdir2
>> bash-3.00$ cd nfsdircreatebyroot/
>> bash-3.00$ touch nfsfilecreatedbynisuser
>> bash-3.00$ ls -l
>> total 2
>> -rwxr-xr-x 1 root root 26 Mar 20 16:14 cifsfilecreatedbysmb.txt
>> -rw-r--r-- 1 qacifs7077 group1 0 Mar 20 17:25 nfsfilecreatedbynisuser
>> bash-3.00$
>>
>> From windows, when looking at Security tab, it says: Unable to display
>> information.
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> cifs-discuss mailing list
>> [email protected]
>> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
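
Added example, not part of the thread or of the CIFS project's code: it evaluates the `ls -Vd bigmirror/big/` ACL quoted above in order, with the first matching ACE that names a permission bit deciding that bit. The subject names and owner/group flags passed to `allowed()` are hypothetical, and privilege overrides and inheritance flags are ignored.

```python
# ACE lines copied from the "ls -Vd bigmirror/big/" output quoted in the thread.
ACL_TEXT = """\
user:nfs:rwxp-D-ARW-Co-:-------:allow
user:smb:rwxp-D-ARW-Co-:-------:allow
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:-w-p----------:-------:deny
group@:r-x-----------:-------:allow
everyone@:-w-p---A-W-Co-:-------:deny
everyone@:r-x---a-R-c--s:-------:allow
"""

def parse_acl(text):
    """Return [(who, perms, kind)] from Solaris compact-format ACE lines."""
    aces = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue
        kind, perms = fields[-1], fields[-3]      # fields[-2] = inheritance flags
        who = ":".join(fields[:-3])               # "user:smb" or "owner@"
        aces.append((who, set(perms) - {"-"}, kind))
    return aces

def matches(who, user, is_owner, in_group):
    if who == "owner@":
        return is_owner
    if who == "group@":
        return in_group
    if who == "everyone@":
        return True
    return who == "user:" + user

def allowed(aces, wanted, user, is_owner=False, in_group=False):
    """wanted: permission letters (r w x p d D a A R W c C o s), all required."""
    pending = set(wanted)
    for who, perms, kind in aces:
        if not matches(who, user, is_owner, in_group):
            continue
        hit = pending & perms
        if hit and kind == "deny":
            return False                          # an earlier deny wins for that bit
        pending -= hit
        if not pending:
            return True
    return False                                  # bits never granted are denied

ACES = parse_acl(ACL_TEXT)
```

Here `allowed(ACES, "w", "smb")` is true because the explicit `user:smb` entry precedes the `everyone@` deny, while any other non-owner asking for `w` is refused by that deny.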
