Ok, as a long term windows admin, I'm going to chip in with a couple of comments here.
Firstly, I should make clear that I think the CIFS team have done a cracking job with this. An OpenSolaris file server works pretty much exactly like a windows fileserver, which is a huge improvement over Samba. We looked at Samba and found that it was completely unworkable in a windows environment. OpenSolaris on the other hand allows us to keep our existing windows permissions and migrate them directly over.

However, having said that, I suspect that you will be able to run things how you like as well. I have a feeling you're jumping in at the deep end here, and have just been caught out by the fact that the CIFS server and ZFS permissions model is very different to the way Samba works.

I'm going to add a few comments to your message below, to see if I can help at all:

On Thu, Apr 9, 2009 at 12:44 PM, Michael Herf <[email protected]> wrote:
> I am continuing to have loads of trouble with this system.
>
> Some examples:
>
> 1. If you do a backup of a PC using xcopy, you'll find that Microsoft's
> system files are typically marked with multiple ACLs..."Administrator=>full
> control" and "user=>no rights". Under windows, a user who's an admin can read
> the entire thing. But after a copy to Solaris, the containing folder is
> copied solely as "user=>no rights" (with no administrator entry)...the folder
> becomes basically unwritable and the copy fails. You can't delete the
> resulting unwritable folder easily, either.

This might be happening because you have deny entries on the folder. Windows and Unix treat deny entries very differently. Personally, every time I set up a CIFS share, I grant rights to everybody and from that point on do all my permission setting from windows. From the top of my head, the syntax is something like:

    # chmod A=everyone@:full_set:fd:allow /path

>
> 2. If you restore a backup from an existing samba system, Windows users will
> have quite a bit of difficulty resetting permissions on read-only files. I
> was only able to fix this reliably by using Nautilus (!) for each user, where
> the UI is actually quite a bit better, and doesn't randomly fail fixing up
> read-only bits on large folder structures.

As a windows admin, this is just weird. Why do Windows users want to be changing permissions, and are you talking about the read-only flag, or read only permissions here? I suspect this may be linked to the deny permissions issue I mentioned above.

> Aside from my assertion that nobody on Windows understands ACLs, here's
> another example of a failure. If a folder in Windows contains files owned by
> various groups (but by the same user), Windows will refuse to display the ACL
> UI entirely, making the only solution a fix on the UNIX side.

Files can only have a single owner in windows, so I'm not sure what you're asking here. If windows won't display the permissions UI, it sounds like you have no permissions on the file, and we're again talking about the same problem.

> Also, the command-line chmod syntax is extremely verbose and confusing. Any
> hope of an easy tool? The only thing that saved me here was the Nautilus ACL
> UI.

I agree, I just use the Windows GUI :)

> 3. Have you looked at Windows APIs for security descriptors? It is no wonder
> basically no apps except Windows explorer support them. Every app I know
> about uses SetFileAttributes.

Really not sure what you're complaining about here. Windows permissions work just fine, and yes, Explorer is probably the main tool for managing them. File permissions are absolutely central to windows, I have no idea why you're wanting Sun to cripple the CIFS service by using file attributes instead. Right now the CIFS service when set up correctly works just like windows, and I really can't see them changing that.

> Windows gets away with having a complex ACL system that nobody understands by
> setting very permissive defaults. In effect, users never worry about it,
> because they can write where they want to. I'm finding many cases where this
> is not the case on Solaris. It is very easy to set a whole folder as
> unwritable, and very hard to fix it.

It's not that complex, honest.

> I had some hope after using the quite nice Nautilus GUI tools to reset all
> the Solaris ACLs, but the persistent accidents that occur "you can't write
> here and it's a big pain to fix it" problems are convincing me mostly to go
> back to Samba, where I have fewer features, but things basically keep working.
>
> Additionally, mapping basic things like "read-only" to "user writable" makes
> my filesystem moveable to another system via "tar", which is a really nice
> thing to have.

It's movable via tar with the full ZFS windows compatible permissions too.

> Finally I believe that mapping unix permissions (in particular read-only
> bits) out to CIFS, but giving users only "set an ACL" as a fix is not
> symmetric and is confusing.

Looks like the best system to me. I can't think of any other way you can give us windows users the full power of windows permissions. Yes, it gets complex if you're working with files both in Windows and Unix, but that's what the user mapping functionality is for.

> I really think you should consider an alternate, simpler scheme that avoids
> some of these pitfalls. I know there's a huge investment in getting NFSv4 to
> work (seriously, it is technically impressive), but the integration with
> Windows is tough and this one has quite a few sharp edges for a typical
> multi-platform user. This is really not what Windows users expect.

On the contrary, standard permissions working just like a windows server, and manageable with the windows tools is *exactly* what I expected. Yes, there's a bit of a learning curve to get OpenSolaris working, but I've been a windows admin for many years now, and I'm very, very impressed with this.

Ross
