On 04/09/09 14:46, Michael Herf wrote:
> I hadn't realized that I *must* set an ACL on a folder
> if I want Windows to behave properly.
You may want to consider some of the following URLs:
http://www.opensolaris.org/os/project/cifs-server/
http://www.opensolaris.org/os/project/winchester/
http://www.opensolaris.org/os/community/zfs/
And the online documentation:
http://www.opensolaris.org/os/project/cifs-server/docs/
http://docs.sun.com/app/docs/doc/820-2429
http://opensolaris.org/os/community/zfs/docs/
> If I set permissions for a folder as "chmod 755" with no ACL,
> and add files via CIFS, then new files created from Windows
> come out as "000+" with an ACL giving the owner full control,
That's probably due to an identity mapping issue: See the
CIFS and Winchester (idmap) links and documents.
> and specifying a numbered group (2147483648) that doesn't
> seem to make sense to either Windows or UNIX. (The group
> behavior looks buggy to me - I'm using snv101b, in case
> there are any changes in later builds.)
That (2147483648) is an ephemeral ID, which will have been
allocated because you don't have an appropriate idmap rule to
relate a Windows group to a UNIX group. ID mapping is
described in the documentation.
> On the other hand, if I create an ACL for the folder before
> adding the file, then things work as I expect. I guess I
> simply expect a 755 folder to allow files I write there
> to be read by others, or I at least want a setting in CIFS
> to determine the default ACL. In this case, even if the group
> mapping is bad, I think "everyone" should have read access to
> this file. In effect, I expect a better mapping of UNIX
> permissions to Windows, and I think CIFS should work in a
> mixed environment. It seems like the "no ACL" mode (with a
> mixture of no-ACL and ACL permissions) is very hard to understand.
> Once all my directories have an ACL, some of my problems with
> read-only files seem to be less of an issue - the read-only
> bugs I'm seeing are with pure "no ACL" standard UNIX permissions,
> and how they're inherited. But I will again say that upgrading
> from an existing system (perhaps via tar) would appear to confuse
> a bunch of people.
> Is there a simple fix for this, like maybe enabling directory-level
> ACLs (or throwing a warning) when sharesmb is enabled?
Simple fix: read documentation.
Whenever you expect UNIX, NFS and SMB access to a ZFS file system:

- zfs create -o casesensitivity=mixed pool/fs
- Start with:
    chmod A=everyone@:full_set:fd:allow /pool/fs
- Set up idmap rules
- Use chmod with A=, A+ or A- to manage ACLs.
- Avoid chmod with traditional UNIX type permission
  masks (755 etc).

The syntax is described in the chmod man page.
Alan
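
Added example (not part of the original message, and not code from the OpenSolaris project): a shell check that scans `ls -ln` output for the two symptoms discussed in this thread, ephemeral user/group IDs and "000+" files. It assumes ephemeral IDs are those at or above 2147483648, the value quoted above; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ls -ln` output for ephemeral IDs and "000+" files.
# Assumption: ephemeral IDs are those >= 2147483648, the value seen in the thread.
EPHEMERAL_MIN=2147483648

# Reads `ls -ln` lines on stdin; prints "<name><TAB><findings>" per suspect entry.
audit_listing() {
    awk -v min="$EPHEMERAL_MIN" '
        NF < 9 { next }                       # skip the "total N" line and blanks
        {
            findings = ""
            # An ephemeral owner or group means no idmap rule matched the Windows SID.
            if ($3 + 0 >= min) findings = findings " ephemeral-uid=" $3
            if ($4 + 0 >= min) findings = findings " ephemeral-gid=" $4
            # Mode 000 with an ACL marker: the "000+" result described in the thread.
            if ($1 ~ /^.---------[+]$/) findings = findings " mode-000-with-acl"
            if (findings == "") next
            # Rebuild the file name so names containing spaces survive.
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i
            printf "%s\t%s\n", name, substr(findings, 2)
        }'
}

# Constructed sample listing (not taken from the original post).
sample_listing() {
    cat <<'EOF'
total 6
drwxr-xr-x   2 101      10             4 Apr  9 14:30 docs
----------+  1 101      2147483648  1024 Apr  9 14:31 from windows.txt
-rw-r--r--   1 101      10           512 Apr  9 14:29 from_unix.txt
-rwxr-x---+  1 2147483649 2147483648   77 Apr  9 14:32 report.doc
EOF
}

# On a live system the input would be: ls -ln /pool/fs | audit_listing
sample_listing | audit_listing
```

Entries flagged with an ephemeral ID point at a missing idmap rule for that Windows user or group; once the rule exists, newly created files should show the mapped UNIX ID instead.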