Hi.

I set up CIFS on Solaris Nevada b116 and I've got a doubt about what I can 
achieve setting up user maps. I've CIFS-shared some ZFS file systems and I'm 
observing a strange behavior that I cannot validate by reading the 
documentation. I've got a ZFS filesystem, rpool/testcifs, whose mountpoint is 
owned by the user enrico:

$ ls -ald testcifs
drwxr-xr-x   4 enrico   staff          4 Aug 16 15:39 testcifs

The first oddity I observe, when writing from a Windows Vista client (workgroup 
mode), is that the permissions of new files are as follows:

enr...@solaris:/rpool/testcifs$ ls -dV testwrite/
d---------+  2 enrico   staff          3 Aug 16 12:45 testwrite/
            user:enrico:rwxpdDaARWcCos:-------:allow
       group:2147483648:rwxpdDaARWcCos:-------:allow

Obviously, since I'm logging in with the enrico user, I'd just like to see a 
standard permission set without an ACL, although I understand, from the idmap 
output, that the group 2147483648 is a Local SID, hence that permission. The 
question is whether I can map it to a Unix group, given the fact that idmap add 
doesn't accept local SIDs as a parameter:

enr...@solaris:/rpool/testcifs$ pfexec idmap dump -nv
usid:S-1-5-21-4017759586-3356279743-3080844310-66535    ==      unixuser:enrico
Method: Local SID
gsid:S-1-5-21-4017759586-3356279743-3080844310-2147483658       ==      unixgroup:staff
Method: Local SID
wingroup:Authenticated Users    ==      gid:2147483650
Method: Ephemeral
wingroup:Network        ==      gid:2147483651
Method: Ephemeral

I tried to map the unixgroup:staff into the wingroup:Administrators and it had 
no effect.

When it comes to the security permission I see on the Windows side, I observe 
the same oddity. I see three users (Everyone, 
S-1-5-21-4017759586-3356279743-3080844310-2147483658, SOLARIS\enrico) with 
special permission. The relevant ones seem to be the permissions associated 
with the user SOLARIS\enrico. The question is, then: why does Windows see a 
SOLARIS\enrico user, corresponding to my Solaris enrico user, while it's 
necessary to generate a SID for the Unix staff group? Can I avoid it or map it 
somehow?

Thanks for your help,
Enrico
-- 
This message posted from opensolaris.org
_______________________________________________
cifs-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
