Alan Wright wrote:
> Chris Gerhard wrote:
>> How can I map what appears to be the default "SYSTEM" group on
>> Windows XP to a group on Solaris? I always end up with an ephemeral
>> group for that.
>>
>> I've mapped my user "cjg" <-> "cg13442" and put it in the default
>> group smbstaff which I have also mapped. However every object I create
>> on XP on the CIFS server ends up with an additional ACL for an
>> ephemeral group which when viewed on XP is the "SYSTEM" group:
>
> SYSTEM is probably being inherited from the parent ACL.

Is that the ACL on the parent directory? If so, it is not, as there is not one. The other thing that suggests to me that this is not the case is that a Windows 2003 system does not add the ACL:

v-ss7410b-gmp03# ls -ld .
drwxr-xr-x   3 cg13442  staff          7 Nov 11 12:41 .
v-ss7410b-gmp03#


> If that's the case, just remove it from the parent directory ACL.
>
>> v-ss7410b-gmp03# idmap list
>> add     "winuser:cjg.uk.sun.com\\cjg"    unixuser:cg13442
>> add     "wingroup:cjg.uk.sun.com\\smbstaff"    unixgroup:staff
>> add -d    "wingroup:*\\SYSTEM"    unixgroup:sys
>> v-ss7410b-gmp03# ls -dv My*
>> d---------+  4 cg13442  staff          5 Nov 11 12:42 My Documents
>>      0:user:cg13442:list_directory/read_data/add_file/write_data
>>          /add_subdirectory/append_data/read_xattr/write_xattr/execute
>>          /delete_child/read_attributes/write_attributes/delete/read_acl
>>          /write_acl/write_owner/synchronize:allow
>>      1:group:2147483648:list_directory/read_data/add_file/write_data
>>          /add_subdirectory/append_data/read_xattr/write_xattr/execute
>>          /delete_child/read_attributes/write_attributes/delete/read_acl
>>          /write_acl/write_owner/synchronize:allow
>> v-ss7410b-gmp03#
>>
>> This in turn prevents me from listing the file over NFS:
>
> This (the SYSTEM ACE) almost certainly isn't related to whether
> or not you can list files over NFS.

Alas it is. Removing the ACL completely solves the problem. This appears to be this bug: http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6844328


>
> If you can't list files, you probably don't have sufficient access
> in whatever ACEs are being associated with your credentials.
>
> Also, note that ls will only display permissions associated with
> owner@, group@ and everyone@, which is what leads to the
> d--------- thing.

So is it correct that Windows is explicitly setting the ACL to be user:XX and group:YY and not the owner@, group@, which causes this?

Seems a shame that we can't generate a default ACL for owner@ and gr...@for the case when user:XX == owner etc.

--
Chris Gerhard.                                         __o __o __o
Systems TSC, Sun Service                              _`\<,`\<,`\<,_
Sun Microsystems Limited                             (*)/---/---/ (*)
Phone: +44 (0) 1252 426033 (ext 26033) http://blogs.sun.com/chrisg
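The exchange above turns on two things that are easy to miss when reading `ls -v` output by eye: an ACE whose principal is a numeric ID at or above 2147483648 (Solaris allocates ephemeral IDs from 2^31 upward, which is the GID in the posted listing), and an explicit `user:<owner>` ACE standing in for `owner@`, which is why `ls` shows `d---------`. The script below is an added example, not code from this thread or from the OpenSolaris CIFS/idmap project. It assumes nothing beyond a POSIX shell and awk; the sample listing is constructed from the ACL Chris posted, and the function names are my own.

```shell
#!/bin/sh
# Added example: scan `ls -v` style ACL output for (a) ACEs whose user/group
# id is ephemeral and (b) an explicit user:<owner> ACE that duplicates the
# owner, the two symptoms discussed in the thread. Not from the original post.

# Solaris hands out ephemeral IDs starting at 2^31 when a Windows SID has
# no persistent idmap rule; the GID in the posted listing is exactly this value.
EPHEMERAL_MIN=2147483648

# Constructed sample: the `ls -dv My*` output quoted in the thread.
SAMPLE_ACL='d---------+  4 cg13442  staff          5 Nov 11 12:42 My Documents
     0:user:cg13442:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:allow
     1:group:2147483648:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /write_acl/write_owner/synchronize:allow'

# count_ephemeral_aces LISTING
# Prints how many "N:user:ID:" / "N:group:ID:" ACEs carry a numeric id
# at or above EPHEMERAL_MIN (i.e. an unmapped Windows SID).
count_ephemeral_aces() {
  printf '%s\n' "$1" | awk -F: -v min="$EPHEMERAL_MIN" '
    /^ *[0-9]+:(user|group):/ {
      id = $3
      if (id ~ /^[0-9]+$/ && id + 0 >= min + 0) n++
    }
    END { print n + 0 }'
}

# owner_has_explicit_ace LISTING
# Prints "yes" if the file owner (third column of the ls line) also appears
# as an explicit user:<owner> ACE instead of owner@, else "no".
owner_has_explicit_ace() {
  printf '%s\n' "$1" | awk '
    NR == 1 { owner = $3; next }
    $0 ~ ("^ *[0-9]+:user:" owner ":") { found = 1 }
    END { print (found ? "yes" : "no") }'
}

# report_acl LISTING: human-readable summary of both checks.
report_acl() {
  printf 'ephemeral ACEs: %s\n' "$(count_ephemeral_aces "$1")"
  printf 'owner duplicated as explicit user: ACE: %s\n' "$(owner_has_explicit_ace "$1")"
}

report_acl "$SAMPLE_ACL"
```

Run it against real output with `report_acl "$(ls -dv 'My Documents')"`; a non-zero ephemeral count means an `idmap` rule (like the `add -d "wingroup:*\\SYSTEM" unixgroup:sys` line in the thread) is not matching the SID Windows is writing, and a "yes" from the second check explains the `d---------` display on its own, independent of the NFS listing problem.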


_______________________________________________
cifs-discuss mailing list
[email protected]
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss