On 11/11/09 12:17, Chris Gerhard wrote:
Alan Wright wrote:
 > Chris Gerhard wrote:
 >> How can I map what appears to be the default "SYSTEM" group on
 >> Windows XP to a group on Solaris? I always end up with an ephemeral
 >> group for that?
 >>
 >> I've mapped my user "cjg" <-> "cg13442" and put it in the default
 >> group smbstaff which I have also mapped. However every object I create
 >> on XP on the CIFS server ends up with an additional ACL for an
 >> ephemeral group which when viewed on XP is the "SYSTEM" group:
 >
 > SYSTEM is probably being inherited from the parent ACL.

Is that the ACL on the parent directory? If so, it is not, as there is not one. The other thing that suggests to me that this is not the case is that a Windows 2003 system does not add the ACL:

Then the problem is probably that the parent directory doesn't have
any inheritance specified.  Without inheritance directives a default
ACL is assigned that contains two ACEs: one for the owner and another
for SYSTEM.

I've just raised the priority of 6844328 and will ask that someone
look at it.

Alan

v-ss7410b-gmp03# ls -ld .
drwxr-xr-x   3 cg13442  staff          7 Nov 11 12:41 .
v-ss7410b-gmp03#


 > If that's the case, just remove it from the parent directory ACL.
 >
 >> v-ss7410b-gmp03# idmap list
 >> add     "winuser:cjg.uk.sun.com\\cjg"    unixuser:cg13442
 >> add     "wingroup:cjg.uk.sun.com\\smbstaff"    unixgroup:staff
 >> add -d    "wingroup:*\\SYSTEM"    unixgroup:sys
 >> v-ss7410b-gmp03# ls -dv My*
 >> d---------+  4 cg13442  staff          5 Nov 11 12:42 My Documents
 >>      0:user:cg13442:list_directory/read_data/add_file/write_data
 >>          /add_subdirectory/append_data/read_xattr/write_xattr/execute
 >>          /delete_child/read_attributes/write_attributes/delete/read_acl
 >>          /write_acl/write_owner/synchronize:allow
 >>      1:group:2147483648:list_directory/read_data/add_file/write_data
 >>          /add_subdirectory/append_data/read_xattr/write_xattr/execute
 >>          /delete_child/read_attributes/write_attributes/delete/read_acl
 >>          /write_acl/write_owner/synchronize:allow
 >> v-ss7410b-gmp03#
 >>
 >> This in turn prevents me from listing the file over NFS:
 >
 > This (the SYSTEM ACE) almost certainly isn't related to whether
 > or not you can list files over NFS.

Alas it is. Removing the ACL completely solves the problem. This appears to be this bug: http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6844328


 >
 > If you can't list files, you probably don't have sufficient access
 > in whatever ACEs are being associated with your credentials.
 >
 > Also, note that ls will only display permissions associated with
 > owner@, group@ and everyone@, which is what leads to the
 > d--------- thing.

So is it correct that Windows is explicitly setting the ACL to be user:XX and group:YY and not the owner@, group@ which causes this?

Seems a shame that we can't generate a default ACL for owner@ and group@ for the case when user:XX == owner etc.
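
Added example, not part of the original messages or of any Solaris tool: a small Python audit of `ls -dv` output for one object that flags ACEs naming an ephemeral ID and reports whether any owner@/group@/everyone@ ACE exists, the condition the thread ties to the `d---------` display. The function names are hypothetical and the sample is constructed from the listing quoted above with the permission lists shortened.

```python
import re

# Solaris idmap allocates ephemeral UIDs/GIDs from 2^31 up to 2^32 - 2.
EPHEMERAL = range(2**31, 2**32 - 1)
SPECIAL = ("owner@", "group@", "everyone@")

# Constructed sample modelled on the thread's `ls -dv` output (permissions shortened).
SAMPLE = """\
d---------+  4 cg13442  staff          5 Nov 11 12:42 My Documents
     0:user:cg13442:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_acl/write_acl:allow
     1:group:2147483648:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_acl/write_acl:allow
"""

def parse_aces(text):
    """Parse the ACEs of a single object from `ls -v` / `ls -dv` text."""
    joined = []
    for line in text.splitlines():
        item = line.strip()
        if re.match(r"\d+:", item):
            joined.append(item)                 # start of a new ACE
        elif joined and item.startswith("/"):
            joined[-1] += item                  # wrapped permission list
    aces = []
    for entry in joined:
        fields = entry.split(":")
        kind = fields[1]
        # user:/group: entries carry a name or numeric ID; owner@ etc. do not.
        ident = fields[2] if kind in ("user", "group") else None
        perms = fields[3] if ident is not None else fields[2]
        aces.append({"index": int(fields[0]), "kind": kind, "id": ident,
                     "perms": perms.split("/"), "type": fields[-1]})
    return aces

def audit(text):
    """Return ephemeral-ID ACEs and whether any owner@/group@/everyone@ ACE exists."""
    aces = parse_aces(text)
    ephemeral = [a for a in aces
                 if a["id"] and a["id"].isdigit() and int(a["id"]) in EPHEMERAL]
    return {"ephemeral": ephemeral,
            "has_special": any(a["kind"] in SPECIAL for a in aces)}

if __name__ == "__main__":
    result = audit(SAMPLE)
    for ace in result["ephemeral"]:
        print(f"ACE {ace['index']}: {ace['kind']}:{ace['id']} is an ephemeral ID")
    if not result["has_special"]:
        print("no owner@/group@/everyone@ ACE present")
```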




