Jordan Brown wrote:
> Chris Gerhard wrote:
>>> SYSTEM (aka "Local System", S-1-5-18) is hardwired to 2147483648. It's not exactly an ephemeral ID; it's more of a reserved ID. I think this is so that something in the CIFS server can automatically add it to an ACL in some cases, but I don't know the details.
>>
>> So can you map this ID? If so how?
>
> No. Hardwired mappings win over everything else.
>
> [ NFS failure retrieving ACL on files with SYSTEM in the ACL ]
>
> This appears to be a bug. ls gets an error from the call to get the ACL and then misbehaves:
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6844328
>
> Hmm. I'm not an expert on NFS and wouldn't immediately know where to look in the code to check, but my tentative bet is that NFS thinks the hardwired ID 2147483648 is an ephemeral ID (because it's in the ephemeral range) and is upset about the idea of passing an ephemeral ID across the wire.
>
>> So having this default SYSTEM group which is unmapped is preventing NFS access working.
>
> It isn't exactly unmapped. It's unconditionally mapped to 2147483648.
So I could in theory add that group to NIS and all would be well?
I'll need to talk to the CIFS experts about this.
In practice, though, setting an ACL on the root of the file system of this:
A+owner@:full_set:fd:allow,everyone@:read_set/execute:fd:allow
has solved the issue, as it seems to prevent the XP system from using the SYSTEM group. Objects created on Windows now don't have the strange permissions they used to have:
: eacces.eu FSS 14 $; ls -vd 'XP folder'
drwxr-xr-x+ 2 cg13442 staff 2 Nov 12 09:41 XP folder
0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/delete/read_acl/write_acl
/write_owner/synchronize:file_inherit/dir_inherit:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner/synchronize:file_inherit/dir_inherit:allow
2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl:file_inherit/dir_inherit:allow
3:group@:list_directory/read_data/execute/synchronize:file_inherit
/dir_inherit:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:file_inherit/dir_inherit
:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:file_inherit/dir_inherit:allow
: eacces.eu FSS 15 $;
compared with:
: eacces.eu FSS 20 $; ls -vd 'My Documents'
ls: can't read ACL on My Documents: Not owner
d--------- 4 cg13442 staff 5 Nov 11 12:42 My Documents
: eacces.eu FSS 21 $;
--
Chris Gerhard. __o __o __o
Systems TSC, Sun Service _`\<,`\<,`\<,_
Sun Microsystems Limited (*)/---/---/ (*)
Phone: +44 (0) 1252 426033 (ext 26033) http://blogs.sun.com/chrisg
_______________________________________________
cifs-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
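The thread leaves two things for the reader to work out by hand: what the `ls -v` listing of the XP-created folder actually grants once the allow and deny entries are evaluated in order, and whether that is any more than the root-level `A+owner@:full_set:fd:allow,everyone@:read_set/execute:fd:allow` spec intended. The script below is an added example, not code from the thread's participants or from the OpenSolaris/ZFS source. It parses `ls -v` output (joining the wrapped continuation lines), expands the `chmod(1)` set aliases (`full_set`, `read_set`, `write_set`, `modify_set`), and applies NFSv4 ACE evaluation (first ACE to mention a bit for a matching principal wins; unmentioned bits stay denied). `XP_FOLDER` is the `ls -vd 'XP folder'` listing quoted above, embedded so the script runs offline; `SYSTEM_ID` is the value given for S-1-5-18 in the thread; the function names, the `2**31` boundary used for the ephemeral-range check, and the raising of `OSError` on the `ls: can't read ACL` line are assumptions made here.

```python
"""Parse Solaris `ls -v` ACL listings, expand chmod(1) ACL specs, and evaluate
NFSv4-style ACEs in order.  Added example; not from the thread or the ZFS code.
XP_FOLDER and SYSTEM_ID come from the thread; function names and the 2**31
ephemeral boundary are assumptions."""
import re

# Canonical permission bits as printed by ls -v; the directory-specific names
# are aliases of the file names for the same bits and are folded together.
PERMS = (
    "read_data", "write_data", "append_data", "read_xattr", "write_xattr",
    "execute", "delete_child", "read_attributes", "write_attributes", "delete",
    "read_acl", "write_acl", "write_owner", "synchronize",
)
ALIASES = {"list_directory": "read_data", "add_file": "write_data",
           "add_subdirectory": "append_data"}
# Permission-set aliases accepted by chmod(1) ACL syntax on Solaris.
SETS = {
    "full_set": set(PERMS),
    "modify_set": set(PERMS) - {"write_acl", "write_owner"},
    "read_set": {"read_data", "read_attributes", "read_xattr", "read_acl"},
    "write_set": {"write_data", "append_data", "write_attributes", "write_xattr"},
}
INHERIT_FLAGS = {"f": "file_inherit", "d": "dir_inherit",
                 "i": "inherit_only", "n": "no_propagate"}
SYSTEM_ID = 2147483648       # hardwired mapping for S-1-5-18, per the thread
ROOT_SPEC = "A+owner@:full_set:fd:allow,everyone@:read_set/execute:fd:allow"

XP_FOLDER = """\
drwxr-xr-x+ 2 cg13442 staff 2 Nov 12 09:41 XP folder
0:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/read_xattr/write_xattr/execute/delete_child
/read_attributes/write_attributes/delete/read_acl/write_acl
/write_owner/synchronize:file_inherit/dir_inherit:allow
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner/synchronize:file_inherit/dir_inherit:allow
2:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl:file_inherit/dir_inherit:allow
3:group@:list_directory/read_data/execute/synchronize:file_inherit
/dir_inherit:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:file_inherit/dir_inherit
:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:file_inherit/dir_inherit:allow
"""


def is_ephemeral_range(uid):
    """Assumption: Solaris ephemeral SID mappings sit at or above 2**31, which
    is why the thread expects NFS to mistake the hardwired SYSTEM ID for one."""
    return uid >= 2 ** 31


def expand_perms(field):
    """'list_directory/read_data/read_set' -> canonical set of bits."""
    bits = set()
    for name in field.split("/"):
        bits |= SETS.get(name) or {ALIASES.get(name, name)}
    unknown = bits - set(PERMS)
    if unknown:
        raise ValueError("unknown permission(s): " + ", ".join(sorted(unknown)))
    return bits


def _ace(fields, flag_parser):
    """Common tail of both syntaxes: who[:name]:perms[:flags]:allow|deny."""
    if fields[0] in ("user", "group", "usersid", "groupsid"):
        who, rest = fields[0] + ":" + fields[1], fields[2:]
    else:
        who, rest = fields[0], fields[1:]
    flags = flag_parser(rest[1]) if len(rest) == 3 else set()
    return (who, expand_perms(rest[0]), flags, rest[-1])


def parse_ls_v(text):
    """`ls -v` output -> [(who, perms, inherit_flags, 'allow'|'deny')], joining
    the continuation lines that ls wraps onto '/' or ':' prefixes."""
    entries = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("ls: can't read ACL"):
            raise OSError(line)          # the 'My Documents' failure in the thread
        if re.match(r"\d+:", line):
            entries.append(line.split(":", 1)[1])   # drop the index
        elif entries and line and line[0] in "/:":
            entries[-1] += line
    return [_ace(e.split(":"), lambda f: set(f.split("/"))) for e in entries]


def parse_chmod_spec(spec):
    """chmod(1) spec such as 'A+owner@:full_set:fd:allow,...' -> same tuples."""
    body = re.sub(r"^A\d*[+=]", "", spec)
    return [_ace(e.split(":"), lambda f: {INHERIT_FLAGS[c] for c in f})
            for e in body.split(",")]


def effective(aces, classes):
    """NFSv4 evaluation: ACEs are walked in order and the first one that
    mentions a bit for a matching principal decides it; unmentioned bits
    stay denied.  `classes` is the set of who-strings the caller matches."""
    allowed, denied = set(), set()
    for who, perms, _flags, kind in aces:
        if who not in classes:
            continue
        if kind == "allow":
            allowed |= perms - denied
        elif kind == "deny":
            denied |= perms - allowed
    return allowed


def everyone_beyond_root(listing=XP_FOLDER, spec=ROOT_SPEC):
    """(bits everyone@ holds beyond what the root spec intended,
        bits the root spec intended that everyone@ lacks)."""
    intended = effective(parse_chmod_spec(spec), {"everyone@"})
    actual = effective(parse_ls_v(listing), {"everyone@"})
    return actual - intended, intended - actual


if __name__ == "__main__":
    extra, missing = everyone_beyond_root()
    print("everyone@ extra:", sorted(extra), "missing:", sorted(missing))
    print("owner bits:", len(effective(parse_ls_v(XP_FOLDER),
                                       {"owner@", "group@", "everyone@"})))
    print("SYSTEM id in ephemeral range:", is_ephemeral_range(SYSTEM_ID))
```

On the listing quoted in the thread, the owner ends up with all fourteen bits (entry 0 decides every bit before the `everyone@` deny in entry 4 is reached), and `everyone@` ends up with exactly the `read_set/execute` the root spec granted plus `synchronize` from entry 5; the deny in entry 4 only blocks writes that no earlier ACE had allowed for that class. The same evaluation can be pointed at any other `ls -v` listing, and a listing that begins with `ls: can't read ACL` is reported instead of silently parsed as an empty ACL.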
