Hi Alan,
Thanks for the prompt help. Unfortunately, I still have a problem.
I think I followed you correctly, and did:
chmod A- /array0/john
chown ryanj:bsse-it /array0/john
chmod A=owner@:rwxpdDaARWcCos:fdi:allow /array0/john
chmod A+group@:rwxpdDaARWcCos:fdi:allow /array0/john
chmod A+user:ryanj:rwxpdDaARWcCos:fdi:allow /array0/john
chmod A+group:bsse-it:rwxpdDaARWcCos:fdi:allow /array0/john
# ls -lVd john
d---------+ 3 ryanj bsse-it 3 Dec 8 09:24 john
group:bsse-it:rwxpdDaARWcCos:fdi----:allow
user:ryanj:rwxpdDaARWcCos:fdi----:allow
group@:rwxpdDaARWcCos:fdi----:allow
owner@:rwxpdDaARWcCos:fdi----:allow
But I still get "Access denied" from Windows.
John.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Alan M Wright
Sent: Tuesday, 8 December 2009 11:06 AM
To: Ryan John
Cc: [email protected]
Subject: Re: [cifs-discuss] CIFS ACLs not making sense
Using chmod with UNIX permissions can lead to confusing results, as
can deny ACEs, unless you really need them. The deny ACEs in the
trivial ACL are primarily there to deal with corner cases (such as
inverted bitmaps that give the POSIX group more permission than the
owner) and for NFSv4 spec compliance.
ZFS explicitly denies access if you get to the end of the ACL and
there are desired access bits that have not been granted. If your
access control requirements are typical, you may not need those deny
entries.
If you want 770, you could start with something like this (below).
The inheritance bits (fd) help with Windows but they are not required
if you only use NFS. You may want to look at the aclinherit and
aclmode sections in the zfs(1M) man page.
chown john:bsse-it /array0/john
chmod A=owner@:full_set:fd:allow /array0/john
chmod A+group@:full_set:fd:allow /array0/john
If you want the file owned by root:
chown root:root /array0/john
chmod A=user:john:full_set:fd:allow /array0/john
chmod A+group:bsse-it:full_set:fd:allow /array0/john
This will result in ---------+ appearing on NFS clients because the NFS
server only presents the owner@, group@ and everyone@ permissions (even
if the file is owned by john:bsse-it). This is an NFSv4 requirement
and it may or may not affect access depending on how applications check
permissions. So what you might want is:
chown root:root /array0/john
chmod A=owner@:full_set:fd:allow /array0/john
chmod A+group@:full_set:fd:allow /array0/john
chmod A+user:john:full_set:fd:allow /array0/john
chmod A+group:bsse-it:full_set:fd:allow /array0/john
I haven't tried this (beware typos) but you should see rwxrwx---+ and
you should have access via john and bsse-it.
Alan
--
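The ACL walk Alan describes (allow ACEs grant outstanding bits, a deny on an outstanding bit ends the walk, anything still ungranted at the end is denied), modeled as an added example that is not code from this thread or from ZFS. It also models the 'i' in the fdi flag set, which chmod(1) defines as inherit_only: the ACE is inherited by new children but not applied to the directory itself, so an ACL made only of fdi entries grants nothing on /array0/john itself. The ACE lines are constructed from the ls -V output in the thread; principal matching (owner, primary and supplementary groups) is simplified.

```python
def parse_ace(line):
    """Parse one ls -V line (who:perms:flags:type), e.g. group:bsse-it:rwxpdDaARWcCos:fdi----:allow.
    Returns (who, perms, flags, kind); user:/group: principals contain a colon themselves."""
    parts = line.strip().split(":")
    return ":".join(parts[:-3]), set(parts[-3]) - {"-"}, set(parts[-2]) - {"-"}, parts[-1]

def ace_applies(who, user, groups, owner, group):
    """Does an ACE principal match the caller? (owner@/group@ refer to the file's owner and group.)"""
    if who == "owner@":
        return user == owner
    if who == "group@":
        return group in groups
    if who == "everyone@":
        return True
    kind, name = who.split(":", 1)
    return name == user if kind == "user" else name in groups

def check_access(acl_lines, user, groups, owner, group, wanted):
    """Walk the ACL top to bottom NFSv4-style. Returns (granted, reason).
    Permission letters are the ones ls -V prints (r w x p d D a A R W c C o s)."""
    remaining = set(wanted)
    for line in acl_lines:
        who, perms, flags, kind = parse_ace(line)
        if "i" in flags:                 # inherit_only: applies to new children, not this directory
            continue
        if not ace_applies(who, user, groups, owner, group):
            continue
        if kind == "deny" and remaining & perms:
            return False, f"denied by {who}"
        if kind == "allow":
            remaining -= perms           # allow only grants bits not yet granted or denied
        if not remaining:
            return True, "all requested bits granted"
    return False, "end of ACL, still ungranted: " + "".join(sorted(remaining))

# Constructed from the ls -V listing in John's follow-up: every ACE carries the 'i' flag.
FOLLOWUP_ACL = [
    "group:bsse-it:rwxpdDaARWcCos:fdi----:allow",
    "user:ryanj:rwxpdDaARWcCos:fdi----:allow",
    "group@:rwxpdDaARWcCos:fdi----:allow",
    "owner@:rwxpdDaARWcCos:fdi----:allow",
]
# The same entries with inherit_only dropped (the fd-only flags Alan's example uses).
FD_ONLY_ACL = [l.replace(":fdi----:", ":fd-----:") for l in FOLLOWUP_ACL]

if __name__ == "__main__":
    for label, acl in (("fdi", FOLLOWUP_ACL), ("fd", FD_ONLY_ACL)):
        print(label, check_access(acl, "ryanj", {"domain1", "bsse-it"}, "ryanj", "bsse-it", "rwx"))
```

Running it reports the fdi ACL as denied at the end of the walk with rwx still ungranted, and the fd-only ACL as granted; swapping the order of a deny and an allow ACE changes the outcome, which is Alan's point about deny entries.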
On 12/08/09 00:28, Ryan John wrote:
> Hi,
>
> I've been struggling with this for a while, and I'm either a bit thick, or
> I've got something wrong.
> I'm working in domain mode, and my OS is snv_123
> My unix userids come from LDAP and my groups come from NIS.
> My nsswitch.conf is:
> passwd: files ldap ad
> group: files nis ad
>
> I've created a CIFS share:
> zfs create -o casesensitivity=mixed -o nbmand=on dataPool/john
> zfs set mountpoint=/array0/john dataPool/john
> zfs set aclmode=passthrough dataPool/john
> zfs set aclinherit=passthrough dataPool/john
> zfs set sharesmb=on dataPool/john
> zfs set sharesmb=name=john dataPool/john
>
> Then I set some ACLs
> chmod A- /array0/john
> chmod 770 /array0/john
> chmod A0=owner@::fdi:deny /array0/john
> chmod A1=owner@:rwxpdDaRcs:fdi:allow /array0/john
> chmod A2=group@::fdi:deny /array0/john
> chmod A3=group@:rwxpdDaRcs:fdi:allow /array0/john
> chmod A4=everyone@:rwxpaARWcCos:fdi:deny /array0/john
> chmod A5=everyone@::fdi:allow /array0/john
> chmod A+group:domain1:rwxpdDaRcs:fdi:allow /array0/john
> chmod A+group:bsse-it:rwxpdDaRcs:fdi:allow /array0/john
>
> Then it looks like this:
> # ls -lVd john
> d---------+ 2 root root 2 Dec 8 09:12 john
> group:bsse-it:rwxpdDa-R-c--s:fdi----:allow
> group:domain1:rwxpdDa-R-c--s:fdi----:allow
> owner@:--------------:fdi----:deny
> owner@:rwxpdDa-R-c--s:fdi----:allow
> group@:--------------:fdi----:deny
> group@:rwxpdDa-R-c--s:fdi----:allow
> everyone@:rwxp--aARWcCos:fdi----:deny
> everyone@:--------------:fdi----:allow
>
> John (ryanj) is a member of the bsse-it group, although it's not his primary
> group:
> # id -a ryanj
> uid=23975(ryanj) gid=1029(domain1) .... 12933(bsse-it),1029(domain1)
>
> I thought that would be enough to allow ryanj to access the share, but on
> a Windows PC, I can see the share, but get "Access is denied"
>
> If I then set the normal POSIX permissions with:
> # chgrp bsse-it john
> # chmod 770 john
> # ls -lVd john
> drwxrwx---+ 2 root bsse-it 2 Dec 8 09:12 john
> group:bsse-it:rwxpdDa-R-c--s:fdi----:allow
> group:domain1:rwxpdDa-R-c--s:fdi----:allow
> owner@:--------------:fdi----:deny
> owner@:rwxpdDa-R-c--s:fdi----:allow
> group@:--------------:fdi----:deny
> group@:rwxpdDa-R-c--s:fdi----:allow
> everyone@:rwxp--aARWcCos:fdi----:deny
> everyone@:--------------:fdi----:allow
> owner@:--------------:-------:deny
> owner@:rwxp---A-W-Co-:-------:allow
> group@:--------------:-------:deny
> group@:rwxp----------:-------:allow
> everyone@:rwxp---A-W-Co-:-------:deny
> everyone@:------a-R-c--s:-------:allow
>
> I can access the share and create new folders.
> It seems like it's completely ignoring the NFSv4 ACLs.
>
> Can anyone help me?
>
> Thanks in advance
> John Ryan
> _______________________________________________
> cifs-discuss mailing list
> [email protected]
> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
