Thank you very much. Both explanations from yourself and Alan were very useful.

John 

-----Original Message-----
From: [email protected] [mailto:[email protected]] 
Sent: Tuesday, 8 December 2009 5:52 PM
To: Ryan John
Cc: Alan M Wright; [email protected]
Subject: Re: [cifs-discuss] CIFS ACLs not making sense

See all those "i"s in the inheritance column, where everything says "fdi"?

That means:

          inherit_only (i)

              When placed on a directory, do not apply to the
              directory, only to newly created files and directories.
              This flag requires that either file_inherit and or
              dir_inherit is also specified.

Net result, none of those ACL entries apply to the directory.  They all 
apply only to children of that directory.  Since no ACL entries apply to 
the directory, all access is denied.
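As an added illustration of the inherit_only point (this is not code from the thread), the small Python evaluator below walks ACL entries in the ls -V format shown further down and applies the two rules the replies describe: entries flagged "i" are skipped when the directory itself is checked, and any requested bit still ungranted at the end of the ACL is denied. The ACL lists are constructed from John's second attempt; the who-matching in ace_applies and the simplified deny handling are my own assumptions, not ZFS's exact algorithm.

```python
def parse_ace(line):
    """Split one ls -V style entry 'who:perms:flags:type'; '-' are placeholders."""
    who, perms, flags, kind = line.strip().rsplit(":", 3)
    return who, set(perms) - {"-"}, set(flags) - {"-"}, kind

def ace_applies(who, user, groups, owner, owning_group):
    """Does the ACE's 'who' field cover the requesting user? (assumed mapping)"""
    if who == "owner@":
        return user == owner
    if who == "group@":
        return owning_group in groups
    if who == "everyone@":
        return True
    if who.startswith("user:"):
        return who[len("user:"):] == user
    if who.startswith("group:"):
        return who[len("group:"):] in groups
    return False

def check_access(acl, user, groups, owner, owning_group, wanted, on_dir_itself=True):
    """Walk the ACL in order; True only if every wanted bit is granted before a deny or the end."""
    needed = set(wanted)
    for line in acl:
        who, perms, flags, kind = parse_ace(line)
        # inherit_only ('i'): the entry is for newly created children, not this directory
        if on_dir_itself and "i" in flags:
            continue
        if not ace_applies(who, user, groups, owner, owning_group):
            continue
        if kind == "deny" and needed & perms:
            return False          # a matching deny on a still-undecided bit ends it
        needed -= perms
        if not needed:
            return True
    return False                  # end of ACL with bits ungranted: ZFS denies

# Constructed input: John's second attempt, where every entry carries 'fdi'...
ACL_FDI = [
    "group:bsse-it:rwxpdDaARWcCos:fdi----:allow",
    "user:ryanj:rwxpdDaARWcCos:fdi----:allow",
    "group@:rwxpdDaARWcCos:fdi----:allow",
    "owner@:rwxpdDaARWcCos:fdi----:allow",
]
# ...and the same entries with only 'fd', i.e. without the inherit_only flag.
ACL_FD = [e.replace(":fdi----:", ":fd-----:") for e in ACL_FDI]
# ryanj (owner ryanj, group bsse-it, also in domain1) asking for read+execute on the directory:
RYANJ = ("ryanj", {"domain1", "bsse-it"}, "ryanj", "bsse-it", "rx")
DIR_WITH_FDI = check_access(ACL_FDI, *RYANJ)  # False: nothing applies, access denied
DIR_WITH_FD = check_access(ACL_FD, *RYANJ)    # True: the first entry grants r and x
```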

Ryan John wrote:
> Hi Alan,
> 
> Thanks for the prompt help.
> Unfortunately, I still have a problem.
> 
> I think I followed you correctly, and did:
> chmod A- /array0/john
> chown ryanj:bsse-it /array0/john
> chmod A=owner@:rwxpdDaARWcCos:fdi:allow /array0/john
> chmod A+group@:rwxpdDaARWcCos:fdi:allow /array0/john
> chmod A+user:ryanj:rwxpdDaARWcCos:fdi:allow /array0/john
> chmod A+group:bsse-it:rwxpdDaARWcCos:fdi:allow /array0/john
> 
> # ls -lVd john
> d---------+  3 ryanj    bsse-it        3 Dec  8 09:24 john
>           group:bsse-it:rwxpdDaARWcCos:fdi----:allow
>              user:ryanj:rwxpdDaARWcCos:fdi----:allow
>                  group@:rwxpdDaARWcCos:fdi----:allow
>                  owner@:rwxpdDaARWcCos:fdi----:allow
> 
> But I still get "Access denied" from Windows.
> 
> John.
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Alan M Wright
> Sent: Tuesday, 8 December 2009 11:06 AM
> To: Ryan John
> Cc: [email protected]
> Subject: Re: [cifs-discuss] CIFS ACLs not making sense
> 
> Using chmod with UNIX permissions can lead to confusing results, as
> can deny ACEs, unless you really need them.  The deny ACEs in the
> trivial ACL are primarily there to deal with corner cases (such as
> inverted bitmaps that give the POSIX group more permission than the
> owner) and for NFSv4 spec compliance.
> 
> ZFS explicitly denies access if you get to the end of the ACL and
> there are desired access bits that have not been granted.  If your
> access control requirements are typical, you may not need those deny
> entries.
> 
> If you want 770, you could start with something like this (below).
> The inheritance bits (fd) help with Windows but they are not required
> if you only use NFS.  You may want to look at the aclinherit and
> aclmode sections in the zfs(1M) man page.
> 
>       chown john:bsse-it                      /array0/john
>       chmod A=owner@:full_set:fd:allow        /array0/john
>       chmod A+group@:full_set:fd:allow        /array0/john
> 
> If you want the file owned by root:
> 
>       chown root:root                         /array0/john
>       chmod A=user:john:full_set:fd:allow     /array0/john
>       chmod A+group:bsse-it:full_set:fd:allow /array0/john
> 
> This will result in ---------+ appearing on NFS clients because the NFS
> server only presents the owner@, group@ and everyone@ permissions (even
> if the file is owned by john:bsse-it).  This is an NFSv4 requirement
> and it may or may not affect access depending on how applications check
> permissions.  So what you might want is:
> 
>       chown root:root                         /array0/john
>       chmod A=owner@:full_set:fd:allow        /array0/john
>       chmod A+group@:full_set:fd:allow        /array0/john
>       chmod A+user:john:full_set:fd:allow     /array0/john
>       chmod A+group:bsse-it:full_set:fd:allow /array0/john
> 
> I haven't tried this (beware typos) but you should see rwxrwx---+ and
> you should have access via john and bsse-it.
> 
> Alan
> --
> 
> On 12/08/09 00:28, Ryan John wrote:
>> Hi,
>>
>> I've been struggling with this for a while, and I'm either a bit thick, or 
>> I've got something wrong.
>> I'm working in domain mode, and my OS is snv_123
>> My unix userids come from LDAP and my groups come from NIS.
>> My nsswitch.conf is:
>> passwd:     files ldap ad
>> group:      files nis ad
>>
>> I've created a CIFS share:
>> zfs create -o casesensitivity=mixed -o nbmand=on  dataPool/john
>> zfs set mountpoint=/array0/john dataPool/john
>> zfs set aclmode=passthrough dataPool/john
>> zfs set aclinherit=passthrough dataPool/john
>> zfs set sharesmb=on dataPool/john
>> zfs set sharesmb=name=john dataPool/john
>>
>> Then I set some ACLs
>> chmod A- /array0/john
>> chmod 770 /array0/john
>> chmod A0=owner@::fdi:deny /array0/john
>> chmod A1=owner@:rwxpdDaRcs:fdi:allow /array0/john
>> chmod A2=group@::fdi:deny /array0/john
>> chmod A3=group@:rwxpdDaRcs:fdi:allow /array0/john
>> chmod A4=everyone@:rwxpaARWcCos:fdi:deny /array0/john
>> chmod A5=everyone@::fdi:allow /array0/john
>> chmod A+group:domain1:rwxpdDaRcs:fdi:allow /array0/john
>> chmod A+group:bsse-it:rwxpdDaRcs:fdi:allow /array0/john
>>
>> Then it looks like this:
>> # ls -lVd john
>> d---------+  2 root     root           2 Dec  8 09:12 john
>>           group:bsse-it:rwxpdDa-R-c--s:fdi----:allow
>>           group:domain1:rwxpdDa-R-c--s:fdi----:allow
>>                  owner@:--------------:fdi----:deny
>>                  owner@:rwxpdDa-R-c--s:fdi----:allow
>>                  group@:--------------:fdi----:deny
>>                  group@:rwxpdDa-R-c--s:fdi----:allow
>>               everyone@:rwxp--aARWcCos:fdi----:deny
>>               everyone@:--------------:fdi----:allow
>>
>> John (ryanj) is a member of the bsse-it group, although it's not his primary 
>> group:
>> # id -a ryanj
>> uid=23975(ryanj) gid=1029(domain1) .... 12933(bsse-it),1029(domain1)
>>
>> I thought that would be enough to allow ryanj to access the share, but on 
>> a Windows PC, I can see the share, but get "Access is denied"
>>
>> If I then set the normal POSIX permissions with:
>> # chgrp bsse-it john
>> # chmod 770 john
>> # ls -lVd john
>> drwxrwx---+  2 root     bsse-it        2 Dec  8 09:12 john
>>           group:bsse-it:rwxpdDa-R-c--s:fdi----:allow
>>           group:domain1:rwxpdDa-R-c--s:fdi----:allow
>>                  owner@:--------------:fdi----:deny
>>                  owner@:rwxpdDa-R-c--s:fdi----:allow
>>                  group@:--------------:fdi----:deny
>>                  group@:rwxpdDa-R-c--s:fdi----:allow
>>               everyone@:rwxp--aARWcCos:fdi----:deny
>>               everyone@:--------------:fdi----:allow
>>                  owner@:--------------:-------:deny
>>                  owner@:rwxp---A-W-Co-:-------:allow
>>                  group@:--------------:-------:deny
>>                  group@:rwxp----------:-------:allow
>>               everyone@:rwxp---A-W-Co-:-------:deny
>>               everyone@:------a-R-c--s:-------:allow
>>
>> I can access the share and create new folders.
>> It seems like it's completely ignoring the NFSv4 ACLs.
>>
>> Can anyone help me?
>>
>> Thanks in advance
>> John Ryan
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> cifs-discuss mailing list
>> [email protected]
>> http://mail.opensolaris.org/mailman/listinfo/cifs-discuss