So, to follow up with my own notes: the issue appears to be an order-of-operations issue on my end.
When I set up CIFS shares I do the following:

- Create the ZFS set
  - casesensitivity is mixed
  - nbmand on
  - sharesmb=name=share-name
- Set initial ACL so AD Admins have total control
  - /usr/bin/chmod A=group:2147483664:read_data/write_data/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow /pool/zfs-share/.zfs/shares/share-name
  - /usr/bin/chmod A=group:2147483664:read_data/write_data/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow /pool/zfs-share
- Adjust security from there via Windows client

When I adjust the ACLs via Windows, /pool/zfs-share/.zfs/shares/share-name does not get touched. In this case it was still left as [email protected], while the ACL for /pool/zfs-share matched what I expected. This meant my problem user, who was a member of the target group but not in Administrators, couldn't connect. Once I updated .zfs/shares/share-name to an ACL that included the problem user, issue solved.

I need to dig more to determine the significance of .zfs/shares/share-name, to determine if I can safely default to an ACL that covers all authenticated domain users or if I should keep it narrow.

Josh C

On Mon, Nov 14, 2016 at 12:34 PM, Josh Coombs <[email protected]> wrote:

> Hello, I've got an Omni box up and running, joined to my local AD domain.
> It's been working well, I have two shares ACL'd by Windows groups and so
> far so good.
>
> Until today, I have an 'IT' share restricted to the IT-Dev group, which
> has four members. Two of those members can access the share just fine, the
> other two are denied by ACL. I've flushed idmap's DB and still no joy. I
> can see good SIDs for the users and group in question, but I can't seem to
> get the box to accept that these two users are part of the group.
> Any thoughts on how to further debug this?
>
> Josh C

-------------------------------------------
illumos-discuss Archives: https://www.listbox.com/member/archive/182180/=now
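The following script is an added example, not code from the post above or from illumos itself. It scripts the setup sequence Josh describes (dataset properties, then the same full-control ACE on both the dataset root and the share entry under .zfs/shares, which Windows-side ACL edits leave untouched) and adds the check his write-up implies: list the principals granted on the dataset root and report any that are absent from the share-level ACL. The pool, dataset, share name and gid 2147483664 are taken from the post as placeholders; DRYRUN=1 prints the commands instead of running them, and the `ls -V` samples in the usage below are constructed, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed placeholders below:
# POOL, DATASET, SHARE and ADMIN_GID are the values from the post, override
# them via the environment. Set DRYRUN=1 to print the commands instead.

POOL="${POOL:-pool}"
DATASET="${DATASET:-zfs-share}"
SHARE="${SHARE:-share-name}"
ADMIN_GID="${ADMIN_GID:-2147483664}"   # idmap ephemeral gid for the admin group (placeholder)

# Full-control ACE in the chmod A= syntax used on illumos/ZFS.
full_control_ace() {
    printf 'group:%s:read_data/write_data/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow' "$1"
}

# The two paths that must agree: the dataset root (file-system ACL) and the
# share entry under .zfs/shares (share-level ACL, not touched from Windows).
dataset_path()   { printf '/%s/%s' "$POOL" "$DATASET"; }
share_acl_path() { printf '/%s/%s/.zfs/shares/%s' "$POOL" "$DATASET" "$SHARE"; }

run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create the dataset with the properties from the post and apply the ACE to
# BOTH paths before handing the share over to Windows-side ACL editing.
create_share() {
    run zfs create -o casesensitivity=mixed -o nbmand=on \
        -o sharesmb="name=$SHARE" "$POOL/$DATASET"
    ace=$(full_control_ace "$ADMIN_GID")
    run /usr/bin/chmod "A=$ace" "$(share_acl_path)"
    run /usr/bin/chmod "A=$ace" "$(dataset_path)"
}

# Principals named in `ls -V` output (first line is the mode/owner line,
# each following line is principal:perms:flags:type). owner@/group@/everyone@
# are a single field; user:NAME and group:NAME are two.
acl_principals() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        sub(/^[ \t]+/, "")
        split($0, f, ":")
        p = (f[1] ~ /@$/) ? f[1] : f[1] ":" f[2]
        print p }' | sort -u
}

# Principals granted on the dataset root but absent from the share-level ACL.
# Arguments are the full `ls -V` outputs of the two paths. A non-empty result
# is exactly the state described in the post: the file-system ACL admits the
# user, the share ACL does not, and the SMB connection is refused.
missing_from_share_acl() {
    ds=$(acl_principals "$1")
    sh=$(acl_principals "$2")
    printf '%s\n' "$ds" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        printf '%s\n' "$sh" | grep -qxF "$p" || printf '%s\n' "$p"
    done
}

case "${1:-}" in
    --create) create_share ;;
    --check)  missing_from_share_acl "$(ls -Vd "$(dataset_path)")" \
                                     "$(ls -Vd "$(share_acl_path)")" ;;
esac
```

Run `sh script.sh --create` once on a fresh dataset, then `sh script.sh --check` after any Windows-side ACL change; each line it prints is a principal that can pass the file-system ACL but will still be turned away at the share, which is the narrow place to add the missing group rather than widening the share ACL to all authenticated users.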
