Hi again,

You're the man. This looks very promising. If I get this right, the ZFS ACEs are behaving more like a (u)mask for newly created files via CIFS on a folder with traditional Unix permissions. So there are really no additional ACEs required. This is perfect.
E.g. if I remove all ACEs on the subfolder Unix:

root@omnios02:/tank/ReferenceSU/TEST/Software# chmod A- Unix/

it will leave just the default ones:

root@omnios02:/tank/ReferenceSU/TEST/Software# ls -V
total 1
drwxrws---   4 tuser    Up TEST de_dt Da Lg       6 Jun 28 11:42 Unix
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:rwxp-Da-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow

Trying to access the folder Unix via CIFS works fine as user utest2, as he is a member of the "Up TEST de_dt Da Lg" group and this group has rws Unix permissions. Excellent. :)

root@omnios02:/tank/ReferenceSU/TEST/Software# groups utest2
10000 Up TEST de_dt Da Lg

Now I can control the access fine using the normal traditional Unix permissions. If I change the group to a group that he is not a member of, his access is denied. Excellent again :)

root@omnios02:/tank/ReferenceSU/TEST/Software# chgrp "Up BCSIM De_dt Da Lg" Unix
root@omnios02:/tank/ReferenceSU/TEST/Software# ls -al
total 3
drwxr-xr-x+  3 root     root           3 Jun 27 15:03 .
d---------+  4 root     root           4 Jun 27 15:04 ..
drwxrws---   4 tuser    Up BCSIM De_Dt Da Lg      6 Jun 28 11:42 Unix

Switching back to the "Up test ..." group and creating a file "testcifs.txt" via CIFS.

root@omnios02:/tank/ReferenceSU/TEST/Software# chgrp "Up TEST De_dt Da Lg" Unix
root@omnios02:/tank/ReferenceSU/TEST/Software# ls -al
total 3
drwxr-xr-x+  3 root     root           3 Jun 27 15:03 .
d---------+  4 root     root           4 Jun 27 15:04 ..
drwxrws---   4 tuser    Up TEST de_dt Da Lg       6 Jun 28 11:42 Unix

The file gets the following traditional Unix permissions:

root@omnios02:/tank/ReferenceSU/TEST/Software/Unix# ls -al
total 4
drwxrws---   2 tuser    Up TEST de_dt Da Lg       4 Jun 28 12:00 .
drwxr-xr-x+  3 root     root           3 Jun 27 15:03 ..
-rwx------+  1 utest2   Up TEST de_dt Da Lg      14 Jun 28 12:00 testcifs.txt

Only the owner can rwx. Not so good. But with your awesome chmod command applied to the Unix folder:
chmod A- Unix
chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow Unix

the permissions are just right when creating a file from CIFS:

root@omnios02:/tank/ReferenceSU/TEST/Software/Unix# ls -al
total 4
drwxrws---+  3 tuser    Up TEST de_dt Da Lg       4 Jun 28 12:20 .
drwxr-xr-x+  3 root     root           3 Jun 27 15:03 ..
drwxrws---+  2 utest2   Up TEST de_dt Da Lg       2 Jun 28 12:20 New folder
-rwxrwx---+  1 utest2   Up TEST de_dt Da Lg       3 Jun 28 12:20 testcifs_aclset.txt
root@omnios02:/tank/ReferenceSU/TEST/Software/Unix# ls -V
total 2
drwxrws---+  2 utest2   Up TEST de_dt Da Lg       2 Jun 28 12:20 New folder
                 owner@:rwxp-DaARWcCos:fd----I:allow
                 group@:rwxp-DaARWcCos:fd----I:allow
              everyone@:--------------:fd----I:allow
-rwxrwx---+  1 utest2   Up TEST de_dt Da Lg       3 Jun 28 12:20 testcifs_aclset.txt
                 owner@:rwxp-DaARWcCos:------I:allow
                 group@:rwxp-DaARWcCos:------I:allow
              everyone@:--------------:------I:allow
root@omnios02:/tank/ReferenceSU/TEST/Software/Unix#

This looks perfect. I will need to do some more testing, especially with aclmode and aclinherit. But so far this could be the solution I was looking for. :)

-----Original Message-----
From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
Sent: Wednesday, 28 June 2017 08:09
To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

Yeah, AD with IDMU

According to this page (very old, but still the truth), you can't live without ACLs.
https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/

You have to inherit the ACLs to newly created files.
At first I switched to the passthrough acl properties:

zfs set aclmode=passthrough tank
zfs set aclinherit=passthrough tank

Then you have to define an initial ACL for your datasets. For this example I just assume you have the pool tank and one dataset test:

- first set your sticky bit
  chmod g+s /tank/test
- then set the ACLs
  chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test

so nearly full permission for the owner and the group, and nothing for others; all ACLs are inherited by newly created files and directories [the "df"]

8<---
ls -Vd /tank/test
drwxrws---+  5 root     IT             5 Jun 28 07:55 /tank/test
                 owner@:rwxp-DaARWcCos:fd-----:allow
                 group@:rwxp-DaARWcCos:fd-----:allow
              everyone@:--------------:fd-----:allow
8<---

(This inheritance doesn't apply to new datasets you create via zfs, btw)

But take care: whenever you do a chmod operation or a chgrp on /tank/test (or any other dataset), the owner, group and everyone ACEs get overwritten (according to http://docs.oracle.com/cd/E36784_01/html/E36835/gbaaz.html)

8<---
chgrp 0 /tank/test
ls -Vd /tank/test
drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:rwxp-Da-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
See the missing "+" and "fd"?
8<---

(This doesn't apply to folders or files)

I hope this helps and I'm not telling lies here. But that is my experience with that.

Jens

> -----Original Message-----
> From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> Sent: Tuesday, 27 June 2017 15:21
> To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>
> Mine has ldap only for passwd and group.
>
> So on your system it really works with just having the traditional Unix permissions set. There are no ACLs in place?
>
> Do you have an Active Directory domain with IDMU?
>
> -----Original Message-----
> From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> Sent: Tuesday, 27 June 2017 15:19
> To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>
> also r151022
>
> What is your /etc/nsswitch.conf saying?
> Mine has nearly everywhere "files ldap", except hosts and ipnodes.
>
> > -----Original Message-----
> > From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> > Sent: Tuesday, 27 June 2017 14:49
> > To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> > What version of omnios are you using? I'm using R151022.
> >
> > -----Original Message-----
> > From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> > Sent: Tuesday, 27 June 2017 14:47
> > To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> > Hm,
> >
> > maybe I should share my ldap config.
> > ldapclient -v manual \
> >   -a credentialLevel=proxy \
> >   -a authenticationMethod=simple \
> >   -a proxyDN="cn=XXX" \
> >   -a proxyPassword=SECRET \
> >   -a defaultSearchBase=dc=ipk=de \
> >   -a domainName=DOMAINNAME \
> >   -a defaultServerList=<IPs of DCs> \
> >   -a attributeMap=group:userpassword=userPassword \
> >   -a attributeMap=group:uniqueMember=member \
> >   -a attributeMap=group:gidnumber=gidNumber \
> >   -a attributeMap=passwd:gecos=cn \
> >   -a attributeMap=passwd:gidnumber=gidNumber \
> >   -a attributeMap=passwd:uidnumber=uidNumber \
> >   -a attributeMap=passwd:uid=sAMAccountName \
> >   -a attributeMap=passwd:homedirectory=unixHomeDirectory \
> >   -a attributeMap=passwd:loginshell=loginShell \
> >   -a attributeMap=shadow:shadowflag=shadowFlag \
> >   -a attributeMap=shadow:userpassword=userPassword \
> >   -a objectClassMap=group:posixGroup=group \
> >   -a objectClassMap=passwd:posixAccount=user \
> >   -a objectClassMap=shadow:shadowAccount=user \
> >   -a serviceSearchDescriptor="passwd:<OUs of users I want to lookup>" \
> >   -a serviceSearchDescriptor=group:<OUs of groups I want to lookup> \
> >   -a followReferrals=true
> >
> > Maybe also a restart of the smb service?
> >
> > Jens
> >
> > > -----Original Message-----
> > > From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> > > Sent: Tuesday, 27 June 2017 14:40
> > > To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> > >
> > > Hi,
> > >
> > > Now I get "cant access domain info" in the smb log and users are prompted to enter a password when accessing the shares. :(
> > >
> > > From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> > > Sent: Tuesday, 27 June 2017 09:37
> > > To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> > >
> > > Hi,
> > >
> > > I fixed this problem after executing this:
> > >
> > > idmap add winname:"*@<DOMAINNAME>" unixuser:"*"
> > > idmap add wingroup:"*@<DOMAINNAME>" unixgroup:"*"
> > > svcadm restart idmap
> > >
> > > All newly created files now have the uid and gid from the IDMU
> > >
> > > Jens
> > >
> > > From: OmniOS-discuss [mailto:omnios-discuss-boun...@lists.omniti.com] On Behalf Of Oliver Weinmann
> > > Sent: Tuesday, 27 June 2017 08:25
> > > To: omnios-discuss <omnios-discuss@lists.omniti.com>
> > > Subject: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> > >
> > > Hi,
> > >
> > > we are currently migrating all our data from a NetApp system to an OmniOS system.
> > >
> > > The OmniOS system is joined to AD and the LDAP client is configured to pull LDAP info from AD / IDMU. This works fine.
> > >
> > > However we can't manage to have access on folders where we have Unix permissions from Windows (CIFS).
> > >
> > > e.g.
> > >
> > > the user utest2 is a member of the group Up BCSIM De_Dt Da Lg:
> > >
> > > root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
> > > 10000 Up BCSIM De_Dt Da Lg
> > >
> > > The folder Unix has the following permissions set:
> > >
> > > root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
> > > total 47
> > > d---------+  4 root     2147483653       4 Apr 25 05:37 .
> > > d---------+  4 root     2147483659       4 Apr 25 05:35 ..
> > > drwxrws---   9 bcsim    Up BCSIM De_Dt Da Lg     11 Mar  9 10:40 Unix
> > > d---------+  6 root     2147483653       6 Apr 25 05:37 Windows
> > >
> > > so user bcsim and all members of group Up BCSIM De_Dt Da Lg can access the folder just fine via NFS.
> > >
> > > If the user utest2 tries to access this folder from Windows via CIFS he gets access denied.
> > >
> > > If I change the permissions so that other have r-x he can access the folder, but then I have no control over who can access the folder.
> > >
> > > On our NetApp system this was working fine. I assume it has to do with the IDMAP daemon using ephemeral mappings instead of pulling the uidnumber and gidnumber from AD?
> > >
> > > I don't want to use extended ACLs on this folder.
> > >
> > > Any ideas?
> > >
> > > Oliver Weinmann
> > > Senior Unix VMWare, Storage Engineer
> > >
> > > Telespazio VEGA Deutschland GmbH
> > > Europaplatz 5 - 64293 Darmstadt - Germany
> > > Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
> > > oliver.weinm...@telespazio-vega.de
> > > http://www.telespazio-vega.de
> > >
> > > Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt, HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller
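The two states compared in the thread (the trivial ACL left behind by chgrp/chmod, with its missing "+" and "fd" and an everyone@ ACE that still grants attribute reads, versus the inherited owner@/group@ ACL that gives CIFS-created files group access) can be checked offline before a share goes live. The following is an added example and not code from the thread or from OmniOS; it parses `ls -V` output and reports directories whose ACEs would not be inherited, whose everyone@ grants anything, or whose ACL has been reset to the trivial form. The SAMPLE text is constructed from the listings above.

```python
import re

# Added example (not from the thread): audit `ls -V` output for the failure
# modes discussed above. SAMPLE is constructed from the thread's listings.
SAMPLE = """\
drwxrws---   4 tuser    Up TEST de_dt Da Lg       6 Jun 28 11:42 Unix
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:rwxp-Da-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
drwxrws---+  2 utest2   Up TEST de_dt Da Lg       2 Jun 28 12:20 New folder
                 owner@:rwxp-DaARWcCos:fd----I:allow
                 group@:rwxp-DaARWcCos:fd----I:allow
              everyone@:--------------:fd----I:allow
"""
# Entry line: mode, '+' marker, links, owner, group (may contain spaces),
# size, date, name.  ACE line: who, 14-char mask, 7-char inherit flags, type.
ENTRY_RE = re.compile(
    r"^([-dl][rwxsStT-]{9})([+@]?)\s+\d+\s+\S+\s+.+?\s+\d+\s+"
    r"[A-Z][a-z]{2}\s+\d{1,2}\s+(?:\d{2}:\d{2}|\d{4})\s+(.+)$")
ACE_RE = re.compile(r"^\s+(\S+?):([rwxpdDaARWcCos-]{14}):([A-Za-z-]{7}):(allow|deny)$")


def parse_ls_v(text):
    """Return [(name, is_dir, has_plus, [(who, mask, flags, kind), ...])]."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(3), m.group(1)[0] == "d", m.group(2) == "+", []))
            continue
        a = ACE_RE.match(line)
        if a and entries:
            entries[-1][3].append(a.groups())
    return entries


def audit(text):
    """Flag dirs whose owner@/group@ ACEs carry no f+d inheritance (CIFS children
    then get owner-only), everyone@ ACEs that grant anything, and trivial ACLs."""
    findings = []
    for name, is_dir, has_plus, aces in parse_ls_v(text):
        for who, mask, flags, kind in aces:
            if kind != "allow":
                continue
            if is_dir and who in ("owner@", "group@") and not {"f", "d"} <= set(flags):
                findings.append(f"{name}: {who} lacks f/d inheritance ({flags})")
            if who == "everyone@" and mask.strip("-"):
                findings.append(f"{name}: everyone@ grants {mask}")
        if is_dir and not has_plus:
            findings.append(f"{name}: trivial ACL only, likely reset by chmod/chgrp")
    return findings
```

Run `audit(open("ls-V.txt").read())` against a saved `ls -V` of the share root to get the same findings for a real dataset; an empty list means every directory still carries the inherited ACL from the chmod A= command above.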