Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-28 Thread Oliver Weinmann
Hi,

Thanks for pointing this out. Basically I would do the chmod on a Linux system 
where NFS share is mounted as root.

Now that I have this working on my test system I have lots of problems on my 
production system. I can join it to AD but I get lots of errors like this:

gedaspw02.a.space.corp: additional info: SASL(-1): generic failure: GSSAPI 
Error: Unspecified GSS failure.  Minor code may provide more information 
(Client not found in Kerberos database)

smbd.info: logon[A\someuser]: CANT_ACCESS_DOMAIN_INFO
smbd.info: logon[A\someuser]: LOGON_FAILURE

I checked all possible settings and compared them to my test system but can't 
find any difference. The only difference is that the production system was 
upgraded twice from 1510xx to 1510xx to 151022.

I even deleted the computer object in AD and rejoined the domain but still the 
same errors occur.



Oliver Weinmann
Senior Unix VMWare, Storage Engineer
Telespazio VEGA Deutschland GmbH
 Europaplatz 5 - 64293 Darmstadt - Germany
Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
oliver.weinm...@telespazio-vega.de
http://www.telespazio-vega.de
Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt, HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller

-----Original Message-----
From: Jim Klimov [mailto:jimkli...@cos.ru]
Sent: Wednesday, 28 June 2017 13:00
To: omnios-discuss@lists.omniti.com; Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>; Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
Subject: Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

On June 28, 2017 8:08:40 AM GMT+02:00, Jens Bauernfeind 
<bauernfe...@ipk-gatersleben.de> wrote:
>Yeah, AD with IDMU
>
>According to this page (very old, but still the truth), you can't live
>without ACLs.
>https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/
>
>You have to inherit the ACLs to newly created files.
>At first I switched to the passthrough acl properties:
>zfs set aclmode=passthrough tank
>zfs set aclinherit=passthrough tank
>Then you have to define an initial ACL for your datasets
>
>For this example I just assume you have the pool tank and one dataset
>test
>- first set your sticky bit
>chmod g+s /tank/test
>- then set the ACLs
>chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test
>so nearly full permission for the owner and the group, and nothing for
>others; all ACLs are inherited to newly created files and directories
>[the "df"]
>8<---
>ls -Vd /tank/test
>drwxrws---+  5 root     IT             5 Jun 28 07:55 /tank/test
> owner@:rwxp-DaARWcCos:fd-----:allow
> group@:rwxp-DaARWcCos:fd-----:allow
>  everyone@:--------------:fd-----:allow
>8<---
>(This inheritance doesn't apply to new datasets you create via zfs, btw)
>
>But care: Whenever you do a chmod operation or a chgrp on
>/tank/test (or any other dataset), the owner, group and everyone ACEs
>get overwritten (according to
>http://docs.oracle.com/cd/E36784_01/html/E36835/gbaaz.html)
>8<---
>chgrp 0 /tank/test
>ls -Vd /tank/test
>drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
> owner@:rwxp-DaARWcCos:-------:allow
> group@:rwxp-Da-R-c--s:-------:allow
>  everyone@:------a-R-c--s:-------:allow
>See the missing "+" and "fd"?
>8<---
>(This doesn't apply to folders or files)
>
>I hope this helps and I'm not telling lies here.
>But that is my experience with that.
>
>Jens
>
>> -----Original Message-----
>> From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
>> Sent: Tuesday, 27 June 2017 15:21
>> To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
>> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
>> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>>
>> Mine has ldap only for passwd and group.
>>
>> So on your system it really works with just having the traditional
>unix
>> permissions set. There are no ACLs in place?
>>
>> Do you have an Active Directory domain with IDMU?
>>
>> -----Original Message-----
>> From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
>> Sent: Tuesday, 27 June 2017 15:19
>> To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
>> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
>> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-28 Thread Jim Klimov
On June 28, 2017 8:08:40 AM GMT+02:00, Jens Bauernfeind 
<bauernfe...@ipk-gatersleben.de> wrote:
>Yeah, AD with IDMU
>
>According to this page (very old, but still the truth), you can't live
>without ACLs.
>https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/
>
>You have to inherit the ACLs to newly created files.
>At first I switched to the passthrough acl properties:
>zfs set aclmode=passthrough tank
>zfs set aclinherit=passthrough tank
>Then you have to define an initial ACL for your datasets
>
>For this example I just assume you have the pool tank and one dataset
>test
>- first set your sticky bit
>chmod g+s /tank/test
>- then set the ACLs
>chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test
>so nearly full permission for the owner and the group, and nothing for
>others; all ACLs are inherited to newly created files and directories
>[the "df"]
>8<---
>ls -Vd /tank/test
>drwxrws---+  5 root     IT             5 Jun 28 07:55 /tank/test
> owner@:rwxp-DaARWcCos:fd-----:allow
> group@:rwxp-DaARWcCos:fd-----:allow
>  everyone@:--------------:fd-----:allow
>8<---
>(This inheritance doesn't apply to new datasets you create via zfs, btw)
>
>But care: Whenever you do a chmod operation or a chgrp on
>/tank/test (or any other dataset), the owner, group and everyone ACEs
>get overwritten (according to
>http://docs.oracle.com/cd/E36784_01/html/E36835/gbaaz.html)
>8<---
>chgrp 0 /tank/test
>ls -Vd /tank/test
>drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
> owner@:rwxp-DaARWcCos:-------:allow
> group@:rwxp-Da-R-c--s:-------:allow
>  everyone@:------a-R-c--s:-------:allow
>See the missing "+" and "fd"?
>8<---
>(This doesn't apply to folders or files)
>
>I hope this helps and I'm not telling lies here.
>But that is my experience with that.
>
>Jens
>
>> -----Original Message-----
>> From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
>> Sent: Tuesday, 27 June 2017 15:21
>> To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
>> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
>> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> 
>> Mine has ldap only for passwd and group.
>> 
>> So on your system it really works with just having the traditional
>unix
>> permissions set. There are no ACLs in place?
>> 
>> Do you have an Active Directory domain with IDMU?
>> 
>> -----Original Message-----
>> From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
>> Sent: Tuesday, 27 June 2017 15:19
>> To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
>> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
>> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> 
>> also r151022
>> 
>> What is your /etc/nsswitch.conf saying?
>> Mine has nearly everywhere "files ldap", except hosts and ipnodes.
>> 
>> > -----Original Message-----
>> > From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
>> > Sent: Tuesday, 27 June 2017 14:49
>> > To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
>> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
>> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> >
>> > What version of omnios are you using? I'm using R151022.
>> >
>> > -----Original Message-----
>> > From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
>> > Sent: Tuesday, 27 June 2017 14:47
>> > To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
>> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
>> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> >
>> > Hm,
>> >
>> > maybe I should share my ldap config.
>> > ldapclient -v manual \
>> > -a credentialLevel=proxy \
>> > -a authenticationMethod=simple \
>> > -a proxyDN="cn=XXX" \
>> > -a proxyPassword=SECRET \
>> > -a defaultSearchBase=dc=ipk=de \
>> > -a domainName=DOMAINNAME \
>> > -a defaultServerList= \
>> > -a attrib

Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-28 Thread Guenther Alka



> It's really a pity that it only works if I do touch the ZFS ACLs. :(

Not at all.
I made several approaches years ago to replace our Windows filers with
Unix/Linux systems and always failed because permission-wise it was
impossible to create permissions comparable to what is possible with
Windows and NTFS. Solaris CIFS was the first working Unix solution. It
was able to use permission inheritance on files or folders with
fine-granular NTFS-like permissions, SMB compatible user groups, really
working "previous versions" or using Windows SIDs in an AD environment,
which makes it possible to restore a filesystem to another AD server with
permissions intact.


This is not a ZFS item. ZFS is a Unix filesystem relying on UID and GID.
If you use SAMBA you have what you may want. The real question is
therefore whether you want a filer with a behaviour like a conventional
Linux/Unix filer or one that behaves like Windows and NTFS.


Solaris CIFS is ACL only, like Windows with NTFS, which gives more
powerful options than classical Unix permissions. You must only
accept that you should not set permissions via the command line (best is
using a Windows client). You should know the meaning of the ZFS
properties aclinherit and aclmode. Unix-like behaviour (without the
inheritance question) is achievable with the trivial ACLs owner@,
group@ and everyone@


see http://docs.oracle.com/cd/E19253-01/819-5461/gbace/index.html


Gea

--

___
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss


Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-28 Thread Oliver Weinmann
Hi again,

You're the man. This looks very promising. If I get this right, the ZFS ACEs
behave more like a (u)mask for newly created files via CIFS on a folder
with traditional Unix permissions. So there are really no additional ACEs
required. This is perfect.

E.g. If I remove all ACEs on the subfolder Unix

root@omnios02:/tank/ReferenceSU/TEST/Software# chmod A- Unix/

It will leave just the default ones:

root@omnios02:/tank/ReferenceSU/TEST/Software# ls -V
total 1
drwxrws---   4 tuser    Up TEST de_dt Da Lg   6 Jun 28 11:42 Unix
 owner@:rwxp-DaARWcCos:-------:allow
 group@:rwxp-Da-R-c--s:-------:allow
  everyone@:------a-R-c--s:-------:allow

Trying to access the folder Unix via CIFS works fine as user utest2, as he is
a member of the "Up TEST de_dt Da Lg" group and this group has rws unix
permissions. Excellent. :)

root@omnios02:/tank/ReferenceSU/TEST/Software# groups utest2
1 Up TEST de_dt Da Lg

Now I can control the access fine using the normal traditional unix
permissions. If I change the group to a group that he is not a member of, his
access is denied. Excellent again :)

root@omnios02:/tank/ReferenceSU/TEST/Software# chgrp "Up BCSIM De_dt Da Lg" Unix
root@omnios02:/tank/ReferenceSU/TEST/Software# ls -al
total 3
drwxr-xr-x+  3 root     root                   3 Jun 27 15:03 .
d---------+  4 root     root                   4 Jun 27 15:04 ..
drwxrws---   4 tuser    Up BCSIM De_Dt Da Lg   6 Jun 28 11:42 Unix

Switching back to the "Up test ..." group and creating a file "testcifs.txt"
via CIFS.

root@omnios02:/tank/ReferenceSU/TEST/Software# chgrp "Up TEST De_dt Da Lg" Unix
root@omnios02:/tank/ReferenceSU/TEST/Software# ls -al
total 3
drwxr-xr-x+  3 root     root                   3 Jun 27 15:03 .
d---------+  4 root     root                   4 Jun 27 15:04 ..
drwxrws---   4 tuser    Up TEST de_dt Da Lg    6 Jun 28 11:42 Unix


The file gets the following traditional Unix permissions:

root@omnios02:/tank/ReferenceSU/TEST/Software/Unix# ls -al
total 4
drwxrws---   2 tuser    Up TEST de_dt Da Lg   4 Jun 28 12:00 .
drwxr-xr-x+  3 root     root                  3 Jun 27 15:03 ..
-rwx------+  1 utest2   Up TEST de_dt Da Lg  14 Jun 28 12:00 testcifs.txt

Only the owner can rwx. Not so good. But with your awesome chmod command
applied to the Unix folder:

chmod A- Unix
chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow Unix

The permissions are just right when creating a file from CIFS:

root@omnios02:/tank/ReferenceSU/TEST/Software/Unix# ls -al
total 4
drwxrws---+  3 tuser    Up TEST de_dt Da Lg   4 Jun 28 12:20 .
drwxr-xr-x+  3 root     root                  3 Jun 27 15:03 ..
drwxrws---+  2 utest2   Up TEST de_dt Da Lg   2 Jun 28 12:20 New folder
-rwxrwx---+  1 utest2   Up TEST de_dt Da Lg   3 Jun 28 12:20 testcifs_aclset.txt
root@omnios02:/tank/ReferenceSU/TEST/Software/Unix# ls -V
total 2
drwxrws---+  2 utest2   Up TEST de_dt Da Lg   2 Jun 28 12:20 New folder
 owner@:rwxp-DaARWcCos:fd----I:allow
 group@:rwxp-DaARWcCos:fd----I:allow
  everyone@:--------------:fd----I:allow
-rwxrwx---+  1 utest2   Up TEST de_dt Da Lg   3 Jun 28 12:20 testcifs_aclset.txt
 owner@:rwxp-DaARWcCos:------I:allow
 group@:rwxp-DaARWcCos:------I:allow
  everyone@:--------------:------I:allow
root@omnios02:/tank/ReferenceSU/TEST/Software/Unix#

This looks perfect. I will need to do some more testing. Especially with
aclmode and aclinherit. But so far this could be the solution I was looking
for. :)



-----Original Message-----
From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
Sent: Wednesday, 28 June 2017 08:09
To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

Yeah, AD with IDMU

According to this page (very old, but still the truth), you can't live
without ACLs.
https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/

You have to inherit the ACLs to newly created files.
At first I switched to the passthrough acl properties:
zfs set aclmode=passthrough tank
zfs set aclinherit=passthrough tank
Then you have to define an initial ACL for your datasets

For this example I just assume you have the pool tank and one dataset test
- first set your sticky bit
chmod g+s /tank/test
- then set the ACLs
chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test
so nearly full permission for the owner and the group, and nothing for
others; all ACLs are inherited to newly created files and directories [the
"df"]
8<---
ls -Vd /tank/test
drwxrws---+  5 root     IT             5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:fd-----:allow
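Oliver's test session above (a member of the folder's group gets in, a chgrp to another group locks him out, and a file created over CIFS only becomes group-writable once the inheritable ACEs are in place) can be replayed offline. The following Python is an added example, not code from the thread, from OmniOS or from illumos: it parses the compact ACEs from the `ls -V` listings above, written out in the full 14-column permission and 7-column inheritance form that ls -V prints, and applies the NFSv4-style first-match rule that illumos uses for ZFS ACLs. The user and group names are the ones in the listings; the group memberships, the `guest` account and the `DENY_FIRST` ACL are constructed for the example, and the SMB side (idmap, Windows SIDs) is out of scope.

```python
"""Evaluate the compact ZFS ACLs printed by `ls -V` for a given requester.

Added example, not code from the thread: the ACE strings are the ones in
the listings above, the group memberships stand in for `groups utest2`,
and `guest` is a made-up account outside every group. Rule: scan the ACEs
in order; the first matching ACE that mentions a permission decides it;
a permission no ACE allows is denied.
"""
from dataclasses import dataclass

PERM_LETTERS = "rwxpdDaARWcCos"   # order of the 14-character permission field
INHERIT_LETTERS = "fdinSFI"       # order of the 7-character inheritance field


@dataclass(frozen=True)
class Ace:
    who: str           # owner@ / group@ / everyone@ / user:<name> / group:<name>
    perms: frozenset   # letters from PERM_LETTERS
    flags: frozenset   # letters from INHERIT_LETTERS
    kind: str          # "allow" or "deny"


def parse_ace(text: str) -> Ace:
    """Parse one line such as 'group@:rwxp-DaARWcCos:fd-----:allow'."""
    who, perms, flags, kind = text.strip().rsplit(":", 3)
    if kind not in ("allow", "deny") or set(perms + flags) - set(PERM_LETTERS + INHERIT_LETTERS + "-"):
        raise ValueError(f"malformed ACE {text!r}")
    return Ace(who, frozenset(perms) - {"-"}, frozenset(flags) - {"-"}, kind)


def parse_acl(listing: str) -> list:
    """Collect the ACE lines of one `ls -V` entry; the mode line is skipped."""
    return [parse_ace(l) for l in listing.splitlines() if l.strip().endswith((":allow", ":deny"))]


def ace_applies(ace: Ace, user: str, groups: set, owner: str, group: str) -> bool:
    """Does the ACE's principal cover `user` for an object owned by owner:group?"""
    if ace.who == "owner@":
        return user == owner
    if ace.who == "group@":
        return group in groups
    if ace.who == "everyone@":
        return True
    kind, _, name = ace.who.partition(":")
    if kind in ("user", "group"):
        return user == name if kind == "user" else name in groups
    raise ValueError(f"unknown principal {ace.who!r}")


def decide(acl: list, owner: str, group: str, user: str, groups: set, wanted: str) -> dict:
    """Return {letter: 'allow'|'deny'} for each requested permission letter."""
    verdict = {}
    for ace in acl:
        # inherit-only entries apply to children; non-matching principals are skipped
        if "i" in ace.flags or not ace_applies(ace, user, groups, owner, group):
            continue
        for letter in ace.perms:
            verdict.setdefault(letter, ace.kind)   # first matching ACE wins
    return {letter: verdict.get(letter, "deny") for letter in wanted}


def allowed(acl, owner, group, user, groups, wanted) -> bool:
    return all(v == "allow" for v in decide(acl, owner, group, user, groups, wanted).values())


# "Unix" folder after `chmod A- Unix`: the trivial ACL derived from mode 2770.
UNIX_DIR = """\
drwxrws---   4 tuser    Up TEST de_dt Da Lg   6 Jun 28 11:42 Unix
 owner@:rwxp-DaARWcCos:-------:allow
 group@:rwxp-Da-R-c--s:-------:allow
  everyone@:------a-R-c--s:-------:allow
"""
# File created over CIFS after the inheritable ACEs were set on the folder.
INHERITED_FILE = """\
-rwxrwx---+  1 utest2   Up TEST de_dt Da Lg   3 Jun 28 12:20 testcifs_aclset.txt
 owner@:rwxp-DaARWcCos:------I:allow
 group@:rwxp-DaARWcCos:------I:allow
  everyone@:--------------:------I:allow
"""
# Constructed: an explicit deny placed before the group allow, to show ordering.
DENY_FIRST = """\
 user:utest2:-w------------:-------:deny
 group@:rwxp-DaARWcCos:fd-----:allow
"""
TEST_GROUP = "Up TEST de_dt Da Lg"
BCSIM_GROUP = "Up BCSIM De_Dt Da Lg"
MEMBERS = {"utest2": {TEST_GROUP}, "guest": set()}   # constructed memberships


def demo() -> dict:
    d, f = parse_acl(UNIX_DIR), parse_acl(INHERITED_FILE)
    u, g = "utest2", MEMBERS["utest2"]
    return {
        # utest2 is in the folder's group, so group@ grants rwx
        "member_on_dir": allowed(d, "tuser", TEST_GROUP, u, g, "rwx"),
        # after chgrp to a group he is not in, only everyone@ (a,R,c,s) applies
        "member_after_chgrp": allowed(d, "tuser", BCSIM_GROUP, u, g, "rwx"),
        # the trivial everyone@ still lets an outsider read attributes and the ACL
        "outsider_attrs": decide(d, "tuser", TEST_GROUP, "guest", MEMBERS["guest"], "raRc"),
        # the inherited everyone@ is empty, so an outsider gets nothing at all
        "outsider_on_file": decide(f, "utest2", TEST_GROUP, "guest", MEMBERS["guest"], "raRc"),
        # an earlier deny beats a later allow, even for a group member
        "deny_first": decide(parse_acl(DENY_FIRST), "tuser", TEST_GROUP, u, g, "rw"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `outsider_attrs` case is the one to keep in mind when relying on trivial ACLs: a mode of 2770 still hands everyone@ read_attributes, read_xattr, read_acl and synchronize, so an outsider can stat the folder and read its ACL even though it cannot list or enter it, whereas the empty everyone@ that Jens's chmod sets up (and that is inherited onto the file) grants nothing at all.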

Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-28 Thread Oliver Weinmann
Hi Jens,

Thanks a lot for your support. I really appreciate it. :)

I will test this on my fresh install of omnios 151022 and report back.

It's really a pity that it only works if I do touch the ZFS ACLs. :(

-----Original Message-----
From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
Sent: Wednesday, 28 June 2017 08:09
To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

Yeah, AD with IDMU

According to this page (very old, but still the truth), you can't live
without ACLs.
https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/

You have to inherit the ACLs to newly created files.
At first I switched to the passthrough acl properties:
zfs set aclmode=passthrough tank
zfs set aclinherit=passthrough tank
Then you have to define an initial ACL for your datasets

For this example I just assume you have the pool tank and one dataset test
- first set your sticky bit
chmod g+s /tank/test
- then set the ACLs
chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test
so nearly full permission for the owner and the group, and nothing for
others; all ACLs are inherited to newly created files and directories [the
"df"]
8<---
ls -Vd /tank/test
drwxrws---+  5 root     IT             5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:fd-----:allow
 group@:rwxp-DaARWcCos:fd-----:allow
  everyone@:--------------:fd-----:allow
8<---
(This inheritance doesn't apply to new datasets you create via zfs, btw)

But care: Whenever you do a chmod operation or a chgrp on /tank/test (or
any other dataset), the owner, group and everyone ACEs get overwritten
(according to http://docs.oracle.com/cd/E36784_01/html/E36835/gbaaz.html)
8<---
chgrp 0 /tank/test
ls -Vd /tank/test
drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:-------:allow
 group@:rwxp-Da-R-c--s:-------:allow
  everyone@:------a-R-c--s:-------:allow
See the missing "+" and "fd"?
8<---
(This doesn't apply to folders or files)

I hope this helps and I'm not telling lies here.
But that is my experience with that.

Jens

> -----Original Message-----
> From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> Sent: Tuesday, 27 June 2017 15:21
> To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> 
> Mine has ldap only for passwd and group.
> 
> So on your system it really works with just having the traditional unix
> permissions set. There are no ACLs in place?
> 
> Do you have an Active Directory domain with IDMU?
> 
> -----Original Message-----
> From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> Sent: Tuesday, 27 June 2017 15:19
> To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> 
> also r151022
> 
> What is your /etc/nsswitch.conf saying?
> Mine has nearly everywhere "files ldap", except hosts and ipnodes.
> 
> > -----Original Message-----
> > From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> > Sent: Tuesday, 27 June 2017 14:49
> > To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> > What version of omnios are you using? I'm using R151022.
> >
> > -----Original Message-----
> > From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> > Sent: Tuesday, 27 June 2017 14:47
> > To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> > Hm,
> >
> > maybe I should share my ldap config.
> > ldapclient -v manual \
> > -a credentialLevel=proxy \
> > -a authenticationMethod=simple \
> > -a proxyDN="cn=XXX" \
> > -a proxyPassword=SECRET \
> > -a defaultSearchBase=dc=ipk=de \
> > -a domainName=DOMAINNAME \
> > -a defaultServerList= \
> > -a attributeMap=group:userpassword=userPas

Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-28 Thread Jens Bauernfeind
Yeah, AD with IDMU

According to this page (very old, but still the truth), you can't live
without ACLs.
https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/

You have to inherit the ACLs to newly created files.
At first I switched to the passthrough acl properties:
zfs set aclmode=passthrough tank
zfs set aclinherit=passthrough tank
Then you have to define an initial ACL for your datasets

For this example I just assume you have the pool tank and one dataset test
- first set your sticky bit
chmod g+s /tank/test
- then set the ACLs
chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test
so nearly full permission for the owner and the group, and nothing for
others; all ACLs are inherited to newly created files and directories [the
"df"]
8<---
ls -Vd /tank/test
drwxrws---+  5 root     IT             5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:fd-----:allow
 group@:rwxp-DaARWcCos:fd-----:allow
  everyone@:--------------:fd-----:allow
8<---
(This inheritance doesn't apply to new datasets you create via zfs, btw)

But care: Whenever you do a chmod operation or a chgrp on /tank/test (or
any other dataset), the owner, group and everyone ACEs get overwritten
(according to http://docs.oracle.com/cd/E36784_01/html/E36835/gbaaz.html)
8<---
chgrp 0 /tank/test
ls -Vd /tank/test
drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:-------:allow
 group@:rwxp-Da-R-c--s:-------:allow
  everyone@:------a-R-c--s:-------:allow
See the missing "+" and "fd"?
8<---
(This doesn't apply to folders or files)

I hope this helps and I'm not telling lies here.
But that is my experience with that.

Jens

> -----Original Message-----
> From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> Sent: Tuesday, 27 June 2017 15:21
> To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> 
> Mine has ldap only for passwd and group.
> 
> So on your system it really works with just having the traditional unix
> permissions set. There are no ACLs in place?
> 
> Do you have an Active Directory domain with IDMU?
> 
> -----Original Message-----
> From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> Sent: Tuesday, 27 June 2017 15:19
> To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> 
> also r151022
> 
> What is your /etc/nsswitch.conf saying?
> Mine has nearly everywhere "files ldap", except hosts and ipnodes.
> 
> > -----Original Message-----
> > From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> > Sent: Tuesday, 27 June 2017 14:49
> > To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> > What version of omnios are you using? I'm using R151022.
> >
> > -----Original Message-----
> > From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> > Sent: Tuesday, 27 June 2017 14:47
> > To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> > Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> > Hm,
> >
> > maybe I should share my ldap config.
> > ldapclient -v manual \
> > -a credentialLevel=proxy \
> > -a authenticationMethod=simple \
> > -a proxyDN="cn=XXX" \
> > -a proxyPassword=SECRET \
> > -a defaultSearchBase=dc=ipk=de \
> > -a domainName=DOMAINNAME \
> > -a defaultServerList= \
> > -a attributeMap=group:userpassword=userPassword \
> > -a attributeMap=group:uniqueMember=member \
> > -a attributeMap=group:gidnumber=gidNumber \
> > -a attributeMap=passwd:gecos=cn \
> > -a attributeMap=passwd:gidnumber=gidNumber \
> > -a attributeMap=passwd:uidnumber=uidNumber \
> > -a attributeMap=passwd:uid=sAMAccountName \
> > -a attributeMap=passwd:homedirectory=unixHomeDirectory \
> > -a attributeMap=passwd:loginshell=loginShell \
> > -a attributeMap=shadow:shadowflag=shadowFlag \
> > -a attributeMap=shadow:userpassword=userPassword \
> 
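Jens's caveat above (a chmod or chgrp rewrites the owner@/group@/everyone@ entries and drops the inheritance flags) and Gea's remark that Unix-like behaviour comes from the three trivial ACEs can both be checked without a ZFS box. The following Python is an added example, not code from the thread, from OmniOS or from illumos: trivial_acl() reproduces the owner@/group@/everyone@ entries that illumos derives from a mode such as 2770, for modes where the owner's bits include the group's and the group's include everyone's (other modes also get deny ACEs, which this example refuses rather than guesses), and audit_listing() scans `ls -V` output for directories that have lost their fd flags or their "+". The two embedded listings are the before/after ones from the message above, written out in the full 14-column permission and 7-column inheritance form that ls -V prints; the mode-line regex is an assumption about that layout and is not part of any OmniOS tool.

```python
"""Reproduce the trivial ACL a chmod/chgrp leaves behind, and audit `ls -V`
output for directories whose inheritable ACEs are gone.

Added example (not from the thread or illumos). trivial_acl() follows the
illumos mapping for modes where owner bits include group bits and group bits
include everyone's (2770, 0755, 0700 ...); other modes also get deny ACEs,
which this example rejects rather than guesses. BEFORE/AFTER are the two
listings from the message above.
"""
import re

PERM_LETTERS = "rwxpdDaARWcCos"   # compact permission field, in `ls -V` order

# What one mode bit expands to; a directory's w also gets delete_child (D).
READ, WRITE, EXEC = {"r"}, {"w", "p"}, {"x"}
# Attribute/ACL letters every trivial ACE carries; owner@ gets the write side too.
BASE = {"a", "R", "c", "s"}
OWNER_EXTRA = {"A", "W", "C", "o"}


def compact(letters: set) -> str:
    """Render a set of permission letters in the fixed 14-column form."""
    return "".join(c if c in letters else "-" for c in PERM_LETTERS)


def _triple(mode: int, shift: int, is_dir: bool) -> set:
    """Letters for one rwx triple of mode (shift 6 = owner, 3 = group, 0 = other)."""
    bits, out = (mode >> shift) & 0o7, set()
    if bits & 0o4:
        out |= READ
    if bits & 0o2:
        out |= WRITE | ({"D"} if is_dir else set())
    if bits & 0o1:
        out |= EXEC
    return out


def trivial_acl(mode: int, is_dir: bool) -> list:
    """owner@/group@/everyone@ allow entries for `mode`, with no inheritance flags."""
    owner, group, other = (_triple(mode, s, is_dir) for s in (6, 3, 0))
    if not (other <= group <= owner):
        raise ValueError("non-monotone mode: illumos adds deny ACEs here (not modelled)")
    return [
        f"owner@:{compact(owner | BASE | OWNER_EXTRA)}:-------:allow",
        f"group@:{compact(group | BASE)}:-------:allow",
        f"everyone@:{compact(other | BASE)}:-------:allow",
    ]


# Mode line of an ls -V entry, e.g. "drwxrws---+  5 root IT  5 Jun 28 07:55 /tank/test".
# Assumed layout: mode, link count, owner and group (group names may contain
# spaces), size, month, day, time-or-year, name.
MODE_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9}\+?)\s+\d+\s+.+?\s+\d+\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>.+)$")


def audit_listing(text: str) -> dict:
    """Map each entry name to the problems found; [] means the ACL looks intact.

    For a directory meant to hand its ACL down, report ACEs lacking both f
    and d, a mode line without '+', and any deny entry.
    """
    problems, name, is_dir = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("total "):
            continue
        if line.endswith((":allow", ":deny")) and name is not None:
            who, _perms, flags, kind = line.rsplit(":", 3)
            if kind == "deny":
                problems[name].append(f"{who}: deny ACE present")
            if is_dir and not {"f", "d"} <= set(flags):
                problems[name].append(f"{who}: not inherited to files and dirs ({flags})")
            continue
        m = MODE_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised ls -V line: {raw!r}")
        name, mode = m["name"], m["mode"]
        is_dir = mode.startswith("d")
        problems[name] = []
        if is_dir and not mode.endswith("+"):
            problems[name].append("trivial ACL only (no '+'): inheritance was lost")
    return problems


BEFORE = """\
drwxrws---+  5 root     IT             5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:fd-----:allow
 group@:rwxp-DaARWcCos:fd-----:allow
  everyone@:--------------:fd-----:allow
"""
AFTER = """\
drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:-------:allow
 group@:rwxp-Da-R-c--s:-------:allow
  everyone@:------a-R-c--s:-------:allow
"""

if __name__ == "__main__":
    print(trivial_acl(0o2770, True) == [l.strip() for l in AFTER.splitlines()[1:]])
    for entry, found in audit_listing(AFTER).items():
        print(entry, found or "ok")
```

Feeding the AFTER listing to audit_listing() reports four problems on /tank/test (the missing "+" and one missing-inheritance line per trivial ACE), which is exactly what Jens points at with "See the missing + and fd?"; running it periodically over `ls -V` of the share roots is a cheap way to catch a stray chmod or chgrp before CIFS users start creating owner-only files again.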

Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-27 Thread Oliver Weinmann
Mine has ldap only for passwd and group.

So on your system it really works with just having the traditional unix
permissions set. There are no ACLs in place?

Do you have an Active Directory domain with IDMU?

-----Original Message-----
From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
Sent: Tuesday, 27 June 2017 15:19
To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

also r151022

What is your /etc/nsswitch.conf saying?
Mine has nearly everywhere "files ldap", except hosts and ipnodes.

> -----Original Message-----
> From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> Sent: Tuesday, 27 June 2017 14:49
> To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> 
> What version of omnios are you using? I'm using R151022.
> 
> -----Original Message-----
> From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> Sent: Tuesday, 27 June 2017 14:47
> To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> 
> Hm,
> 
> maybe I should share my ldap config.
> ldapclient -v manual \
> -a credentialLevel=proxy \
> -a authenticationMethod=simple \
> -a proxyDN="cn=XXX" \
> -a proxyPassword=SECRET \
> -a defaultSearchBase=dc=ipk=de \
> -a domainName=DOMAINNAME \
> -a defaultServerList= \
> -a attributeMap=group:userpassword=userPassword \
> -a attributeMap=group:uniqueMember=member \
> -a attributeMap=group:gidnumber=gidNumber \
> -a attributeMap=passwd:gecos=cn \
> -a attributeMap=passwd:gidnumber=gidNumber \
> -a attributeMap=passwd:uidnumber=uidNumber \
> -a attributeMap=passwd:uid=sAMAccountName \
> -a attributeMap=passwd:homedirectory=unixHomeDirectory \
> -a attributeMap=passwd:loginshell=loginShell \
> -a attributeMap=shadow:shadowflag=shadowFlag \
> -a attributeMap=shadow:userpassword=userPassword \
> -a objectClassMap=group:posixGroup=group \
> -a objectClassMap=passwd:posixAccount=user \
> -a objectClassMap=shadow:shadowAccount=user \
> -a serviceSearchDescriptor="passwd:" \
> -a serviceSearchDescriptor=group:  \
> -a followReferrals=true
> 
> Maybe also a restart of the smb service?
> 
> Jens
> 
> > -----Original Message-----
> > From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> > Sent: Tuesday, 27 June 2017 14:40
> > To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> > Hi,
> >
> >
> >
> > Now I get "can't access domain info" in the smb log and users are prompted
> > to enter a password when accessing the shares. :(
> >
> >
> >
> > From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> > Sent: Tuesday, 27 June 2017 09:37
> > To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> >
> >
> > Hi,
> >
> >
> >
> > I fixed this problem after executing this:
> >
> > idmap add winname:"*@" unixuser:"*"
> > idmap add wingroup:"*@ " unixgroup:"*"
> > svcadm restart idmap
> >
> > All newly created files now have the uid and gid from the IDMU
> >
> >
> >
> > Jens
> >
> >
> >
> > From: OmniOS-discuss [mailto:omnios-discuss-boun...@lists.omniti.com] On Behalf Of Oliver Weinmann
> > Sent: Tuesday, 27 June 2017 08:25
> > To: omnios-discuss <omnios-discuss@lists.omniti.com>
> > Subject: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> >
> >
> > Hi,
> >
> >
> >
> > we are currently migrating all our data from a NetApp system to an OmniOS
> > system.
> >
> > The OmniOS system is joined to AD and the LDAP client is configured to pull
> > LDAP info from AD / IDMU. This works fine.
> >
> >
> >
> > However we c

Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-27 Thread Jens Bauernfeind
also r151022

What is your /etc/nsswitch.conf saying?
Mine has nearly everywhere "files ldap", except hosts and ipnodes.

> -----Original Message-----
> From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> Sent: Tuesday, 27 June 2017 14:49
> To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [Om<br>niOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> 
> What version of omnios are you using? I'm using R151022.
> 
> -----Original Message-----
> From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> Sent: Tuesday, 27 June 2017 14:47
> To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> 
> Hm,
> 
> maybe I should share my ldap config.
> ldapclient -v manual \
> -a credentialLevel=proxy \
> -a authenticationMethod=simple \
> -a proxyDN="cn=XXX" \
> -a proxyPassword=SECRET \
> -a defaultSearchBase=dc=ipk=de \
> -a domainName=DOMAINNAME \
> -a defaultServerList= \
> -a attributeMap=group:userpassword=userPassword \
> -a attributeMap=group:uniqueMember=member \
> -a attributeMap=group:gidnumber=gidNumber \
> -a attributeMap=passwd:gecos=cn \
> -a attributeMap=passwd:gidnumber=gidNumber \
> -a attributeMap=passwd:uidnumber=uidNumber \
> -a attributeMap=passwd:uid=sAMAccountName \
> -a attributeMap=passwd:homedirectory=unixHomeDirectory \
> -a attributeMap=passwd:loginshell=loginShell \
> -a attributeMap=shadow:shadowflag=shadowFlag \
> -a attributeMap=shadow:userpassword=userPassword \
> -a objectClassMap=group:posixGroup=group \
> -a objectClassMap=passwd:posixAccount=user \
> -a objectClassMap=shadow:shadowAccount=user \
> -a serviceSearchDescriptor="passwd:" \
> -a serviceSearchDescriptor=group:  \
> -a followReferrals=true
> 
> Maybe also a restart of the smb service?
> 
> Jens
> 
> > -----Original Message-----
> > From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> > Sent: Tuesday, 27 June 2017 14:40
> > To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> > Hi,
> >
> >
> >
> > Now I get "can't access domain info" in the smb log and users are prompted
> > to enter a password when accessing the shares. :(
> >
> >
> >
> > From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> > Sent: Tuesday, 27 June 2017 09:37
> > To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> >
> >
> > Hi,
> >
> >
> >
> > I fixed this problem after executing this:
> >
> > idmap add winname:"*@" unixuser:"*"
> > idmap add wingroup:"*@ " unixgroup:"*"
> > svcadm restart idmap
> >
> > All newly created files now have the uid and gid from the IDMU
> >
> >
> >
> > Jens
> >
> >
> >
> > From: OmniOS-discuss [mailto:omnios-discuss-boun...@lists.omniti.com] On Behalf Of Oliver Weinmann
> > Sent: Tuesday, 27 June 2017 08:25
> > To: omnios-discuss <omnios-discuss@lists.omniti.com>
> > Subject: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
> >
> >
> >
> > Hi,
> >
> >
> >
> > we are currently migrating all our data from a NetAPP system to an
OmniOS
> > sytem.
> >
> >
> >
> > The OmniOS system is joined to AD and LDAP client is configured to pull
> LDAP
> > info from AD / IDMU. This works fine.
> >
> >
> >
> > However we can’t manage to have access on folders where we have Unix
> > permissions from windows (CIFS).
> >
> >
> >
> > e.g.
> >
> >
> >
> > the user utest2 is member of the goup “Up BCSIM De_Dt Da Lg”:
> >
> >
> >
> > root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
> >
> > 1 Up BCSIM De_Dt Da Lg
> >
> >
> >
> > The folder Unix has the following permissions set:
> >
> >
> >
> > root@omnios01:/hgst4u60/ReferenceAC/BC

Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-27 Thread Oliver Weinmann
What version of omnios are you using? I'm using R151022. 

-Original Message-
From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de] 
Sent: Tuesday, 27 June 2017 14:47
To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
Cc: omnios-discuss <omnios-discuss@lists.omniti.com>
Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
(owner:group:other) Unix permissions

Hm,

maybe I should share my ldap config.
ldapclient -v manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN="cn=XXX" \
-a proxyPassword=SECRET \
-a defaultSearchBase=dc=ipk=de \
-a domainName=DOMAINNAME \
-a defaultServerList= \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:uniqueMember=member \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor="passwd:" \
-a serviceSearchDescriptor=group:  \
-a followReferrals=true

Maybe also a restart of the smb service?

Jens

> -Original Message-
> From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> Sent: Tuesday, 27 June 2017 14:40
> To: Jens Bauernfeind <bauernfe...@ipk-gatersleben.de>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
>
> Hi,
>
> Now I get can’t access domain info in the smb log and users are prompted
> to enter a password when accessing the shares. :(
>
> From: Jens Bauernfeind [mailto:bauernfe...@ipk-gatersleben.de]
> Sent: Tuesday, 27 June 2017 09:37
> To: Oliver Weinmann <oliver.weinm...@telespazio-vega.de>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
>
> Hi,
>
> I fixed this problem after executing this:
>
> idmap add winname:"*@" unixuser:"*"
> idmap add wingroup:"*@ " unixgroup:"*"
> svcadm restart idmap
>
> All newly created files now have the uid and gid from the IDMU.
>
> Jens
>
> From: OmniOS-discuss [mailto:omnios-discuss-boun...@lists.omniti.com]
> On Behalf Of Oliver Weinmann
> Sent: Tuesday, 27 June 2017 08:25
> To: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
>
> Hi,
>
> we are currently migrating all our data from a NetAPP system to an OmniOS
> system.
>
> The OmniOS system is joined to AD and the LDAP client is configured to pull
> LDAP info from AD / IDMU. This works fine.
>
> However we can’t manage to have access on folders where we have Unix
> permissions from Windows (CIFS).
>
> e.g.
>
> the user utest2 is member of the group “Up BCSIM De_Dt Da Lg”:
>
> root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
> 1 Up BCSIM De_Dt Da Lg
>
> The folder Unix has the following permissions set:
>
> root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
> total 47
> d-+  4 root 2147483653   4 Apr 25 05:37 .
> d-+  4 root 2147483659   4 Apr 25 05:35 ..
> drwxrws---   9 bcsim Up BCSIM De_Dt Da Lg  11 Mar  9 10:40 Unix
> d-+  6 root 2147483653   6 Apr 25 05:37 Windows
>
> so user bcsim and all members of group “Up BCSIM De_Dt Da Lg” can access
> the folder just fine via NFS.
>
> If the user utest2 tries to access this folder from Windows via CIFS he
> gets access denied.
>
> If I change the permissions so that other have r-x he can access the
> folder but then I have no control on who can access the folder.
>
> On our NetApp system this was working fine. I assume it has to do with the
> IDMAP daemon using ephemeral mappings instead of pulling the uidnumber
> and gidnumber from AD?
>
> I don’t want to use extended ACLs on this folder.
>
> Any ideas?
>
>
> Oliver Weinmann
> Senior Unix VMWare, Storage Engineer
>
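
The gid 2147483653 in the listing quoted above is an ephemeral ID: idmapd hands out uids and gids from 2^31 upward when it has no persistent mapping for a Windows SID, and a user mapped that way can never satisfy owner:group:other bits written for an AD/IDMU uidNumber/gidNumber, which is what the name-based idmap rules in Jens's reply replace. The POSIX sh snippet below is an added example, not part of the thread, that flags such entries in an `ls -ln` listing; the listing itself and the uid/gid 10001/10005 used for bcsim and its group are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: flag directory entries owned by an
# ephemeral illumos ID. When idmapd has no persistent uid/gid for a Windows
# SID it allocates an ephemeral one from 2^31 (2147483648) upward; the gid
# 2147483653 in the quoted listing is such an ID. Ephemeral IDs never equal a
# uidNumber/gidNumber from AD/IDMU, so owner:group:other bits set for the
# POSIX identity cannot grant a CIFS user mapped this way any access.

EPHEMERAL_BASE=2147483648   # first ephemeral ID on illumos (0x80000000)

# is_ephemeral_id ID: succeed if ID is a number in the ephemeral range.
# A resolved name (e.g. "root") is by definition a persistent mapping.
is_ephemeral_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$EPHEMERAL_BASE" ]
}

# flag_ephemeral_entries: read "ls -ln" output on stdin (numeric uid in
# field 3, gid in field 4) and print "NAME uid=U gid=G" for every entry
# whose owner or group is ephemeral.
flag_ephemeral_entries() {
    while read -r mode links uid gid rest; do
        case "$mode" in
            ''|total) continue ;;          # blank line or "total N" header
        esac
        if is_ephemeral_id "$uid" || is_ephemeral_id "$gid"; then
            # rest = "SIZE MONTH DAY TIME NAME..."; drop the first four
            # fields so names containing spaces survive.
            set -f; set -- $rest; set +f; shift 4
            printf '%s uid=%s gid=%s\n' "$*" "$uid" "$gid"
        fi
    done
}

# Constructed sample, modelled on the listing quoted above but in "ls -ln"
# form (uid 10001/gid 10005 for bcsim and its group are made up).
sample_listing() {
    cat <<'EOF'
total 47
d---------+  4 0 2147483653   4 Apr 25 05:37 .
d---------+  4 0 2147483659   4 Apr 25 05:35 ..
drwxrws---   9 10001 10005  11 Mar  9 10:40 Unix
d---------+  6 0 2147483653   6 Apr 25 05:37 Windows
EOF
}

sample_listing | flag_ephemeral_entries
```

Run against a real share with `ls -ln /path | flag_ephemeral_entries`; every entry it prints is one that NFS clients with AD/IDMU ids can never reach through the mode bits alone.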

Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-27 Thread Jens Bauernfeind
Hi,

I fixed this problem after executing this:
idmap add winname:"*@" unixuser:"*"
idmap add wingroup:"*@ " unixgroup:"*"
svcadm restart idmap
All newly created files now have the uid and gid from the IDMU.

Jens

> -Original Message-
> From: OmniOS-discuss [mailto:omnios-discuss-boun...@lists.omniti.com]
> On Behalf Of Oliver Weinmann
> Sent: Tuesday, 27 June 2017 08:25
> To: omnios-discuss <omnios-discuss@lists.omniti.com>
> Subject: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
>
> Hi,
>
> we are currently migrating all our data from a NetAPP system to an OmniOS
> system.
>
> The OmniOS system is joined to AD and the LDAP client is configured to pull
> LDAP info from AD / IDMU. This works fine.
>
> However we can’t manage to have access on folders where we have Unix
> permissions from Windows (CIFS).
>
> e.g.
>
> the user utest2 is member of the group “Up BCSIM De_Dt Da Lg”:
>
> root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
> 1 Up BCSIM De_Dt Da Lg
>
> The folder Unix has the following permissions set:
>
> root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
> total 47
> d-+  4 root 2147483653   4 Apr 25 05:37 .
> d-+  4 root 2147483659   4 Apr 25 05:35 ..
> drwxrws---   9 bcsim Up BCSIM De_Dt Da Lg  11 Mar  9 10:40 Unix
> d-+  6 root 2147483653   6 Apr 25 05:37 Windows
>
> so user bcsim and all members of group “Up BCSIM De_Dt Da Lg” can access
> the folder just fine via NFS.
>
> If the user utest2 tries to access this folder from Windows via CIFS he
> gets access denied.
>
> If I change the permissions so that other have r-x he can access the
> folder but then I have no control on who can access the folder.
>
> On our NetApp system this was working fine. I assume it has to do with the
> IDMAP daemon using ephemeral mappings instead of pulling the uidnumber
> and gidnumber from AD?
>
> I don’t want to use extended ACLs on this folder.
>
> Any ideas?
>
>
> Oliver Weinmann
> Senior Unix VMWare, Storage Engineer
>
> Telespazio VEGA Deutschland GmbH
> Europaplatz 5 - 64293 Darmstadt - Germany
> Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
> oliver.weinm...@telespazio-vega.de
> http://www.telespazio-vega.de
>
> Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt,
> HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller



___
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss