Re: [OmniOS-discuss] ZFS ACL Solaris CIFS and Windows client

2015-05-01 Thread Günther Alka
ZFS properties, see Oracle docs, e.g.
http://docs.oracle.com/cd/E19120-01/open.solaris/817-2271/gbaaz/index.html

If you want full permissions on files on an SMB share, you must either connect 
as user root
or as an AD user that is idmapped to Unix root

Adding a user to the SMB group administrators is needed for some administration 
tasks (ex remote computer management) but root permission is the key for 
any file permission problems.


Gea


> On 30.04.2015 at 08:56, Sebastian Gabler wrote:
> 
> On 29.04.2015 at 20:07, omnios-discuss-requ...@lists.omniti.com wrote:
>> Message: 3
>> Date: Tue, 28 Apr 2015 19:22:34 +0200
>> From: Günther Alka
>> To: omnios-discuss 
>> Subject: Re: [OmniOS-discuss] ZFS ACL Solaris CIFS and Windows client
>> Message-ID: <9d064aa0-0c34-444f-9ff0-900f32eff...@hfg-gmuend.de>
>> Content-Type: text/plain; charset=utf-8
>> 
>> Let's begin with ZFS properties
>> - aclinherit: passthrough
> Thanks. It was on "restricted". I applied the change, but that makes no 
> difference to my original problem.
>> - aclmode: does not matter for CIFS
> Thanks. Do you have any sources for that for further studies?
>> 
>> Next, set idmappings
>> - in Workgroup mode: do not set any user mappings (only group mappings)
>> - in Domain mode: set domainadmins => root
> That's already the case. On that occasion: how would one delegate operator 
> permissions for ACL assignment to other users. i.e. if I want certain Domain 
> Users to change ACLs, permissions, and privileges, on shares of the illumos 
> machine, who are not member of the domain admin group?
>> 
>> Next: join AD Domain (for domain mode)
>> 
>> Next: SMB connect
>> - use root (requires a passwd root to generate an SMB password) or
>> - use a Domain Admin account (requires the idmapping to root)
> I am using the domain admin account. Note: what specifically is not working 
> is to set ownership on behalf of a different domain user.
>> 
>> Windows version:
>> - you need Windows Pro or Windows server (no home edition)
> Known.
>> 
>> Now you should be able to set ownership and ACL on files and folders.
>> 
>> If you want to set ACL on shares, you must
>> - SMB connect as a user that is a member of the Administrators group
>> - use Computer Management on Windows and connect OmniOS
> Trying the latter ends up in "access denied".
> Maybe there is something broken with the user mapping. (i.e., the domain 
> admin >root mapping was done, but how do I check if it is in effect, how do I 
> check if root (who is in my understanding the provider of the permissions to 
> domain admin, right?) has the required privs?
>> 
>> 
>> Gea
>> 
>> 
>>> On 28.04.2015 at 14:09, Sebastian Gabler wrote:
>>> 
>>> Hi,
>>> 
>>> I am a bit stuck in getting my ACL management straight for the CIFS shares 
>>> I run. What I would like to do is to set all the ACLs from Windows. What 
>>> does not work right now is to assign ownership to a sharepoint or an object 
>>> below it to a different user, i.e. to set ownership as the Domain 
>>> Administrator to a specific user. I get an error message that a "Restore" 
>>> privilege would be missing, but the error message is unclear if that 
>>> applies to the current context (Domain Administrator), or the prospective 
>>> owner. I can set full control for that user, however.
>>> Specifically,
>>> 1. I am wondering how to get, from my illumos machine, the privileges 
>>> applicable on an object for a certain user.
>>> 2. finding out what is required to take/provide ownership, specifically of 
>>> a sharepoint, from Windows, (ACLs, idmap, ZFS acl modes and inheritance 
>>> modes, etc), and in what hierarchy things apply.
>>> I am aware that this may be a FAQ, but I didn't find comprehensive 
>>> documentation on the matter. The Oracle docs are focussed to explain how 
>>> things work from the Solaris side, most HowTos that include the Windows 
>>> side are not deep enough.
>>> 
>>> Thanks for any hints.
>>> 
>>> With best regards,
>>> 
>>> Sebastian
>>> ___
>>> OmniOS-discuss mailing list
>>> OmniOS-discuss@lists.omniti.com
>>> http://lists.omniti.com/mailman/listinfo/omnios-discuss


Re: [OmniOS-discuss] ZFS ACL Solaris CIFS and Windows client

2015-04-30 Thread Sebastian Gabler

On 29.04.2015 at 20:07, omnios-discuss-requ...@lists.omniti.com wrote:
> Message: 3
> Date: Tue, 28 Apr 2015 19:22:34 +0200
> From: Günther Alka
> To: omnios-discuss
> Subject: Re: [OmniOS-discuss] ZFS ACL Solaris CIFS and Windows client
> Message-ID: <9d064aa0-0c34-444f-9ff0-900f32eff...@hfg-gmuend.de>
> Content-Type: text/plain; charset=utf-8
>
> Let's begin with ZFS properties
> - aclinherit: passthrough

Thanks. It was on "restricted". I applied the change, but that makes no 
difference to my original problem.

> - aclmode: does not matter for CIFS

Thanks. Do you have any sources for that for further studies?

> Next, set idmappings
> - in Workgroup mode: do not set any user mappings (only group mappings)
> - in Domain mode: set domainadmins => root

That's already the case. On that occasion: how would one delegate 
operator permissions for ACL assignment to other users. i.e. if I want 
certain Domain Users to change ACLs, permissions, and privileges, on 
shares of the illumos machine, who are not member of the domain admin group?

> Next: join AD Domain (for domain mode)
>
> Next: SMB connect
> - use root (requires a passwd root to generate an SMB password) or
> - use a Domain Admin account (requires the idmapping to root)

I am using the domain admin account. Note: what specifically is not 
working is to set ownership on behalf of a different domain user.

> Windows version:
> - you need Windows Pro or Windows server (no home edition)

Known.

> Now you should be able to set ownership and ACL on files and folders.
>
> If you want to set ACL on shares, you must
> - SMB connect as a user that is a member of the Administrators group
> - use Computer Management on Windows and connect OmniOS

Trying the latter ends up in "access denied".
Maybe there is something broken with the user mapping. (i.e., the domain 
admin >root mapping was done, but how do I check if it is in effect, how 
do I check if root (who is in my understanding the provider of the 
permissions to domain admin, right?) has the required privs?

> Gea
>
> On 28.04.2015 at 14:09, Sebastian Gabler wrote:
>
>> Hi,
>>
>> I am a bit stuck in getting my ACL management straight for the CIFS shares I run. What I 
>> would like to do is to set all the ACLs from Windows. What does not work right now is to 
>> assign ownership to a sharepoint or an object below it to a different user, i.e. to set 
>> ownership as the Domain Administrator to a specific user. I get an error message that a 
>> "Restore" privilege would be missing, but the error message is unclear if that 
>> applies to the current context (Domain Administrator), or the prospective owner. I can 
>> set full control for that user, however.
>> Specifically,
>> 1. I am wondering how to get, from my illumos machine, the privileges 
>> applicable on an object for a certain user.
>> 2. finding out what is required to take/provide ownership, specifically of a 
>> sharepoint, from Windows, (ACLs, idmap, ZFS acl modes and inheritance modes, 
>> etc), and in what hierarchy things apply.
>> I am aware that this may be a FAQ, but I didn't find comprehensive 
>> documentation on the matter. The Oracle docs are focussed to explain how things 
>> work from the Solaris side, most HowTos that include the Windows side are not 
>> deep enough.
>>
>> Thanks for any hints.
>>
>> With best regards,
>>
>> Sebastian


Re: [OmniOS-discuss] ZFS ACL Solaris CIFS and Windows client

2015-04-28 Thread Günther Alka
Let's begin with ZFS properties
- aclinherit: passthrough
- aclmode: does not matter for CIFS 

Next, set idmappings
- in Workgroup mode: do not set any user mappings (only group mappings)
- in Domain mode: set domainadmins => root

Next: join AD Domain (for domain mode)

Next: SMB connect
- use root (requires a passwd root to generate an SMB password) or
- use a Domain Admin account (requires the idmapping to root)

Windows version:
- you need Windows Pro or Windows server (no home edition)

Now you should be able to set ownership and ACL on files and folders.

If you want to set ACL on shares, you must
- SMB connect as a user that is a member of the Administrators group
- use Computer Management on Windows and connect OmniOS


Gea


> On 28.04.2015 at 14:09, Sebastian Gabler wrote:
> 
> Hi,
> 
> I am a bit stuck in getting my ACL management straight for the CIFS shares I 
> run. What I would like to do is to set all the ACLs from Windows. What does 
> not work right now is to assign ownership to a sharepoint or an object below 
> it to a different user, i.e. to set ownership as the Domain Administrator to 
> a specific user. I get an error message that a "Restore" privilege would be 
> missing, but the error message is unclear if that applies to the current 
> context (Domain Administrator), or the prospective owner. I can set full 
> control for that user, however.
> Specifically,
> 1. I am wondering how to get, from my illumos machine, the privileges 
> applicable on an object for a certain user.
> 2. finding out what is required to take/provide ownership, specifically of a 
> sharepoint, from Windows, (ACLs, idmap, ZFS acl modes and inheritance modes, 
> etc), and in what hierarchy things apply.
> I am aware that this may be a FAQ, but I didn't find comprehensive 
> documentation on the matter. The Oracle docs are focussed to explain how 
> things work from the Solaris side, most HowTos that include the Windows side 
> are not deep enough.
> 
> Thanks for any hints.
> 
> With best regards,
> 
> Sebastian

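A check for two prerequisites from the checklist in the reply above (the aclinherit property and an idmap rule to root), as an added example that is not part of the original thread. It assumes the tab-separated output of `zfs get -H -o property,value` and that `idmap list` prints rules in `add [-d] name1 name2` form; `tank/share`, `example.test` and the sample rules are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit two prerequisites from the checklist above.
# On an illumos host, feed the functions real output, e.g.:
#   zfs get -H -o property,value aclinherit tank/share | check_aclinherit
#   idmap list | root_mappings
# tank/share and example.test are placeholders, not names from the thread.

# Reads "property<TAB>value" lines; succeeds only for aclinherit=passthrough.
check_aclinherit() {
    awk -F'\t' '$1 == "aclinherit" { v = $2 }
        END { if (v == "passthrough") { print "OK   aclinherit=passthrough"; exit 0 }
              print "FAIL aclinherit=" (v == "" ? "missing" : v) ", want passthrough"
              exit 1 }'
}

# Prints the idmap rules that map a Windows identity to unixuser:root.
root_mappings() {
    awk '$1 == "add" {
        pos = 0; dir = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "-d") dir = 1
            if ($i == "unixuser:root") pos = i
        }
        # -d maps name1 -> name2 only, so root must then be name2 (last field).
        if (pos && (!dir || pos == NF)) print
    }'
}

audit() {   # $1 = zfs get output, $2 = idmap list output
    rc=0
    printf '%s\n' "$1" | check_aclinherit || rc=1
    if [ -n "$(printf '%s\n' "$2" | root_mappings)" ]; then
        echo "OK   a Windows identity maps to unixuser:root"
    else
        echo "FAIL no Windows -> unixuser:root mapping"; rc=1
    fi
    return $rc
}

# Constructed sample input: aclinherit still "restricted", one usable rule.
SAMPLE_ZFS=$(printf 'aclinherit\trestricted\naclmode\tdiscard\n')
SAMPLE_IDMAP='add winuser:Administrator@example.test unixuser:root
add -d unixuser:root winuser:svc@example.test
add wingroup:staff@example.test unixgroup:staff'

audit "$SAMPLE_ZFS" "$SAMPLE_IDMAP" || echo "prerequisites not met"
```

The second sample rule is deliberately ignored: it is directional from Unix to Windows, so it does not give the Windows account root's identity on the server.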

[OmniOS-discuss] ZFS ACL Solaris CIFS and Windows client

2015-04-28 Thread Sebastian Gabler

Hi,

I am a bit stuck in getting my ACL management straight for the CIFS 
shares I run. What I would like to do is to set all the ACLs from 
Windows. What does not work right now is to assign ownership to a 
sharepoint or an object below it to a different user, i.e. to set 
ownership as the Domain Administrator to a specific user. I get an error 
message that a "Restore" privilege would be missing, but the error 
message is unclear if that applies to the current context (Domain 
Administrator), or the prospective owner. I can set full control for 
that user, however.

Specifically,
1. I am wondering how to get, from my illumos machine, the privileges 
applicable on an object for a certain user.
2. finding out what is required to take/provide ownership, specifically 
of a sharepoint, from Windows, (ACLs, idmap, ZFS acl modes and 
inheritance modes, etc), and in what hierarchy things apply.
I am aware that this may be a FAQ, but I didn't find comprehensive 
documentation on the matter. The Oracle docs are focussed to explain how 
things work from the Solaris side, most HowTos that include the Windows 
side are not deep enough.


Thanks for any hints.

With best regards,

Sebastian