Re: [OpenIndiana-discuss] Default SMB file permission
Thanks very much for taking the time to go into all this detail. I'll grab a cuppa and give it a thorough read.

Michelle.

On Fri, 2023-03-31 at 02:38 +0200, Guenther Alka wrote:
> Main open question is if you use SAMBA or the Solaris kernel-based SMB
> server.
> I would always prefer the second due to easier config and better handling
> of Windows SMB permissions
> and zero config ZFS snaps = Windows previous versions.
>
> Due to the lack of smb.conf, I assume you use the kernel-based SMB server:
> - Settings are done via ZFS properties aclmode and aclinherit or sharectl
>   https://illumos.org/man/8/sharectl
>   or in napp-it
>
> The kernel-based SMB server uses (only and always) Windows ntfs alike
> permissions with inheritance based on Windows SID as security reference.
> This is why permissions ex in an AD environment remain intact after a
> restore from backup without any mappings.
> https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-368594
>
> Additionally to Unix groups you have Windows alike local SMB groups.
>
> ACL are superior to classic Unix permissions like 750.
> Never set classic permissions or gid as they delete inheritance
> settings or reduce permissions, always use ACL. Permissions wise Solaris
> is like Windows not Unix.
>
> To set ACL
> - set aclinherit to pass-through (Windows alike)
> - prefer Windows. SMB connect as root and set ACL
>
> - for the shared filesystem:
>   allow at least read access for the shared folder only
>
>   for folders below
>   set needed settings with inheritance to files and folders
>   ex modify for certain users/ groups
>
> A possible default is also:
> - allow read for everyone@ (shared filesystem, this folder only)
> - allow creation of files and folders for everyone
> Default is then that a creator (=owner) has full permissions, others
> lack permissions
>
> Additionally you can set share ACL.
> When you (re)create a share, they are always everyone@=full
> Napp-it can store/ recreate share permissions as private ZFS properties
> on a re-share
> https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-356373
>
> Gea
>
> more,
> https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-356845
>
> > I'm bashing my head a little.
> >
> > I have a newly built OI server and I've got a share out through ZFS smb
> > share which is being accessed from a Linux client.
> >
> > Every file written comes in with 700 and I need to change that default
> > to 740.
> >
> > I believed that was a setting in smb.conf rather than umask but I think
> > I'm getting my linux and unix mixed up. But I can't find smb.conf
> > anyway.
> >
> > Oddly the file does show -rwx--+ which potentially indicates an acl
> > applying
> >
> > The guid bit for directory permission inheritance is working. It's just
> > newly created files.
> >
> > I'm going to lie down because my head is hurting.

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Default SMB file permission
Main open question is if you use SAMBA or the Solaris kernel-based SMB server.
I would always prefer the second due to easier config and better handling of Windows SMB permissions
and zero config ZFS snaps = Windows previous versions.

Due to the lack of smb.conf, I assume you use the kernel-based SMB server:
- Settings are done via ZFS properties aclmode and aclinherit or sharectl
  https://illumos.org/man/8/sharectl
  or in napp-it

The kernel-based SMB server uses (only and always) Windows ntfs alike permissions with inheritance based on Windows SID as security reference. This is why permissions ex in an AD environment remain intact after a restore from backup without any mappings.
https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-368594

Additionally to Unix groups you have Windows alike local SMB groups.

ACL are superior to classic Unix permissions like 750.
Never set classic permissions or gid as they delete inheritance settings or reduce permissions, always use ACL. Permissions wise Solaris is like Windows not Unix.

To set ACL
- set aclinherit to pass-through (Windows alike)
- prefer Windows. SMB connect as root and set ACL

- for the shared filesystem:
  allow at least read access for the shared folder only

  for folders below
  set needed settings with inheritance to files and folders
  ex modify for certain users/ groups

A possible default is also:
- allow read for everyone@ (shared filesystem, this folder only)
- allow creation of files and folders for everyone
Default is then that a creator (=owner) has full permissions, others lack permissions

Additionally you can set share ACL.
When you (re)create a share, they are always everyone@=full
Napp-it can store/ recreate share permissions as private ZFS properties on a re-share
https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-356373

Gea

more,
https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-356845

> I'm bashing my head a little.
>
> I have a newly built OI server and I've got a share out through ZFS smb
> share which is being accessed from a Linux client.
>
> Every file written comes in with 700 and I need to change that default
> to 740.
>
> I believed that was a setting in smb.conf rather than umask but I think
> I'm getting my linux and unix mixed up. But I can't find smb.conf anyway.
>
> Oddly the file does show -rwx--+ which potentially indicates an acl
> applying
>
> The guid bit for directory permission inheritance is working. It's just
> newly created files.
>
> I'm going to lie down because my head is hurting.

--
Guenther Ernst Alka
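
The ACL setup described in the reply above, written out as illumos commands. This is an added example, not part of the thread: the dataset `tank/share` and mountpoint `/tank/share` are assumed placeholder names, the property value is spelled `passthrough` as `zfs` expects it, and the ACL shown (owner full, group read, nobody else) is one assumed way to express the 740 the original poster asked for.

```shell
#!/bin/sh
# Added example, not from the thread. tank/share and /tank/share are
# constructed placeholders for the shared ZFS filesystem and its mountpoint.
DATASET=${DATASET:-tank/share}
MOUNTPOINT=${MOUNTPOINT:-/tank/share}

# NFSv4 ACL for the share root: owner full control, group read-only,
# both inherited by new files and folders. No everyone@ entry, so all
# other users get nothing (the closest ACL counterpart of mode 740).
SHARE_ACL='owner@:full_set:file_inherit/dir_inherit:allow,group@:read_set:file_inherit/dir_inherit:allow'

# Print each command by default; execute it only when APPLY=1.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf 'would run:'
        printf ' %s' "$@"
        printf '\n'
    fi
}

apply_share_acl() {
    dataset=$1
    mountpoint=$2
    # Let inheritable ACEs pass to new files unchanged ("Windows alike").
    run zfs set aclinherit=passthrough "$dataset"
    # A= replaces the whole ACL. Do not follow up with a numeric chmod:
    # as the reply notes, that deletes inheritance or reduces permissions.
    run /usr/bin/chmod "A=$SHARE_ACL" "$mountpoint"
    # Verify: property values, then the resulting ACL on the share root.
    run zfs get aclmode,aclinherit "$dataset"
    run /usr/bin/ls -dV "$mountpoint"
}

apply_share_acl "$DATASET" "$MOUNTPOINT"
```

Run as-is it only prints the four commands; `APPLY=1` executes them on the server. A freshly created file should then show the inherited `owner@` and `group@` entries in `ls -V`.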
[OpenIndiana-discuss] Default SMB file permission
I'm bashing my head a little.

I have a newly built OI server and I've got a share out through ZFS smb share which is being accessed from a Linux client.

Every file written comes in with 700 and I need to change that default to 740.

I believed that was a setting in smb.conf rather than umask but I think I'm getting my linux and unix mixed up. But I can't find smb.conf anyway.

Oddly the file does show -rwx--+ which potentially indicates an acl applying

The guid bit for directory permission inheritance is working. It's just newly created files.

I'm going to lie down because my head is hurting.
Re: [OpenIndiana-discuss] Firefox still reporting missing codecs
On 30/03/2023 17:26, russell wrote:
> Performed an update yesterday evening creating a new BE, rebooted and
> checked access to youtube.
> Some videos work without issue generating no alert but others will not
> play because the video codec is not available

firefox delegates some video playback to ffmpeg. Since the pkgin repository (https://pkgsrc.smartos.org) has many more plugins than the OI one, I have installed from there:

fmpeg5-5.1.2nb4            Decoding, encoding and streaming software (v5.x)
gst-ffmpeg-0.10.13nb29     GStreamer ffmpeg plugin
gst-plugins1-libav-1.22.1  GStreamer libav/ffmpeg plugin

and redirect firefox via a script to load ffmpeg from there:

LD_LIBRARY_PATH=/opt/local/lib/ffmpeg5:${LD_LIBRARY_PATH} /usr/lib/amd64/firefox/firefox "$@"
[OpenIndiana-discuss] Firefox still reporting missing codecs
Good Afternoon

Performed an update yesterday evening creating a new BE, rebooted and checked access to youtube.

Some videos work without issue generating no alert but others will not play because the video codec is not available

Russell