----- Original Message -----
From: "Juris Krumins" <[EMAIL PROTECTED]>
To: "Afshin Salek" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; "Jeff Cheeney" <[EMAIL PROTECTED]>; <[email protected]>
Sent: Thursday, August 14, 2008 11:17 PM
Subject: Re: [storage-discuss] [cifs-discuss] Settings up CIFS share's security from Windows XP system using Security tab

> What I've done is:
> 1. Installed OpenSolaris 2008.05 with enabled smb server service.
> 2. Joined OpenSolaris system to the AD domain.
> 3. Created zpool and zfs with sharesmb option turned on for zfs.
>
> Thus far everything is fine. I can see OpenSolaris server using Windows
> XP for example and I can see previously (3. step) shared zfs partition.
> It's clear, that it is possible to set ACL using chmod in OpenSolaris
> and find SID <-> UID/GID mapping between Windows SID and OpenSolaris
> UID/GID using idmap dump command.
> But, the question is - is it possible to set the same ACL on shared
> ZFS filesystem from Windows XP system using Property->Security tab.
> Cause if I try to do it pressing Add button in order to add user/group
> and then trying to choose Location, the only thing I see is my
> OpenSolaris server, no way to choose AD as a source for user/group
> info.

You should be able to add AD domain accounts to ZFS ACLs using the
Windows XP Property->Security tab. If you are unable to do so, it may
be due to a configuration problem. If the client cannot determine or
verify the server's domain, it cannot or will not display the domain
accounts.

cifs-chkcfg.sh can be used to do a basic CIFS configuration sanity
check and cifs-gendiag.sh can be used to gather diagnostic information.
Both are available at http://opensolaris.org/os/project/cifs-server/files/

It may also be useful to look at network captures (wireshark, netmon,
snoop) of the communication between XP, OpenSolaris and DC when you are
working through the Property->Security tab scenario.

Alan

> As far as I understand based on your answer there is no way to accomplish
> this, because OpenSolaris currently is only a file system and knows nothing
> about AD users/groups.
>
> On Thu, 2008-08-14 at 11:45 -0700, Afshin Salek wrote:
>> I'm not sure what exactly you are doing and what you are
>> referring to as AD objects but here are two pieces of information:
>>
>> 1. We don't support shares' ACL yet
>>
>> 2. Generally, we only serve file system objects not AD objects.
>> We publish CIFS shares in AD if a container is specified in share
>> definition. This is all as far as our AD object support goes.
>>
>> Afshin
>>
>> Jeff Cheeney wrote:
>> > On 08/14/08 08:55, Juris Krumins wrote:
>> >> Currently setup CIFS service in domain mode for Windows AD Domain.
>> >> Idmapd is running in Ephemeral Mappings mode.
>> >> Running SunOS 5.11 snv_86 i86pc i386 i86pc
>> >> Everything running smoothly, except for setting share ACL from
>> >> Windows XP Pro using AD objects.
>> >> I've found a couple of threads in forum, saying that there is no way to
>> >> enumerate AD objects and set ACL from Windows XP Security tab, using
>> >> standard idmapd daemon. Is it true, or maybe I misunderstand something?
>> >>
>> >> Thanks in advance.
>> >>
>> >
>> > The guys on cifs-discuss should be able to help with your query.
>> >
>> > --jc
>> >
>> > ---
>> > Jeff Cheeney | OpenSolaris Storage Community |
>> > http://opensolaris.org/os/storage | http://blogs.sun.com/icedawn
>> > _______________________________________________
>> > cifs-discuss mailing list
>> > [EMAIL PROTECTED]
>> > http://mail.opensolaris.org/mailman/listinfo/cifs-discuss
>>
>
> _______________________________________________
> storage-discuss mailing list
> [email protected]
> http://mail.opensolaris.org/mailman/listinfo/storage-discuss
