On 01/11/11 02:47 AM, Jaime Cardoso wrote:
On 11-01-2011 10:29, Ryan Park wrote:
Hello all,

First, I'd like to thank you for the help. Thank you.

I have created an SMB share on OpenSolaris 134,
joined Windows 2008 Active Directory and mapped the share to the system.

I have a couple of ACL access permission problems.

First, when I created the file and changed the delete permission to deny delete
permission from the Windows side,
the user can still delete the file.

Second, I have taken the snapshot and restored from the Windows folder/file
property --> Previous Versions tab.
When I delete the file and restore it using a different user account,
that account has access to the file.

Please give me light to guide me through this problem.

Thank you

Ryan


Hello Ryan

Where are you trying to create your ACLs?
Last time I was in your shoes, I decided to simply create the ACLs in ZFS
(are you using ZFS?) and they worked like a charm.
A simple Google search on ZFS ACL will take you to
http://blogs.sun.com/marks/entry/zfs_acls where the ZFS ACL model is
pretty neatly explained. Actually, he explains the NFSv4 ACL model but I never
noticed any differences and his examples work.
(Just remember to change the permissions on the file and, if it's a
directory, the inheritance.)

As for your restore issue, you had the user restore the file from his
Windows machine?
If that is the case, a file that is written by a user will be owned by that
user, Solaris doesn't know (or care) that it's the same restored file - as
he sees it, it isn't.

Not necessarily.  It depends on the inheritance specified in the
parent directory ACL.

ACLs to the rescue again, you can simply remove the delete privileges from
that directory (hint: also use inheritance so your ACLs spread to sub dirs and
new files) for that user.

Privileges are different from permissions.  On Windows, privileges
are typically granted to groups whereas access permissions/rights
are granted/denied on shares, files and directories.  Privileges
always override ACLs.  For example, members of the Administrators
group are granted Take Ownership privilege, which means members
of that group can take ownership of a file even if the ACL doesn't
grant take ownership permission.

I suspect the issue is File Delete Child (FDC) permission, which is
hidden (not displayed) on the Windows desktop but is automatically
granted if an ACE is set to Full Control.  You can see FDC (the 'D'
bit) using /bin/ls -V on Solaris.

Alan

Now, forgive me if you know a lot about Solaris, I have no way of knowing
that so, if I'm being too basic, forgive me but, since these ACLs are in ZFS
and not in Samba, you can simply try them by creating a new directory with
some files inside your ZFS pool instead of having a test share for your
users. You know the user name of your Samba clients so, simply by using su -
<user> you can test whatever you want without compromising production.
_______________________________________________
storage-discuss mailing list
storage-discuss@opensolaris.org
http://mail.opensolaris.org/mailman/listinfo/storage-discuss
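
The check Alan describes, as an added example that is not part of the original thread: it parses compact ACL lines of the form printed by /bin/ls -V and lists principals that are denied delete ('d') on the file while the parent directory allows them delete_child ('D'). The user name "ryan" and both ACLs are constructed sample input, not output from the poster's system.

```python
# Constructed sample ACLs in the compact form printed by /bin/ls -V.
# "ryan" is a hypothetical user; these lines are not from the poster's system.
DIR_ACL = """\
drwxr-xr-x+  2 root     root           3 Jan 11 10:00 share
            user:ryan:rwxpdDaARWcCos:fd-----:allow
               group@:r-x---a-R-c--s:-------:allow
            everyone@:r-x---a-R-c--s:-------:allow
"""
FILE_ACL = """\
-rw-r--r--+  1 ryan     staff         12 Jan 11 10:05 share/report.txt
            user:ryan:----d---------:-------:deny
            user:ryan:rwxp--aARWc--s:-------:allow
            everyone@:r-----a-R-c--s:-------:allow
"""


def parse_acl(text):
    """Return (who, perms, flags, type) for each ACE line in ls -V output."""
    aces = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        # An ACE ends in perms:flags:type; the ls header line does not.
        if len(parts) < 4 or parts[-1] not in ("allow", "deny"):
            continue
        who = ":".join(parts[:-3])  # "user:ryan", "group@", "everyone@", ...
        aces.append((who, parts[-3], parts[-2], parts[-1]))
    return aces


def principals(aces, letter, ace_type):
    """Principals having `letter` set in an ACE of the given type."""
    return {who for who, perms, _flags, t in aces
            if t == ace_type and letter in perms}


def conflicting_principals(dir_text, file_text):
    """Principals denied 'd' on the file but allowed 'D' on the directory."""
    allow_delete_child = principals(parse_acl(dir_text), "D", "allow")
    deny_delete = principals(parse_acl(file_text), "d", "deny")
    return sorted(allow_delete_child & deny_delete)


if __name__ == "__main__":
    for who in conflicting_principals(DIR_ACL, FILE_ACL):
        print(f"{who}: deny delete on file, allow delete_child on parent dir")
```
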
