[OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

Oliver Weinmann oliver.weinmann at telespazio-vega.de
Wed Jun 28 08:52:10 UTC 2017


Hi Jens,

Thanks a lot for your support. I really appreciate it. :)

I will test this on my fresh install of omnios 151022 and report back.

It's really a pity that it only works if I do touch the ZFS ACLs. :(

-----Original Message-----
From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de] 
Sent: Wednesday, 28 June 2017 08:09
To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
(owner:group:other) Unix permissions

Yeah, AD with IDMU

According to this page (very old, but still the truth), you can't live
without ACLs.
https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/

You have to inherit the ACLs to newly created files.
At first I switched to the passthrough acl properties:
zfs set aclmode=passthrough tank
zfs set aclinherit=passthrough tank
Then you have to define an initial ACL for your datasets

For this example I just assume you have the pool tank and one dataset test
- first set your sticky bit
chmod g+s /tank/test
- then set the ACLs
chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test
so nearly full permission for the owner and the group, and nothing for
others; all ACLs are inherited to newly created files and directories [the
"df"]
8<---
ls -Vd /tank/test
drwxrws---+  5 root     IT        5 Jun 28 07:55 /tank/test
                 owner@:rwxp-DaARWcCos:fd-----:allow
                 group@:rwxp-DaARWcCos:fd-----:allow
              everyone@:--------------:fd-----:allow
8<---
(This inheritance doesn't apply to new datasets you create via zfs, btw)

But be careful: whenever you do a chmod or a chgrp on /tank/test (or any
other dataset), the owner, group and everyone ACEs get overwritten
(according to http://docs.oracle.com/cd/E36784_01/html/E36835/gbaaz.html)
8<---
chgrp 0 /tank/test
ls -Vd /tank/test
drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:rwxp-Da-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
See the missing "+" and "fd"?
8<---
(This doesn't apply to folders or files)

I hope this helps and I'm not telling lies here.
But that is my experience with that.

Jens

> -----Original Message-----
> From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
> Sent: Tuesday, 27 June 2017 15:21
> To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
> Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
> 
> Mine has ldap only for passwd and group.
> 
> So on your system it really works with just having the traditional unix
> permissions set. There are no ACLs in place?
> 
> Do you have an Active Directory domain with IDMU?
> 
> -----Original Message-----
> From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
> Sent: Tuesday, 27 June 2017 15:19
> To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
> Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
> 
> also r151022
> 
> What is your /etc/nsswitch.conf saying?
> Mine has nearly everywhere "files ldap", except hosts and ipnodes.
> 
> > -----Original Message-----
> > From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
> > Sent: Tuesday, 27 June 2017 14:49
> > To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
> > Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> > (owner:group:other) Unix permissions
> >
> > What version of omnios are you using? I'm using R151022.
> >
> > -----Original Message-----
> > From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
> > Sent: Tuesday, 27 June 2017 14:47
> > To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
> > Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> > (owner:group:other) Unix permissions
> >
> > Hm,
> >
> > maybe I should share my ldap config.
> > ldapclient -v manual \
> > -a credentialLevel=proxy \
> > -a authenticationMethod=simple \
> > -a proxyDN="cn=XXX" \
> > -a proxyPassword=SECRET \
> > -a defaultSearchBase=dc=ipk=de \
> > -a domainName=DOMAINNAME \
> > -a defaultServerList=<IPs of DCs> \
> > -a attributeMap=group:userpassword=userPassword \
> > -a attributeMap=group:uniqueMember=member \
> > -a attributeMap=group:gidnumber=gidNumber \
> > -a attributeMap=passwd:gecos=cn \
> > -a attributeMap=passwd:gidnumber=gidNumber \
> > -a attributeMap=passwd:uidnumber=uidNumber \
> > -a attributeMap=passwd:uid=sAMAccountName \
> > -a attributeMap=passwd:homedirectory=unixHomeDirectory \
> > -a attributeMap=passwd:loginshell=loginShell \
> > -a attributeMap=shadow:shadowflag=shadowFlag \
> > -a attributeMap=shadow:userpassword=userPassword \
> > -a objectClassMap=group:posixGroup=group \
> > -a objectClassMap=passwd:posixAccount=user \
> > -a objectClassMap=shadow:shadowAccount=user \
> > -a serviceSearchDescriptor="passwd:<OUs of users I want to lookup>" \
> > -a serviceSearchDescriptor="group:<OUs of groups I want to lookup>" \
> > -a followReferrals=true
> >
> > Maybe also a restart of the smb service?
> >
> > Jens
> >
> > > -----Original Message-----
> > > From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
> > > Sent: Tuesday, 27 June 2017 14:40
> > > To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> > > (owner:group:other) Unix permissions
> > >
> > > Hi,
> > >
> > >
> > >
> > > Now I get "can't access domain info" in the smb log and users are prompted to
> > > enter a password when accessing the shares. :(
> > >
> > >
> > >
> > > From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
> > > Sent: Tuesday, 27 June 2017 09:37
> > > To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> > > (owner:group:other) Unix permissions
> > >
> > >
> > >
> > > Hi,
> > >
> > >
> > >
> > > I fixed this problem after executing this:
> > >
> > > idmap add winname:"*@<DOMAINNAME>" unixuser:"*"
> > >
> > > idmap add wingroup:"*@<DOMAINNAME>" unixgroup:"*"
> > >
> > > svcadm restart idmap
> > >
> > > All newly created files now have the uid and gid from the IDMU
> > >
> > >
> > >
> > > Jens
> > >
> > >
> > >
> > > From: OmniOS-discuss [mailto:omnios-discuss-bounces at lists.omniti.com]
> > > On Behalf Of Oliver Weinmann
> > > Sent: Tuesday, 27 June 2017 08:25
> > > To: omnios-discuss <omnios-discuss at lists.omniti.com>
> > > Subject: [OmniOS-discuss] CIFS access to a folder with traditional
> > > (owner:group:other) Unix permissions
> > >
> > >
> > >
> > > Hi,
> > >
> > >
> > >
> > > we are currently migrating all our data from a NetApp system to an OmniOS
> > > system.
> > >
> > >
> > >
> > > The OmniOS system is joined to AD and the LDAP client is configured to pull
> > > LDAP info from AD / IDMU. This works fine.
> > >
> > >
> > >
> > > However, we can't manage to access folders that have Unix permissions
> > > from Windows (CIFS).
> > >
> > >
> > >
> > > e.g.
> > >
> > >
> > >
> > > the user utest2 is a member of the group "Up BCSIM De_Dt Da Lg":
> > >
> > >
> > >
> > > root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
> > >
> > > 10000 Up BCSIM De_Dt Da Lg
> > >
> > >
> > >
> > > The folder Unix has the following permissions set:
> > >
> > >
> > >
> > > root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
> > >
> > > total 47
> > >
> > > d---------+  4 root     2147483653       4 Apr 25 05:37 .
> > >
> > > d---------+  4 root     2147483659       4 Apr 25 05:35 ..
> > >
> > > drwxrws---   9 bcsim    Up BCSIM De_Dt Da Lg      11 Mar  9 10:40 Unix
> > >
> > > d---------+  6 root     2147483653       6 Apr 25 05:37 Windows
> > >
> > >
> > >
> > > so user bcsim and all members of group "Up BCSIM De_Dt Da Lg" can access
> > > the folder just fine via NFS.
> > >
> > >
> > >
> > > If the user utest2 tries to access this folder from Windows via CIFS he gets
> > > access denied.
> > >
> > >
> > >
> > > If I change the permissions so that others have r-x he can access the folder,
> > > but then I have no control over who can access the folder.
> > >
> > >
> > >
> > > On our NetApp system this was working fine. I assume it has to do with the
> > > IDMAP daemon using ephemeral mappings instead of pulling the uidnumber
> > > and gidnumber from AD?
> > >
> > >
> > >
> > > I don’t want to use extended ACLs on this folder.
> > >
> > >
> > >
> > > Any ideas?
> > >
> > >
> > >
> > >
> > >
> > > Oliver Weinmann
> > > Senior Unix VMWare, Storage Engineer
> > >
> > > Telespazio VEGA Deutschland GmbH
> > > Europaplatz 5 - 64293 Darmstadt - Germany
> > > Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
> > > oliver.weinmann at telespazio-vega.de
> > > http://www.telespazio-vega.de
> > >
> > > Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt,
> > > HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller
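A small check for the ACL reset Jens describes in his reply above (a chmod or chgrp on the dataset rewriting the owner@/group@/everyone@ ACEs and dropping the f/d inheritance flags), added here as an example and not part of the original thread. It parses the two `ls -Vd` listings from Jens's message, embedded as sample input; the regex for the compact `ls -V` ACE format and the helper names are my own assumptions.

```python
import re
from dataclasses import dataclass

# Matches one compact ACE line as printed by illumos `ls -V`, e.g.
#   owner@:rwxp-DaARWcCos:fd-----:allow
# (14 permission positions, 7 inheritance positions). Assumed format.
ACE_RE = re.compile(
    r"^\s*(?P<who>[^:\s]+):(?P<perms>[-rwxpdDaARWcCos]{14})"
    r":(?P<inherit>[-fdinSFI]{7}):(?P<kind>allow|deny)\s*$")

# Sample input taken from Jens's message: the intended inherited ACL,
# and the same directory after `chgrp 0 /tank/test` rewrote the ACEs.
BEFORE = """drwxrws---+  5 root     IT        5 Jun 28 07:55 /tank/test
                 owner@:rwxp-DaARWcCos:fd-----:allow
                 group@:rwxp-DaARWcCos:fd-----:allow
              everyone@:--------------:fd-----:allow"""
AFTER_CHGRP = """drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:rwxp-Da-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow"""


@dataclass
class Ace:
    who: str
    perms: str
    inherit: str
    kind: str


def parse_ls_vd(output):
    """Return (mode string, list of Ace) from `ls -Vd <dir>` output."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    mode = lines[0].split()[0]            # e.g. "drwxrws---+"
    aces = [Ace(**m.groupdict()) for m in map(ACE_RE.match, lines[1:]) if m]
    return mode, aces


def check_share_acl(output):
    """Findings for a directory that should carry the thread's initial ACL:
    owner@/group@ inheritable (f and d), everyone@ granting no data access."""
    mode, aces = parse_ls_vd(output)
    findings = []
    if not mode.endswith("+"):
        findings.append('mode lacks "+": only a trivial ACL is present')
    for ace in aces:
        if ace.kind != "allow":
            continue
        if ace.who in ("owner@", "group@"):
            missing = "".join(f for f in "fd" if f not in ace.inherit)
            if missing:
                findings.append(f"{ace.who}: inheritance flag(s) {missing} "
                                "missing; new files/dirs will not inherit it")
        elif ace.who == "everyone@":
            data = "".join(sorted(set(ace.perms) & set("rwxpdD")))
            if data:
                findings.append(f"everyone@: grants {data} to every user")
    return findings
```

Run it against the listing of each shared dataset after any chmod/chgrp to confirm the inherited ACEs survived.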
