[OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

Jim Klimov jimklimov at cos.ru
Wed Jun 28 11:00:08 UTC 2017


On June 28, 2017 8:08:40 AM GMT+02:00, Jens Bauernfeind <bauernfeind at ipk-gatersleben.de> wrote:
>Yeah, AD with IDMU
>
>According to this page (very old, but still the truth), you can't live without ACLs.
>https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/
>
>You have to inherit the ACLs to newly created files.
>At first I switched to the passthrough acl properties:
>zfs set aclmode=passthrough tank
>zfs set aclinherit=passthrough tank
>Then you have to define an initial ACL for your datasets
>
>For this example I just assume you have the pool tank and one dataset test.
>- first set your sticky bit
>chmod g+s /tank/test
>- then set the ACLs
>chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test
>so nearly full permission for the owner and the group, and nothing for others; all ACLs are inherited to newly created files and directories [the "df"]
>8<---
>ls -Vd /tank/test
>drwxrws---+  5 root     IT        5 Jun 28 07:55 /tank/test
>                 owner@:rwxp-DaARWcCos:fd-----:allow
>                 group@:rwxp-DaARWcCos:fd-----:allow
>              everyone@:--------------:fd-----:allow
>8<---
>(This inheritance doesn't apply to new datasets you create via zfs, btw)
>
>But take care: whenever you do a chmod or chgrp operation on /tank/test (or any other dataset), the owner, group and everyone ACEs get overwritten (according to http://docs.oracle.com/cd/E36784_01/html/E36835/gbaaz.html)
>8<---
>chgrp 0 /tank/test
>ls -Vd /tank/test
>drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
>                 owner@:rwxp-DaARWcCos:-------:allow
>                 group@:rwxp-Da-R-c--s:-------:allow
>              everyone@:------a-R-c--s:-------:allow
>See the missing "+" and "fd"?
>8<---
>(This doesn't apply to folders or files)
>
>I hope this helps and I'm not telling lies here.
>But that is my experience with that.
>
>Jens
>
>> -----Original Message-----
>> From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
>> Sent: Tuesday, 27 June 2017 15:21
>> To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
>> Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
>> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> 
>> Mine has ldap only for passwd and group.
>> 
>> So on your system it really works with just having the traditional unix permissions set. There are no ACLs in place?
>> 
>> Do you have an Active Directory domain with IDMU?
>> 
>> -----Original Message-----
>> From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
>> Sent: Tuesday, 27 June 2017 15:19
>> To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
>> Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
>> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> 
>> also r151022
>> 
>> What is your /etc/nsswitch.conf saying?
>> Mine has nearly everywhere "files ldap", except hosts and ipnodes.
>> 
>> > -----Original Message-----
>> > From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
>> > Sent: Tuesday, 27 June 2017 14:49
>> > To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
>> > Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
>> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> >
>> > What version of omnios are you using? I'm using R151022.
>> >
>> > -----Original Message-----
>> > From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
>> > Sent: Tuesday, 27 June 2017 14:47
>> > To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
>> > Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
>> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> >
>> > Hm,
>> >
>> > maybe I should share my ldap config.
>> > ldapclient -v manual \
>> > -a credentialLevel=proxy \
>> > -a authenticationMethod=simple \
>> > -a proxyDN="cn=XXX" \
>> > -a proxyPassword=SECRET \
>> > -a defaultSearchBase=dc=ipk=de \
>> > -a domainName=DOMAINNAME \
>> > -a defaultServerList=<IPs of DCs> \
>> > -a attributeMap=group:userpassword=userPassword \
>> > -a attributeMap=group:uniqueMember=member \
>> > -a attributeMap=group:gidnumber=gidNumber \
>> > -a attributeMap=passwd:gecos=cn \
>> > -a attributeMap=passwd:gidnumber=gidNumber \
>> > -a attributeMap=passwd:uidnumber=uidNumber \
>> > -a attributeMap=passwd:uid=sAMAccountName \
>> > -a attributeMap=passwd:homedirectory=unixHomeDirectory \
>> > -a attributeMap=passwd:loginshell=loginShell \
>> > -a attributeMap=shadow:shadowflag=shadowFlag \
>> > -a attributeMap=shadow:userpassword=userPassword \
>> > -a objectClassMap=group:posixGroup=group \
>> > -a objectClassMap=passwd:posixAccount=user \
>> > -a objectClassMap=shadow:shadowAccount=user \
>> > -a serviceSearchDescriptor="passwd:<OUs of users I want to lookup>" \
>> > -a serviceSearchDescriptor="group:<OUs of groups I want to lookup>" \
>> > -a followReferrals=true
>> >
>> > Maybe also a restart of the smb service?
>> >
>> > Jens
>> >
>> > > -----Original Message-----
>> > > From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
>> > > Sent: Tuesday, 27 June 2017 14:40
>> > > To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
>> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> > >
>> > > Hi,
>> > >
>> > > Now I get "can’t access domain info" in the smb log and users are prompted to enter a password when accessing the shares. :(
>> > >
>> > > From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
>> > > Sent: Tuesday, 27 June 2017 09:37
>> > > To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
>> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> > >
>> > > Hi,
>> > >
>> > > I fixed this problem after executing this:
>> > >
>> > > idmap add winname:"*@<DOMAINNAME>" unixuser:"*"
>> > > idmap add wingroup:"*@<DOMAINNAME>" unixgroup:"*"
>> > > svcadm restart idmap
>> > >
>> > > All newly created files now have the uid and gid from the IDMU.
>> > >
>> > > Jens
>> > >
>> > > From: OmniOS-discuss [mailto:omnios-discuss-bounces at lists.omniti.com] On Behalf Of Oliver Weinmann
>> > > Sent: Tuesday, 27 June 2017 08:25
>> > > To: omnios-discuss <omnios-discuss at lists.omniti.com>
>> > > Subject: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> > >
>> > > Hi,
>> > >
>> > > we are currently migrating all our data from a NetApp system to an OmniOS system.
>> > >
>> > > The OmniOS system is joined to AD and the LDAP client is configured to pull LDAP info from AD / IDMU. This works fine.
>> > >
>> > > However we can’t manage to have access on folders where we have Unix permissions from Windows (CIFS).
>> > >
>> > > e.g.
>> > >
>> > > the user utest2 is member of the group “Up BCSIM De_Dt Da Lg”:
>> > >
>> > > root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
>> > > 10000 Up BCSIM De_Dt Da Lg
>> > >
>> > > The folder Unix has the following permissions set:
>> > >
>> > > root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
>> > > total 47
>> > > d---------+  4 root     2147483653       4 Apr 25 05:37 .
>> > > d---------+  4 root     2147483659       4 Apr 25 05:35 ..
>> > > drwxrws---   9 bcsim    Up BCSIM De_Dt Da Lg      11 Mar  9 10:40 Unix
>> > > d---------+  6 root     2147483653       6 Apr 25 05:37 Windows
>> > >
>> > > so user bcsim and all members of group “Up BCSIM De_Dt Da Lg” can access the folder just fine via NFS.
>> > >
>> > > If the user utest2 tries to access this folder from Windows via CIFS he gets access denied.
>> > >
>> > > If I change the permissions so that other have r-x he can access the folder, but then I have no control over who can access the folder.
>> > >
>> > > On our NetApp system this was working fine. I assume it has to do with the IDMAP daemon using ephemeral mappings instead of pulling the uidnumber and gidnumber from AD?
>> > >
>> > > I don’t want to use extended ACLs on this folder.
>> > >
>> > > Any ideas?
>> > >
>> > > Oliver Weinmann
>> > > Senior Unix VMWare, Storage Engineer
>> > >
>> > > Telespazio VEGA Deutschland GmbH
>> > > Europaplatz 5 - 64293 Darmstadt - Germany
>> > > Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
>> > > oliver.weinmann at telespazio-vega.de
>> > > http://www.telespazio-vega.de
>> > >
>> > > Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt, HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller

Just one addition quickly comes to mind: when dealing with ACLs and similar advanced features, and if your setup includes GNU userland programs, be sure to use illumos /bin/chmod (perhaps explicitly).

Jim
--
Typos courtesy of K-9 Mail on my Redmi Android
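An added example, not from Jens, Jim or illumos: a POSIX shell check for the failure mode Jens describes above, where a chmod or chgrp on the dataset root rewrites the owner@/group@/everyone@ ACEs without their "fd" inheritance flags (and the "+" disappears from the mode column). The function name `check_acl_inherit` and the two sample listings are assumptions; it only parses `ls -Vd` output and changes nothing on the system.

```shell
# Reads `ls -Vd <dir>` output (illumos ls) on stdin, e.g.
#     ls -Vd /tank/test | check_acl_inherit
# Prints OK, or one line per problem found, and returns 1 if anything is wrong.
check_acl_inherit() {
    awk '
        # First line is the mode column: a trailing "+" marks a non-trivial ACL.
        NR == 1 && index($1, "+") == 0 {
            print "mode " $1 " has no \"+\": trivial ACL, inheritable ACEs are gone"
            bad = 1
        }
        # ACE lines look like  owner@:rwxp-DaARWcCos:fd-----:allow
        $1 ~ /^(owner|group|everyone)@:/ {
            split($1, f, ":")
            who = f[1]; perms = f[2]; inh = f[3]; kind = f[4]
            # allow entries on the dataset root must carry both f and d so that
            # new files and directories inherit them
            if (kind == "allow" && (inh !~ /f/ || inh !~ /d/)) {
                print who ": missing file/dir inheritance (flags \"" inh "\")"
                bad = 1
            }
            # everyone@ must not get data access bits (r/w/x/p), otherwise
            # "others" can read or change the share
            if (who == "everyone@" && kind == "allow" && perms ~ /[rwxp]/) {
                print "everyone@ grants access bits \"" perms "\" to others"
                bad = 1
            }
        }
        END { if (bad) exit 1; print "OK" }
    '
}

# Constructed sample listings, modelled on the two quoted in the thread.
GOOD_LISTING='drwxrws---+  5 root     IT        5 Jun 28 07:55 /tank/test
                 owner@:rwxp-DaARWcCos:fd-----:allow
                 group@:rwxp-DaARWcCos:fd-----:allow
              everyone@:--------------:fd-----:allow'

BROKEN_LISTING='drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:rwxp-Da-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow'

printf '%s\n' "$GOOD_LISTING" | check_acl_inherit
printf '%s\n' "$BROKEN_LISTING" | check_acl_inherit || echo "broken listing detected"
```

The broken listing is flagged four times (the missing "+" plus one line per ACE); running the check right after any chmod or chgrp on a dataset root catches the regression before Windows clients notice it.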

