[OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

Oliver Weinmann oliver.weinmann at telespazio-vega.de
Wed Jun 28 12:18:53 UTC 2017


Hi,

Thanks for pointing this out. Basically I would do the chmod as root on a Linux system where the NFS share is mounted.

Now that I have this working on my test system I have lots of problems on my production system. I can join it to AD but I get lots of errors like this:

gedaspw02.a.space.corp: additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Client not found in Kerberos database)

smbd.info: logon[A\someuser]: CANT_ACCESS_DOMAIN_INFO
smbd.info: logon[A\someuser]: LOGON_FAILURE

I checked all possible settings and compared them to my test system but can't find any difference. The only difference is that the production system was upgraded twice from 1510xx to 1510xx to 151022.

I even deleted the computer object in AD and rejoined the domain but still the same errors occur.



Oliver Weinmann
Senior Unix VMWare, Storage Engineer
Telespazio VEGA Deutschland GmbH
 Europaplatz 5 - 64293 Darmstadt - Germany
Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
oliver.weinmann at telespazio-vega.de
http://www.telespazio-vega.de
Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt, HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller

-----Original Message-----
From: Jim Klimov [mailto:jimklimov at cos.ru]
Sent: Mittwoch, 28. Juni 2017 13:00
To: omnios-discuss at lists.omniti.com; Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>; Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
Subject: Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

On June 28, 2017 8:08:40 AM GMT+02:00, Jens Bauernfeind <bauernfeind at ipk-gatersleben.de> wrote:
>Yeah, AD with IDMU
>
>According to this page (very old, but still the truth), you can't live
>without ACLs.
>https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/
>
>You have to inherit the ACLs to newly created files.
>At first I switched to the passthrough acl properties:
>zfs set aclmode=passthrough tank
>zfs set aclinherit=passthrough tank
>Then you have to define an initial ACL for your datasets
>
>For this example I just assume you have the pool tank and one dataset
>test
>- first set your sticky bit
>chmod g+s /tank/test
>- then set the ACLs
>chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test
>so nearly full permission for the owner and the group, and nothing for
>others; all ACLs are inherited by newly created files and directories
>[the "df"]
>8<---
>ls -Vd /tank/test
>drwxrws---+  5 root     IT        5 Jun 28 07:55 /tank/test
>                 owner@:rwxp-DaARWcCos:fd-----:allow
>                 group@:rwxp-DaARWcCos:fd-----:allow
>              everyone@:--------------:fd-----:allow
>8<---
>(This inheritance doesn't apply to new datasets you create via zfs, btw)
>
>But take care: whenever you do a chmod or a chgrp on
>/tank/test (or any other dataset), the owner, group and everyone ACEs
>get overwritten (according to
>http://docs.oracle.com/cd/E36784_01/html/E36835/gbaaz.html)
>8<---
>chgrp 0 /tank/test
>ls -Vd /tank/test
>drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
>                 owner@:rwxp-DaARWcCos:-------:allow
>                 group@:rwxp-Da-R-c--s:-------:allow
>              everyone@:------a-R-c--s:-------:allow
>See the missing "+" and "fd"?
>8<---
>(This doesn't apply to folders or files)
>
>I hope this helps and I'm not telling lies here.
>But that is my experience with that.
>
>Jens
>
>> -----Original Message-----
>> From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
>> Sent: Dienstag, 27. Juni 2017 15:21
>> To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
>> Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
>> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>>
>> Mine has ldap only for passwd and group.
>>
>> So on your system it really works with just having the traditional
>unix
>> permissions set. There are no ACLs in place?
>>
>> Do you have an Active Directory domain with IDMU?
>>
>> -----Original Message-----
>> From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
>> Sent: Dienstag, 27. Juni 2017 15:19
>> To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
>> Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
>> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>>
>> also r151022
>>
>> What is your /etc/nsswitch.conf saying?
>> Mine has nearly everywhere "files ldap", except hosts and ipnodes.
>>
>> > -----Original Message-----
>> > From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
>> > Sent: Dienstag, 27. Juni 2017 14:49
>> > To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
>> > Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
>> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> >
>> > What version of omnios are you using? I'm using R151022.
>> >
>> > -----Original Message-----
>> > From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
>> > Sent: Dienstag, 27. Juni 2017 14:47
>> > To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
>> > Cc: omnios-discuss <omnios-discuss at lists.omniti.com>
>> > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> >
>> > Hm,
>> >
>> > maybe I should share my ldap config.
>> > ldapclient -v manual \
>> >   -a credentialLevel=proxy \
>> >   -a authenticationMethod=simple \
>> >   -a proxyDN="cn=XXX" \
>> >   -a proxyPassword=SECRET \
>> >   -a defaultSearchBase=dc=ipk=de \
>> >   -a domainName=DOMAINNAME \
>> >   -a defaultServerList=<IPs of DCs> \
>> >   -a attributeMap=group:userpassword=userPassword \
>> >   -a attributeMap=group:uniqueMember=member \
>> >   -a attributeMap=group:gidnumber=gidNumber \
>> >   -a attributeMap=passwd:gecos=cn \
>> >   -a attributeMap=passwd:gidnumber=gidNumber \
>> >   -a attributeMap=passwd:uidnumber=uidNumber \
>> >   -a attributeMap=passwd:uid=sAMAccountName \
>> >   -a attributeMap=passwd:homedirectory=unixHomeDirectory \
>> >   -a attributeMap=passwd:loginshell=loginShell \
>> >   -a attributeMap=shadow:shadowflag=shadowFlag \
>> >   -a attributeMap=shadow:userpassword=userPassword \
>> >   -a objectClassMap=group:posixGroup=group \
>> >   -a objectClassMap=passwd:posixAccount=user \
>> >   -a objectClassMap=shadow:shadowAccount=user \
>> >   -a serviceSearchDescriptor="passwd:<OUs of users I want to lookup>" \
>> >   -a serviceSearchDescriptor="group:<OUs of groups I want to lookup>" \
>> >   -a followReferrals=true
>> >
>> > Maybe also a restart of the smb service?
>> >
>> > Jens
>> >
>> > > -----Original Message-----
>> > > From: Oliver Weinmann [mailto:oliver.weinmann at telespazio-vega.de]
>> > > Sent: Dienstag, 27. Juni 2017 14:40
>> > > To: Jens Bauernfeind <bauernfeind at ipk-gatersleben.de>
>> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> > >
>> > > Hi,
>> > >
>> > >
>> > >
>> > > Now I get "can't access domain info" in the smb log and users are prompted to
>> > > enter a password when accessing the shares. :(
>> > >
>> > >
>> > >
>> > > From: Jens Bauernfeind [mailto:bauernfeind at ipk-gatersleben.de]
>> > > Sent: Dienstag, 27. Juni 2017 09:37
>> > > To: Oliver Weinmann <oliver.weinmann at telespazio-vega.de>
>> > > Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> > >
>> > >
>> > >
>> > > Hi,
>> > >
>> > >
>> > >
>> > > I fixed this problem after executing this:
>> > >
>> > > idmap add winname:"*@<DOMAINNAME>" unixuser:"*"
>> > > idmap add wingroup:"*@<DOMAINNAME>" unixgroup:"*"
>> > > svcadm restart idmap
>> > >
>> > > All newly created files now have the uid and gid from IDMU
>> > >
>> > >
>> > >
>> > > Jens
>> > >
>> > >
>> > >
>> > > From: OmniOS-discuss [mailto:omnios-discuss-bounces at lists.omniti.com] On Behalf Of Oliver Weinmann
>> > > Sent: Dienstag, 27. Juni 2017 08:25
>> > > To: omnios-discuss <omnios-discuss at lists.omniti.com>
>> > > Subject: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions
>> > >
>> > >
>> > >
>> > > Hi,
>> > >
>> > >
>> > >
>> > > we are currently migrating all our data from a NetApp system to an OmniOS
>> > > system.
>> > >
>> > >
>> > >
>> > > The OmniOS system is joined to AD and the LDAP client is configured to pull LDAP
>> > > info from AD / IDMU. This works fine.
>> > >
>> > >
>> > >
>> > > However, we can't manage to get access from Windows (CIFS) to folders where we
>> > > have Unix permissions.
>> > >
>> > >
>> > >
>> > > e.g.
>> > >
>> > >
>> > >
>> > > the user utest2 is a member of the group "Up BCSIM De_Dt Da Lg":
>> > >
>> > >
>> > >
>> > > root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
>> > > 10000 Up BCSIM De_Dt Da Lg
>> > >
>> > >
>> > >
>> > > The folder Unix has the following permissions set:
>> > >
>> > >
>> > >
>> > > root at omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
>> > > total 47
>> > > d---------+  4 root     2147483653       4 Apr 25 05:37 .
>> > > d---------+  4 root     2147483659       4 Apr 25 05:35 ..
>> > > drwxrws---   9 bcsim    Up BCSIM De_Dt Da Lg      11 Mar  9 10:40 Unix
>> > > d---------+  6 root     2147483653       6 Apr 25 05:37 Windows
>> > >
>> > >
>> > >
>> > > so user bcsim and all members of group "Up BCSIM De_Dt Da Lg" can access
>> > > the folder just fine via NFS.
>> > >
>> > >
>> > >
>> > > If the user utest2 tries to access this folder from Windows via CIFS he gets
>> > > access denied.
>> > >
>> > >
>> > >
>> > > If I change the permissions so that other has r-x he can access the folder,
>> > > but then I have no control over who can access the folder.
>> > >
>> > >
>> > >
>> > > On our NetApp system this was working fine. I assume it has to do with the
>> > > IDMAP daemon using ephemeral mappings instead of pulling the uidnumber
>> > > and gidnumber from AD?
>> > >
>> > >
>> > >
>> > > I don’t want to use extended ACLs on this folder.
>> > >
>> > >
>> > >
>> > > Any ideas?
>> > >
>> > >
>> > >
>> > >
>> > >
>> > > Oliver Weinmann
>> > > Senior Unix VMWare, Storage Engineer
>> > > Telespazio VEGA Deutschland GmbH
>> > > Europaplatz 5 - 64293 Darmstadt - Germany
>> > > Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
>> > > oliver.weinmann at telespazio-vega.de
>> > > http://www.telespazio-vega.de
>> > > Registered office/Sitz: Darmstadt, Register court/Registergericht: Darmstadt,
>> > > HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller

Just one addition quickly comes to mind: when dealing with ACLs and similar advanced features, and if your setup includes GNU userland programs, be sure to use illumos /bin/chmod (perhaps explicitly).

Jim
--
Typos courtesy of K-9 Mail on my Redmi Android
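The point Jens makes in the quoted message (a share root set up with inherited owner@/group@/everyone@ ACEs, then silently stripped of its inheritance flags and '+' marker by a plain chgrp) is the kind of drift worth checking for before users report "access denied" over CIFS. The following is an added example written for this page, not code from the thread or from illumos: it parses the compact ACE format that illumos `ls -V` prints (who:rwxpdDaARWcCos:fdinSFI:allow|deny), reports allow ACEs on a share root that lack f/d inheritance or that hand data access to everyone@, and rebuilds the `/bin/chmod A=` command that re-applies the known-good ACL (using illumos `/bin/chmod`, as Jim notes, not GNU chmod). The two `ls -Vd /tank/test` listings are the ones quoted in the thread; the thresholds for what counts as a finding are this example's own choice.

```python
"""Audit an illumos/ZFS directory ACL from `ls -Vd` output.

Added example (not code from the OmniOS-discuss thread or from illumos).
Assumes the compact ACE format illumos prints: who:perms(14):inherit(7):allow|deny.
"""
from dataclasses import dataclass
from typing import List, Tuple

PERM_LETTERS = "rwxpdDaARWcCos"   # compact permission positions as ls -V prints them
INHERIT_LETTERS = "fdinSFI"       # compact inheritance positions (f=file, d=dir inherit)
DATA_BITS = "rwxpdDoC"            # bits that grant data access or owner/ACL control


@dataclass(frozen=True)
class Ace:
    who: str       # owner@, group@, everyone@, user:<name> or group:<name>
    perms: str     # 14-char positional field, '-' where unset
    inherit: str   # 7-char positional field, '-' where unset
    kind: str      # "allow" or "deny"


def parse_ls_v(text: str) -> Tuple[str, List[Ace]]:
    """Split `ls -Vd DIR` output into the mode string (e.g. drwxrws---+) and its ACEs."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    mode = lines[0].split()[0]
    aces = []
    for ln in lines[1:]:
        # rsplit keeps the colon inside "user:name" attached to the who field
        who, perms, inherit, kind = ln.rsplit(":", 3)
        if len(perms) != len(PERM_LETTERS) or len(inherit) != len(INHERIT_LETTERS) \
                or kind not in ("allow", "deny"):
            raise ValueError(f"unrecognised ACE line: {ln!r}")
        aces.append(Ace(who, perms, inherit, kind))
    return mode, aces


def audit_share_root(mode: str, aces: List[Ace]) -> List[str]:
    """Findings for a directory that is meant to hand its ACL down to new files and dirs."""
    findings = []
    if not mode.endswith("+"):
        findings.append("mode has no '+': ACL is a plain POSIX-mode mapping, nothing custom to inherit")
    for ace in aces:
        if ace.kind == "allow" and not ("f" in ace.inherit and "d" in ace.inherit):
            findings.append(f"{ace.who}: allow ACE without f/d inheritance; new entries will not get it")
        if ace.who == "everyone@" and ace.kind == "allow" and any(b in ace.perms for b in DATA_BITS):
            findings.append(f"everyone@ grants {ace.perms}: 'other' gets data access over CIFS and NFS")
    return findings


def restore_command(path: str, aces: List[Ace]) -> str:
    """Rebuild the chmod A= invocation (illumos /bin/chmod, not GNU chmod) for these ACEs.

    Dashes are dropped so the spec matches the form used in the thread
    (e.g. everyone@::fd:allow for an empty permission set).
    """
    spec = ",".join(
        f"{a.who}:{a.perms.replace('-', '')}:{a.inherit.replace('-', '')}:{a.kind}" for a in aces
    )
    return f"/bin/chmod A={spec} {path}"


# Quoted from the thread: the ACL right after `chmod A=... /tank/test` ...
GOOD = """\
drwxrws---+  5 root     IT        5 Jun 28 07:55 /tank/test
                 owner@:rwxp-DaARWcCos:fd-----:allow
                 group@:rwxp-DaARWcCos:fd-----:allow
              everyone@:--------------:fd-----:allow
"""

# ... and the same directory after `chgrp 0 /tank/test`: '+' and inheritance are gone.
CLOBBERED = """\
drwxrws---   5 root     root           5 Jun 28 07:55 /tank/test
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:rwxp-Da-R-c--s:-------:allow
              everyone@:------a-R-c--s:-------:allow
"""

if __name__ == "__main__":
    for label, sample in (("before chgrp", GOOD), ("after chgrp", CLOBBERED)):
        mode, aces = parse_ls_v(sample)
        print(f"{label}: {mode}")
        for finding in audit_share_root(mode, aces):
            print("  -", finding)
    # Re-apply the intended ACL from the known-good listing.
    print(restore_command("/tank/test", parse_ls_v(GOOD)[1]))
```

On a live system the input would come from `ls -Vd` over each share root (for example in a cron job), and the restore line is only useful if the known-good listing was captured before the drift, so keep that listing under version control next to the dataset's aclmode/aclinherit settings.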

