CJ Keist | 1 Oct 2010 21:57

Re: File permissions getting destroyed with M$ software on ZFS

  Well,
     I think I got it fixed, but not sure if it is the correct way.  
This is what my share ens looks like now:

[ens]
     comment = ENS Groups
     path = /XKA2/admin/ENS
     valid users = +admin
     force group = admin
     read only = No
     create mask = 0770
     force create mode = 0770
     security mask = 0770
     directory mask = 02770
     inherit permissions = Yes
     inherit acls = Yes
     nt acl support = No
     map archive = No
     map readonly = permissions
     store dos attributes = Yes
     vfs objects = zfsacl
     nfs4:acedup = merge
     nfs4:mode = special

I changed "nt acl support" to No.

On 10/1/10 8:15 AM, CJ Keist wrote:
>  All,
>     Running Samba 3.5.4 on Solaris 10 with ZFS file system.  I have 
> issues where we have shared group folders.  In these folders a userA 

RegioGis | 4 Oct 2010 12:06

Re: File permissions getting destroyed with M$ software on ZFS


Hi,

I see you use samba with zfs. But how on earth do you prevent the 'deny'
aces from being the first in the ACL, and thus denying all access to the
resource ?

I'm able to add permissions via the MS UI (I added an AD group
'regio-users').
When I then create a file or folder via Samba, I get this on the Solaris box:

root # ll -V db1.mdb
-rw-rw----+  1 ackerra  gis        98304 Oct  4 11:49 db1.mdb
    group:regio-users:--x-----------:------:deny
    group:regio-users:r-x---a-R----s:------:allow
               owner@:--x-----------:------:deny
               owner@:rw-p---A-W-Co-:------:allow
               group@:--x-----------:------:deny
               group@:rw-p----------:------:allow
            everyone@:rwxp---A-W-Co-:------:deny
            everyone@:------a-R-c--s:------:allow

Thus denying all access to 'regio-users' ....
How do you solve this ?    ( I defined the share exactly as you specified )

Rgrds,

--

-- 
View this message in context: http://samba.2283325.n4.nabble.com/File-permissions-getting-destroyed-with-M-software-on-ZFS-tp2915766p2954071.html
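
Added example (not part of the original post or of Samba): a small evaluator for a compact `ls -V` ACL listing, using the NFSv4 rule that ACEs are read top-down and the first applicable ACE decides each permission bit. The user "alice" and her group membership are hypothetical; root privileges, inheritance flags and any implicit owner rights the file system applies are not modelled.

```python
PERMS = "rwxpdDaARWcCos"  # compact permission letters, in `ls -V` order

# ACL lines copied from the `ls -V db1.mdb` listing in the message above.
ACL_TEXT = """\
group:regio-users:--x-----------:------:deny
group:regio-users:r-x---a-R----s:------:allow
owner@:--x-----------:------:deny
owner@:rw-p---A-W-Co-:------:allow
group@:--x-----------:------:deny
group@:rw-p----------:------:allow
everyone@:rwxp---A-W-Co-:------:deny
everyone@:------a-R-c--s:------:allow
"""

def parse_acl(text):
    """Return [(who, perm_letters, 'allow'|'deny'), ...] in ACL order."""
    aces = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 4:
            continue  # not an ACE line
        who = ":".join(fields[:-3])          # "owner@" or "group:regio-users"
        perms = {c for c in fields[-3] if c in PERMS}
        aces.append((who, perms, fields[-1]))
    return aces

def applies(who, user, groups, owner, owning_group):
    """Does this ACE's principal cover the requesting user?"""
    if who == "everyone@":
        return True
    if who == "owner@":
        return user == owner
    if who == "group@":
        return owning_group in groups
    kind, _, name = who.partition(":")
    return name == user if kind == "user" else name in groups

def effective_access(aces, user, groups, owner, owning_group):
    """Walk ACEs top-down; the first applicable ACE decides each bit."""
    granted, denied = set(), set()
    for who, perms, ace_type in aces:
        if applies(who, user, groups, owner, owning_group):
            undecided = perms - granted - denied
            (granted if ace_type == "allow" else denied).update(undecided)
    return granted  # bits no ACE decided stay denied

if __name__ == "__main__":
    aces = parse_acl(ACL_TEXT)
    # "alice" is a hypothetical member of regio-users only.
    print(sorted(effective_access(aces, "alice", {"regio-users"}, "ackerra", "gis")))
```

Under this model the leading deny ACE in the listing removes only the execute bit for members of regio-users; the later everyone@ deny then blocks the write-side bits.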

RegioGis | 4 Oct 2010 14:25

Re: File permissions getting destroyed with M$ software on ZFS


Please ignore previous message. I messed up some testing results ....
I'm trying to clear out things straight first.

-- 
View this message in context: http://samba.2283325.n4.nabble.com/File-permissions-getting-destroyed-with-M-software-on-ZFS-tp2915766p2954213.html
Sent from the Samba - General mailing list archive at Nabble.com.

Gaiseric Vandal | 4 Oct 2010 15:02

Re: File permissions getting destroyed with M$ software on ZFS

I had a lot of problems with this as well.    I found it hard to find 
much documentation on the zfs module in samba from either samba or sun.

(PS-  A big thumbs down to Sun and the OpenSolaris crowd for apparently 
abandoning samba.)

I am running Samba 3.0.x from Sun on two servers and samba 3.4.x 
compiled from source on the third.  I eventually opened a support case 
with Sun which did help (somewhat.)

Did you check the permissions of the parent directory?  There may be an 
inheritance issue.   Usually the following worked for me:

chmod -R A- thedirectory
chmod -R A=owner@:rwxpdDaARWcCos:allow thedirectory
chmod -R A+group@:rwxpdDaARWcCos:allow thedirectory

My share definition looks like the following (the nfs4 and zfsacl 
options were recommended by Sun tech support.)

         vfs objects = zfsacl
         inherit permissions = Yes
         inherit acls = Yes
         nfs4:acedup = merge
         nfs4:chown = yes
         nfs4:mode = special
         map readonly = no
         ea support = yes
         store dos attributes = yes
         create mask = 0770

RegioGis | 5 Oct 2010 14:07

Re: File permissions getting destroyed with M$ software on ZFS


Hi,

Thanks for your input. 
B.t.w., I use security = ADS
I tried hundreds of combinations of configurations and options, but it just
won't work.
It works rather OK if you limit it to the Unix permissions (plain user and
group permissions), but as soon as you try to put an ACE referring to an
AD group, it totally loses track.

example 1:

root# ls -l /pool2/gisdata
drwxrwx---+  4 ackerra  gis            4 Oct  5 10:58 d1
drwxrwx---   3 ackerra  gis            3 Oct  5 12:01 d2
drwxrwxr-x   2 regio-gis10 gis            2 Oct  5 11:55 d3

root # ls -lvd /pool2/gisdata/d1
drwxrwx---+  4 ackerra  gis            4 Oct  5 10:58 d1
     0:group:regio-users:list_directory/read_data/read_xattr/execute
         /read_attributes/read_acl:allow
     1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner/synchronize:file_inherit/dir_inherit:allow
     2:group@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/execute/synchronize:file_inherit/dir_inherit:allow
     3:group:regio-users:list_directory/read_data/read_xattr/execute
         /read_attributes/read_acl/synchronize:file_inherit/dir_inherit
         :allow