[OpenIndiana-discuss] OI_151a4, ZFS, CIFS - Managing ACLs from Windows

Jim Klimov jimklimov at cos.ru
Tue May 22 17:05:22 UTC 2012


2012-05-22 20:22, Robbie Crash wrote:
> I was referring to the permission denied errors that shouldn't be
> happening. The Unable to delete aspect was just what prompted me to write
> the post.
>
> While I was using the ZFS ACLs I wasn't ever able to make changes via
> Windows, and had mixed problems accessing things that had been modified
> either by Windows, or directly on the OI server, unless I reset the
> permissions with /usr/bin/chmod after the fact. Talk on here and in the OI
> room on Freenode led me, and most of the other people I'm aware of, to shut
> off ZFS ACLs on all Windows shares. After that, managing the permissions
> via Windows was fine.

We, for one, use the ZFS ACLs for Windows shares (i.e. to allow
several archive admins to upload and manipulate files uploaded
or created by anyone, including root locally), but these ACLs
were carefully picked by trial and error, and there's a script
to set them recursively on all FS objects under the share.
However, I don't remember using this script for the past year
or two - the inheritable ACL parts worked okay. This is a rather
simplistic setup, perhaps - but it suited the environment...

Examples of metascripts that set the ACLs:

# cd /export/ftp/distribs && for F in *; do chmod -R \
    A=owner@:full_set:d:allow,owner@:full_set:f:allow,group@:rxaARWcs:d:allow,group@:raARWcs:f:allow,user:archadmin:rwxpdDaARWcCos:fd:allow,group:sysadmin:rwxpdDaARWcCos:fd:allow,group:staff:rxaARWcs:d:allow,group:staff:raARWcs:f:allow,everyone@:rxaARWcs:d:allow,everyone@:raARWcs:f:allow \
    "$F" & done

# chmod -R \
    A=owner@:rwpdDaARWcCos:f:allow,owner@:rwxpdDaARWcCos:d:allow,group@:rwpdDaARWcCos:f:allow,group@:rwxpdDaARWcCos:d:allow,everyone@:rwpdDaARWcCos:f:allow,everyone@:rwxpdDaARWcCos:d:allow \
    /export/ftp/incoming

The ZFS datasets for file archives had default aclmode=groupmask
and aclinherit=restricted.

Also, the customer's Windows network has an MS AD domain, and
the OpenSolaris CIFS server was added to that and some mapid
tricks were copypasted from Sun blogs and docs to good effect,
to map Windows usernames and groups to those locally defined
on the file server (i.e. "Domain Users" = "staff"). There was
a plan to merge the two namespaces via LDAP, but that was never
completed AFAIK ;)

HTH,
//Jim Klimov
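The compact ACE strings in the chmod examples above are hard to audit by eye, so here is a small decoder as an added example (not code from the original post or from OpenIndiana): it parses the `A=principal:perms[:inherit]:type,...` syntax that illumos chmod(1) accepts, expands the single-letter permissions and inheritance flags into the names `ls -V` documents, and lists which principals hold write_acl or write_owner under a given spec. The two spec strings embedded below are copied from the post; `full_set` and `modify_set` are the named sets from chmod(1).

```python
"""Decode compact NFSv4/ZFS ACE specs ("A=principal:perms[:inherit]:type,...")
as accepted by illumos/OpenIndiana chmod(1) into readable permission names.
Added example for reviewing ACL specs like the ones in the post above."""

# Compact permission letters, in the order ls -V prints them.
PERM_LETTERS = {
    "r": "read_data",       "w": "write_data",       "x": "execute",
    "p": "append_data",     "d": "delete",           "D": "delete_child",
    "a": "read_attributes", "A": "write_attributes", "R": "read_xattr",
    "W": "write_xattr",     "c": "read_acl",         "C": "write_acl",
    "o": "write_owner",     "s": "synchronize",
}

# Inheritance flags that may appear in the optional third field.
FLAG_LETTERS = {
    "f": "file_inherit", "d": "dir_inherit",
    "i": "inherit_only", "n": "no_propagate",
}

# Named permission sets chmod(1) accepts in place of the letter string.
PERM_SETS = {
    "full_set": set(PERM_LETTERS.values()),
    "modify_set": set(PERM_LETTERS.values()) - {"write_acl", "write_owner"},
}

# The two specs from the post above (real strings, used here as sample input).
DISTRIBS_ACL = ("A=owner@:full_set:d:allow,owner@:full_set:f:allow,"
                "group@:rxaARWcs:d:allow,group@:raARWcs:f:allow,"
                "user:archadmin:rwxpdDaARWcCos:fd:allow,"
                "group:sysadmin:rwxpdDaARWcCos:fd:allow,"
                "group:staff:rxaARWcs:d:allow,group:staff:raARWcs:f:allow,"
                "everyone@:rxaARWcs:d:allow,everyone@:raARWcs:f:allow")
INCOMING_ACL = ("A=owner@:rwpdDaARWcCos:f:allow,owner@:rwxpdDaARWcCos:d:allow,"
                "group@:rwpdDaARWcCos:f:allow,group@:rwxpdDaARWcCos:d:allow,"
                "everyone@:rwpdDaARWcCos:f:allow,everyone@:rwxpdDaARWcCos:d:allow")


def expand_perms(field):
    """Turn a letter string or named set into a set of permission names."""
    if field in PERM_SETS:
        return set(PERM_SETS[field])
    unknown = set(field) - set(PERM_LETTERS)
    if unknown:
        raise ValueError(f"unknown permission letters {sorted(unknown)} in {field!r}")
    return {PERM_LETTERS[c] for c in field}


def expand_flags(field):
    """Turn an inheritance-flag string (possibly empty) into a set of names."""
    unknown = set(field) - set(FLAG_LETTERS)
    if unknown:
        raise ValueError(f"unknown inheritance flags {sorted(unknown)} in {field!r}")
    return {FLAG_LETTERS[c] for c in field}


def parse_ace(entry):
    """Parse one ACE; user:NAME / group:NAME principals span two colon fields."""
    tokens = entry.split(":")
    if tokens[0] in ("user", "group"):
        principal, rest = tokens[0] + ":" + tokens[1], tokens[2:]
    else:
        principal, rest = tokens[0], tokens[1:]
    if len(rest) == 3:
        perms, flags, ace_type = rest
    elif len(rest) == 2:
        (perms, ace_type), flags = rest, ""   # no inheritance field
    else:
        raise ValueError(f"malformed ACE {entry!r}")
    if ace_type not in ("allow", "deny"):
        raise ValueError(f"bad ACE type {ace_type!r} in {entry!r}")
    return {"principal": principal, "perms": expand_perms(perms),
            "flags": expand_flags(flags), "type": ace_type}


def parse_spec(spec):
    """Parse a whole chmod A=... spec into a list of ACE dicts, in order."""
    if spec.startswith("A="):
        spec = spec[2:]
    return [parse_ace(e) for e in spec.split(",") if e]


def principals_with(spec, perm):
    """Principals granted `perm` by an allow ACE, deduplicated and sorted."""
    return sorted({a["principal"] for a in parse_spec(spec)
                   if a["type"] == "allow" and perm in a["perms"]})


def report(spec):
    """One readable line per ACE: principal, type, inheritance scope, perms."""
    lines = []
    for ace in parse_spec(spec):
        scope = ",".join(sorted(ace["flags"])) or "this object only"
        lines.append(f"{ace['principal']:<16} {ace['type']:<5} [{scope}] "
                     + " ".join(sorted(ace["perms"])))
    return lines


if __name__ == "__main__":
    for name, spec in (("distribs", DISTRIBS_ACL), ("incoming", INCOMING_ACL)):
        print(f"== {name}")
        print("\n".join(report(spec)))
        print("can change ACL:     ", principals_with(spec, "write_acl"))
        print("can take ownership: ", principals_with(spec, "write_owner"))
```

Running it against the two specs shows the difference between the shares at a glance: under the distribs spec only owner@, archadmin and sysadmin carry write_acl and write_owner, whereas the incoming spec grants both to everyone@, so any CIFS user with access to that share can rewrite its ACLs; the `f`/`d` flags show which entries propagate to new files versus new directories.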
