[OpenIndiana-discuss] OI_151a4, ZFS, CIFS - Managing ACLs from Windows

Gordon Ross gordon.w.ross at gmail.com
Wed May 30 03:34:32 UTC 2012


On Fri, May 25, 2012 at 6:18 AM,  <ths.mailaddr at yahoo.com> wrote:
> Hello Jim, hello Robbie,
>
> thanks for your replies. I was very busy with another project and found no time to
> respond earlier.
>
> From what I have seen in my tests, I'm quite happy with ZFS ACLs and how inheritance seems
> to work. As I wrote in my initial post, I'm coming from Netware which had full-fledged ACLs
> for ages and it looks like we could transform our Netware ACLs 1:1 to ZFS ACLs.
>
> From what I found on the net, I had the impression that the way of managing ZFS ACLs in a
> Windows environment is to use Windows tools, especially MMC and explorer->properties->security
> but this is a nightmare.
>
> Regardless of which local oi-user was used to connect to a share (after rebooting the Windows PC),
> Windows MMC didn't only work if the local logged-in win-user was member of the oi-administrators
> group.

The most common ACL editing problem I see is that the user thinks they
are connected with an account with administrative privileges, but
actually are not.  This can be due to either group membership
configuration or properties of the account in AD.  This was actually
the motivator for https://www.illumos.org/issues/1525 - the need for
an easy way to look at the credentials built internally by the SMB
service.

I suggest you look at the credential using the feature added with
1525, and verify whether the privileges word is zero (ordinary
account) and whether any administrative groups are listed among the
group memberships.  If not, then that explains why you are not allowed
to edit most ACLs.

Of course, an easy way around the access control problems is to do
this on the server side:
chmod -R A=everyone@:full_set:fd:allow /your/shared/directory
(Be warned, that makes the whole thing "wide open" to the world!)
After that, you should be able to edit ACLs from Windows.

-- 
Gordon Ross <gwr at nexenta.com>
Nexenta Systems, Inc.  www.nexenta.com
Enterprise class storage for everyone
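
An added example, not part of the original message: a follow-up audit for the "wide open" state the chmod above creates, listing every `everyone@` allow entry that grants `write_acl` or `write_owner`. It assumes the compact ACL listing printed by `ls -Vd` on illumos/Solaris; the sample listing, paths and the function name `find_open_aces` are constructed for illustration.

```python
import re

# Compact `ls -V` ACE line: indented who:permissions:inheritance-flags:type
ACE_RE = re.compile(
    r"^\s+(?P<who>\S+?):(?P<perms>[-rwxpdDaARWcCos]{14})"
    r":(?P<flags>[-fdinSFI]{6,7}):(?P<type>allow|deny)\s*$"
)
# Permission letters that let the holder rewrite the ACL or take ownership.
ACL_CONTROL = {"C": "write_acl", "o": "write_owner"}

# Constructed sample of `ls -Vd <paths>` output (paths and owners are made up).
SAMPLE_LS_V = """\
drwxrwxrwx+  3 root     root           4 May 30 03:34 /tank/share
            everyone@:rwxpdDaARWcCos:fd-----:allow
drwxr-xr-x+  2 alice    staff          2 May 30 03:35 /tank/private
               owner@:rwxpdDaARWcCos:fd-----:allow
          group:staff:r-x---a-R-c--s:fd-----:allow
            everyone@:r-x---a-R-c--s:-------:allow
-rw-rw-rw-+  1 bob      staff        120 May 30 03:36 /tank/share/old notes.txt
            everyone@:rw-p--aARWcC-s:------I:allow
"""


def find_open_aces(ls_v_text):
    """Return (path, rights, inherits) for every everyone@ allow ACE that
    grants write_acl or write_owner."""
    findings, path = [], None
    for line in ls_v_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # Entry header: mode, links, owner, group, size, 3 date fields, name
            fields = line.split(None, 8)
            path = fields[8] if len(fields) == 9 else None
            continue
        m = ACE_RE.match(line)
        if not m or path is None:
            continue
        if m["who"] != "everyone@" or m["type"] != "allow":
            continue
        rights = [name for letter, name in ACL_CONTROL.items() if letter in m["perms"]]
        if rights:
            # f/d flags mean the entry is copied onto new files/directories
            inherits = bool(set("fd") & set(m["flags"]))
            findings.append((path, rights, inherits))
    return findings


if __name__ == "__main__":
    for path, rights, inherits in find_open_aces(SAMPLE_LS_V):
        print(f"{path}: everyone@ may {'+'.join(rights)} (inheritable={inherits})")
```

Entries reported with `inherits` true keep reappearing on newly created files and directories until the parent ACL is tightened.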


