[OpenIndiana-discuss] OI_151a4, ZFS, CIFS - Managaging ACLs from Windows

ths.mailaddr at yahoo.com ths.mailaddr at yahoo.com
Wed May 30 10:00:40 UTC 2012


Hello Gordon,

thanks for your reply, but this isn't my problem. My users have the necessary rights. I have no
Everyone ACL, but can create/delete files and folders and modify every single right in all existing
ACLs. Since I have used inheritance, I even get a "new" ACL placed in front of all existing ACLs
if I try to deny a right that is inherited. If I create a new file/folder and check the owner from
Windows (properties->security->extended security->owner), it shows the "right" local OI user.

But - I cannot add a new ACL for a new user because the username didn't get resolved. Even the
user that Windows shows as owner cannot be found. Also, users you get listed in the extended user
selection dialog cannot be used. If you select one and try to confirm it, you get "Object not found".

The test environment is completely in workgroup mode. There is no AD involved nor an AD DC
available. How is the user selection supposed to work in this scenario?

Regards 

Thomas


________________________________
 From: Gordon Ross <gordon.w.ross at gmail.com>
To: Discussion list for OpenIndiana <openindiana-discuss at openindiana.org> 
Sent: Wednesday, May 30, 2012 5:34 AM
Subject: Re: [OpenIndiana-discuss] OI_151a4, ZFS, CIFS - Managaging ACLs from Windows
 
On Fri, May 25, 2012 at 6:18 AM,  <ths.mailaddr at yahoo.com> wrote:
> Hello Jim, hello Robbie,
>
> thanks for your replies. I was very busy with another project and found no time to
> respond earlier.
>
> From what I have seen in my tests, I'm quite happy with ZFS ACLs and how inheritance seems
> to work. As I wrote in my initial post, I'm coming from Netware, which had full-fledged ACLs
> for ages, and it looks like we could transform our Netware ACLs 1:1 to ZFS ACLs.
>
> From what I found on the net, I had the impression that the way of managing ZFS ACLs in a
> Windows environment is to use Windows tools, especially MMC and explorer->properties->security,
> but this is a nightmare.
>
> Regardless of which local OI user was used to connect to a share (after rebooting the Windows PC),
> Windows MMC didn't only work if the local logged-in Windows user was a member of the oi-administrators
> group.

The most common ACL editing problem I see is that the user thinks they
are connected with an account with administrative privileges, but
actually are not.  This can be due to either group membership
configuration or properties of the account in AD.  This was actually
the motivator for https://www.illumos.org/issues/1525 - the need for
an easy way to look at the credentials built internally by the SMB
service.

I suggest you look at the credential using the feature added with
1525, and verify whether the privileges word is zero (ordinary
account) and whether any administrative groups are listed among the
group memberships.  If not, then that explains why you are not allowed
to edit most ACLs.

Of course, an easy way around the access control problems is to do
this on the server side:
chmod -R A=everyone:full_set:fd:allow /your/shared/directory
(Be warned, that makes the whole thing "wide open" to the world!)
After that, you should be able to edit ACLs from Windows.

-- 
Gordon Ross <gwr at nexenta.com>
Nexenta Systems, Inc.  www.nexenta.com
Enterprise class storage for everyone
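The chmod above grants everyone@ the full_set rights with file and directory inheritance, and the thread also touches on why a deny entry placed behind an inherited allow does nothing. The following is an added example, not code from the thread or from illumos: a small Python parser for the compact ACL form that illumos `ls -V` prints (the letter-to-right mapping follows chmod(1)'s compact format), a check that flags "wide open" everyone@ entries, a rebuild of the matching `chmod A=` argument, and a first-match walk over the entries in order so the effect of entry position can be seen. The `ls -V` output embedded below is constructed, not captured from a real system, and the function names are my own.

```python
"""Parse compact-form ZFS/NFSv4 ACL entries (as printed by illumos `ls -V`),
flag wide-open everyone@ entries, rebuild the chmod(1) argument, and evaluate
a right in ACE order.  Added example; names and sample data are assumptions."""

# Compact permission letters in the order `ls -V` prints them (chmod(1), illumos).
PERM_LETTERS = "rwxpdDaARWcCos"
PERM_NAMES = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
# Inheritance / audit flags in `ls -V` order.
FLAG_LETTERS = "fdinSFI"
FLAG_NAMES = {
    "f": "file_inherit", "d": "dir_inherit", "i": "inherit_only",
    "n": "no_propagate", "S": "successful_access", "F": "failed_access",
    "I": "inherited",
}
# Rights that let the holder change content, or rewrite the ACL / ownership.
DANGEROUS = {"write_data", "append_data", "delete_child", "write_acl", "write_owner"}

# Constructed sample: a share after `chmod A=everyone:full_set:fd:allow`,
# plus a deny for one user that a Windows ACL editor appended at the end.
SAMPLE_LS_V = """\
drwxrwxrwx+  2 thomas   staff          3 May 30 10:00 shared
              everyone@:rwxpdDaARWcCos:fd-----:allow
                 owner@:rwxp--aARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
            user:gordon:rwxpdDaARWcCos:fd-----:deny
"""


def parse_entry(line):
    """Return a dict for one ACE line, or None if the line is not an ACE."""
    parts = line.strip().split(":")
    if len(parts) == 4:                       # owner@ / group@ / everyone@
        who, perms, flags, etype = parts
    elif len(parts) == 5 and parts[0] in ("user", "group"):
        who = parts[0] + ":" + parts[1]       # named user or group
        perms, flags, etype = parts[2:]
    else:
        return None
    if etype not in ("allow", "deny"):
        return None
    if len(perms) != len(PERM_LETTERS) or len(flags) != len(FLAG_LETTERS):
        return None
    # Each column holds either '-' or exactly the letter for that position.
    for i, ch in enumerate(perms):
        if ch not in ("-", PERM_LETTERS[i]):
            return None
    for i, ch in enumerate(flags):
        if ch not in ("-", FLAG_LETTERS[i]):
            return None
    return {
        "who": who,
        "perms": {PERM_NAMES[ch] for ch in perms if ch != "-"},
        "flags": {FLAG_NAMES[ch] for ch in flags if ch != "-"},
        "type": etype,
    }


def parse_ls_v(text):
    """ACEs from `ls -V` output, in the order ZFS evaluates them."""
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def wide_open(entries):
    """Entries that give everyone@ a content- or ACL-changing right."""
    return [e for e in entries
            if e["who"] == "everyone@" and e["type"] == "allow"
            and e["perms"] & DANGEROUS]


def to_chmod_arg(entry):
    """Rebuild the compact `chmod A...` argument for a parsed entry."""
    perms = "".join(ch for ch in PERM_LETTERS if PERM_NAMES[ch] in entry["perms"])
    flags = "".join(ch for ch in FLAG_LETTERS if FLAG_NAMES[ch] in entry["flags"])
    return ":".join([entry["who"], perms, flags, entry["type"]])


def decides(entries, principals, right):
    """First ACE in order that matches one of `principals` and names `right`
    wins; a right no ACE grants is denied.  `principals` is the set of ACE
    subjects the caller matches, e.g. {"user:gordon", "everyone@"}."""
    for e in entries:
        if e["who"] in principals and right in e["perms"]:
            return e["type"]
    return "deny"


if __name__ == "__main__":
    acl = parse_ls_v(SAMPLE_LS_V)
    for e in wide_open(acl):
        print("wide open:", to_chmod_arg(e))
    print("gordon write_data:", decides(acl, {"user:gordon", "everyone@"}, "write_data"))
```

Running it on the sample reports the everyone@ entry as wide open and shows that the trailing deny for `user:gordon` is ineffective, because the everyone@ allow is matched first; moving the deny to the front of the list (as the Windows editor does for inherited rights) flips the result to deny.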

_______________________________________________
OpenIndiana-discuss mailing list
OpenIndiana-discuss at openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
-------------- next part --------------
A non-text attachment was scrubbed...
Name: selectusers.jpg
Type: image/jpeg
Size: 44536 bytes
Desc: not available
URL: <http://openindiana.org/pipermail/openindiana-discuss/attachments/20120530/7f447f6d/attachment-0001.jpg>
