[OpenIndiana-discuss] OI_151a4, ZFS, CIFS - Managing ACLs from Windows

ths.mailaddr at yahoo.com ths.mailaddr at yahoo.com
Thu May 31 07:54:27 UTC 2012


Hello Gordon,

thanks! That seems to be the missing bit.

Is there any kind of documentation available on this topic?

Everything I have read always mentioned not to use idmap at all and to delete all mappings.
Therefore I did the last complete reinstall to have a virgin idmap. Now idmap shows
no mapping for the designated user. In fact it shows only half a dozen ephemeral SIDs
but none of the local oi-users.

Instead I looked up the designated user via 'smbadm lookup <user>' and got the SID
S-1-5-21-.......-1101, which 'idmap show sid:S-1-5-21-.......-1101' resolved to the correct
numerical POSIX uid 101, but not vice versa. I assume that is the reason Windows cannot
resolve the user even if I use S-1-5-21-.......-1101 to identify the user as you suggested.

What, if anything, should I add to the idmap? After reading the man page, I tried to add a
winuser/unixuser mapping, which didn't help. Numerical mappings based on uid and sid
didn't work ("uid:101 is not a valid name").


We are coming closer - but...

Regards
Thomas


________________________________
 From: Gordon Ross <gordon.w.ross at gmail.com>
To: Discussion list for OpenIndiana <openindiana-discuss at openindiana.org> 
Sent: Wednesday, May 30, 2012 5:50 PM
Subject: Re: [OpenIndiana-discuss] OI_151a4, ZFS, CIFS - Managing ACLs from Windows
 
On Wed, May 30, 2012 at 6:00 AM,  <ths.mailaddr at yahoo.com> wrote:
> Hello Gordon,
>
> thanks for your reply, but this isn't my problem. My users have the necessary rights. I have no
> Everyone ACL, but can create/delete files and folders and modify every single right in all existing
> ACLs. Since I have used inheritance, I even get a "new" ACL placed in front of all existing ACLs
> if I try to deny a right that is inherited. If I create a new file/folder and check the owner from
> Windows (properties->security->extended security->owner), it shows the "right" local oi-user.
>
> But - I cannot add a new ACL for a new user because the username didn't get resolved. Even the
> user that Windows shows as owner cannot be found. Also, users you get listed in the extended user
> selection dialog cannot be used. If you select one and try to confirm it, you get "Object not found"

Oh, that.  Yeah, the representation of users in workgroup mode is currently...
unfortunate.  You have to figure out the machine SID for that user using:
  idmap show uid:U

where U is the numeric user ID.
Then use that SID in the ACL editor.

Or on the server, use chmod A+... and that UID.

This is an area that could use improvement.
We plan to work on this, but it will be a while.

-- 
Gordon Ross <gwr at nexenta.com>
Nexenta Systems, Inc.  www.nexenta.com
Enterprise class storage for everyone
