[OpenIndiana-discuss] OI_151a4, ZFS, CIFS - Managing ACLs from Windows

Gordon Ross gordon.w.ross at gmail.com
Thu May 31 14:18:46 UTC 2012


On Thu, May 31, 2012 at 3:54 AM,  <ths.mailaddr at yahoo.com> wrote:
> Hello Gordon,
>
> thanks! That seems to be the missing bit.
>
> Is there any kind of documentation available on this topic?

Well, the idmap man page describes how local UIDs are mapped to SIDs.
It's a fixed, bi-directional algorithm.

> Everything I have read always mentioned not to use idmap at all and delete all mappings.
> Therefore I did the last complete reinstall to have a virgin idmap. Now idmap shows
> no mapping for the designated user. In fact it shows only half a dozen ephemeral SIDs
> but none of the local oi-users.

These are fixed mappings, so not stored in the idmap DB,
and not shown by "idmap dump" etc.

> Instead I looked up the designated user via 'smbadm lookup <user>' and got the SID
> S-1-5-21-.......-1101 which 'idmap show sid:S-1-5-21-.......-1101' resolved to the correct
> numerical posix uid 101, but not vice versa. I assume that is the reason Windows cannot
> resolve the user even if I use S-1-5-21-.......-1101 to identify the user as you suggested.

I thought that on Windows you can enter a raw SID in the ACL editor,
but sorry, I don't remember how.

> What, if anything, should I add to the idmap? After reading the man page, I tried to add a
> winuser/unixuser mapping which didn't help. Numerical mappings based on uid and sid
> didn't work ("uid:101 is not a valid name").

You don't need to (and probably can't) add mappings for these SIDs
that are based on the local machine SID prefix.

In workgroup mode, ACL management involving users is easiest
to do on the server with chmod.

Alternatively (and this is a better practice) you can create some
local SMB groups, and use the group SIDs in your ACLs.
Unlike users, groups have ID mappings you can control.

-- 
Gordon Ross <gwr at nexenta.com>
Nexenta Systems, Inc.  www.nexenta.com
Enterprise class storage for everyone
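
The fixed mapping discussed in this message, sketched as an added example (not part of the original post and not illumos code). It follows the local SID rule documented in the idmap man page (user RID = 1000 + UID, group RID = 2^31 + GID) and ignores name-based rules; the machine SID prefix and the function names are constructed placeholders.

```python
import re

# Constructed placeholder: the real prefix is the part of the SID that
# 'smbadm lookup <user>' prints before the final RID.
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"

USER_BASE = 1000       # local user RID  = 1000 + UID
GROUP_BASE = 2 ** 31   # local group RID = 2^31 + GID
RID_MAX = 2 ** 32 - 1  # a RID is an unsigned 32-bit value

_SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")


def uid_to_sid(uid, machine_sid=MACHINE_SID):
    """Local SID for a non-ephemeral UID."""
    if not 0 <= uid < GROUP_BASE - USER_BASE:
        raise ValueError("UID outside the algorithmic range")
    return f"{machine_sid}-{USER_BASE + uid}"


def gid_to_sid(gid, machine_sid=MACHINE_SID):
    """Local SID for a non-ephemeral GID."""
    if not 0 <= gid <= RID_MAX - GROUP_BASE:
        raise ValueError("GID outside the algorithmic range")
    return f"{machine_sid}-{GROUP_BASE + gid}"


def sid_to_posix(sid, machine_sid=MACHINE_SID):
    """Return ("uid" | "gid", id), or None when the fixed rule does not apply."""
    if not _SID_RE.match(sid):
        raise ValueError("not a SID string")
    prefix, _, rid_text = sid.rpartition("-")
    rid = int(rid_text)
    if prefix != machine_sid or rid > RID_MAX:
        return None  # well-known, domain or other-machine SID
    if rid >= GROUP_BASE:
        return ("gid", rid - GROUP_BASE)
    if rid >= USER_BASE:
        return ("uid", rid - USER_BASE)
    return None  # RIDs below 1000 are not produced by this rule


if __name__ == "__main__":
    print(uid_to_sid(101))                   # RID 1101, as in the thread
    print(sid_to_posix(uid_to_sid(101)))     # ('uid', 101)
    print(sid_to_posix("S-1-5-32-544"))      # None: not a local machine SID
```

Because both directions are computed from the machine SID alone, nothing needs to be stored, which is why these users do not appear in "idmap dump".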


