[OpenIndiana-discuss] Default SMB file permission
Guenther Alka
gea at napp-it.org
Fri Mar 31 00:38:47 UTC 2023
The main open question is whether you use SAMBA or the Solaris kernel-based SMB
server.
I would always prefer the second due to easier config and better handling
of Windows SMB permissions
and zero-config ZFS snaps = Windows previous versions.
Due to the lack of smb.conf, I assume you use the kernel-based SMB server:
- Settings are done via ZFS properties aclmode and aclinherit or sharectl
https://illumos.org/man/8/sharectl
or in napp-it
The kernel-based SMB server uses (only and always) Windows NTFS-like
permissions
with inheritance based on Windows SID as security reference. This is why
permissions, e.g.
in an AD environment, remain intact after a restore from backup without
any mappings.
https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-368594
In addition to Unix groups you have Windows-like local SMB groups.
ACLs are superior to classic Unix permissions like 750.
Never set classic permissions or gid as they delete inheritance
settings or reduce permissions, always use ACL. Permissions-wise, Solaris
is like Windows, not Unix.
To set ACL:
- set aclinherit to pass-through (Windows alike)
- prefer Windows. SMB connect as root and set ACL
- for the shared filesystem:
  allow at least read access for the shared folder only
- for folders below:
  set needed settings with inheritance to files and folders,
  e.g. modify for certain users/groups
A possible default is also:
- allow read for everyone@ (shared filesystem, this folder only)
- allow creation of files and folders for everyone
Default is then that a creator (=owner) has full permissions, others
lack permissions
Additionally you can set share ACLs. When you (re)create a share, they are
always everyone@=full.
Napp-it can store/recreate share permissions as private ZFS properties
on a re-share
https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-356373
Gea
more,
https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-356845
> I'm bashing my head a little.
>
> I have a newly built OI server and I've got a share out through ZFS smb
> share which is being accessed from a Linux client.
>
> Every file written comes in with 700 and I need to change that default
> to 740.
>
> I believed that was a setting in smb.conf rather than umask but I think
> I'm getting my linux and unix mixed up. But I can't find smb.conf
> anyway.
>
> Oddly the file does show -rwx------+ which potentially indicates an acl
> applying
>
> The guid bit for directory permission inheritance is working. It's just
> newly created files.
>
> I'm going to lie down because my head is hurting.
--
Guenther Ernst Alka
Dipl. Ing (FH)
Rektor-Klaus Str.71
73525 Schw. Gmünd
tel 07171 931393
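
The steps from the reply written as illumos command-line calls, for cases where the ACL is not set from a Windows client. This is an added example, not part of the original message; the dataset `tank/share`, the paths, the group `staff` and the `owner@` entry on the share root are assumptions, and the ZFS property value is spelled `passthrough`.

```shell
#!/bin/sh
# Added example, not from the original post. Dataset, paths and group name
# are constructed placeholders. Commands are only printed unless APPLY=1 is
# set, which is meant for the illumos host itself.

run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

# True when an `ls -l` line carries the trailing "+" that marks a
# non-trivial ACL, as in the "-rwx------+" from the question.
mode_has_acl() {
    mode=${1%% *}
    case $mode in
        *+) return 0 ;;
        *)  return 1 ;;
    esac
}

# Steps from the reply: aclinherit=passthrough, read on the shared folder
# only, modify with file/folder inheritance on a folder below it.
setup_share_acl() {
    dataset=$1; root=$2; subdir=$3; group=$4
    run zfs set aclinherit=passthrough "$dataset"
    # No inheritance flags: these ACEs apply to this folder only.
    # The owner@ entry is an assumption so the owner keeps control.
    run /usr/bin/chmod "A=owner@:full_set:allow,everyone@:read_set:allow" "$root"
    # Prepend an inheritable ACE; new files and folders below pick it up.
    run /usr/bin/chmod "A+group:${group}:modify_set:file_inherit/dir_inherit:allow" "$subdir"
    # Show the resulting ACLs in verbose form.
    run /usr/bin/ls -dV "$root" "$subdir"
}

# Dry run with the placeholder names.
setup_share_acl tank/share /tank/share /tank/share/projects staff
```
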