[OpenIndiana-discuss] Default SMB file permission
Michelle
michelle at msknight.com
Fri Mar 31 04:29:59 UTC 2023
Thanks very much for taking the time to go into all this detail.
I'll grab a cuppa and give it a thorough read.
Michelle.
On Fri, 2023-03-31 at 02:38 +0200, Guenther Alka wrote:
> Main open question is if you use SAMBA or the Solaris kernel-based SMB server.
> I would always prefer the second due to easier config and better handling of Windows SMB permissions
> and zero config ZFS snaps = Windows previous versions.
>
> Due to the lack of smb.conf, I assume you use the kernel-based SMB server:
> - Settings are done via ZFS properties aclmode and aclinherit or sharectl
> https://illumos.org/man/8/sharectl
>
> or in napp-it
>
>
> The kernel-based SMB server uses (only and always) Windows NTFS-like permissions
> with inheritance based on Windows SID as security reference. This is why permissions, e.g.
> in an AD environment, remain intact after a restore from backup without any mappings.
> https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-368594
>
> In addition to Unix groups you have Windows-like local SMB groups.
>
> ACLs are superior to classic Unix permissions like 750.
> Never set classic permissions or gid as they delete inheritance settings or reduce permissions, always use ACL.
> Permissions-wise, Solaris is like Windows, not Unix.
>
> To set ACL
> - set aclinherit to pass-through (Windows alike)
> - prefer Windows. SMB connect as root and set ACL
>
> - for the shared filesystem:
> allow at least read access for the shared folder only
>
> - for folders below:
> set needed settings with inheritance to files and folders,
> e.g. modify for certain users/groups
>
> A possible default is also:
> - allow read for everyone@ (shared filesystem, this folder only)
> - allow creation of files and folders for everyone
> Default is then that a creator (=owner) has full permissions, others lack permissions
>
> Additionally you can set share ACL. When you (re)create a share, they are always everyone@=full
> Napp-it can store/recreate share permissions as private ZFS properties on a re-share
> https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-356373
>
> Gea
>
>
>
> more,
> https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-356845
> > I'm bashing my head a little.
> >
> > I have a newly built OI server and I've got a share out through ZFS smb share which is being accessed from a Linux client.
> >
> > Every file written comes in with 700 and I need to change that default to 740.
> >
> > I believed that was a setting in smb.conf rather than umask but I think I'm getting my linux and unix mixed up. But I can't find smb.conf anyway.
> >
> > Oddly the file does show -rwx------+ which potentially indicates an acl applying
> >
> > The guid bit for directory permission inheritance is working. It's just newly created files.
> >
> > I'm going to lie down because my head is hurting.
>
>
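
The steps Gea lists above (aclinherit, a read-only share root, inherited modify rights on folders below it), as an added example that is not part of the thread. It sets the ACL locally with illumos `chmod` rather than from Windows as the post prefers, and it assumes a dataset `tank/data` mounted at `/tank/data`, a folder `projects` and a group `staff`, all placeholders.

```shell
#!/bin/sh
# Added example, dry run by default: every command is printed, not executed.
# On the illumos host, run with RUN= (empty) to apply the commands.
RUN=${RUN-echo}

FS=${FS-tank/data}      # placeholder dataset, assumed mounted at /$FS
GROUP=${GROUP-staff}    # placeholder group name

# Read-and-traverse rights, spelled out in illumos chmod(1) ACL syntax.
READ="read_data/read_xattr/read_attributes/read_acl/execute"

# Step 1: new files and folders take the parent's inheritable ACEs unchanged.
set_inherit() {
    $RUN zfs set aclinherit=passthrough "$1"
}

# Step 2: share root. everyone@ may read this folder only, so the ACE
# carries no inheritance flags and nothing propagates downwards.
acl_share_root() {
    $RUN /usr/bin/chmod "A=owner@:full_set:allow,everyone@:${READ}:allow" "$1"
}

# Step 3: folder below. Owner and group ACEs are inherited by both
# files and folders created underneath.
acl_subfolder() {
    inh="file_inherit/dir_inherit"
    $RUN /usr/bin/chmod \
        "A=owner@:full_set:${inh}:allow,group:$2:modify_set:${inh}:allow" "$1"
}

# Step 4: print the resulting ACL of the folder itself.
show_acl() {
    $RUN /usr/bin/ls -dV "$1"
}

apply_all() {
    set_inherit "$FS"
    acl_share_root "/$FS"
    acl_subfolder "/$FS/projects" "$GROUP"
    show_acl "/$FS/projects"
}

apply_all
```

`A=` replaces the whole ACL, so review the printed commands against the existing `ls -dV` output before applying them.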