[OpenIndiana-discuss] Default SMB file permission

Michelle michelle at msknight.com
Fri Mar 31 04:29:59 UTC 2023


Thanks very much for taking the time to go into all this detail.

I'll grab a cuppa and give it a thorough read.

Michelle.

On Fri, 2023-03-31 at 02:38 +0200, Guenther Alka wrote:
> Main open question is if you use SAMBA or the Solaris kernel-based SMB
> server.
> I would always prefer the second due to easier config and better
> handling of Windows SMB permissions
> and zero config ZFS snaps = Windows previous versions.
> 
> Due to the lack of smb.conf, I assume you use the kernel-based SMB server:
> - Settings are done via ZFS properties aclmode and aclinherit or sharectl
> https://illumos.org/man/8/sharectl
> 
> or in napp-it
> 
> 
> The kernel-based SMB server uses (only and always) Windows NTFS-like
> permissions with inheritance based on Windows SID as security
> reference. This is why permissions, e.g. in an AD environment, remain
> intact after a restore from backup without any mappings.
> https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-368594
> 
> In addition to Unix groups you have Windows-like local SMB groups.
> 
> ACL are superior to classic Unix permissions like 750.
> Never set classic permissions or gid as they delete inheritance
> settings or reduce permissions, always use ACL. Permissions-wise,
> Solaris is like Windows, not Unix.
> 
> To set ACL
> - set aclinherit to pass-through (Windows alike)
> - prefer Windows. SMB connect as root and set ACL
> 
> - for the shared filesystem:
>   allow at least read access for the shared folder only
> 
> - for folders below:
>   set needed settings with inheritance to files and folders,
>   e.g. modify for certain users/groups
> 
> A possible default is also:
> - allow read for everyone@ (shared filesystem, this folder only)
> - allow creation of files and folders for everyone
> Default is then that a creator (=owner) has full permissions, others
> lack permissions
> 
> Additionally you can set share ACL. When you (re)create a share, they
> are always everyone@=full
> Napp-it can store/recreate share permissions as private ZFS
> properties on a re-share
> https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-356373
> 
> Gea
> 
> 
> 
> more, 
> https://forums.servethehome.com/index.php?threads/napp-it-zfs-server-on-omnios-solaris-news-tips-and-tricks.38240/#post-356845
> > I'm bashing my head a little.
> > 
> > I have a newly built OI server and I've got a share out through ZFS
> > smb share which is being accessed from a Linux client.
> > 
> > Every file written comes in with 700 and I need to change that
> > default to 740.
> > 
> > I believed that was a setting in smb.conf rather than umask but I
> > think I'm getting my linux and unix mixed up. But I can't find
> > smb.conf anyway.
> > 
> > Oddly the file does show -rwx------+ which potentially indicates an
> > acl applying
> > 
> > The guid bit for directory permission inheritance is working. It's
> > just newly created files.
> > 
> > I'm going to lie down because my head is hurting.
> > 
> > 
> 
> 
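
An added example, not part of the thread or of any poster's code: a Python script that parses illumos `ls -V` compact ACL output and checks the share-root layout suggested in the reply above (everyone@ read, this folder only). The listing, paths and function names are constructed for illustration, and deny entries are not evaluated.

```python
import re

# Constructed `ls -dV` style listing (paths, owners and ACEs are made up).
SAMPLE = """\
drwxr-xr-x+  4 root     root           4 Mar 31 04:00 /tank/share
                 owner@:rwxpdDaARWcCos:fd-----:allow
              everyone@:r-x---a-R-c--s:-------:allow
-rwx------+  1 michelle staff        120 Mar 31 04:10 /tank/share/docs/a.txt
                 owner@:rwxpdDaARWcCos:------I:allow
"""

# who : 14 compact permission letters : 6-7 inheritance flags : allow|deny
ACE = re.compile(r"^\s+(?P<who>\S+):(?P<perms>[A-Za-z-]{14}):"
                 r"(?P<flags>[A-Za-z-]{6,7}):(?P<type>allow|deny)$")


def parse_ls_v(text):
    """Return {path: [ACE dict, ...]} from `ls -V` output."""
    acls, current = {}, None
    for line in text.splitlines():
        m = ACE.match(line)
        if m and current is not None:
            acls[current].append(m.groupdict())
        elif line and not line[0].isspace():
            fields = line.split(None, 8)      # ninth field is the path
            if len(fields) == 9:              # skips lines such as "total 5"
                current = fields[8]
                acls[current] = []
    return acls


def readers(aces):
    """Principals with an allow entry granting read_data ('r'); deny ignored."""
    return [a["who"] for a in aces
            if a["type"] == "allow" and a["perms"][0] == "r"]


def audit_share_root(aces):
    """Check the suggested share-root rule: everyone@ read, this folder only."""
    everyone = [a for a in aces
                if a["who"] == "everyone@" and a["type"] == "allow"]
    if not any(a["perms"][0] == "r" for a in everyone):
        return ["everyone@ has no read access on the share root"]
    # flags[0] 'f' = file_inherit, flags[1] 'd' = dir_inherit
    if any(a["flags"][0] == "f" or a["flags"][1] == "d" for a in everyone):
        return ["everyone@ ACE on the share root is inherited by children"]
    return []


if __name__ == "__main__":
    for path, aces in parse_ls_v(SAMPLE).items():
        print(path, "readers:", readers(aces), audit_share_root(aces))
```

In the constructed listing the file carries only an inherited owner@ entry, so `readers` returns just `owner@` for it, while the share root passes the check.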



