Jens Elkner wrote:
> On Thu, Mar 13, 2008 at 11:33:57AM +0000, Darren J Moffat wrote:
>> Paul B. Henson wrote:
>>> I'm currently prototyping a Solaris file server that will dish out user
>>> home directories and group project directories via NFSv4 and Samba.
>> Why not the in kernel CIFS server ?
> 
> E.g., how would one mimic:
> 
> [office]
>     comment = office
>     path = /export/vol1/office
>     valid users = @office
>     force group = office
>     create mode = 660
>     directory mode = 770
>       ...
> 
> We already lost this functionality with the introduction of the NFSv4
> ACL crap on ZFS and earned a lot of "hate you" feedback. Anyway, most
> users and staff switched/are switching over to Windows (we do not support
> Linux yet and Solaris is, wrt. desktop, at least 5 years behind the scene),
> so the last 5% of *x users need to live with it.
> However, if we would switch to Solaris CIFS (which AFAIK cannot
> accomplish what is required) we would have no friends anymore ...
> 
> Regards,
> jel.

You mean something like this.

# zpool create sandbox c0t3d0
# zfs set sharesmb=on sandbox

I then set this ACL on the directory:

# ls -dV /sandbox
drwxrwxrwx+  2 root     root           3 Mar 14 08:27 /sandbox
             group@:rw-pdDaARWcCos:f------:allow
             owner@:rw-pdDaARWcCos:f------:allow
             owner@:--------------:-------:deny
             owner@:rwxp---A-W-Co-:-------:allow
             group@:--------------:-------:deny
             group@:rwxp----------:-------:allow
          everyone@:-------A-W-Co-:-------:deny
          everyone@:rwxp--a-R-c--s:-------:allow


Then I created a file from a Windows client.

I have this idmap rule set up:

# idmap list
add     winuser:[EMAIL PROTECTED] unixuser:marks

# ls -V New*
-rw-rw----+  1 marks    2147483650       0 Mar 14 08:28 New Wordpad Document.doc
             group@:rw-pdDaARWcCos:------I:allow
             owner@:rw-pdDaARWcCos:------I:allow


# idmap dump
usid:S-1-5-21-940912991-1138591764-871648236-1138       ==      uid:2147483649
gsid:S-1-5-21-940912991-1138591764-871648236-513        ==      gid:2147483650
gsid:S-1-5-11   ==      gid:2147483651
gsid:S-1-5-2    ==      gid:2147483652
usid:S-1-5-21-940912991-1138591764-871648236-1119       ==      uid:76928
gsid:S-1-5-21-2169176303-1867137939-2363023632-3371165004-2147483658    ==      gid:10


This behavior is only possible from a Windows client.  When creating 
files from unix the POSIX rules apply and the requestor's mode must be 
honored, which results in the owner@, group@, and everyone@ entries 
always being set on the file's ACL.


   -Mark
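
The inheritance visible in the two listings above, as an added example that is not part of the original post: it parses the compact ACEs from the /sandbox listing, keeps only those flagged `f` (file_inherit), and derives the mode bits of the new file. The function names are hypothetical and the mode calculation is a simplified assumption, not the ZFS algorithm.

```python
# Added illustration: models only what the `ls -V` listings in the post show.
# Compact NFSv4 ACE format: who:permissions:inheritance_flags:type
DIR_ACL = """\
group@:rw-pdDaARWcCos:f------:allow
owner@:rw-pdDaARWcCos:f------:allow
owner@:--------------:-------:deny
owner@:rwxp---A-W-Co-:-------:allow
group@:--------------:-------:deny
group@:rwxp----------:-------:allow
everyone@:-------A-W-Co-:-------:deny
everyone@:rwxp--a-R-c--s:-------:allow
"""  # copied from the /sandbox listing in the post

def parse_acl(text):
    """Split each compact ACE into (who, perms, flags, type)."""
    aces = []
    for line in text.split():
        who, perms, flags, kind = line.rsplit(":", 3)
        if len(perms) != 14 or len(flags) != 7 or kind not in ("allow", "deny"):
            raise ValueError(f"malformed ACE: {line!r}")
        aces.append((who, perms, flags, kind))
    return aces

def inherit_for_file(dir_aces):
    """ACEs a new file receives: only those flagged 'f' (file_inherit).
    Propagation flags are cleared and 'I' (inherited) is set."""
    return [(who, perms, "------I", kind)
            for who, perms, flags, kind in dir_aces if flags[0] == "f"]

def mode_from_acl(aces):
    """Simplified (assumption): a class gets r/w/x only if an allow ACE for
    that class grants it and no earlier deny ACE for that class removed it."""
    mode = 0
    for shift, who in ((6, "owner@"), (3, "group@"), (0, "everyone@")):
        denied = granted = 0
        for w, perms, _flags, kind in aces:
            if w != who:
                continue
            bits = sum(b for ch, b in zip(perms[:3], (4, 2, 1)) if ch != "-")
            if kind == "deny":
                denied |= bits
            else:
                granted |= bits & ~denied
        mode |= granted << shift
    return mode

def format_acl(aces):
    return [":".join(ace) for ace in aces]

file_acl = inherit_for_file(parse_acl(DIR_ACL))
```

The result reproduces the two inherited ACEs and the `-rw-rw----` mode of the file created from the Windows client, which is the effect the smb.conf `create mode = 660` line asked for.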
