OpenSolaris cifs/smb server – configuring ACL’s on shares

OK, from this point I’m assuming you have created your ZFS shares via the zfs command and renamed them appropriately, like so (if you haven’t set up CIFS yet, then read this):

zfs set sharesmb=on protected/backup

zfs set sharesmb=name=backup protected/backup

Now to check your current shares type…

sharemgr show

zfs

zfs/protected/backup
backup=/protected/backup

zfs/protected/photos
photos=/protected/photos

Now it’s time to look at NFSv4 ACLs. This page has a great explanation of ACLs and how to set things up: http://cuddletech.com/blog/pivot/entry.php?id=939

The ZFS manual here has the compact access and inheritance codes for chmod : http://opensolaris.org/os/community/zfs/docs/zfsadmin.pdf

Here are the current compact codes for access control:

add_file w , add_subdirectory p , delete d , delete_child D , execute x , list_directory r , read_acl c , read_attributes a , read_data r , read_xattr R , write_xattr W , write_data w , write_attributes A , write_acl C , write_owner o

Here are the current compact codes for inheritance control:

file_inherit f , dir_inherit d , inherit_only i , no_propagate n

So, the command below (using the compact codes above) gives me (the owner) full permissions to files and directories, and read-only access to everyone else. I have enabled inheritance so newly created files should keep their parent’s ACL without Windows creating its own. Note: I used chown on the root of my share first, i.e. chown -R daz /protected

then…

chmod -R A=\
owner@:wACpdDo:d:allow,\
owner@:wACpdDo:f:allow,\
everyone@:rxaARWcs:d:allow,\
everyone@:raARWcs:f:allow \
/protected/

Remember to test that this has provided what you want. Connect to your share as guest and test the permissions, then connect as the owner and test the permissions again. The fun thing about this particular ACL system is that you are not restricted to just one owner and one group. You can add additional lines as required using user: and group: attributes. I’ve done a multi-user ACL post here.
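To go with the testing above, an offline check that decodes the compact entries passed to chmod and lists the write-class permissions granted to a principal. This is an added example, not part of the original post; the function names and the WRITE_CLASS grouping are this example's own choices, and "s" (synchronize) is taken from the Solaris chmod documentation because the commands here use it but the code table above does not list it.

```python
# Added example. Letter names come from the tables on this page, except
# "s" (synchronize), which the page's commands use but its table omits.
ACCESS = {
    "r": "read_data/list_directory", "w": "write_data/add_file",
    "p": "add_subdirectory", "x": "execute", "d": "delete",
    "D": "delete_child", "a": "read_attributes", "A": "write_attributes",
    "R": "read_xattr", "W": "write_xattr", "c": "read_acl",
    "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
INHERIT = {"f": "file_inherit", "d": "dir_inherit",
           "i": "inherit_only", "n": "no_propagate"}
ACL_SETS = {"full_set", "read_set", "modify_set", "write_set"}
WRITE_CLASS = set("wpdDAWCo")   # letters that change data, metadata or ownership

def parse_ace(ace):
    """Split 'who:perms[:inherit]:type' into named fields."""
    parts = ace.strip().split(":")
    n = 2 if parts[0] in ("user", "group") else 1   # user:/group: carry a name
    who, rest = ":".join(parts[:n]), parts[n:]
    if len(rest) == 2:
        rest = [rest[0], "", rest[1]]               # inheritance field omitted
    if len(rest) != 3 or rest[2] not in ("allow", "deny"):
        raise ValueError(f"malformed ACE: {ace!r}")
    perms, inherit, kind = rest
    letters = set() if perms in ACL_SETS else set(perms) - {"-"}
    flags = set(inherit) - {"-"}
    if letters - ACCESS.keys() or flags - INHERIT.keys():
        raise ValueError(f"unknown code in ACE: {ace!r}")
    return {"who": who, "perms": perms, "letters": letters,
            "inherit": sorted(INHERIT[f] for f in flags), "type": kind}

def parse_acl(spec):
    """Parse the comma-separated list that follows 'A=' in the chmod command."""
    spec = spec.replace("\\\n", "").replace("\n", "")
    return [parse_ace(a) for a in spec.split(",") if a.strip()]

def write_bits_for(acl, who="everyone@"):
    """Write-class permissions that allow entries grant to `who`."""
    found = set()
    for ace in acl:
        if ace["who"] == who and ace["type"] == "allow":
            if ace["perms"] in ACL_SETS - {"read_set"}:
                found.add(ace["perms"])             # set includes write bits
            found |= {ACCESS[c] for c in ace["letters"] & WRITE_CLASS}
    return sorted(found)

# The first ACL from this page, as passed to chmod after "A=".
PAGE_ACL = ("owner@:wACpdDo:d:allow,owner@:wACpdDo:f:allow,"
            "everyone@:rxaARWcs:d:allow,everyone@:raARWcs:f:allow")
print("everyone@ write-class:", write_bits_for(parse_acl(PAGE_ACL)))
```

For the ACL above this reports write_attributes and write_xattr for everyone@, which are the A and W letters in the everyone@ entries.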

There is a lot of flexibility – I’d say even more than the Samba server options, by a long shot. It’s probably a little more fiddly getting your commands right, but once up and running you can have a lot more control.

There are also “ACL sets”, which combine the above attributes into groups, i.e. you can put just the word “full_set” (full permissions) or “read_set” (supposedly gives you read, but I couldn’t see any child files after using this) between the first set of colons in the above command. Using ACL sets, the above command could be changed to:

chmod -R A=\
owner@:full_set:d:allow,\
owner@:full_set:f:allow,\
everyone@:rxaARWcs:d:allow,\
everyone@:raARWcs:f:allow \
/protected/

This should still give the owner full permissions (previously the owner just inherited, from the everyone group, the permissions it didn’t have itself).

These are the possible choices for ACL sets: full_set , read_set , modify_set , write_set

See here for more examples: http://sigtar.com/2009/02/15/opensolaris-cifssmb-server-configuring-acl’s-on-shares-part-2/

—– workgroup authentication —–

Assuming you are NOT using a domain:
Did you enable the password database settings?
user@solaris:~# cat >> /etc/pam.conf

# Seem to need this line for smb / cifs:
other password required pam_smb_passwd.so.1 nowarn

(Control-D to end)

user@solaris:~# passwd
passwd: Changing password for user
New Password:
Re-enter new Password:
passwd: password successfully changed for user
