OpenSolaris cifs/smb server – configuring ACL’s on shares

OK, from this point I'm assuming you have created your ZFS shares via the zfs command and renamed them appropriately, like so (if you haven't set up CIFS yet, read this first):

zfs set sharesmb=on protected/backup

zfs set sharesmb=name=backup protected/backup

Now, to check your current shares, type:

sharemgr show

zfs

zfs/protected/backup
backup=/protected/backup

zfs/protected/photos
photos=/protected/photos

Now it's time to look at NFSv4 ACLs. This page has a great explanation of ACLs and how to set things up: http://cuddletech.com/blog/pivot/entry.php?id=939

The ZFS admin guide has the compact access and inheritance codes for chmod: http://opensolaris.org/os/community/zfs/docs/zfsadmin.pdf

Here are the current compact codes for access control:

  add_file          w
  add_subdirectory  p
  delete            d
  delete_child      D
  execute           x
  list_directory    r
  read_acl          c
  read_attributes   a
  read_data         r
  read_xattr        R
  write_xattr       W
  write_data        w
  write_attributes  A
  write_acl         C
  write_owner       o

Here are the current compact codes for inheritance control:

  file_inherit   f
  dir_inherit    d
  inherit_only   i
  no_propagate   n

So, the command below (using the compact codes above) gives me (the owner) full permissions on files and directories, and read-only access to everyone else. I have enabled inheritance, so newly created files should keep their parent's ACL without Windows creating its own. Note: I ran chown on the root of my share first, i.e. chown -R daz /protected

then…

chmod -R A=\
owner@:wACpdDo:d:allow,\
owner@:wACpdDo:f:allow,\
everyone@:rxaARWcs:d:allow,\
everyone@:raARWcs:f:allow \
/protected/

Remember to test that this has given you what you want. Connect to your share as guest and test the permissions, then connect as the owner and test again. The nice thing about this ACL system is that you are not restricted to just one owner and one group: you can add additional entries as required using the user: and group: principals. I've done a multi-user ACL post here.

There is a lot of flexibility; I'd say even more than the Samba server options by a long shot. It's probably a little more fiddly getting your commands right, but once up and running you have a lot more control.

There are also “ACL sets”, which combine the above attributes into groups, i.e. you can put just the word “full_set” (full permissions) or “read_set” (supposedly gives you read, but I couldn't see any child files after using this) between the first set of colons in the above command. Using ACL sets, the above command could be changed to:

chmod -R A=\
owner@:full_set:d:allow,\
owner@:full_set:f:allow,\
everyone@:rxaARWcs:d:allow,\
everyone@:raARWcs:f:allow \
/protected/

This should still give the owner full permissions (previously the owner just inherited the everyone@ permissions and didn't get its own on top).

These are the possible choices for ACL sets: full_set, read_set, modify_set, write_set

See here for more examples: http://sigtar.com/2009/02/15/opensolaris-cifssmb-server-configuring-acl’s-on-shares-part-2/

—– workgroup authentication —–

Assuming you are NOT using a domain: did you enable the password database settings? Append the following line to /etc/pam.conf:
user@solaris:~# cat >> /etc/pam.conf

# Seem to need this line for smb / cifs:
other password required pam_smb_passwd.so.1 nowarn

(Control-D to end)

user@solaris:~# passwd
passwd: Changing password for user
New Password:
Re-enter new Password:
passwd: password successfully changed for user

12 thoughts on “OpenSolaris cifs/smb server – configuring ACL’s on shares”

  1. Pingback: OpenSolaris cifs/smb server - configuring ACL’s on shares - Part 2 | Daz's bits and bobs

  2. Pingback: OpenSolaris - Migrating from samba to cifs | Daz's bits and bobs

  3. I switched from using NFS to using smb to share my files because smb allows a user to log in (NFS relies on the user id).

    After I got smb set up, I noticed that the files created by the client had no permissions. The solution was to enable these access lists.

  4. Just a note for other people experiencing the same. In OpenSolaris 2009.06 (/dev repo), the default ‘chmod’ program is the GNU one found in /usr/gnu/bin/chmod, which does not support these attributes and will give you an “invalid mode” error.
    Instead you have to provide the full path to the /usr/bin/chmod program when running chmod.

  5. I created a raidz2 pool under OSOL 2009.06 and had to change the boot drive. I (foolishly) thought I’d upgrade to SNV 126 with the new drive. I installed the drive, installed OSOL 2009.06 and upgraded according to the Opensolaris.org webpage.

    After this was complete, I imported my pool and upgraded from ZFS 13 (I think) to ZFS 18.

    Now, when I try to share the pool, and set up ACLs or just chmod it, I cannot get windows to login to the share. The windows machine asks for the username and password when trying to connect, but it is rejected no matter what I do. I’ve edited pam.conf with the “other password required pam_smb_passwd.so.1 nowarn” line and redid my passwd on the OSOL server.

    I cannot roll back my pool (I don’t think) to ZFS 13 and use OSOL 2009.06.

    I suspect my problem is in some old chmod vs. a new ACL I played with, but I could be wrong. Can you give me a fool proof method of clearing all the ACLS and getting into this pool? I need access to the data.

  6. Pingback: Permission Hierarchy possible in OpenSolaris + ZFS + ACLs? - Admins Goodies
