On 2016-11-14 12:59 PM, Josh Coombs wrote:
So, to follow up with my own notes: The issue appears to be an order of operations issue on my end.

When I setup CIFS shares I do the following:

- Create the ZFS set
- - casesensitivity is mixed
- - nbmand on
- - sharesmb=name=share-name

- Set initial ACL so AD Admins have total control
- - /usr/bin/chmod A=group:2147483664:read_data/write_data/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow /pool/zfs-share/.zfs/shares/share-name
- - /usr/bin/chmod A=group:2147483664:read_data/write_data/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow /pool/zfs-share

- Adjust security from there via Windows client

When I adjust the ACLs via Windows, /pool/zfs-share/.zfs/shares/share-name does not get touched. In this case it was still left as administrat...@local.ad.domain, while the ACL for /pool/zfs-share matched what I expected. This meant my problem user, who was a member of the target group but not in Administrators, couldn't connect. Once I updated .zfs/shares/share-name to an ACL that included the problem user, issue solved.

I need to dig more to determine the significance of .zfs/shares/share-name to determine if I can safely default to an ACL that covers all authenticated domain users or if I should keep it narrow.

Josh C

On Mon, Nov 14, 2016 at 12:34 PM, Josh Coombs <jcoo...@staff.gwi.net> wrote:

    Hello, I've got an Omni box up and running, joined to my local AD
    domain.  It's been working well, I have two shares ACL'd by
    Windows groups and so far so good.

    Until today, I have an 'IT' share restricted to the IT-Dev group,
    which has four members.  Two of those members can access the share
    just fine, the other two are denied by ACL.  I've flushed idmap's
    DB and still no joy.  I can see good SIDs for the users and group
    in question, but I can't seem to get the box to accept that these
    two users are part of the group.  Any thoughts on how to further
    debug this?



Hi Josh.

I rarely look to set restrictive permissions on a share level to control data access. I want to only have a single place to worry about permissions to make management easier. This is especially true if you have nested shares, where your permissions would be different depending on which share you used to access the data.

Of course, there are times when you want to use share level permissions. For example, you want to have a share that is read-only, regardless of the underlying file system permissions.

Have a great day!!

Geoff
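The order of operations from Josh's notes as one script, an added example that is not from the thread: it creates the dataset with its SMB share, applies the same ACE to both the dataset root and the share-level ACL under .zfs/shares (the step that was missed), and includes an offline check that both ACLs grant to the same principal. The dataset, share name and the `ls -v` sample lines are assumed placeholders, and only the GID comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed: an illumos/OmniOS host with the
# kernel SMB server; POOL, SHARE and GID are placeholders. DRY_RUN=1 only prints.
POOL="${POOL:-pool/zfs-share}"   # dataset that is shared, mounted at /$POOL
SHARE="${SHARE:-share-name}"     # sharesmb name; its ACL lives in .zfs/shares/$SHARE
GID="${GID:-2147483664}"         # ephemeral GID idmap gave the AD group (from the thread)
DRY_RUN="${DRY_RUN:-1}"

# Full-control ACE with the permission list used in the thread, inheriting to
# new files and directories.
acl_ace() {
  printf 'group:%s:read_data/write_data/append_data/read_xattr/write_xattr/execute/delete_child/read_attributes/write_attributes/delete/read_acl/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow' "$1"
}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# The order of operations: create the dataset with its share, then set the ACE
# on BOTH the dataset root and the share-level ACL. Windows security edits only
# rewrite the former, so a principal missing from the latter cannot connect.
create_share() {
  run zfs create -o casesensitivity=mixed -o nbmand=on -o sharesmb="name=$SHARE" "$POOL"
  run /usr/bin/chmod "A=$(acl_ace "$GID")" "/$POOL"
  run /usr/bin/chmod "A=$(acl_ace "$GID")" "/$POOL/.zfs/shares/$SHARE"
}

# acl_grants LS_V_OUTPUT PRINCIPAL: true if an allow ACE for PRINCIPAL
# (e.g. group:2147483664) appears in `ls -v` output.
acl_grants() { printf '%s\n' "$1" | grep -q "$2:.*:allow\$"; }

# both_grant ROOT_ACL SHARE_ACL PRINCIPAL: the check that would have caught the
# mismatch; fails when only one of the two ACLs grants to PRINCIPAL.
both_grant() { acl_grants "$1" "$3" && acl_grants "$2" "$3"; }

# Live version for the host itself (ls -v prints the ACL, -d keeps directories).
verify_share() {
  both_grant "$(ls -vd "/$POOL")" "$(ls -vd "/$POOL/.zfs/shares/$SHARE")" "group:$GID"
}

# Constructed `ls -v` lines (not real captures) reproducing the thread's state:
# the root grants the group, the share-level ACL still only names an admin user.
ROOT_ACL="0:$(acl_ace "$GID")"
SHARE_ACL='0:user:EXAMPLE-ADMIN:read_data/write_data/execute/read_acl/write_acl:allow'

create_share   # prints the three commands under DRY_RUN=1
```

Run with `DRY_RUN=0` on the host to execute the commands, then `verify_share` reports whether the two ACLs agree for the group.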



-------------------------------------------
illumos-discuss