I'm not sure how anyone ever gets access when your ACL has this ACE: everyone@:rwxpdDaARWcCos:fd-----:deny
Every logon has the group "everyone" as a member, therefore that ACE will match every logon. The ACE also lists every possible permission, so nothing should get through, no matter what allow ACEs might also exist.

One thing to be aware of is that ZFS (and Unix in general) checks Execute access when you try to "traverse" through a directory (path name resolution). If you're copying ACLs from a Windows server, you may need to add some ACEs at various levels in your file hierarchy to grant execute to whatever users and/or groups should be able to traverse. (The easiest way would be: chmod A+everyone@:x:fd:allow)

Windows servers normally run with a special privilege that makes the SMB server threads exempt from traverse permission checking, for reasons of efficiency.

On Wed, Apr 20, 2016 at 6:28 PM, Olaf Marzocchi <li...@marzocchi.net> wrote:
> I updated as indicated in the guide and to do that I had to uninstall some
> packages:
>
> serf@1.3.8,5.11-0.151014:20151015T214958Z
> apr-util@1.4.1,5.11-0.151014:20150508T204811Z
> apr@1.5.1,5.11-0.151014:20150529T175834Z
> uuid@1.41.14,5.11-0.151014:20150508T153803Z
>
> After reboot I got two main issues.
>
> 1) I cannot reach my OmniOS box with "OmniOS-Xeon.local" as I usually did in
> the past, both for SMB, local webserver/services, ... but I can still access
> the box when I use the plain IP.
>
> OmniOS-Xeon:~ olaf$ cat /etc/nodename
> OmniOS-Xeon
>
>
> 2) I cannot access one specific SMB share ("olaf") that was working
> perfectly before the update. Using the IP of the machine allows me to access
> the other shares, but not this one. It was also the one with the most
> restrictive access ACLs, but they look fine to me.
>
> OmniOS-Xeon:~ olaf$ sharemgr show
> ...
> zfs
> zfs/tank/home/olaf
> /tank/home/olaf
> [and more shares, all working]
>
> OmniOS-Xeon:~ olaf$ ls -lV /tank/home/
> total 34
> drwx------+ 15 olaf olaf 15 Oct 25 11:27 olaf
> user:olaf:rwxpdDaARWcCos:fd-----:allow
> group:2147483648:rwxpdDaARWcCos:fd-----:allow
> everyone@:rwxpdDaARWcCos:fd-----:deny
>
> OmniOS-Xeon:~ olaf$ tail /var/adm/messages
> Apr 20 22:30:04 OmniOS-Xeon smbsrv: [ID 138215 kern.notice] NOTICE:
> smbd[OMNIOS-XEON\olaf]: temporar share not found
> Apr 20 22:30:04 OmniOS-Xeon last message repeated 10 times
> Apr 20 22:30:33 OmniOS-Xeon smbsrv: [ID 138215 kern.notice] NOTICE:
> smbd[OMNIOS-XEON\olaf]: olaf share not found
> Apr 20 22:30:36 OmniOS-Xeon last message repeated 8 times
>
> As you can see, the last letter of the share name in /var/adm/messages gets
> cut for the share "temporary", but not for my own share "olaf". However, my
> own share is neither visible nor accessible, while the other ones are.
>
> Has anything changed about permissions with SMB2?
>
> Thanks
> Olaf
> _______________________________________________
> OmniOS-discuss mailing list
> OmniOS-discuss@lists.omniti.com
> http://lists.omniti.com/mailman/listinfo/omnios-discuss
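
The traverse check and the suggested chmod A+everyone@:x:fd:allow from the reply above, as an added example that is not part of the original message or of any illumos code. It parses the ACEs from the quoted ls -lV output and evaluates execute (traverse) for a hypothetical user "guest", assuming ordered first-match evaluation of ACEs and that chmod A+ prepends the new entry; owner@ and group@ are not modelled.

```python
# Added example: evaluate compact ZFS/NFSv4 ACEs as printed by `ls -V`.
from typing import NamedTuple

class Ace(NamedTuple):
    who: str          # "user:olaf", "group:2147483648", "everyone@"
    perms: frozenset  # permission letters, e.g. {"r", "x"}
    kind: str         # "allow" or "deny"

def parse_ace(text):
    """Split 'who:perms:flags:type'; 'who' may itself contain a colon."""
    who, perms, _flags, kind = text.strip().rsplit(":", 3)
    if kind not in ("allow", "deny"):
        raise ValueError(f"unknown ACE type in {text!r}")
    return Ace(who, frozenset(perms.replace("-", "")), kind)

def matches(ace, user, groups):
    # owner@/group@ need the file's owner and group, so they are not modelled.
    return (ace.who == "everyone@" or ace.who == f"user:{user}"
            or any(ace.who == f"group:{g}" for g in groups))

def allowed(acl, user, groups, wanted):
    """Assumed ordered evaluation: the first matching ACE that mentions a
    still-undecided permission decides it."""
    pending = set(wanted)
    for ace in acl:
        if not matches(ace, user, groups):
            continue
        hit = pending & ace.perms
        if hit and ace.kind == "deny":
            return False
        pending -= hit
    return not pending  # permissions that no ACE granted are denied

def can_traverse(dir_acls, user, groups=()):
    """Path name resolution needs 'x' on every directory along the path."""
    return all(allowed(acl, user, groups, "x") for acl in dir_acls)

# ACL of /tank/home/olaf as shown by `ls -lV` in the thread.
OLAF_DIR = [parse_ace(a) for a in (
    "user:olaf:rwxpdDaARWcCos:fd-----:allow",
    "group:2147483648:rwxpdDaARWcCos:fd-----:allow",
    "everyone@:rwxpdDaARWcCos:fd-----:deny",
)]
# `chmod A+...` prepends, so the suggested ACE lands ahead of the deny entry.
WITH_TRAVERSE = [parse_ace("everyone@:x:fd:allow")] + OLAF_DIR

if __name__ == "__main__":
    for name, acl in (("as posted", OLAF_DIR), ("after chmod A+", WITH_TRAVERSE)):
        print(name, "| guest traverse:", can_traverse([acl], "guest"),
              "| guest list:", allowed(acl, "guest", (), "r"))
```

With the extra ACE, "guest" can pass through the directory but still cannot list or read it, because only x is granted ahead of the deny entry.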