I'm not sure how anyone ever gets access when your ACL has this ACE:
        everyone@:rwxpdDaARWcCos:fd-----:deny

Every logon has the group "everyone" as a member, therefore that ACE
will match every logon.  The ACE also lists every possible permission,
so nothing should get through, no matter what allow ACEs might also
exist.

One thing to be aware of is that ZFS (and Unix in general) checks
Execute access when you try to "traverse" through a directory (path
name resolution).  If you're copying ACLs from a Windows server, you
may need to add some ACEs at various levels in your file hierarchy to
grant execute to whatever users and/or groups should be able to
traverse.
(The easiest way would be: chmod A+everyone@:x:fd:allow)

Windows servers normally run with a special privilege that makes the
SMB server threads exempt from traverse permission checking, for
reasons of efficiency.

On Wed, Apr 20, 2016 at 6:28 PM, Olaf Marzocchi <li...@marzocchi.net> wrote:
> I updated as indicated in the guide and to do that I had to uninstall some
> packages:
>
> serf@1.3.8,5.11-0.151014:20151015T214958Z
> apr-util@1.4.1,5.11-0.151014:20150508T204811Z
> apr@1.5.1,5.11-0.151014:20150529T175834Z
> uuid@1.41.14,5.11-0.151014:20150508T153803Z
>
> After reboot I got two main issues.
>
> 1) I cannot reach my OmniOS box with "OmniOS-Xeon.local" as I usually did in
> the past, both for SMB, local webserver/services, ... but I can still access
> the box when I use the plain IP.
>
> OmniOS-Xeon:~ olaf$ cat /etc/nodename
> OmniOS-Xeon
>
>
> 2) I cannot access one specific SMB share ("olaf") that was working
> perfectly before the update. Using the IP of the machine allows me to access
> the other shares, but not this one. It was also the one with the most
> restrictive access ACLs, but they look fine to me.
>
> OmniOS-Xeon:~ olaf$ sharemgr show
> ...
> zfs
>     zfs/tank/home/olaf
>           /tank/home/olaf
> [and more shares, all working]
>
> OmniOS-Xeon:~ olaf$ ls -lV /tank/home/
> total 34
> drwx------+ 15 olaf     olaf          15 Oct 25 11:27 olaf
>               user:olaf:rwxpdDaARWcCos:fd-----:allow
>        group:2147483648:rwxpdDaARWcCos:fd-----:allow
>               everyone@:rwxpdDaARWcCos:fd-----:deny
>
> OmniOS-Xeon:~ olaf$ tail /var/adm/messages
> Apr 20 22:30:04 OmniOS-Xeon smbsrv: [ID 138215 kern.notice] NOTICE:
> smbd[OMNIOS-XEON\olaf]: temporar share not found
> Apr 20 22:30:04 OmniOS-Xeon last message repeated 10 times
> Apr 20 22:30:33 OmniOS-Xeon smbsrv: [ID 138215 kern.notice] NOTICE:
> smbd[OMNIOS-XEON\olaf]: olaf share not found
> Apr 20 22:30:36 OmniOS-Xeon last message repeated 8 times
>
> As you can see, the last letter of the share name in /var/adm/messages gets
> cut for the share "temporary", but not for my own share "olaf". However, my
> own share is neither visible nor accessible, while the other ones are.
>
> Has anything changed about permissions with SMB2?
>
> Thanks
> Olaf
> _______________________________________________
> OmniOS-discuss mailing list
> OmniOS-discuss@lists.omniti.com
> http://lists.omniti.com/mailman/listinfo/omnios-discuss
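
A small decoder for the compact ACE notation that `ls -V` prints, applied to the ACL quoted in this thread. This is an added example, not part of either message, and the function names are hypothetical. It only decodes and lists entries; it does not model how ZFS evaluates them.

```python
# Added example: decode compact NFSv4-style ACE strings as shown by `ls -V`.
PERMS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
FLAGS = {
    "f": "file_inherit", "d": "dir_inherit", "i": "inherit_only",
    "n": "no_propagate", "S": "successful_access", "F": "failed_access",
    "I": "inherited",
}

# ACL of /tank/home/olaf, copied from the `ls -lV` output quoted above.
SAMPLE = """\
              user:olaf:rwxpdDaARWcCos:fd-----:allow
       group:2147483648:rwxpdDaARWcCos:fd-----:allow
              everyone@:rwxpdDaARWcCos:fd-----:deny
"""

def parse_ace(line):
    """Split 'who:perms:flags:type' from the right; 'who' may contain a colon."""
    who, perms, flags, ace_type = line.strip().rsplit(":", 3)
    if ace_type not in ("allow", "deny", "audit", "alarm"):
        raise ValueError(f"unknown ACE type: {ace_type!r}")
    return {
        "who": who,
        "perms": {PERMS[c] for c in perms if c != "-"},
        "flags": {FLAGS[c] for c in flags if c != "-"},
        "type": ace_type,
    }

def parse_acl(text):
    return [parse_ace(line) for line in text.splitlines() if line.strip()]

def full_deny_for_everyone(acl):
    """Indexes of deny ACEs on everyone@ that list every permission."""
    every = set(PERMS.values())
    return [i for i, a in enumerate(acl)
            if a["who"] == "everyone@" and a["type"] == "deny" and a["perms"] == every]

def aces_with(acl, perm):
    """(index, who, type) for each ACE naming `perm`, e.g. 'execute' for traverse."""
    return [(i, a["who"], a["type"]) for i, a in enumerate(acl) if perm in a["perms"]]

if __name__ == "__main__":
    acl = parse_acl(SAMPLE)
    print("full deny on everyone@ at index:", full_deny_for_everyone(acl))
    print("ACEs naming execute:", aces_with(acl, "execute"))
```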