Jerry,

The problem is that none of the ACEs in the parent directory
are inheritable. As I mentioned before, when you create a file
or folder from Windows, you'll get Windows inheritance rules, not
Solaris/POSIX rules. In Windows, if a directory's ACL doesn't have any
inheritable ACEs when a file/folder is created in it, that new object's
ACL will have two ACEs (as you can see for the nsswitch.conf file): one
for the owner of the object and one for a Windows account called SYSTEM.

If you want the directory's ACL to have true full-control for everyone,
which is also inheritable, then you should do this:

chmod A=everyone@:rwxpdDaARWcCos:fd:allow <directory>

The :fd: part means the ACE would be inheritable by both new files and
folders.

Afshin

Jerry Backlin wrote:
> Afshin,
> 
> Sorry, I've been on vacation a few days....
> 
> Below I hope you have the info you need. I'm very interested to see what 
> I've been missing.
> 
> TIA,
> Jerry
> 
> #ls -l
> ----------+  1 backlin  staff       1109 Jan 31 11:09 nsswitch.conf
> drwxrwxrwx+  2 backlin  staff          3 Jan  1 11:09 Solaris 10
> ----------+  1 backlin  staff    3937402880 Jan 29 18:06 solarisdvd.iso
> drwxrwxrwx+  4 backlin  staff          5 Dec 15 18:37 StarOffice
> # ls -vd
> drwxrwxrwx+ 11 backlin  staff         15 Feb 13 08:04 .
>     0:user:backlin::deny
>     1:user:backlin:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/write_xattr/execute
>         /delete_child/read_attributes/write_attributes/delete/read_acl
>         /write_acl/write_owner/synchronize:allow
>     2:group:2147483648::deny
>     3:group:2147483648:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/write_xattr/execute
>         /delete_child/read_attributes/write_attributes/delete/read_acl
>         /write_acl/write_owner/synchronize:allow
>     4:owner@::deny
>     5:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>         /append_data/write_xattr/execute/write_attributes/write_acl
>         /write_owner:allow
>     6:group@::deny
>     7:group@:list_directory/read_data/add_file/write_data/add_subdirectory
>         /append_data/execute:allow
>     8:everyone@:write_xattr/write_attributes/write_acl/write_owner:deny
>     9:everyone@:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/execute/read_attributes
>         /read_acl/synchronize:allow
> #
> 
> # ls -v
> ----------+  1 backlin  staff       1109 Jan 31 11:09 nsswitch.conf
>     0:user:backlin:read_data/write_data/append_data/read_xattr/write_xattr
>         /execute/delete_child/read_attributes/write_attributes/delete
>         /read_acl/write_acl/write_owner/synchronize:allow
>     1:group:2147483648:read_data/write_data/append_data/read_xattr
>         /write_xattr/execute/delete_child/read_attributes/write_attributes
>         /delete/read_acl/write_acl/write_owner/synchronize:allow
> drwxrwxrwx+  2 backlin  staff          3 Jan  1 11:09 Solaris 10
>     0:user:backlin::deny
>     1:user:backlin:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/write_xattr/execute
>         /delete_child/read_attributes/write_attributes/delete/read_acl
>         /write_acl/write_owner/synchronize:allow
>     2:group:2147483648::deny
>     3:group:2147483648:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/write_xattr/execute
>         /delete_child/read_attributes/write_attributes/delete/read_acl
>         /write_acl/write_owner/synchronize:allow
>     4:owner@::deny
>     5:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>         /append_data/write_xattr/execute/write_attributes/write_acl
>         /write_owner:allow
>     6:group@::deny
>     7:group@:list_directory/read_data/add_file/write_data/add_subdirectory
>         /append_data/execute:allow
>     8:everyone@:write_xattr/write_attributes/write_acl/write_owner:deny
>     9:everyone@:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/execute/read_attributes
>         /read_acl/synchronize:allow
> ----------+  1 backlin  staff    3937402880 Jan 29 18:06 solarisdvd.iso
>     0:user:backlin:read_data/write_data/append_data/read_xattr/write_xattr
>         /execute/delete_child/read_attributes/write_attributes/delete
>         /read_acl/write_acl/write_owner/synchronize:allow
>     1:group:2147483648:read_data/write_data/append_data/read_xattr
>         /write_xattr/execute/delete_child/read_attributes/write_attributes
>         /delete/read_acl/write_acl/write_owner/synchronize:allow
> drwxrwxrwx+  4 backlin  staff          5 Dec 15 18:37 StarOffice
>     0:user:backlin::deny
>     1:user:backlin:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/write_xattr/execute
>         /delete_child/read_attributes/write_attributes/delete/read_acl
>         /write_acl/write_owner/synchronize:allow
>     2:group:2147483648::deny
>     3:group:2147483648:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/write_xattr/execute
>         /delete_child/read_attributes/write_attributes/delete/read_acl
>         /write_acl/write_owner/synchronize:allow
>     4:owner@::deny
>     5:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
>         /append_data/write_xattr/execute/write_attributes/write_acl
>         /write_owner:allow
>     6:group@::deny
>     7:group@:list_directory/read_data/add_file/write_data/add_subdirectory
>         /append_data/execute:allow
>     8:everyone@:write_xattr/write_attributes/write_acl/write_owner:deny
>     9:everyone@:list_directory/read_data/add_file/write_data
>         /add_subdirectory/append_data/read_xattr/execute/read_attributes
>         /read_acl/synchronize:allow
> #
> 
> Afshin Salek wrote:
>> Hi Jerry,
>>
>> If I have the actual ACL on the parent directory and the file
>> created from Windows, I can better answer your questions. You
>> can view the directory's ACL with "ls -vd" and file's ACL with
>> "ls -v"
>>
>> As a general note, Windows inheritance rules are different from
>> ZFS and/or POSIX rules. When you create a file from Windows you
>> get the Windows rules not the latter (and it's not optional :) )
>>
>> Thanks,
>> Afshin
>>
>> Janice Chang wrote:
>>> Hi Jerry.  Thank you for the information.  I'm cc'ing 
>>> [EMAIL PROTECTED], where most of the CIFS folk hang out.
>>>
>>> Janice
>>>
>>> Jerry Backlin wrote:
>>>> Janice,
>>>>
>>>> Below you have 2 files where the first one is written from a Windows 
>>>> system. It seems to pick up the right owner but the file protection 
>>>> is set up to disallow users on the Solaris system to access the 
>>>> file. This means that if I want to access the file when logged in 
>>>> on Solaris I need to change the protection. The parent directory 
>>>> has the protection set up to allow everybody full access and I 
>>>> work in workgroup mode.
>>>>
>>>> ----------+  1 backlin  staff       1109    Jan 31 11:09 nsswitch.conf
>>>> drwxrwxrwx+  2 backlin  staff          3    Jan  1 11:09 Solaris 10
>>>>
>>>> I assume there must be a way to set up ZFS to allow files to be 
>>>> accessed by the same user on the Solaris system and also manage who 
>>>> has access to a file created from a networked Windows system.
>>>>
>>>> In addition I can't create folders from a Windows system, I get 
>>>> access denied. Is there something I have missed when setting up the 
>>>> system?
>>>>
>>>> TIA,
>>>> Jerry
>>>>
>>>>
>>>>
>>>>
>>>> Janice Chang wrote:
>>>>> Hi Jerry. Thank you for your inquiry.
>>>>>
>>>>> Would appreciate some examples showing the permissions set from 
>>>>> Windows and what is seen vs. what is expected on the Solaris server.
>>>>>
>>>>> Thanks!
>>>>> Janice
>>>>>
>>>>> Jerry Backlin wrote:
>>>>>> I'm using sharesmb (b82) in my home office server with XP & W2K 
>>>>>> clients. Upgrades have caused some hiccups and the smbpasswd file 
>>>>>> had been reset for me but that is addressed now.
>>>>>> I can not get my hands around how file protection should be set 
>>>>>> up. Currently a file written into the ZFS share does not inherit 
>>>>>> the protection of the parent filesystem; from Solaris you have no access.
>>>>>> I assume this has not been addressed yet.
>>>>>>
>>>>>> Jerry
>>>>>>  
>>>>>>  
>>>>>> This message posted from opensolaris.org
>>>>>> _______________________________________________
>>>>>> opensolaris-discuss mailing list
>>>>>> opensolaris-discuss@opensolaris.org
>>>>>>   
>>> _______________________________________________
>>> storage-discuss mailing list
>>> [EMAIL PROTECTED]
>>> http://mail.opensolaris.org/mailman/listinfo/storage-discuss
>>
>>
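
The diagnosis in the top reply (no ACE on the parent directory carries an inheritance flag) can be checked mechanically from `ls -vd` output. The following is an added example, not part of the original thread: it parses the verbose ACL format shown above and lists the ACEs that carry `file_inherit` or `dir_inherit`. The first sample is the directory ACL from the thread, abridged to four entries; the second is a constructed sample of how the listing is assumed to look after the suggested `chmod`.

```python
import re

# Directory ACL as posted in the thread (ls -vd), abridged to entries 0, 1, 8, 9.
DIR_ACL_FROM_THREAD = """\
drwxrwxrwx+ 11 backlin  staff         15 Feb 13 08:04 .
    0:user:backlin::deny
    1:user:backlin:list_directory/read_data/add_file/write_data
        /add_subdirectory/append_data/read_xattr/write_xattr/execute
        /delete_child/read_attributes/write_attributes/delete/read_acl
        /write_acl/write_owner/synchronize:allow
    8:everyone@:write_xattr/write_attributes/write_acl/write_owner:deny
    9:everyone@:list_directory/read_data/add_file/write_data
        /add_subdirectory/append_data/read_xattr/execute/read_attributes
        /read_acl/synchronize:allow
"""

# Constructed sample (assumption): the same directory after the suggested
# chmod A=everyone@:rwxpdDaARWcCos:fd:allow, as ls -vd would print it.
DIR_ACL_AFTER_CHMOD = """\
drwxrwxrwx+ 11 backlin  staff         15 Feb 13 08:04 .
    0:everyone@:list_directory/read_data/add_file/write_data
        /add_subdirectory/append_data/read_xattr/write_xattr/execute
        /delete_child/read_attributes/write_attributes/delete/read_acl
        /write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
"""

def parse_aces(listing):
    """Parse 'ls -v' text into ACE dicts, joining wrapped continuation lines."""
    entries = []
    for line in listing.splitlines():
        if re.match(r"\s*\d+:", line):            # "N:" starts a new ACE
            entries.append(line.strip())
        elif entries and line.strip().startswith("/"):
            entries[-1] += line.strip()           # wrapped permission list
    aces = []
    for entry in entries:
        f = entry.split(":")
        n = 3 if f[1] in ("user", "group") else 2  # user:NAME vs owner@ etc.
        rest = f[n:-1]                             # [perms] or [perms, flags]
        aces.append({"index": int(f[0]), "who": ":".join(f[1:n]),
                     "perms": set(filter(None, rest[0].split("/"))),
                     "flags": set(rest[1].split("/")) if len(rest) > 1 else set(),
                     "type": f[-1]})
    return aces

def inheritable_aces(listing):
    """Return only the ACEs that new files or folders would inherit."""
    return [a for a in parse_aces(listing)
            if a["flags"] & {"file_inherit", "dir_inherit"}]
```

An empty result for a shared directory means objects created over CIFS fall back to the owner and SYSTEM ACEs described in the reply above.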
