Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-27 Thread Jens Bauernfeind
Hi,

I fixed this problem after executing this:
idmap add winname:"*@" unixuser:"*"
idmap add wingroup:"*@ " unixgroup:"*"
svcadm restart idmap
All newly created files now have the uid and gid from the IDMU.

Jens

> -Original Message-
> From: OmniOS-discuss [mailto:omnios-discuss-boun...@lists.omniti.com]
> On Behalf Of Oliver Weinmann
> Sent: Dienstag, 27. Juni 2017 08:25
> To: omnios-discuss
> Subject: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
> 
> Hi,
> 
> we are currently migrating all our data from a NetAPP system to an OmniOS
> system.
> 
> The OmniOS system is joined to AD and LDAP client is configured to pull
> LDAP info from AD / IDMU. This works fine.
> 
> However we can’t manage to have access on folders where we have Unix
> permissions from windows (CIFS).
> 
> e.g.
> 
> the user utest2 is member of the group “Up BCSIM De_Dt Da Lg”:
> 
> root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# groups utest2
> 1 Up BCSIM De_Dt Da Lg
> 
> The folder Unix has the following permissions set:
> 
> root@omnios01:/hgst4u60/ReferenceAC/BCSIM/Software# ls -al
> total 47
> d-+  4 root 2147483653   4 Apr 25 05:37 .
> d-+  4 root 2147483659   4 Apr 25 05:35 ..
> drwxrws---   9 bcsim  Up BCSIM De_Dt Da Lg  11 Mar  9 10:40 Unix
> d-+  6 root 2147483653   6 Apr 25 05:37 Windows
> 
> so User bcsim and all members of group “Up BCSIM De_Dt Da Lg” can access
> the folder just fine via NFS.
> 
> If the user utest2 tries to access this folder from windows via CIFS he
> gets access denied.
> 
> If I change the permissions so that other have r-x he can access the
> folder but then I have no control on who can access the folder.
> 
> On our NetApp system this was working fine. I assume it has to do with the
> IDMAP daemon using ephemeral mappings instead of pulling the uidnumber
> and gidnumber from AD?
> 
> I don’t want to use extended ACLs on this folder.
> 
> Any ideas?
> 
> Oliver Weinmann
> Senior Unix VMWare, Storage Engineer
> 
> Telespazio VEGA Deutschland GmbH
> Europaplatz 5 - 64293 Darmstadt - Germany
> Ph: + 49 (0)6151 8257 744 | Fax: +49 (0)6151 8257 799
> oliver.weinm...@telespazio-vega.de
> http://www.telespazio-vega.de
> 
> Registered office/Sitz: Darmstadt, Register court/Registergericht:
> Darmstadt, HRB 89231; Managing Director/Geschäftsführer: Sigmar Keller



___
OmniOS-discuss mailing list
OmniOS-discuss@lists.omniti.com
http://lists.omniti.com/mailman/listinfo/omnios-discuss


Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-27 Thread Jens Bauernfeind
Hm,

maybe I should share my ldap config.
ldapclient -v manual \
-a credentialLevel=proxy \
-a authenticationMethod=simple \
-a proxyDN="cn=XXX" \
-a proxyPassword=SECRET \
-a defaultSearchBase=dc=ipk=de \
-a domainName=DOMAINNAME \
-a defaultServerList= \
-a attributeMap=group:userpassword=userPassword \
-a attributeMap=group:uniqueMember=member \
-a attributeMap=group:gidnumber=gidNumber \
-a attributeMap=passwd:gecos=cn \
-a attributeMap=passwd:gidnumber=gidNumber \
-a attributeMap=passwd:uidnumber=uidNumber \
-a attributeMap=passwd:uid=sAMAccountName \
-a attributeMap=passwd:homedirectory=unixHomeDirectory \
-a attributeMap=passwd:loginshell=loginShell \
-a attributeMap=shadow:shadowflag=shadowFlag \
-a attributeMap=shadow:userpassword=userPassword \
-a objectClassMap=group:posixGroup=group \
-a objectClassMap=passwd:posixAccount=user \
-a objectClassMap=shadow:shadowAccount=user \
-a serviceSearchDescriptor="passwd:" \
-a serviceSearchDescriptor=group:  \
-a followReferrals=true

Maybe also a restart of the smb service?

Jens

> -Original Message-
> From: Oliver Weinmann [mailto:oliver.weinm...@telespazio-vega.de]
> Sent: Dienstag, 27. Juni 2017 14:40
> To: Jens Bauernfeind
> Subject: RE: [OmniOS-discuss] CIFS access to a folder with traditional
> (owner:group:other) Unix permissions
> 
> Hi,
> 
> Now I get "can’t access domain info" in the smb log and users are prompted
> to enter a password when accessing the shares. :(


Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-27 Thread Oliver Weinmann
What version of omnios are you using? I'm using R151022. 



Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-27 Thread Jens Bauernfeind
also r151022

What is your /etc/nsswitch.conf saying?
Mine has nearly everywhere "files ldap", except hosts and ipnodes.


Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-27 Thread Oliver Weinmann
Mine has ldap only for passwd and group.

So on your system it really works with just having the traditional unix
permissions set. There are no ACLs in place?

Do you have an Active Directory domain with IDMU?


Re: [OmniOS-discuss] CIFS access to a folder with traditional (owner:group:other) Unix permissions

2017-06-27 Thread Jens Bauernfeind
Yeah, AD with IDMU

According to this page (very old, but still the truth), you can't live
without ACLs.
https://mattwilson.org/blog/solaris/solaris-cifs-server-and-zfs-acls-the-problem/

You have to inherit the ACLs to newly created files.
At first I switched to the passthrough acl properties:
zfs set aclmode=passthrough tank
zfs set aclinherit=passthrough tank
Then you have to define an initial ACL for your datasets.

For this example I just assume you have the pool tank and one dataset test
- first set your sticky bit
chmod g+s /tank/test
- then set the ACLs
chmod A=owner@:rwxp-DaARWcCos:df:allow,group@:rwxp-DaARWcCos:df:allow,everyone@::df:allow /tank/test
so nearly full permission for the owner and the group, and nothing for
others; all ACLs are inherited to newly created files and directories [the
"df"]
8<---
ls -Vd /tank/test
drwxrws---+  5 root IT5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:fd-:allow
 group@:rwxp-DaARWcCos:fd-:allow
  everyone@:--:fd-:allow
8<---
(This inheritance doesn't apply to new datasets you create via zfs, btw)

But take care: whenever you do a chmod or chgrp operation on /tank/test (or
any other dataset), the owner, group and everyone ACEs get overwritten
(according to http://docs.oracle.com/cd/E36784_01/html/E36835/gbaaz.html)
8<---
chgrp 0 /tank/test
ls -Vd /tank/test
drwxrws---   5 root root   5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:---:allow
 group@:rwxp-Da-R-c--s:---:allow
  everyone@:--a-R-c--s:---:allow
See the missing "+" and "fd"?
8<---
(This doesn't apply to folders or files)

I hope this helps and I'm not telling lies here.
But that is my experience with that.

Jens
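A check for the caveat Jens describes, as an added example that is not from the thread: it parses `ls -Vd` output and reports when the "+" or the f/d inherit flags have been lost, or everyone@ has been granted something, after a chmod or chgrp. The two listings quoted above are embedded as constructed input; the function names are my own.

```python
import re

# Constructed inputs copied from the listings quoted in the message above:
# the intended state right after `chmod A=...`, and the state after `chgrp 0`.
LISTING_OK = """\
drwxrws---+  5 root IT5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:fd-:allow
 group@:rwxp-DaARWcCos:fd-:allow
  everyone@:--:fd-:allow
"""
LISTING_AFTER_CHGRP = """\
drwxrws---   5 root root   5 Jun 28 07:55 /tank/test
 owner@:rwxp-DaARWcCos:---:allow
 group@:rwxp-Da-R-c--s:---:allow
  everyone@:--a-R-c--s:---:allow
"""

# ls -V prints one ACE per line: who:permissions:inheritance-flags:type
ACE_RE = re.compile(
    r"^\s*(?P<who>[^:\s]+):(?P<perms>[rwxpdDaARWcCos-]*)"
    r":(?P<flags>[fdinFI-]*):(?P<type>allow|deny)\s*$"
)


def parse_ls_v(listing):
    """Return (mode field, list of ACE dicts) from `ls -Vd` output."""
    lines = [ln for ln in listing.splitlines() if ln.strip()]
    mode = lines[0].split()[0]          # e.g. "drwxrws---+"
    aces = []
    for line in lines[1:]:
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ACE line: {line!r}")
        aces.append(m.groupdict())
    return mode, aces


def check_inherited_acl(listing):
    """Findings for the state the thread aims at; an empty list means good.

    Expected: a non-trivial ACL ('+' on the mode), owner@ and group@ allow
    entries carrying both f (file_inherit) and d (dir_inherit), and an
    everyone@ entry that grants nothing.
    """
    mode, aces = parse_ls_v(listing)
    findings = []
    if not mode.endswith("+"):
        findings.append(f"mode {mode} has no '+': ACL is trivial, inheritance lost")
    seen = set()
    for ace in aces:
        who, perms, flags = ace["who"], ace["perms"], ace["flags"]
        seen.add(who)
        if who in ("owner@", "group@") and ace["type"] == "allow":
            missing = "".join(f for f in "fd" if f not in flags)
            if missing:
                findings.append(f"{who}: missing inherit flag(s) {missing}")
        # any permission letter on everyone@ means "others" got access back
        if who == "everyone@" and any(c.isalpha() for c in perms):
            findings.append(f"everyone@ is granted {perms}")
    for who in ("owner@", "group@", "everyone@"):
        if who not in seen:
            findings.append(f"no {who} entry")
    return findings


if __name__ == "__main__":
    for label, text in (("after chmod A=", LISTING_OK),
                        ("after chgrp", LISTING_AFTER_CHGRP)):
        print(label, check_inherited_acl(text) or "OK")
```

Run it against `ls -Vd` of a dataset root after any ownership or mode change to confirm the inherit flags survived.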
