Archive for July, 2009
ZFS CIFS and ACL Inheritance
by Greg on Jul.24, 2009, under Networking, OpenSolaris, Security
This is just another one of those things that didn’t make any sense and only partially does now. At least NOW I know there is more at play here than the simple solutions in Samba using create mask and create directory mask. In Linux, that’s how I would get around the issues of Windows directory permissions running on a Linux SMB share.
Now, I am learning to do things the OpenSolaris way. I am loving OpenSolaris and ZFS! However, coming from a Linux and Windows “way of life”, there are some differences that just aren’t clear. What kills me is, I try the RTFM thing, and somehow completely miss that one little thing that makes it all work. Off topic, but here’s an example: coming from Linux, I would just type “su” and get root access. In OpenSolaris, that won’t work. Neither will “pfexec su”, nor “sudo su”. Then one day, after dealing with it for a week or so, I stumbled upon a post where someone in an unrelated sample script typed “pfexec su - root”. There ya go! Argh!
Anyway, back on the ZFS/CIFS/ACL thing. It was driving me nuts that I couldn’t figure it out. I wanted a folder with this setup:
/pool/sharefs – owner:greg – group:domusers
greg and domusers should have full control and all folders under “sharefs” should inherit that.
So under Linux/Samba, that’s where I would do something like “create mask = 770” or similar, and “force create group = domusers”. Something like that, I can’t remember exactly. It made things simple, actually. It always wrote files with the right perms and ownership, and other people in that group could read/write just fine.
Problem is, you can’t get very specific about who gets what, where, and you can’t use more than one group. Well, sure enough, there’s a thing called an “ACL” that handles that stuff now. It’s been around for a while, but I never even heard of it until I started using OpenSolaris. I like how it seems to be more compatible with the way Windows handles ACLs. What I don’t like is, it’s confusing. I get the NTFS/share perms in Windows, been doing that a long time now. The CIFS/ZFS ACL thing kind of makes sense, and it will “click” at some point the more I use it.
After spending hours on this, I reached a point where I had to figure it out. Here’s what I did.
On the ZFS file system, create it normally for SMB access. Then I changed some properties for aclinherit and aclmode. Change those to “passthrough”:
zfs set aclinherit=passthrough pool/sharefs
zfs set aclmode=passthrough pool/sharefs
Then chmod/chown. OH! That’s another thing. You need to use /bin/chmod and /bin/ls! Not just type: chmod … That won’t work. In OpenSolaris the default path points to /usr/gnu/bin/chmod, which doesn’t have the “A” or “V” options to set/view ACLs. That was another thing that DROVE ME CRAZY!!! I read the man pages and manuals and docs online and I didn’t catch anything that said, “Hey, there are different versions of chmod and ls here!” I can’t believe the time wasted here! Back to the point, do this to put your own default perms on:
/bin/chmod 2774 /pool/sharefs (I actually am not positive that is needed, but I think it set group as inheritable)
/bin/chmod -R A- /pool/sharefs (that will wipe out the current perms)
/bin/chmod -R A=owner@:full_set:fd:allow /pool/sharefs (resets perms with only that ACL entry)
/bin/chmod -R A+group@:full_set:fd:allow /pool/sharefs (that appends the group perms, full control)
/bin/chmod -R A+everyone@:read_set:fd:allow /pool/sharefs (that appends everyone read access)
All of the above presets INHERITABLE permissions for the subdirectories. Notice the one with “A=” on it? That resets the perms and sets only that entry. So I guess you may not even need the previous line with “A-” to reset. (I am just learning here, ya know!)
It looks as if that makes a little sense now. You can view the current ACLs like so: “/bin/ls -V /pool/sharefs”
In my case, I might want to add another user or group:
/bin/chmod -R A+user:stacy:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:othergroup:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:yetanothergroup:read_set:fd:allow /pool/sharefs
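To check that the resulting ACL really matches the intent above (owner and group with full control, everyone read-only, every entry inherited by files and directories), here is an added audit script that reads saved “/bin/ls -V” output. It is not from the original post; the sample output is constructed to look like what the commands above would produce.

```python
import re

# Compact permission letters in the order /bin/ls -V prints them.
PERM_LETTERS = "rwxpdDaARWcCos"
FULL_SET = set(PERM_LETTERS)              # what chmod's full_set expands to
WRITE_BITS = set("wpdDAWCo")              # anything that changes data, metadata, ACL or owner

# One ACE per line, e.g. "owner@:rwxpdDaARWcCos:fd----:allow" or "user:stacy:...".
ACE_RE = re.compile(
    r"^\s*(?P<who>(?:user:|group:)?[^:\s]+):(?P<perms>[rwxpdDaARWcCos-]{14}):"
    r"(?P<flags>[fdinSFI-]+):(?P<type>allow|deny)\s*$")

def parse_ls_v(output):
    """Return (who, perms, flags, type) for every ACE line in ls -V output."""
    aces = []
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces.append((m["who"],
                         {c for c in m["perms"] if c != "-"},
                         {c for c in m["flags"] if c != "-"},
                         m["type"]))
    return aces

def audit_share_acl(aces):
    """Return findings where the ACL departs from the intended layout; [] means it matches."""
    findings = []
    for who, perms, flags, kind in aces:
        if kind != "allow":
            continue
        if who in ("owner@", "group@") and perms != FULL_SET:
            findings.append(f"{who} lacks full_set")
        if who == "everyone@" and perms & WRITE_BITS:
            findings.append("everyone@ has write permissions")
        if not {"f", "d"} <= flags:          # f = file_inherit, d = dir_inherit
            findings.append(f"{who} is not inherited by both files and directories")
    return findings

# Constructed sample of what /bin/ls -V /pool/sharefs would print after the chmod commands.
SAMPLE = """\
drwxrws---+  2 greg  domusers  5 Jul 24 10:00 /pool/sharefs
                 owner@:rwxpdDaARWcCos:fd----:allow
                 group@:rwxpdDaARWcCos:fd----:allow
             user:stacy:rwxpdDaARWcCos:fd----:allow
              everyone@:r-----a-R-c---:fd----:allow
"""

if __name__ == "__main__":
    print(audit_share_acl(parse_ls_v(SAMPLE)) or "ACL matches intent")
```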
So with this setup I can now open the share on the server and create a file or folder with inherited permissions. It does, however, save my username as a new owner, so keep that in mind. But if the group stays in there with “domusers” as full read/write access, I am happy.
Well, now I get it just a little, and it makes more sense compared to Windows ACLs. I didn’t go over any share specifics and authentication issues; this was just ACLs! I still have to RTFM my way around that for a while. Next project, join OpenSolaris to a Windows domain. (Which, BTW, does not work in NT Domain style connections; you have to use Active Directory.)
Force removal of Active Directory from a server
by Greg on Jul.21, 2009, under Uncategorized
Not too often would you need this, but I just ran into a situation where it was handy to get AD off an existing, but inactive, domain controller. I couldn’t get dcpromo to uninstall the services and demote the darn thing, because this server thought it was still active in the domain. I had physically removed this server and manually cleared it from the active domain. Why would you do this, well, that’s a long story, but I wanted to, let’s just say that.
Here’s how you demote a DC with dcpromo, forcefully.
“dcpromo /forceremoval”
I did this on a 2008 Server, worked great! All these years and I hadn’t needed to do this, and didn’t even know it could be done. Always something new to learn, huh!
Uninstalling VMware Tools when not running on a VMware host
by Greg on Jul.21, 2009, under Uncategorized
I’ve moved a few virtual machines off of both ESXi and VMware Server recently. (I was testing VMware, which I do like.) I moved them into VirtualBox while I test OpenSolaris, which I am REALLY liking… but off topic. Anyway, once I got the vmdk hard drive files copied, I created a new machine config in VirtualBox and added the vmdk to VirtualBox. (Which is very cool, I must say; you can use vmdk’s or vhd’s in VirtualBox.) Once the OS booted, in both XP Pro and Win2008, the performance was terrible and there was no network. I realized that the VMware Tools were probably still installed. Should have removed them first, but whatever. Went to Control Panel and tried to uninstall, but I got some error that “No VmWare products were detected”, great! That’s nice, you can’t even uninstall after they are moved off the VMware host services.
I added the VMware Tools ISO to that VM and opened a command prompt. Then I found the “setup.exe” or “setup64.exe” files on the CD. Run those in the cmd window with a /c switch. (example: “setup64.exe /c”) This will remove the Tools. I installed the VirtualBox additions and then rebooted. On my Windows 2008 server it crashed on first reboot, then I tried again and it loaded up just fine. Network works and everything! Yay!
EDIT 7/23/09 :
I noticed on one Win2k system that the VMware uninstall didn’t fully remove the networking drivers. When I rebooted, the system tried to install the AMD PCNet adapter again, only it said it was “VMWare …” What I did to fix that… I shut down the Guest OS, went to settings and under Networking I selected the Intel adapter instead of the AMD. This worked, but also required that I download the driver from Intel and install it manually on the Guest OS. Everything worked fine though, and I had Gigabit networking!
I’d still like to know how to get rid of ALL the VMware stuff though. Probably just need to find some INFs for something in Windows.
How to insert CTL ALT DEL keys using Remote Desktop Connection client
by Greg on Jul.21, 2009, under Uncategorized
When you run mstsc.exe, the Remote Desktop Connection client to connect to a virtual machine VRDP or other RDP connections, it’s not exactly clear how to enter the CTL+ALT+DEL keystroke to login. Do this:
CTL+ALT+END
:)
Logged on with a temporary profile
by Greg on Jul.01, 2009, under Windows 7, Windows Vista
This is a pain. For some reason, unknown even to Microsoft apparently, I reboot my system only to log in to a temporary profile in Windows Vista or Windows 7. As of this writing, I am using the release candidate of Windows 7, but since I’ve seen this on Vista and even on Windows XP, I kind of suspect this has nothing to do with this being a beta product. XP doesn’t give the same error. I can’t remember what it says, but it basically does the same thing: it logs you in under the “Default” profile in Windows, which is temporary, and you lose everything once you log out.
You might see this error:
Your user profile was not loaded correctly! You have been logged on with a temporary profile.
Changes you make to this profile will be lost when you log off. Please see the event log for details or contact your administrator.
Why this happens is a mystery. I found one article on the MS knowledge base about your account being a member of Guests or Domain Guests, but that’s not the case for my issue. I found this article, which led me to a quick fix. (I doubt it’s a permanent fix, though.)
http://support.microsoft.com/kb/947242
The solution in that article did not fix it for me. Also, I’ve heard you can simply log out and back on, but that doesn’t fix it for me either. What I did was delete the subkey in the ProfileList registry key mentioned in the article above. If you go in there, you’ll see two keys with the same SID. One will end in “.bak”, which should be your correct key. Look within that key for the value of ProfileImagePath. It should show the path to your Windows profile. Mine, for example, is: “C:\Users\greg”. Now look into the newly created profile key (SID without the “.bak”); this should show a ProfileImagePath of “C:\Users\Temp”. Obviously wrong.
The fix in the article tells you to delete the key with the “SID.bak”, but that just left me in the temp profile and didn’t work for me. I went back into the registry, deleted the one with C:\Users\Temp in the path, and then renamed my original one (which I had exported! It’s the one named with the “.bak” and has your correct profile path) by simply removing the “.bak” at the end. Log off and back on, problem solved.
I hope this helps! Backup your registry first!!