ZFS CIFS and ACL Inheritance


This is just another one of those things that didn’t make any sense and only partially does now. At least NOW I know there is more at play here than the simple solutions in Samba using create mask and create directory mask. In Linux, that’s how I would get around the issues of Windows directory permissions running on a Linux SMB share.

Now, I am learning to do things the OpenSolaris way. I am loving OpenSolaris and ZFS! However, coming from a Linux and Windows “way of life”, there are some differences that just aren’t clear. What kills me is, I try the RTFM thing, and somehow completely miss that one little thing that makes it all work. Off topic, but an example: coming from Linux, I would just type “su” and get root access. In OpenSolaris, that won’t work. Neither will “pfexec su”, nor “sudo su”. Then one day, after dealing with it for a week or so, I stumbled upon a post where someone in an unrelated sample script typed “pfexec su - root”. There ya go! Argh!

Anyway, back on the ZFS/CIFS/ACL thing. It was driving me nuts that I couldn’t figure it out. I wanted a folder with this setup:
/pool/sharefs – owner: greg – group: domusers
greg and domusers should have full control, and all folders under “sharefs” should inherit that.

So under Linux/Samba, that’s where I would do something like “create mask = 770” or similar, and “force create group = domusers”. Something like that, can’t remember exactly. It made it simple, actually. It always wrote files with the right perms and ownership, and other people in that group could read/write just fine.

Problem is, you can’t get very specific about who gets what, where, and you can’t use more than one group. Well, sure enough, there’s a thing called “ACL” that handles that stuff now. It’s been around for a while, but I never even heard of it until I started using OpenSolaris. I like how it seems to be more compatible with the way Windows handles ACLs. What I don’t like is, it’s confusing. I get the NTFS/Share perms in Windows, been doing that a long time now. The CIFS/ZFS ACL thing kind of makes sense, and it will “click” at some point the more I use it.

After spending hours on this, I reached a point where I had to figure it out. Here’s what I did.

On the ZFS file system, create it normally for SMB access. Then set the aclinherit and aclmode properties to “passthrough” (zfs set takes one property per run, and there is no -o option on it):
zfs set aclinherit=passthrough pool/sharefs
zfs set aclmode=passthrough pool/sharefs

Then chmod/chown. OH! That’s another thing. You need to use /bin/chmod and /bin/ls! Not just type: chmod … That won’t work. In OpenSolaris the default PATH puts /usr/gnu/bin first, and the GNU chmod and ls there don’t have the “A” (set ACL) and “-V” (view ACL) options. That was another thing that DROVE ME CRAZY!!! I read the man pages and manuals and docs online and I didn’t catch anything that said, “Hey, there are different versions of chmod and ls here!” I can’t believe the time wasted here! Back to the point, do this to put your own default perms on:

/bin/chmod 2774 /pool/sharefs
(I actually am not positive that is needed, but I think it sets the group as inheritable)

/bin/chmod -R A- /pool/sharefs
(that wipes out all the current ACL entries)

/bin/chmod -R A=owner@:full_set:fd:allow /pool/sharefs
(resets the ACL to only that entry: full control for the owner)

/bin/chmod -R A+group@:full_set:fd:allow /pool/sharefs
(appends the group entry, full control)

/bin/chmod -R A+everyone@:read_set:fd:allow /pool/sharefs
(appends read access for everyone)

Every line above uses the “fd” flags, so the permissions are set as INHERITABLE for files and subdirectories.  Notice the one with “A=” on it?  That replaces the whole ACL with just that one entry, so I guess you may not even need the previous “A-” line to reset it.  (I am just learning here ya know!)

It looks as if that makes a little sense now.  You can view the current ACLs like so:  “/bin/ls -V /pool/sharefs”

In my case, I might want to add another user or group:

/bin/chmod -R A+user:stacy:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:othergroup:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:yetanothergroup:read_set:fd:allow /pool/sharefs
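As an added example (not the post’s own commands), here is a small POSIX shell script that emits the /bin/chmod lines above for a share laid out like /pool/sharefs, then checks a /bin/ls -V listing to make sure every entry really carries the “fd” inheritance flags, since an entry added without them is what leaves new files without the group permissions. The listings it parses are constructed, and the check only understands Solaris-style ls -V output.

```shell
#!/bin/sh
# Added example, not from the original post: emit the /bin/chmod ACL commands for a
# share laid out like greg's, then check a `/bin/ls -V` listing for inheritance flags.

# Print the ACL commands for PATH: owner@ and group@ get full control, everyone@
# gets read, all with f+d inheritance. Extra args are principal:permset specs
# (e.g. user:stacy:full_set) appended as further inheritable allow entries.
build_acl_cmds() {
  path=$1; shift
  printf '/bin/chmod -R A=owner@:full_set:fd:allow %s\n' "$path"
  printf '/bin/chmod -R A+group@:full_set:fd:allow %s\n' "$path"
  printf '/bin/chmod -R A+everyone@:read_set:fd:allow %s\n' "$path"
  for spec in "$@"; do
    printf '/bin/chmod -R A+%s:fd:allow %s\n' "$spec" "$path"
  done
}

# Read a `/bin/ls -V` listing on stdin. Every ACE line there ends with
# principal:perms:inheritance:allow|deny, so the inheritance field is $(NF-1).
# An entry whose flags do not start with "fd" is not copied to new files and
# directories; list those entries and return 1 if any are found.
check_inherit() {
  awk -F: '
    NF >= 4 && $NF ~ /^(allow|deny)$/ {
      if (substr($(NF-1), 1, 2) != "fd") {
        line = $0; sub(/^ +/, "", line)
        print "not inheritable: " line
        bad++
      }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed sample listings (not captured from a real host). The second one
# has a group@ entry that was added without :fd:, so files and folders created
# under the share would not get the group permissions.
GOOD_LISTING='drwxrwsr--+  2 greg  domusers  2 Jan  1 00:00 /pool/sharefs
                 owner@:rwxpdDaARWcCos:fd-----:allow
                 group@:rwxpdDaARWcCos:fd-----:allow
              everyone@:r-x---a-R-c--s:fd-----:allow'
BAD_LISTING='drwxrwsr--+  2 greg  domusers  2 Jan  1 00:00 /pool/sharefs
                 owner@:rwxpdDaARWcCos:fd-----:allow
                 group@:rwxpdDaARWcCos:-------:allow
              everyone@:r-x---a-R-c--s:fd-----:allow'

# Show the commands for the share plus one extra user, then run the check.
build_acl_cmds /pool/sharefs user:stacy:full_set
printf '%s\n' "$BAD_LISTING" | check_inherit ||
  echo 'fix: /bin/chmod -R A+group@:full_set:fd:allow /pool/sharefs'
```

On a real host, pipe the output of /bin/ls -V /pool/sharefs into check_inherit instead of the constructed listing.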

So with this setup I can now open the share on the server and create a file or folder with inherited permissions.  It does, however, record my username as the new owner of whatever I create, so keep that in mind.  But as long as the “domusers” group entry stays on it with full read/write access, I am happy.

Well, now I get it just a little and it makes more sense compared to Windows ACLs.  I didn’t go over any share specifics and authentication issues, this was just ACLs!  I still have to RTFM my way around that for a while.  Next project, join OpenSolaris to a Windows domain.  (Which, BTW, does not work with NT Domain style connections, you have to use Active Directory.)

  • Greg

    Brilliant!

    You should write the ZFS documentation.

    Thanks!

  • “yeah right!”, I say. LOL! But thanks for the great comment. I appreciate it.

    I do hate it when in the docs they leave out that “one thing” that makes it all sensible. It’s just the way they write it I guess. But it’s also just me, because who’s got time to read hundreds of pages thoroughly to get a good understanding of it all? That’s not how I learn, I just throw it on the network and figure it out as I go. Probably like most of us doing this work.

  • Hehe. Well your post sure helped me figure out the basics and get what I needed done quickly. Thanks again for taking the time out to write it up.

    I find the BigAdmin and Solaris docs on sun.com the most difficult to read, things seem to be changing a lot with the OpenSolaris documentation though, so let’s hope they keep it simple and easy to understand.

  • Dale

    I am an old time Solaris admin and OpenSolaris throws me for curves as well. Real Solaris doesn’t default to the GNU tools so you don’t have to do the workarounds you mentioned. I am glad I ran across this article so I know about the potential problems. If you run into problems you can always do a “which” to determine what version of a command you are running.

  • Hayes Whitt

    Hi, I used some of this info to refine my chmod/ACL scripts. Check out my Solaris 11 guide under “Permissions and ACL”. You do not need to set the 2775 type permissions if you use the owner@, group@, everybody@. When used with A= it sets everything at once.
    http://www.hayeswhitt.com

  • adhitya cn

    Hello…

    It doesn’t work on Linux CentOS.

    /bin/chmod -R A+everyone@:read_set:fd:allow

    any help please…