[OmniOS-discuss] ACL inheritance and ABE broke when using nested filesystems
Garrett Fields
fields at gwu.edu
Mon Jan 27 21:29:43 UTC 2014
I'm setting up an OmniOS storage server with SMB shares for AD
authenticated group shares. I got Active Directory integration, and Access
Based Enumeration working, then focused on quotas. I understand I can
have user/fs, group/fs, and generic fs quotas.
Originally, I was going to use a single fs with directories for the
different groups, but then I found that the group/fs quota is based on the
primary group in AD, which is "Domain User" for all my users, and I don't
have the rights to modify this. Besides, there may be situations where a
single user may have multiple group memberships with differing quotas. So,
I then created nested fs's under the "group" fs and set generic quotas on
those. In the end, this more accurately accomplishes what I wanted to do
but.....
Two bad things happened. ACL inheritance broke and ABE broke.
ACL of the nested fs reverted to the default ACL (@owner, @group,
@everyone) instead of inheriting from "group". I was able to work around
this by manually setting my admin account permissions on the server (could
have also used root), then via Windows adding the additional users/groups.
But when I did this, it "rediscovered" the inherited permissions from
"group", so I had two entries. I just deleted the non-inherited entries. It
seems like I'd have to do this for every group nested fs. Is there an
easier way to do this?
I also noticed that the nested fs, which shouldn't be visible because of
ABE, are now visible. The security settings are properly blocking access,
but I don't want them seen if the user doesn't have access. I have not
been able to fix this. Any ideas here?
Thanks!