[OmniOS-discuss] SMB issues after r151014 -> r151018

Gordon Ross gordon.w.ross at gmail.com
Fri Apr 22 01:53:18 UTC 2016


I'm not sure how anyone ever gets access when your ACL has this ACE:
        everyone@:rwxpdDaARWcCos:fd-----:deny

Every logon has the group "everyone" as a member, therefore that ACE
will match every logon.  The ACE also lists every possible permission,
so nothing should get through, no matter what allow ACEs might also
exist.

One thing to be aware of is that ZFS (and Unix in general) checks
Execute access when you try to "traverse" through a directory (path
name resolution).  If you're copying ACLs from a Windows server, you
may need to add some ACEs at various levels in your file hierarchy to
grant execute to whatever users and/or groups should be able to
traverse.
(The easiest way would be: chmod A+everyone@:x:fd:allow)

Windows servers normally run with a special privilege that makes the
SMB server threads exempt from traverse permission checking, for
reasons of efficiency.

On Wed, Apr 20, 2016 at 6:28 PM, Olaf Marzocchi <lists at marzocchi.net> wrote:
> I updated as indicated in the guide and to do that I had to uninstall some
> packages:
>
> serf@1.3.8,5.11-0.151014:20151015T214958Z
> apr-util@1.4.1,5.11-0.151014:20150508T204811Z
> apr@1.5.1,5.11-0.151014:20150529T175834Z
> uuid@1.41.14,5.11-0.151014:20150508T153803Z
>
> After reboot I got two main issues.
>
> 1) I cannot reach my OmniOS box with "OmniOS-Xeon.local" as I usually did in
> the past, both for SMB, local webserver/services, ... but I can still access
> the box when I use the plain IP.
>
> OmniOS-Xeon:~ olaf$ cat /etc/nodename
> OmniOS-Xeon
>
>
> 2) I cannot access one specific SMB share ("olaf") that was working
> perfectly before the update. Using the IP of the machine allows me to access
> the other shares, but not this one. It was also the one with the most
> restrictive access ACLs, but they look fine to me.
>
> OmniOS-Xeon:~ olaf$ sharemgr show
> ...
> zfs
>     zfs/tank/home/olaf
>           /tank/home/olaf
> [and more shares, all working]
>
> OmniOS-Xeon:~ olaf$ ls -lV /tank/home/
> total 34
> drwx------+ 15 olaf     olaf          15 Oct 25 11:27 olaf
>               user:olaf:rwxpdDaARWcCos:fd-----:allow
>        group:2147483648:rwxpdDaARWcCos:fd-----:allow
>               everyone@:rwxpdDaARWcCos:fd-----:deny
>
> OmniOS-Xeon:~ olaf$ tail /var/adm/messages
> Apr 20 22:30:04 OmniOS-Xeon smbsrv: [ID 138215 kern.notice] NOTICE:
> smbd[OMNIOS-XEON\olaf]: temporar share not found
> Apr 20 22:30:04 OmniOS-Xeon last message repeated 10 times
> Apr 20 22:30:33 OmniOS-Xeon smbsrv: [ID 138215 kern.notice] NOTICE:
> smbd[OMNIOS-XEON\olaf]: olaf share not found
> Apr 20 22:30:36 OmniOS-Xeon last message repeated 8 times
>
> As you can see, the last letter of the share name in /var/adm/messages gets
> cut for the share "temporary", but not for my own share "olaf". However, my
> own share is neither visible nor accessible, while the other ones are.
>
> Has anything changed about permissions with SMB2?
>
> Thanks
> Olaf
> _______________________________________________
> OmniOS-discuss mailing list
> OmniOS-discuss at lists.omniti.com
> http://lists.omniti.com/mailman/listinfo/omnios-discuss
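
The traverse check described in the reply above, as an added example that is not part of the original thread: Python that walks each directory on a path and reports where a logon is not granted execute, then repeats the walk with the suggested `everyone@:x:fd:allow` ACE prepended. The ACLs for /tank and /tank/home, the group "staff" and all function names are constructed for illustration; it assumes ZFS's in-order evaluation (the first applicable ACE that covers a permission decides it) and does not model owner@/group@ or privileges.

```python
# Added example. ACEs use the compact form printed by `ls -V`:
#   who:permissions:inheritance-flags:type
# Constructed sample: /tank/home stands in for a directory whose ACL was
# copied from a Windows server and grants no execute (traverse) bit.
SAMPLE_ACLS = {
    "/tank": ["everyone@:r-x---a-R-c--s:-------:allow"],
    "/tank/home": ["group:staff:rw-p--aARWc--s:fd-----:allow"],
    "/tank/home/olaf": [
        "user:olaf:rwxpdDaARWcCos:fd-----:allow",
        "everyone@:rwxpdDaARWcCos:fd-----:deny",
    ],
}


def can_traverse(aces, user, groups):
    """Evaluate ACEs top-down; the first applicable one covering 'x' decides."""
    for ace in aces:
        *who, perms, flags, kind = ace.strip().split(":")
        # Inherit-only ACEs ('i') apply to children, not to this directory.
        if "i" in flags or "x" not in perms:
            continue
        if (who == ["everyone@"] or who == ["user", user]
                or (who[0] == "group" and who[-1] in groups)):
            return kind == "allow"
    return False  # no ACE grants execute: access is refused


def traverse_blockers(path, acls, user, groups):
    """Return the directories on `path` where the logon lacks execute."""
    parts = path.strip("/").split("/")
    dirs = ["/" + "/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    return [d for d in dirs
            if d in acls and not can_traverse(acls[d], user, groups)]


def with_prepended(acls, directory, ace):
    """Model `chmod A+<ace> <directory>`, which prepends the ACE."""
    fixed = dict(acls)
    fixed[directory] = [ace] + acls[directory]
    return fixed


if __name__ == "__main__":
    target = "/tank/home/olaf"
    print("before:", traverse_blockers(target, SAMPLE_ACLS, "olaf", {"staff"}))
    fixed = with_prepended(SAMPLE_ACLS, "/tank/home", "everyone@:x:fd:allow")
    print("after: ", traverse_blockers(target, fixed, "olaf", {"staff"}))
```

On a real system the ACE lists would come from `ls -dV` run on each directory along the path.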

