Owen Davies
2009-Sep-12 03:33 UTC
[zfs-discuss] ZFS Export, Import = Windows sees wrong groups in ACLs
I had an OpenSolaris server running basically as a fileserver for all my windows machines. The CIFS server was running in WORKGROUP mode. I had several users defined on the server to match my windows users. I had these users in a few groups (the most important being Parents and Kids).

For various reasons I decided to blow away the OS and install fresh. First I exported the zpool holding my shared files. I then rebuilt the server, created the same users, granted the same group memberships and finally imported my zpool.

Unfortunately, the GIDs for the Parents and Kids groups must have been swapped when I rebuilt because I found that the Kids had full control of everything and Parents had read only access. What is the right way to correct this?

I tried editing the /etc/group file to swap the GIDs but this didn't seem to have the effect I wanted. Now, when I view the ACLs with an ls -V from the OSOL side I see that the Parents group has full permissions but from the Windows side these folders show that HOMESERVER\Kids group has full control.

I know ZFS keeps the Windows style SIDs in the ACLs across export/import but how am I supposed to get the users/groups I created during the rebuild to match up with the old SIDs? Where is Windows getting a different idea of who that group is that OSOL has? There is no Active Directory or other LDAP which could have maintained a definition of those SIDs over the rebuild.

Thanks,
Owen Davies
--
This message posted from opensolaris.org
Mark Shellenbaum
2009-Sep-13 00:43 UTC
[zfs-discuss] ZFS Export, Import = Windows sees wrong groups in ACLs
Owen Davies wrote:
> I had a OpenSolaris server running basically as a fileserver for all my windows machines. The CIFS server was running in WORKGROUP mode. I had several users defined on the server to match my windows users. I had these users in a few groups (the most important being Parents and Kids).
>
> For various reasons I decided to blow away the OS and install fresh. First I exported the zpool holding my shared files. I then rebuilt the server, created the same users, granted the same group memberships and finally imported my zpool.
>
> Unfortunately, the GIDs for the Parents and Kids groups must have been swapped when I rebuilt because I found that the Kids had full control of everything and Parents had read only access. What is the right way to correct this?
>
> I tried editing the /etc/group file to swap the GIDs but this didn't seem to have the effect I wanted. Now, when I view the ACLs with an ls -V from the OSOL side I see that the Parents group has full permissions but from the Windows side these folders show that HOMESERVER\Kids group has full control.
>
> I know ZFS keeps the Windows style SIDs in the ACLs across export/import but how am I supposed to get the users/groups I created during the rebuild to match up with the old SIDs? Where is Windows getting a different idea of who that group is that OSOL has? There is no Active Directory or other LDAP which could have maintained a definition of those SIDs over the rebuild.
>
> Thanks,
> Owen Davies

How are the parent and kids defined in the /etc/passwd file? What do the ACLs look like?

Issues with the CIFS server are best served by asking on cifs-discuss at opensolaris.org

-Mark
Owen Davies
2009-Sep-13 03:17 UTC
[zfs-discuss] ZFS Export, Import = Windows sees wrong groups in ACLs
> How are the parent and kids defined in the /etc/passwd file?

These two are parents (names changed):

Dad:x:101:10:Dad:/export/home/Dad:/bin/bash
Mom:x:102:1::/home/Mom:/bin/sh

and these are the kids:

Kid_a:x:103:1::/home/Kid_a:/bin/sh
Kid_b:x:104:1::/home/Kid_b:/bin/sh
Kid_c:x:105:1::/home/Kid_c:/bin/sh

You didn't ask, but here is what the groups look like in the /etc/group file:

kids::101:
parents::102:
family::103:

> What do the ACLs look like?

The ACL for my music folder, for example, is:

dr-xr-xr-x+246 root root 246 Aug 26 00:16 music
everyone@:r-x---a-R-c--s:fd-----:allow
group:kids:rwxpdDaARWcCos:fd-----:allow

When I went in and edited the /etc/group file so parents were GID 101 and kids were GID 102, OSOL happily reported the ACL as:

dr-xr-xr-x+246 root root 246 Aug 26 00:16 music
everyone@:r-x---a-R-c--s:fd-----:allow
group:parents:rwxpdDaARWcCos:fd-----:allow

but Windows continued to report that the kids had permissions.

Having read a bit more I know ZFS stores the full ACL with SID. This must then get mapped, somehow, to UNIX UIDs and GIDs and mapped a second time to CIFS users or groups. The experiment above shows that the two mappings seem to be independent; the name Windows determines for a SID does not rely at all on UNIX GIDs or SIDs.

> Issues with the CIFS server are best served by asking on
> cifs-discuss at opensolaris dot org

So I guess what this leads me to is that you are right, I'm not really asking about ZFS or the actual ACLs and SIDs but rather how and where the mapping from ZFS SID to CIFS user/group name happens. That is obviously a topic for CIFS-Discuss.

BTW, I gave up and just "chmod -R ..." to set the permissions back how I wanted them. It was still a real pain to do it that way because ZFS won't allow you to remove the last non-inherited ACL from a file or folder. Meanwhile, it will happily let Windows do just that if you are setting the permissions from there... frustrating.

Thanks for the reply,
Owen Davies
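The experiment above (same on-disk ACE, different name after editing /etc/group) can be reproduced offline with a small parser for the ACE lines that `ls -V` prints. This is an added example, not code from the thread or from OpenSolaris; the /etc/group contents are constructed to match the ones posted, and the permission and inheritance letter meanings assumed here are the ones `ls -V` documents.

```python
import re

# Permission letters in the order `ls -V` prints them: rwxpdDaARWcCos
PERM_NAMES = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
# Inheritance flag letters in the order `ls -V` prints them: fdinSFI
FLAG_NAMES = {"f": "file_inherit", "d": "dir_inherit", "i": "inherit_only",
              "n": "no_propagate", "S": "successful_access",
              "F": "failed_access", "I": "inherited"}
ACE_RE = re.compile(r"^(owner@|group@|everyone@|user:[^:]+|group:[^:]+):"
                    r"([rwxpdDaARWcCos-]{14}):([fdinSFI-]{7}):(allow|deny)$")

def parse_ace(line):
    """Split one `ls -V` ACE into principal, permission set, flag set and type."""
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError("not an ls -V ACE: %r" % line)
    who, perms, flags, kind = m.groups()
    return {"who": who, "type": kind,
            "perms": {PERM_NAMES[c] for c in perms if c != "-"},
            "flags": {FLAG_NAMES[c] for c in flags if c != "-"}}

def is_full_control(ace):
    """An allow ACE with every bit set is what Windows shows as Full control."""
    return ace["type"] == "allow" and ace["perms"] == set(PERM_NAMES.values())

def gid_to_name(group_file_text):
    """Build {gid: name} from /etc/group text (name:password:gid:members)."""
    table = {}
    for line in group_file_text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, _members = line.split(":", 3)
            table[int(gid)] = name
    return table

def render_group_ace(gid, perm_letters, flag_letters, kind, group_file_text):
    """Print an on-disk group ACE (which stores only the GID) as ls -V would."""
    name = gid_to_name(group_file_text).get(gid, str(gid))
    return "group:%s:%s:%s:%s" % (name, perm_letters, flag_letters, kind)

def full_control_groups(acl_lines):
    """Group names holding full control in an `ls -V` listing (audit helper)."""
    return [a["who"].split(":", 1)[1] for a in map(parse_ace, acl_lines)
            if a["who"].startswith("group:") and is_full_control(a)]

# Constructed /etc/group contents: as posted, and after swapping the two GIDs.
GROUP_BEFORE = "kids::101:\nparents::102:\nfamily::103:\n"
GROUP_AFTER = "parents::101:\nkids::102:\nfamily::103:\n"
```

Rendering GID 101 against GROUP_BEFORE and GROUP_AFTER gives the two `group:` lines from the post; the CIFS-side name comes from a separate store that this script does not model.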
Brandon High
2009-Sep-13 05:48 UTC
[zfs-discuss] ZFS Export, Import = Windows sees wrong groups in ACLs
On Fri, Sep 11, 2009 at 8:33 PM, Owen Davies <daviesow at gmail.com> wrote:
> I tried editing the /etc/group file to swap the GIDs but this didn't seem to have the effect I wanted. Now, when I view the ACLs with an ls -V from the OSOL side I see that the Parents group has full permissions but from the Windows side these folders show that HOMESERVER\Kids group has full control.

I think the CIFS password and group files are in /var/smb/smbpasswd and /var/smb/smbgroup.db . The latter is a SQLite 2 database that you can view with /lib/svc/bin/sqlite -G

--
Brandon High : bhigh at freaks.com
If violence doesn't solve your problem, you're not using enough of it.
Owen Davies
2009-Sep-14 02:45 UTC
[zfs-discuss] ZFS Export, Import = Windows sees wrong groups in ACLs
Thanks. I took a look and that is exactly what I was looking for. Of course I have since just reset all the permissions on all my shares but it seems that the proper way to swap UIDs for users with permissions on CIFS shares is to:

Edit /etc/passwd
Edit /var/smb/smbpasswd

And to change GIDs for groups used on CIFS shares you need to both:

Edit /etc/group
Edit /var/smb/smbgroup.db

Is there a better way to do this than manually editing each file (or db)? I don't think there is much of this sort of integration yet so that tools update things in a consistent way on both the UNIX side and the CIFS side.

Thanks,
Owen Davies
Brandon High
2009-Sep-16 23:40 UTC
[zfs-discuss] ZFS Export, Import = Windows sees wrong groups in ACLs
On Sun, Sep 13, 2009 at 7:45 PM, Owen Davies <daviesow at gmail.com> wrote:
> Is there a better way to do this than manually editing each file (or db)? I don't think there is much of this sort of integration yet so that tools update things in a consistent way on both the UNIX side and the CIFS side.

You could use ldap for account information I suppose. I haven't looked into it for the Solaris CIFS server, but I know that Samba can use ldap to store its passwords. Or go all out and use krb5 and a Windows domain. :-/

I stumbled on the /var/smb files when I changed my uid on Opensolaris to match the uid on some existing CentOS systems.

Maybe a hook to PAM would work, but you'd have to make the passwd and group file changes via a PAM interface.

-B

--
Brandon High : bhigh at freaks.com
If it wasn't for pacifists, we could achieve peace.
Kyle McDonald
2009-Sep-17 11:32 UTC
[zfs-discuss] ZFS Export, Import = Windows sees wrong groups in ACLs
Owen Davies wrote:
> Thanks. I took a look and that is exactly what I was looking for. Of course I have since just reset all the permissions on all my shares but it seems that the proper way to swap UIDs for users with permissions on CIFS shares is to:
>
> Edit /etc/passwd
> Edit /var/smb/smbpasswd
>
> And to change GIDs for groups used on CIFS shares you need to both:
>
> Edit /etc/group
> Edit /var/smb/smbgroup.db
>
> Is there a better way to do this than manually editing each file (or db)?

I've just started reading the CIFS docs recently, so I could be wrong.... But I think the smb files were populated when you added the mappings (back when /etc/passwd and /etc/group were wrong.) I bet, if you removed the mappings, fixed the UNIX files, and recreated the mappings then the SMB files would be 'fixed'.

It may not be easier, but it probably is better in the case that there are other housekeeping things the map commands do.

-Kyle

> I don't think there is much of this sort of integration yet so that tools update things in a consistent way on both the UNIX side and the CIFS side.
>
> Thanks,
> Owen Davies
>