I've tried to set up a SAMBA file server that acts completely identically to a Microsoft Windows 2000 or 2003 one.

First of all, the problem with the ACI ordering is simple: the Microsoft ACI specification imposes that the DENY ACIs are put on top. It can be solved with a simple chmod.

Problem no. 2: the Samba NFSv4 ACL module doesn't interpret owner@, group@, everyone@. While the first ones are not surprising, because they have no direct mapping in the Windows well-known SIDs list, everyone@ is a very well known Windows SID. These problems can be easily solved by initially setting the ACLs manually using chmod.

Problem no. 3: there is no umask(1) support for the NFSv4 ACI model, thus creating a new file from the UNIX shell or a UNIX program (say FTP) on that ZFS share will completely mess up your ACLs from a Windows perspective.

Furthermore, I expected that once I set some ACIs, with the inheritance flags on, I would get those ACIs, period. While I do get inheritance of the ACIs, I also get some default ACIs added that kinda represent the traditional UNIX rights (which is very far from what I'm looking for). Furthermore, I also expect to be able to ignore the UNIX rights, as mixing the two of them is both confusing and difficult. I think that mixing the two models (the NFSv4 and the Windows one) is improbable and it really does require that you make a choice to favor the Windows model or the NFSv4.

Right now I've concluded that the SAMBA NFSv4 ACL support is completely useless, as it allows me to view ACLs set using chmod on an existing file, or change them to other _VALID_ Windows ACLs. Unfortunately, as soon as I try to create a new file or directory all of the benefits go to /dev/null, as I get a new file with default ACLs that have nothing to do with the inherited flags I've set, and that are completely invalid on a Windows system.
I am sure that we need to have a new zfs attribute that changes the behaviour of the relation between the UNIX attributes and the NFSv4 ACIs (eventually completely ignoring the UNIX ones), as well as specifying that the inherited ACIs are the only ones that will be applied to a newly created file or directory. We also need to have the samba config file support new file and directory creation masks that are a little more complex than 3 numbers (or to take the inheritance flags more seriously into consideration). We also need to add support to the nfs4acl module for interpreting owner@, group@ and everyone@.

The ACIs that I needed and that miserably failed me are rather simple (except for a few folders in which I had more complex ones):

Domain Admins:rwxdDpaARWc--s:fd---:allow
Domain Users:rwxdDpaARWc--s:fd---:allow
Administrator:rwxdDpaARWcCos:fd---:allow

As you can probably see, I didn't even need deny ACLs. Obviously, I've initially set the ACLs with:

chmod -r A=group:Domain\ Admins:rwxdDpaARWc--s:fd---:allow, group:Domain\ Users:rwxdDpaARWc--s:fd---:allow, user:Administrator:rwxdDpaARWcCos:fd---:allow

(or something like that), and it worked until I started creating files and folders.

I started this thread in the hope that we can make sure that in the future Samba will be able to perfectly emulate a Windows File Server in coordination with ZFS, especially considering Sun's offering in the storage area. I can also come up with technical details about the differences in behavior between a Windows Server and a Samba server on the problematic operations.

Cheers,
Razvan

This message posted from opensolaris.org
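Added example, not part of the original thread and not Samba or ZFS code: a small audit of compact NFSv4 ACEs for the three conditions the message above describes (a deny entry following an allow entry, the owner@/group@/everyone@ identities, and entries on a directory that carry no f or d inheritance flag). The "who:perms:flags:type" layout follows the ACEs quoted in the message; the three default entries appended to the sample are constructed, and the deny-before-allow test is the simplified rule stated in the message.

```python
from dataclasses import dataclass

# Identities the message reports the Samba NFSv4 ACL module does not interpret.
SPECIAL = {"owner@", "group@", "everyone@"}

@dataclass
class Ace:
    who: str    # e.g. "group:Domain Admins" or "owner@"
    perms: str  # compact permission letters, kept verbatim
    flags: str  # compact inheritance flags, e.g. "fd---"
    kind: str   # "allow" or "deny"

def parse_ace(text):
    """Parse one compact ACE such as 'user:Administrator:rwx...:fd---:allow'."""
    parts = text.strip().split(":")
    if len(parts) < 4 or parts[-1] not in ("allow", "deny"):
        raise ValueError(f"not a compact ACE: {text!r}")
    # The last three fields are fixed; whatever precedes them names the principal.
    return Ace(":".join(parts[:-3]), parts[-3], parts[-2], parts[-1])

def audit(aces, is_dir=True):
    """Return (index, finding) pairs for an ordered ACE list."""
    findings = []
    seen_allow = False
    for i, ace in enumerate(aces):
        if ace.kind == "allow":
            seen_allow = True
        elif seen_allow:
            findings.append((i, "deny-after-allow"))
        if ace.who in SPECIAL:
            findings.append((i, "special-identity"))
        if is_dir and not ({"f", "d"} & set(ace.flags)):
            findings.append((i, "not-inherited"))
    return findings

# First three entries are the ACEs from the message; the last three are
# constructed stand-ins for the default UNIX-style entries it complains about.
SAMPLE = [
    "group:Domain Admins:rwxdDpaARWc--s:fd---:allow",
    "group:Domain Users:rwxdDpaARWc--s:fd---:allow",
    "user:Administrator:rwxdDpaARWcCos:fd---:allow",
    "owner@:--------------:------:deny",
    "owner@:rw-p---A-W-Co-:------:allow",
    "everyone@:r-----a-R-c--s:------:allow",
]

if __name__ == "__main__":
    for index, finding in audit([parse_ace(s) for s in SAMPLE]):
        print(index, SAMPLE[index], finding)
```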
ZFS has a smb server on the way, but there has been no real public information about it released. Here is a sample of its existence: http://www.opensolaris.org/os/community/arc/caselog/2007/560/;jsessionid=F4061C9308088852992B7DE83CD9C1A3
Sounds like the right solution to my problem in it solves a few problems, but I am rather curious about how it would integrate with a potential Samba server running on the same system (in case someone needs a domain controller as well as a fileserver).

1 - Samba can store the DOS attributes of a file in an xattr. Can sharesmb do that? If so, is it compatible with Samba?
2 - Regarding that, are Resource_Forks/xattr/Alternate_data_streams supported?
3 - How do I set share ACLs (allowed users, and their rights)?
4 - How do I set the share name?
5 - Will it support the smb2 protocol?
5b - Will it work over IPv6?
6 - Is Shadow Copy supported (using zfs snapshots)?
7 - How will it map nss users to domain users? Will it be able to connect to Winbind?
8 - Kerberos authentication support?
9 - Will it support the NT privileges? I could select a normal user on my network, and with a simple net rpc rights grant SeBackupPrivilege, SeRestorePrivilege, ACLs can be overridden by that user in a Windows environment. A user of the sharesmb service might expect that.

In my personal case, I need 1, 2, 3, 4, 6, 7, 8 and 9. And I am sure that more will come up, as these are the ones that came to my mind right now.

Anyway, congratulations on the sharesmb thing. If it has a flexible/configurable implementation (for the ones with complex rules in an environment), but with sane defaults (for normal users), it will be a hit.

Cheers,
Razvan
Razvan Corneliu VILT wrote:
> Sounds like the right solution to my problem in it solves a few problems, but I am rather curious about how it would integrate with a potential Samba server running on the same system (in case someone needs a domain controller as well as a fileserver).
>
> 1 - Samba can store the DOS attributes of a file in an xattr. Can sharesmb do that? If so, is it compatible with Samba?
> 2 - Regarding that, are Resource_Forks/xattr/Alternate_data_streams supported?
> 3 - How do I set share ACLs (allowed users, and their rights)?
> 4 - How do I set the share name?
> 5 - Will it support the smb2 protocol?
> 5b - Will it work over IPv6?
> 6 - Is Shadow Copy supported (using zfs snapshots)?
> 7 - How will it map nss users to domain users? Will it be able to connect to Winbind?
> 8 - Kerberos authentication support?
> 9 - Will it support the NT privileges? I could select a normal user on my network, and with a simple net rpc rights grant SeBackupPrivilege, SeRestorePrivilege, ACLs can be overridden by that user in a Windows environment. A user of the sharesmb service might expect that.
>
> In my personal case, I need 1, 2, 3, 4, 6, 7, 8 and 9. And I am sure that more will come up, as these are the ones that came to my mind right now.
>
> Anyway, congratulations on the sharesmb thing. If it has a flexible/configurable implementation (for the ones with complex rules in an environment), but with sane defaults (for normal users), it will be a hit.
>
> Cheers,
> Razvan

You might find this presentation of interest. It was presented at the CIFS workshop recently.

http://us1.samba.org/samba/ftp/slides/cifs-workshop-2007/cifs_workshop_2007_09_27.pdf

It would be best to ask questions about the features of the CIFS server on storage-discuss at opensolaris.org

-Mark
Does anyone know whether the following (copied from Wikipedia) is true or not??

"Solaris has a project called CIFS client for Solaris, based on the Mac OS X smbfs."

Rayson

On Nov 4, 2007 9:34 AM, Mark Shellenbaum <Mark.Shellenbaum at sun.com> wrote:
> You might find this presentation of interest. It was presented at the
> CIFS workshop recently.
>
> http://us1.samba.org/samba/ftp/slides/cifs-workshop-2007/cifs_workshop_2007_09_27.pdf
>
> It would be best to ask questions about the features of the CIFS server
> on storage-discuss at opensolaris.org
>
> -Mark
Rayson Ho wrote:
> Does anyone know whether the following (copied from Wikipedia) is true or not??
>
> "Solaris has a project called CIFS client for Solaris, based on the
> Mac OS X smbfs."
>
> Rayson

Yes, that is true.

http://www.opensolaris.org/os/project/smbfs/

-Mark
On Nov 4, 2007, at 00:42, MC wrote:
> ZFS has a smb server on the way, but there has been no real public
> information about it released. Here is a sample of its existence:
> http://www.opensolaris.org/os/community/arc/caselog/2007/560/;jsessionid=F4061C9308088852992B7DE83CD9C1A3

There's been a put back:

http://blogs.sun.com/amw/entry/cifs_in_solaris
On 11/3/07, Razvan Corneliu VILT <razvan.vilt at linux360.ro> wrote:
> Sounds like the right solution to my problem in it solves a few problems, but I am rather curious about how it would integrate with a potential Samba server running on the same system (in case someone needs a domain controller as well as a fileserver).
>
> 1 - Samba can store the DOS attributes of a file in an xattr. Can sharesmb do that? If so, is it compatible with Samba?
...

The best description I have seen so far is at http://blogs.sun.com/amw/entry/cifs_in_solaris .

Based upon what I see there, OpenSolaris is getting capability that will once again surpass the capabilities of the competition. Not to belittle the advances in dtrace, zfs, smf, etc., the integration of cifs seems to be a game changer in determining which open source OS is the best for file serving. Indeed, this would not be the case without the combination of zfs, nfsv4, avs, etc. Once NDMP and COMSTAR are in place, it looks as though the "core" parts will be complete. Hopefully this will all come together through administrative tools that make cross-platform (*nix, Windows) and cross-protocol (CIFS, NFS, iSCSI, FC) file and block serving with remote replication seem intuitive.

Kinda makes you understand why NetApp no longer feels that they can compete on features + ease of use.

--
Mike Gerdts
http://mgerdts.blogspot.com/