I created a snapshot for my whole zpool (zfs version 3):

    zfs snapshot -r tank@`date +%F_%T`

then tried to send it to the remote host:

    zfs send tank@2008-07-25_09:31:03 | ssh user@10.0.1.14 -i identitykey 'zfs receive tank/tankbackup'

but got the error "zfs: command not found" since user is not superuser, even though it is in the root group.

I found some blogs & documentation referring to a delegation command 'zfs allow'. This does not seem to be on my version of zfs though, and I am assuming that it is not a pre-requisite for zfs send/receive.

Any clues on what I am missing, or a howto anywhere?

justin
Justin Vassallo wrote:
> I created a snapshot for my whole zpool (zfs version 3):
>
> zfs snapshot -r tank@`date +%F_%T`
>
> then tried to send it to the remote host:
>
> zfs send tank@2008-07-25_09:31:03 | ssh user@10.0.1.14 -i identitykey 'zfs receive tank/tankbackup'
>
> but got the error "zfs: command not found" since user is not
> superuser, even though it is in the root group.

on my machine (sparc, nv. b92):

    $ which zfs
    /sbin/zfs

so ... you need to (at least) change your "receive" command to '/sbin/zfs receive ...'

HTH
Michael
--
Michael Schuster http://blogs.sun.com/recursion
Recursion, n.: see 'Recursion'
Thanks Michael,

that got me through to second round :) I eventually added /sbin to my /etc/profile to avoid the mistake in future.

So the issue is now with the USER rights on the zfs. How can I grant USER rights on this zfs? Is upgrading to a zfs which supports 'zfs allow' my only option?

---justin
Justin Vassallo wrote:
> Thanks Michael,
>
> that got me through to second round :) I eventually added /sbin to my
> /etc/profile to avoid the mistake in future.
>
> So the issue is now with the USER rights on the zfs. How can I grant USER
> rights on this zfs? Is upgrading to a zfs which supports 'zfs allow' my only
> option?

I would suspect as much, though I'll defer to the ZFS experts to give you a definite answer.

Is 'zpool upgrade' / 'zfs upgrade' difficult for you?

Michael
--
Michael Schuster http://blogs.sun.com/recursion
Recursion, n.: see 'Recursion'
Justin Vassallo wrote:
> Thanks Michael,
>
> that got me through to second round :) I eventually added /sbin to my
> /etc/profile to avoid the mistake in future.
>
> So the issue is now with the USER rights on the zfs. How can I grant USER
> rights on this zfs? Is upgrading to a zfs which supports 'zfs allow' my only
> option?
>
> ---justin

If you're wanting to allow a non-privileged user the ability to do a send/receive then you will need to give the user the necessary permissions.

For example:

    # zfs allow joe receive,send,create,mount tank/fs

This will allow user joe to send, receive, create datasets and mount them on the dataset tank/fs and all of its descendants.

See the zfs admin guide for an example of the zfs delegated admin model.

Your pool must be version 8 or greater for delegated administration support.

-Mark
Indeed I want a permanent solution so I'll upgrade my zpool as suggested, since that seems to be the only option.

I searched sunsolve for the relevant patches/package downloads and googled zfs upgrade but only got references to documentation. Any clues where I can get the upgrade from?

I'm running Solaris 10 8/07 s10x_u4wos_12b X86

justin
Justin Vassallo wrote:
> Indeed I want a permanent solution so I'll upgrade my zpool as suggested,
> since that seems to be the only option
>
> I searched sunsolve for the relevant patches /package downloads and googled
> zfs upgrade but only got references to documentation. Any clues where I can
> get the upgrade from?
>
> I'm running Solaris 10 8/07 s10x_u4wos_12b X86
>
> justin

zfs delegation isn't currently available in Solaris 10. It will be in S10u6 though.

-Mark
For the record, I am told that I will need to wait for S10 u6 for zfs delegation; can't upgrade before that.

Meanwhile, I had to permit root login (obviously disabled passwd auth; PasswordAuthentication no; PAMAuthenticationViaKBDInt no).

Also, the -R option does not work on this zfs version, so I had to use separate zfs send commands separately for each fs.

Thanks to the very helpful guys at Sun!
Justin Vassallo wrote:
> For the record, I am told that I will need to wait for S10 u6 for zfs
> delegation; can't upgrade before that.
>
> Meanwhile, I had to permit root login (obviously disabled passwd auth;
> PasswordAuthentication no; PAMAuthenticationViaKBDInt no).

I'd suggest instead using RBAC. See usermod and prof_attr. This should work:

    root # usermod -P 'ZFS File System Management','ZFS Storage Management' zfsrepluser
    zfsrepluser $ /bin/pfexec /usr/sbin/zfs send ... | ssh ... zfsrepluser@desthost '/bin/pfexec /usr/sbin/zfs recv ...'

I'm not sure if FS mgmt is sufficient, or if storage mgmt is also needed...

--
Carson
[OT, I know.]

On Fri, Jul 25, 2008 at 07:14:09PM +0200, Justin Vassallo wrote:
> Meanwhile, I had to permit root login (obviously disabled passwd auth;
> PasswordAuthentication no; PAMAuthenticationViaKBDInt no).

Why obviously? I think instead you may just want to:

    PermitRootLogin without-password

or

    PermitRootLogin forced-commands-only

(See sshd_config(4), which says "without-password means that root cannot be authenticated using the "password" or "keyboard-interactive" methods" and "forced-commands-only means that authentication is allowed only for publickey".)

Also, PAMAuthenticationViaKBDInt has no meaning to sshd. If you want to disable 'keyboard-interactive' then use:

    KbdInteractiveAuthentication no

and if you want to disable 'password' then:

    PasswordAuthentication no

Nico
--
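
With "PermitRootLogin forced-commands-only" as suggested above, the root key still needs a command= entry that limits what it can run. The wrapper below is an added example, not code from anyone in this thread: the install path /root/bin/zfs-recv-only and the function name check_request are hypothetical, and the dataset and zfs path are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: forced-command wrapper for a root key that may only run
# "zfs receive" into the backup dataset.
# Hypothetical install path: /root/bin/zfs-recv-only
# Matching authorized_keys line (key material is a placeholder):
#   command="/root/bin/zfs-recv-only",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY> backup
LC_ALL=C; export LC_ALL            # keep the A-Z / a-z ranges ASCII-only
ALLOWED_PREFIX="tank/tankbackup"   # receive target used in the thread

# Print the target dataset and return 0 only if the request is exactly
# "<zfs> receive|recv <dataset>" with the dataset at or below ALLOWED_PREFIX.
check_request() {
    req=$1
    # Allow only dataset-name characters, "/" and space. This refuses
    # ; | $ ` quotes, tabs and newlines before any word splitting happens.
    case $req in
        ''|*[!A-Za-z0-9\ /_.:-]*) return 1 ;;
    esac
    set -f; set -- $req; set +f    # split into words without globbing
    [ $# -eq 3 ] || return 1       # no extra options or arguments
    case $1 in zfs|/sbin/zfs|/usr/sbin/zfs) ;; *) return 1 ;; esac
    case $2 in receive|recv) ;; *) return 1 ;; esac
    case $3 in
        "$ALLOWED_PREFIX"|"$ALLOWED_PREFIX"/*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$3"
}

# sshd puts the command the client asked for in SSH_ORIGINAL_COMMAND and
# runs this wrapper instead of it.
if [ -n "${SSH_ORIGINAL_COMMAND+x}" ]; then
    target=$(check_request "$SSH_ORIGINAL_COMMAND") || {
        echo "refused: only zfs receive into $ALLOWED_PREFIX is allowed" >&2
        exit 1
    }
    exec /sbin/zfs receive "$target"
fi
```

The sending side keeps the same pipeline; a request for anything other than a receive into tank/tankbackup or a child dataset is refused before zfs is started.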
>>>>> "jv" == Justin Vassallo <justin.vassallo at entropay.com> writes:

    jv> Any clues where I can get the upgrade from?

type 'zpool upgrade -v' and follow the url there, which for me on SXCE b71 is:

    http://www.opensolaris.org/os/community/zfs/version/8/

so you will need sol10 u6, which is hard to translate into what's been/will be released, but I found this page with google:

    http://blogs.sun.com/karenlaw/

so, zfs delegated admin is not available to you on stable Solaris.
Nico,

I require pubkey auth on *all* my ssh sessions, thus achieving two-factor auth with minimal overheads. I'd thought this was widely implemented.

PAMAuthenticationViaKBDInt actually works in practice for me, disallowing kbd interactive for all accounts. I've no clue how and why it worked, but I did that based on a Q&A I googled to. Will be switching to KbdInteractiveAuthentication as per your recommendation, since that seems to be the correct method.

justin