OK. I need to set the following permissions:
domain admin - full control
domain users - can add files and folders, but cannot delete, modify or rename them.
No matter what I try, domain users are still able to modify files.
What am I doing wrong?
This is my setup:
# Replaces the entire ACL on ./test (chmod A=...) with three entries, all
# flagged fd (file_inherit + dir_inherit):
#   1. domain admins : full_set                                   -> allow
#   2. domain users  : list/read/execute + add_file/add_subdirectory -> allow
#   3. domain users  : write/append/delete/ACL/ownership bits     -> deny
#
# NOTE(review): NFSv4-style ACEs are evaluated in order, and a permission
# already granted by an earlier allow entry is not taken back by a later deny
# entry. Entry 3 therefore cannot revoke anything entry 2 has granted.
#
# NOTE(review): add_file and write_data are the same access bit (as are
# add_subdirectory and append_data); `ls -v` prints them as pairs for this
# reason. Because entry 2 is file_inherit, new files inherit it as
# write_data/append_data, i.e. permission to modify file contents.
#
# One layout to test instead: grant add_file/add_subdirectory on an entry that
# is dir_inherit only, and give files a separate read-only file_inherit entry.
# Check a newly created file with `ls -v`; owner@ entries and the dataset's
# aclinherit property also influence the outcome - verify on a scratch dataset.
#
# NOTE: the command below was line-wrapped when posted. In a shell, `domain\`
# followed by a newline is a line continuation, not an escaped space, so the
# command must be rejoined onto one line before it is run.
chmod A=group:MYDOMAIN+domain\ admins:full_set:fd:allow,group:MYDOMAIN+domain\
users:list_directory/read_data/add_file/add_subdirectory/read_xattr/execute/read_attributes/read_acl:fd:allow,group:MYDOMAIN+domain\
users:append_data/write_data/delete/delete_child/write_xattr/write_attributes/write_acl/write_owner/synchronize:fd:deny
test
-bash-4.0# ls -vd test/
d---------+ 6 root root 8 Dec 2 23:15 test/
0:group:11014:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/write_acl/write_owner/synchronize:file_inherit/dir_inherit:allow
2:group:CADDALTA+domain use:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/execute/read_attributes
/read_acl:file_inherit/dir_inherit:allow
3:group:CADDALTA+domain use:add_file/write_data/add_subdirectory
/append_data/write_xattr/delete_child/write_attributes/delete
/write_acl/write_owner/synchronize:file_inherit/dir_inherit:deny
smb.conf:
# Samba configuration for an Active Directory member server exporting one
# ZFS-backed share ([test]) whose access control is meant to come from
# NFSv4/ZFS ACLs via the zfsacl VFS module.
[global]
log level = 2
syslog only = no
max log size = 50
log file = /var/samba/log/%m.log
realm = caddalta.local
workgroup = CADDALTA
# Domain-member mode: authentication is delegated to Active Directory.
security = ADS
encrypt passwords = true
unix extensions = no
password server = caddcentral.caddalta.local
server string =prstorage
wins server = caddcentral.caddalta.local
domain master = no
socket options = TCP_NODELAY SO_KEEPALIVE
# NOTE(review): turns off the netlogon secure channel on the client side.
# Confirm the domain controller really requires this; it weakens protection
# of traffic between this server and the DC.
client schannel = no
client use spnego = yes
kernel oplocks = yes
oplocks = yes
# '+' joins domain and name, which is why the ACL entries are written as
# DOMAIN+group.
winbind separator = +
# Range winbind uses for mapped domain accounts; the unresolved gid 11014 in
# the `ls -v` output falls inside it.
idmap uid = 11000-19000
idmap gid = 11000-19000
winbind enum users = yes
winbind enum groups = yes
winbind nested groups = yes
allow trusted domains = yes
printcap name = /dev/null
load printers = no
[test]
path = /tank/test
# acl check permissions = True
hide dot files = yes
browseable = yes
# Store and evaluate Windows ACLs as native ZFS (NFSv4) ACLs.
vfs objects = zfsacl
# NOTE(review): NFSv4 ACL mapping options for the VFS module; exact semantics
# depend on the Samba version - check the vfs_zfsacl documentation.
nfs4: mode = special
zfsacl: acesort = dontcare
# create mask = 0770
# directory mask = 0770
# NOTE(review): `public` is a synonym for `guest ok`. Together with
# `writable = yes`, the share accepts guest sessions wherever guest mapping is
# enabled, and those sessions are limited only by the filesystem ACL. If every
# user should authenticate against the domain, set this to `no`.
public = yes
writable = yes
Please help.