Using zfs ACLs to protect CIFS shares on OpenSolaris
So you have created your cifs share and joined the AD domain. Now you want your domain users to have write access to the share.
This is what worked for me:
I’ve created smbusers group on Solaris:
# groupadd smbusers
Set up idmap to map your domain users to smbusers unix group, and map an administrator user to root user (so administrator is able to have full control). I’ve also added the line to map existing windows users to unix users, otherwise the system will use ephemeral UIDs.
idmap add winuser:*@vmsysadmin.com unixuser:*
idmap add winuser:administrator@vmsysadmin.com unixuser:root
idmap add “wingroup:Domain Users@vmsysadmin.com” unixgroup:smbusers
Now nuke the permissions on the cifs share, we will create our own:
# chmod A- /spool/cifs1
# ls -vd /spool/cifs1
drwxr-xr-x 2 root root 2 Jan 18 11:37 /spool/cifs1
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Note that root (and domain administrator) has full access, but your smbusers do not have permissions to write or read the directories created by domain admin. If you want everyone to read the directories and files created by administrator, change the #5 ACL entry to propagate the permissions to the lower levels:
# chmod A5=everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:file_inherit/dir_inherit:allow /spool/cifs1
Now your users are able to read eveything in /spool/cifs. If you want your users to create and delete each other’s files, simply change group ownership and allow group to write:
# chgrp smbusers /spool/cifs1
# chmod g+w /spool/cifs1
I’d like to have a more precise permissions control though – users can only delete own files, but can read everything, and administrator can delete everything.
So we will not allow a simple group write, but instead will use ACLs for finer control.
Clear existing extended permissions
# chmod A- /spool/cifs1
# ls -vd /spool/cifs1
drwxr-xr-x 3 root root 4 Jan 18 13:40 /spool/cifs1
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow
Allow owner to create/delete objects and propagate the inheritance of owner’s ACLs
# chmod A1=owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/delete_child/write_attributes/delete/write_acl/write_owner:file_inherit/dir_inherit:allow /spool/cifs1
Allow smbusers group (mapped to Domain Users) to write to the top cifs share.
# chmod A2+group:smbusers:add_file/write_data/add_subdirectory/append_data:allow /spool/cifs1
Deny smbusers permissions to delete other users’ data
# chmod A2+group:smbusers:delete_child/delete:file_inherit/dir_inherit:deny /spool/cifs1
Allow everyone to read everything.
# chmod A7=everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:file_inherit/dir_inherit:allow /spool/cifs1
Your directory should look like this:
# ls -vd /spool/cifs1
drwxr-xr-x+ 2 root root 2 Jan 18 14:13 /spool/cifs1
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/delete_child/write_attributes
/delete/write_acl/write_owner:file_inherit/dir_inherit:allow
2:group:smbusers:delete_child/delete:file_inherit/dir_inherit:deny
3:group:smbusers:add_file/write_data/add_subdirectory/append_data:allow
4:group@:add_file/write_data/add_subdirectory/append_data:deny
5:group@:list_directory/read_data/execute:allow
6:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
7:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:file_inherit/dir_inherit:allow
That’s it! Now your users can write, but cannot delete each other’s data. Domain Administrator login has full access to the share and can delete any user’s data.
VMSysAdmin 
Thank you for the post. This works just as advertised and outstanding.
I was trying to create additional access on directory so user in group (smbusers) could add/write files, but then no one could delete, not owner, not group, nor everyone. That is, set up directory as an archive, once file is added only read is allowed (except for su). Either this is not possible with ACL access privileges or I have them all twisted up. Any ideas?
Gary
March 17, 2009 at 9:54 pm
Hi Gary,
to set up a directory as an archive, simply omit “delete_child” and “delete” attributes from the owner ACL.
Your owner ACL setup will be as follows:
chmod A1=owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/write_attributes/write_acl/write_owner:file_inherit/dir_inherit:allow /spool/cifs1
Now the smbusers group members will be able to create, but not delete files and folders. Note that administrator account will still be able to delete everything, because it is mapped to the root user.
I’ve tested this setup and it should work.
Andrei
March 18, 2009 at 3:47 am
Thanks again.
Delete is completely denied with above addition.
What I can’t seem to get to work is to stop group and owner from editing or updating any file in the directory. No one can delete, but all members can update. I have tried to deny append_data and write_data, but then cannot add files. I would like owners to be able to add files to directory, read, but not change in any way… Not sure this is possible with ZFS ACL?
Gary
March 18, 2009 at 4:20 pm