When you need another brain

CIFS in OpenSolaris – Domain mode, idmap, and ACLs


I’ve created a share on OpenSolaris snv_104:

# zfs create -o casesensitivity=mixed -o nbmand=on -o sharesmb=name=cifs1 spool/cifs1

I’ve followed instructions on setting up CIFS on OpenSolaris in Domain mode from http://blogs.sun.com/timthomas/entry/configuring_the_opensolaris_cifs_server to join the domain.

Also a good blog entry on the subject: http://jmlittle.blogspot.com/2008/03/step-by-step-cifs-server-setup-with.html

I also wanted to have my domain users mapped to the unix accounts on the Solaris side. What I ended up with:
1) created a unix group “smbusers”
2) created unix accounts for domain users I want to grant access to cifs share and added them to the group smbusers
3) configured idmap

# idmap add 'winuser:*' 'unixuser:*'
# idmap add 'wingroup:Domain Users' 'unixgroup:smbusers'

You must restart smb and idmap for the settings to take effect:

# svcadm restart smb/server; svcadm restart idmap

Now when the domain user creates a file on the share, the file is created with correct unix user/group attributes, mapped by idmap.

If you need to figure out what group your domain users are in, you can use “idmap dump -n” and grep for the numbers from “ls -l”. Once the mapping is set and the services are restarted, you should see the correct user ids in the directory listing:

# mkdir /spool/cifs1/test
# chgrp smbusers test
# chmod g+w test
# ls -ld test/New\ Folder/
d---------+  2 user01   smbusers        2 Jan 17 21:53 test/New Folder/
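
The "grep for the numbers" step can be scripted. The following is an added example, not part of the original post: it joins a saved `idmap dump -n` against a saved `ls -ln` listing and flags owners that are still unmapped. It assumes dump lines look like `<windows name> == <uid|gid>:<number>` and that ephemeral ids start at 2^31; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `idmap dump -n` output (line format is an assumption).
sample_dump() {
cat <<'EOF'
winuser:user01@example.com  ==  uid:2147483650
wingroup:Domain Users@example.com  ==  gid:2147483649
EOF
}

# Constructed sample of `ls -ln` output (numeric owner and group columns).
sample_ls() {
cat <<'EOF'
total 6
d---------+  2 2147483650 2147483649   2 Jan 17 21:53 New Folder
-rw-r--r--   1 101        100          5 Jan 17 21:40 notes.txt
-rw-r--r--+  1 2147483660 2147483649   9 Jan 17 21:58 stray.txt
EOF
}

# resolve_owners DUMP_FILE LS_FILE
# Prints "<file>\towner=<label>\tgroup=<label>" for every listed entry.
resolve_owners() {
  awk '
    function label(kind, num,   key) {
      key = kind ":" num
      if (key in name) return name[key]            # known Windows identity
      if (num + 0 >= 2147483648)                   # assumed ephemeral range
        return key " (ephemeral, not in dump)"
      return key " (local id)"
    }
    NR == FNR {                                    # first file: idmap dump
      # Split on the direction marker, not on spaces: names may contain spaces.
      n = split($0, side, "[ \t]+(==|=>|<=)[ \t]+")
      if (n == 2 && split(side[2], id, ":") == 2)
        name[id[1] ":" id[2]] = side[1]
      next
    }
    NF >= 9 {                                      # second file: ls -ln rows
      file = $9
      for (i = 10; i <= NF; i++) file = file " " $i
      printf "%s\towner=%s\tgroup=%s\n", file, label("uid", $3), label("gid", $4)
    }
  ' "$1" "$2"
}

# Demo on the constructed samples.
d=$(mktemp) && l=$(mktemp) && sample_dump > "$d" && sample_ls > "$l"
resolve_owners "$d" "$l"
rm -f "$d" "$l"
```

On a real system, the two input files would come from `idmap dump -n` and `ls -ln` run against the share.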

Now I want to set up the right zfs ACLs to prevent other domain users in the smbusers group from deleting your files. This, however, appears to be more difficult than I thought. No matter what ACLs I would set on the directory created by one user, the other smb user was able to remove it. If someone made it happen, please let me know.

Update: after a few hours in zfs ACL land, I’ve figured it out. See my next post: https://vmsysadmin.wordpress.com/2009/01/18/using-zfs-acls-to-protect-cifs-shares-on-opensolaris/


Written by vmsysadmin

January 18, 2009 at 4:44 am

Posted in OpenSolaris
