VMSysAdmin

When you need another brain

Using zfs ACLs to protect CIFS shares on OpenSolaris


So you have created your cifs share and joined the AD domain. Now you want your domain users to have write access to the share.

This is what worked for me:

I created an smbusers group on Solaris:

# groupadd smbusers

Set up idmap to map your domain users to the smbusers unix group, and map the administrator user to the root user (so administrator has full control). I also added the line that maps existing Windows users to unix users; otherwise the system will use ephemeral UIDs.

idmap add winuser:*@vmsysadmin.com unixuser:*
idmap add winuser:administrator@vmsysadmin.com unixuser:root
idmap add "wingroup:Domain Users@vmsysadmin.com" unixgroup:smbusers

Now nuke the permissions on the cifs share; we will create our own:
# chmod A- /spool/cifs1

# ls -vd /spool/cifs1
drwxr-xr-x 2 root root 2 Jan 18 11:37 /spool/cifs1
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

Note that root (and the domain administrator) has full access, but members of smbusers have no permission to write or read the directories created by the domain admin. If you want everyone to read the directories and files created by administrator, change ACL entry #5 to propagate the permissions to the lower levels:

# chmod A5=everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:file_inherit/dir_inherit:allow /spool/cifs1

Now your users are able to read everything in /spool/cifs1. If you want your users to create and delete each other's files, simply change the group ownership and allow the group to write:

# chgrp smbusers /spool/cifs1
# chmod g+w /spool/cifs1

I'd like more precise permission control though: users can only delete their own files but can read everything, and administrator can delete everything.

So we will not allow a simple group write, but instead will use ACLs for finer control.

Clear existing extended permissions:
# chmod A- /spool/cifs1

# ls -vd /spool/cifs1
drwxr-xr-x 3 root root 4 Jan 18 13:40 /spool/cifs1
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/write_attributes/write_acl
/write_owner:allow
2:group@:add_file/write_data/add_subdirectory/append_data:deny
3:group@:list_directory/read_data/execute:allow
4:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
5:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:allow

Allow the owner to create/delete objects and propagate the owner's ACLs through inheritance:
# chmod A1=owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/delete_child/write_attributes/delete/write_acl/write_owner:file_inherit/dir_inherit:allow /spool/cifs1

Allow the smbusers group (mapped to Domain Users) to write to the top of the cifs share:
# chmod A2+group:smbusers:add_file/write_data/add_subdirectory/append_data:allow /spool/cifs1

Deny smbusers permission to delete other users' data:
# chmod A2+group:smbusers:delete_child/delete:file_inherit/dir_inherit:deny /spool/cifs1

Allow everyone to read everything:
# chmod A7=everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:file_inherit/dir_inherit:allow /spool/cifs1

Your directory should look like this:
# ls -vd /spool/cifs1
drwxr-xr-x+ 2 root root 2 Jan 18 14:13 /spool/cifs1
0:owner@::deny
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
/append_data/write_xattr/execute/delete_child/write_attributes
/delete/write_acl/write_owner:file_inherit/dir_inherit:allow
2:group:smbusers:delete_child/delete:file_inherit/dir_inherit:deny
3:group:smbusers:add_file/write_data/add_subdirectory/append_data:allow
4:group@:add_file/write_data/add_subdirectory/append_data:deny
5:group@:list_directory/read_data/execute:allow
6:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
/write_attributes/write_acl/write_owner:deny
7:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
/read_acl/synchronize:file_inherit/dir_inherit:allow

That’s it! Now your users can write, but cannot delete each other’s data. Domain Administrator login has full access to the share and can delete any user’s data.
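To see why the order of entries 1 and 2 produces exactly this outcome, here is an added Python model (not from the post) that parses the `ls -v` entries above, applies the NFSv4 order-dependent evaluation ZFS uses (each bit is decided by the first allow or deny that mentions it) together with the ZFS unlink rule that either delete_child on the parent or delete on the file itself is enough, and checks what user01, user02 and the administrator can do. The user names, the group membership, the simplified file inheritance (file_inherit entries copied with flags cleared, aclinherit adjustments ignored) and the omission of the mode-derived entries 0 and 4-6 are assumptions of this example.

```python
from collections import namedtuple
# Constructed input: the post's final /spool/cifs1 ACL entries that carry the policy
# (wrapped lines joined; the mode-derived entries 0 and 4-6 are omitted for brevity).
CIFS1_ACL = """
1:owner@:list_directory/read_data/add_file/write_data/add_subdirectory/append_data/write_xattr/execute/delete_child/write_attributes/delete/write_acl/write_owner:file_inherit/dir_inherit:allow
2:group:smbusers:delete_child/delete:file_inherit/dir_inherit:deny
3:group:smbusers:add_file/write_data/add_subdirectory/append_data:allow
7:everyone@:list_directory/read_data/read_xattr/execute/read_attributes/read_acl/synchronize:file_inherit/dir_inherit:allow
"""
Ace = namedtuple("Ace", "who perms flags kind")  # kind is "allow" or "deny"

def parse_ls_v(text):
    """Parse `ls -v` entries "N:who:perms[:flags]:allow|deny", keeping their order."""
    aces = []
    for parts in (line.split(":") for line in text.split()):
        n = 1 if parts[1].endswith("@") else 2      # owner@ etc. vs user:name / group:name
        rest = parts[1 + n:-1]                      # [perms] or [perms, flags]
        aces.append(Ace(":".join(parts[1:1 + n]), frozenset(filter(None, rest[0].split("/"))),
                        frozenset(rest[1].split("/")) if len(rest) > 1 else frozenset(), parts[-1]))
    return aces

def matches(ace, user, groups, owner, group):
    special = {"owner@": user == owner, "group@": group in groups, "everyone@": True}
    kind, _, name = ace.who.partition(":")
    return special[ace.who] if ace.who in special else (name == user if kind == "user" else name in groups)

def allowed(aces, user, groups, owner, group, wanted):
    """NFSv4 order-dependent check: allows clear bits, a deny on a still-ungranted bit fails."""
    remaining = set(wanted)
    for a in (a for a in aces if matches(a, user, groups, owner, group)):
        if a.kind == "allow":
            remaining -= a.perms
        elif remaining & a.perms:
            return False
    return not remaining                            # anything not explicitly allowed is denied

def can_delete(dir_aces, file_aces, user, groups, file_owner, file_group):
    """ZFS unlink rule: delete_child on the (root-owned) parent OR delete on the file suffices."""
    return (allowed(dir_aces, user, groups, "root", "root", {"delete_child"})
            or allowed(file_aces, user, groups, file_owner, file_group, {"delete"}))

# Constructed scenario: user01/user02 are domain users idmap'ed into smbusers and the domain
# administrator is root; user01's new file inherits the file_inherit entries, flags cleared.
DIR, SMB = parse_ls_v(CIFS1_ACL), {"smbusers"}
FILE = [Ace(a.who, a.perms, frozenset(), a.kind) for a in DIR if "file_inherit" in a.flags]
def verdicts():
    return {"user01 deletes own file": can_delete(DIR, FILE, "user01", SMB, "user01", "smbusers"),
            "user02 deletes user01's file": can_delete(DIR, FILE, "user02", SMB, "user01", "smbusers"),
            "administrator deletes it": can_delete(DIR, FILE, "root", {"root"}, "user01", "smbusers"),
            "user02 reads user01's file": allowed(FILE, "user02", SMB, "user01", "smbusers", {"read_data"})}
```

Swap entries 1 and 2 in CIFS1_ACL and re-run: user01 then loses the right to delete their own file, which is the ordering trap the post's earlier attempts ran into.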

Written by vmsysadmin

January 18, 2009 at 9:02 pm

Posted in OpenSolaris


CIFS in OpenSolaris – Domain mode, idmap, and ACLs


I’ve created a share on OpenSolaris snv_104:

# zfs create -o casesensitivity=mixed -o nbmand=on -o sharesmb=name=cifs1 spool/cifs1

I followed the instructions on setting up CIFS on OpenSolaris in Domain mode from http://blogs.sun.com/timthomas/entry/configuring_the_opensolaris_cifs_server to join the domain.

Also a good blog entry on the subject: http://jmlittle.blogspot.com/2008/03/step-by-step-cifs-server-setup-with.html

I also wanted to have my domain users mapped to the unix accounts on the Solaris side. What I ended up with:
1) created a unix group “smbusers”
2) created unix accounts for domain users I want to grant access to cifs share and added them to the group smbusers
3) configured idmap

# idmap add 'winuser:*' 'unixuser:*'
# idmap add 'wingroup:Domain Users' 'unixgroup:smbusers'

You must restart smb and idmap for the settings to take effect:

# svcadm restart smb/server; svcadm restart idmap

Now when the domain user creates a file on the share, the file is created with correct unix user/group attributes, mapped by idmap.

If you need to figure out what group your domain users are in, you can use "idmap dump -n" and grep for the numbers from "ls -l". Once the mapping is set and the services restarted, you should see the correct user ids in the directory listing:

# mkdir /spool/cifs1/test
# chgrp smbusers test
# chmod g+w test
# ls -ld test/New\ Folder/
d---------+  2 user01   smbusers        2 Jan 17 21:53 test/New Folder/

Now I want to set up the right zfs ACLs to prevent other domain users in the smbusers group from deleting your files. This however appears to be more difficult than I thought. No matter what ACLs I set on the directory created by one user, the other smb user was able to remove it. If someone has made it happen, please let me know.

Update: after a few hours in zfs ACL land, I’ve figured it out. See my next post: https://vmsysadmin.wordpress.com/2009/01/18/using-zfs-acls-to-protect-cifs-shares-on-opensolaris/

Written by vmsysadmin

January 18, 2009 at 4:44 am

Posted in OpenSolaris
