ACLs and CIFS under OpenSolaris

One of the issues with running a file server in the home is that you have multiple computers and accounts (the wife, the kids, etc.) accessing the same directory trees. The default user/group model works pretty well, as you effectively have a single group for family access. Different groups are used for more computer-based access needs such as server-to-server communication. However, I found that the kernel CIFS server doesn’t do a very good job of creating files with proper access using the standard UNIX permissions.

ACLs are the solution in this case.

# zfs create -o casesensitivity=mixed -o sharesmb=name=storage -o quota=275G usbpool/storage
# cd /usbpool/storage
# chgrp home .
# chmod A=group@:rwxpdDaARWcCos:fd:allow .

Now when you create new folders or files under this CIFS share, they are created with the group permissions. I leave everyone in the same group and can add a secondary group as necessary for different shares that need their own permissions.
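The compact ACL notation in the chmod line above is exactly the part this post finds under-documented. As an added example, not code from the original post or from OpenSolaris, this Python decoder expands an entry such as `group@:rwxpdDaARWcCos:fd:allow` into its NFSv4 permission and inheritance names (letter tables follow the chmod(1) compact format) and reports which control rights it grants; run on the entry above, it shows that every member of group `home` also receives `write_acl` and `write_owner`, so any family member can rewrite the ACL or take ownership of the shared files and directories created under it.

```python
# Decode ZFS/NFSv4 ACL entries in the compact notation chmod A=... accepts
# (letter tables follow chmod(1); this is an added decoder, not Solaris code).
from collections import namedtuple

# Permission letters in the positional order ls -V prints them.
PERMS = {
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "d": "delete", "D": "delete_child", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
# Inheritance flags: which new children receive a copy of the entry.
INHERIT = {"f": "file_inherit", "d": "dir_inherit",
           "i": "inherit_only", "n": "no_propagate"}
# Rights that let the holder rewrite the ACL or take ownership outright.
CONTROL = {"write_acl", "write_owner"}

# principal: owner@, group@, everyone@, user:NAME or group:NAME; kind: allow|deny
AclEntry = namedtuple("AclEntry", "principal perms inherit kind")

def _decode(field, table, spec):
    names = set()
    for ch in field:
        if ch == "-":                    # padding in entries printed by ls -V
            continue
        if ch not in table:
            raise ValueError("unknown flag %r in %r" % (ch, spec))
        names.add(table[ch])
    return names

def parse_entry(spec):
    """Parse 'principal:perms[:inherit]:allow|deny'; inherit may be omitted."""
    fields = spec.split(":")
    if fields[0] in ("user", "group"):   # named principal contains a colon
        fields = [fields[0] + ":" + fields[1]] + fields[2:]
    if len(fields) == 3:
        fields.insert(2, "")
    if len(fields) != 4 or fields[3] not in ("allow", "deny"):
        raise ValueError("malformed ACL entry: %r" % spec)
    principal, perms, inherit, kind = fields
    return AclEntry(principal, _decode(perms, PERMS, spec),
                    _decode(inherit, INHERIT, spec), kind)

def inherited_by(entry):
    """Child types ('files', 'dirs') that receive a copy of this entry."""
    wanted = (("file_inherit", "files"), ("dir_inherit", "dirs"))
    return {name for flag, name in wanted if flag in entry.inherit}

def control_perms(entry):
    """Rights from CONTROL the principal is allowed, sorted (empty for deny)."""
    return sorted(entry.perms & CONTROL) if entry.kind == "allow" else []
```

Without `i` (inherit_only) in the flags the entry applies to the directory itself as well as to everything created beneath it, which is why the `ls -l` output below shows the `+` and the group bits on both files and directories.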

When users create files they are created with:

----rwx---+ 1 me home 7930 Feb 7 2008 test.txt

And when they create directories they are:

d---rwx---+ 2 me home 3 Feb 9 22:10 OpenSolaris

Doable and functional. I still wish there was better documentation that I could find around the ACL permissions and how they work. I’m doing testing and I know I’m missing things.

OpenSolaris 2008.11 & ESX (Security Part 2)

If you are using OpenSolaris and NFS for your ESX datastores, you need to share out your ZFS filesystems with anon=0, since ESX wants to write to the NFS datastore as root. Keep in mind that anon=0 maps root on any client that can reach the share to UID 0 on the server, not just the ESX hosts.

zfs set sharenfs=anon=0 usbpool/virtuals

I wouldn’t mind having stuff like this if I could figure out how to properly get logging of the issues/connections in OpenSolaris. Anybody know how to increase logging for the NFS services in OpenSolaris?

OpenSolaris 2008.11 & NFS (security?)

A quick note here after the past 4 hours of fighting with NFS on OpenSolaris 2008.11. If you are attempting to mount an export and get Permission Denied from either Linux or ESX, the solution is rather easy.

Make sure that the IP address that you are connecting with has a reverse DNS entry with a hostname.

That’s it. 4 hours and that’s the gotcha. If you don’t have a reverse DNS entry you’ll never get the mount to work.