On Fri, May 25, 2012 at 6:18 AM, <[email protected]> wrote:
> Hello Jim, hello Robbie,
>
> thanks for your replies. I was very busy with another project and found no
> time to respond earlier.
>
> From what I have seen in my tests, I'm quite happy with ZFS ACLs and how
> inheritance seems to work. As I wrote in my initial post, I'm coming from
> Netware, which had full-fledged ACLs for ages, and it looks like we could
> transform our Netware ACLs 1:1 to ZFS ACLs.
>
> From what I found on the net, I had the impression that the way of managing
> ZFS ACLs in a Windows environment is to use Windows tools, especially MMC and
> explorer->properties->security, but this is a nightmare.
>
> Regardless of which local oi-user was used to connect to a share (after
> rebooting the Windows PC), Windows MMC didn't only work if the local
> logged-in win-user was a member of the oi-administrators group.

The most common ACL editing problem I see is that the user thinks they are
connected with an account with administrative privileges, but actually are
not. This can be due to either group membership configuration or properties
of the account in AD.

This was actually the motivator for https://www.illumos.org/issues/1525 -
the need for an easy way to look at the credentials built internally by the
SMB service.

I suggest you look at the credential using the feature added with 1525, and
verify whether the privileges word is zero (ordinary account) and whether any
administrative groups are listed among the group memberships. If not, then
that explains why you are not allowed to edit most ACLs.

Of course, an easy way around the access control problems is to do this on
the server side:

    chmod -R A=everyone@:full_set:fd:allow /your/shared/directory

(Be warned, that makes the whole thing "wide open" to the world!)
After that, you should be able to edit ACLs from Windows.

--
Gordon Ross <[email protected]>
Nexenta Systems, Inc. www.nexenta.com
Enterprise class storage for everyone

_______________________________________________
OpenIndiana-discuss mailing list
[email protected]
http://openindiana.org/mailman/listinfo/openindiana-discuss
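
A follow-up check for the server-side workaround above, as an added example that is not part of the original message: it scans compact `ls -Vd` ACL listings for `everyone@` allow entries that still grant the full permission set or control over the ACL. The sample listing is constructed, the function names are hypothetical, and the code assumes every file was listed with its full path (for instance via `find /your/shared/directory -exec ls -Vd {} +`).

```python
# All 14 letters of the compact permission field; full_set expands to these.
FULL_SET = set("rwxpdDaARWcCos")
# write_acl (C) and write_owner (o) let a client rewrite the ACL or take ownership.
CONTROL = set("Co")

# Constructed sample of `ls -Vd` output (not taken from a real system).
SAMPLE = """\
drwxrwxrwx+  4 root     root           4 May 25 10:00 /tank/share
                 everyone@:rwxpdDaARWcCos:fd-----:allow
drwxrwx---+  2 alice    staff          3 May 25 10:02 /tank/share/hr docs
               group:staff:rwxpdDaARWc--s:fd-----:allow
                 everyone@:r-x---a-R-c--s:fd-----:allow
-rw-rw-rw-+  1 bob      staff        120 May 25 10:05 /tank/share/notes.txt
                    owner@:rw-p--aARWcCos:-------:allow
                 everyone@:rw-p--a-R-cC-s:-------:allow
"""

def parse_ls_V(text):
    """Yield (path, who, perms, flags, ace_type) for every ACE in the listing."""
    path = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line: one ACE. rsplit keeps "user:name" / "group:name" whole.
            who, perms, flags, ace_type = line.strip().rsplit(":", 3)
            yield path, who, set(perms) - {"-"}, set(flags) - {"-"}, ace_type
        else:
            # Long-listing line: the ninth field is the path (may contain spaces).
            path = line.split(None, 8)[8]

def wide_open(text):
    """Return (path, level, inheritable) for risky everyone@ allow entries."""
    findings = []
    for path, who, perms, flags, ace_type in parse_ls_V(text):
        if who != "everyone@" or ace_type != "allow":
            continue
        if perms >= FULL_SET:
            level = "full_set"
        elif perms & CONTROL:
            level = "acl-control"
        else:
            continue
        # f/d flags mean new files or directories below will inherit the entry.
        findings.append((path, level, bool(flags & set("fd"))))
    return findings

if __name__ == "__main__":
    for path, level, inheritable in wide_open(SAMPLE):
        print(f"{path}: everyone@ {level}, inheritable={inheritable}")
```

Entries reported as inheritable matter most, because anything created under that directory later picks up the same open entry.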
