<h1>CIFS ACLs on ZFS Problem</h1>

<p>Posted 2012-11-12 at https://blog.ls-al.com/cifs-acls-on-zfs-problem/. Categories: active-directory, cifs, idmap.</p>

<p>Recently had an issue with a CIFS share on a Solaris 11 box. Still not sure how this happened, but it turned out there was a weird idmap mapping. The Active Directory group and its membership were correct, yet the users in this group still could not write to the folder.</p>

<p><strong>How to check identities in idmap:</strong></p>

<pre>
# idmap show -cv rrosso@domain.com
winuser:rrosso@domain.com -> uid:2147483651
Source: Cache
Method: Ephemeral

# idmap show -cv DFS_Corp-CA-Dept-IT_rw@domain.com
wingroup:DFS_Corp-CA-Dept-IT_rw@domain.com -> gid:2147483667
Source: Cache
Method: Ephemeral
</pre>

<p><strong>Let's see how the mapping rules look:</strong></p>

<pre>
# idmap list
add     winuser:*@domain.com  unixuser:*
add     wingroup:*@domain.com unixgroup:*
add     winuser:administrator@domain.com      unixuser:root
add     "wingroup:Domain Users@domain.com"    unixgroup:smbusers
</pre>

<p><strong>The Active Directory read-write group that is not allowing its members to write to the folder:</strong></p>

<pre>
# idmap show -cv DFS_Eng-CA-Dirs-Engineering-Bugzilla_rw@domain.com
wingroup:DFS_Eng-CA-Dirs-Engineering-Bugzilla_rw@domain.com -> gid:2147484149
Source: Cache
Method: Ephemeral
</pre>

<p><strong>Looking at the folder called Bugzilla:</strong></p>

<p>The current (broken) ACL entry must be the one for <strong>user:2147483813</strong>, judging by the gid shown above: the numbers do not match. Note also that this entry is for a user, not a group.</p>

<pre>
root@zfs001:/tank/dfs/engdirs/engineering/engineering# /bin/ls -v | more
d---------+ 16 2147483650 smbusers      17 Oct 12 14:14 Bugzilla
0:user:<strong>2147483813</strong>:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/read_attributes/write_attributes/delete/read_acl/synchronize
:file_inherit/dir_inherit:allow
1:group:<strong>2147483763</strong>:list_directory/read_data/add_file/write_data
/add_subdirectory/append_data/read_xattr/write_xattr/execute
/delete_child/read_attributes/write_attributes/delete/read_acl
/synchronize:file_inherit/dir_inherit:allow
2:group:<strong>2147483660</strong>:list_directory/read_data/read_xattr/execute
/read_attributes/read_acl/synchronize:file_inherit/dir_inherit
:allow
</pre>

<p>Something looks odd above. On the Windows side we expect three groups to have permission here, but note the "<strong>user</strong>" entry listed in the first ACE.</p>

<p><strong>Let's find the three IDs. The grep is left wide open so it matches both uid and gid entries with that number, but really we are just after the gids:</strong></p>

<pre>
# idmap dump -n | grep 2147483813
wingroup:Guests@BUILTIN ==      gid:<strong>2147483813</strong>
wingroup:DFS_Eng-CA-Dirs-Engineering-Bugzilla_rw@domain.com   ==      uid:<strong>2147483813</strong>

# idmap dump -n | grep 2147483763
winuser:Homey@domain.com     ==      uid:2147483763
wingroup:DFS_Eng-CA-Dirs-Engineering_rw@domain.com    ==      gid:<strong>2147483763</strong>

# idmap dump -n | grep 2147483660
winuser:Stewey@domain.com     ==      uid:2147483660
wingroup:DFS_Eng-CA-Dirs-Engineering_ro@domain.com    ==      gid:<strong>2147483660</strong>

# idmap dump -n | grep 2147484149
wingroup:DFS_Eng-CA-Dirs-Engineering-Bugzilla_rw@domain.com   ==      gid:<strong>2147484149</strong>
</pre>

<p>That explains it: the Bugzilla_rw group name was mapped to uid:2147483813 as well as to gid:2147484149, so the ACE written from Windows ended up as a user entry that none of the group's members match.</p>

<p><strong>After removing and recreating the group in AD (it might take a little while to show up):</strong></p>

<pre>
# idmap show -cv DFS_Eng-CA-Dirs-Engineering-Bugzilla_rw@domain.com
wingroup:DFS_Eng-CA-Dirs-Engineering-Bugzilla_rw@domain.com -> gid:2147484149
Source: Cache
Method: Ephemeral

# idmap dump -n | grep 2147483813
wingroup:Guests@BUILTIN ==      gid:2147483813
usid:S-1-5-21-1977730361-3076317898-4166923938-22371    ==      uid:2147483813

# idmap dump -n | grep 147484149
wingroup:DFS_Eng-CA-Dirs-Engineering-Bugzilla_rw@domain.com   ==      gid:2147484149
</pre>

<p><strong>Permissions after re-applying them from Windows:</strong></p>

<pre>
# /bin/ls -dv Bugzilla/
d---------+ 17 2147483650 smbusers      18 Nov 12 20:12 Bugzilla/
     0:group:<strong>2147483763</strong>:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /delete_child/read_attributes/write_attributes/delete/read_acl
         /synchronize:file_inherit/dir_inherit:allow
     1:group:<strong>2147483660</strong>:list_directory/read_data/read_xattr/execute
         /read_attributes/read_acl/synchronize:file_inherit/dir_inherit
         :allow
     2:group:<strong>2147484149</strong>:list_directory/read_data/add_file/write_data
         /add_subdirectory/append_data/read_xattr/write_xattr/execute
         /read_attributes/write_attributes/delete/read_acl/synchronize
         :file_inherit/dir_inherit:allow
</pre>

<p><strong>Checking a file we just created, for good measure:</strong></p>

<pre>
# /bin/ls -v | grep Test
d---------+  2 2147483740 smbusers       2 Nov 12 20:12 Test
</pre>