Access Problem : Solaris 10 5/08 + Samba 3.0.28 + ZFS + ACLs
807557 | Oct 17 2008 — edited Oct 12 2009
Dear all,
I am completely out of ideas, so I hope you could give me a hint on this issue I ran into.
I do run a Solaris 10 5/08 system that shall serve as NFS and Windows file server using ZFS (incl. ACLs) as filesystem.
I configured Solaris to use winbind as passwd and group backend which works quite well.
I configured my ZFS filesystems and set up some very basic ACLs.
I can do a su - <myWindowsUsername> and I can cd into my ZFS filesystem that is protected with ACLs.
Using su - <myWindowsUsername> I can create dirs, files, etc. within this filesystem. Everything on the Solaris side
works quite fine.
But when I try to access the Samba share that points to the same ZFS filesystem I get
"'/export/zfs/sharedata/public/IT' does not exist or permission denied when connecting to [it] Error was Permission denied"
I already searched Google, Sun and other sites and played with the smb.conf parameters
"acl check permissions" and "vfs objects = zfsacl".
But still no luck and no access to this share.
I even changed /etc/system to support more than Solaris' default max number of groups by
adding "set ngroups_max=64".
If I run groups <myWindowsUsername>, all groups I am a member of are listed.
Even if I do a "chown <myWindowsUsername> <myShare>", I still have no access via Samba to that share.
I use an LDAP server as idmap backend. This also works quite fine.
So here's an excerpt of my smb.conf:
================================================================
[global]
workgroup = XXXXXXXXXX
interfaces = filer-de/255.255.240.0
netbios name = filer-de
server string = Solaris Samba Server
debug level = 5
security = ADS
realm = XXXXXXXXXXXX.XXXXX
domain master = no
allow trusted domains = yes
ldap admin dn = xxxxxxxxxxxxxxxxxxxxxx
ldap idmap suffix = ou=samba
ldap suffix = o=root
idmap backend = ldap:ldap://xxxxxxxxx:ppppp
idmap uid = 150000-550000
idmap gid = 150000-550000
winbind cache time = 1
winbind enum groups = yes
winbind enum users = yes
winbind nested groups = yes
winbind use default domain = yes
password server = xxxxxxx, xxxxxxxxx
encrypt passwords = yes
template shell = /bin/bash
socket options = TCP_NODELAY SO_KEEPALIVE
admin users = @domain-admins
client schannel = no
client use spnego = yes
bind interfaces only = yes
printcap name = /dev/null
load printers = no
[scmondir]
comment = Monitor directory for Sun Cluster 3.2
path = /tmp
browseable = no
[it]
comment = IT DEPARTMENT
path = /export/zfs/sharedata/public/IT
acl check permissions = False
browseable = yes
public = yes
writeable = yes
vfs objects = zfsacl
nfs4: mode = special
create mask = 0770
directory mask = 0770
================================================================
Many thanks in advance for any ideas or hints.
cheers
joerg
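
When reviewing a share definition like [it], it helps to read the excerpt the way smbd does: `public` is a synonym for `guest ok`, `writeable` is the inverse of `read only`, and [global] supplies defaults for every share. The Python sketch below is an added example, not part of the original post; its sample is a constructed subset of the excerpt above, and the function names are hypothetical.

```python
# Added example: resolve an smb.conf excerpt to canonical per-share settings.
# SAMPLE is a constructed subset of the post's config; function names are hypothetical.
SAMPLE = """
[global]
security = ADS
admin users = @domain-admins
[it]
path = /export/zfs/sharedata/public/IT
public = yes
writeable = yes
vfs objects = zfsacl
"""

# Synonyms from smb.conf(5): alias -> (canonical name, value inverted?)
SYNONYMS = {
    "public": ("guest ok", False),
    "writeable": ("read only", True),
}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}

def parse(text):
    """Return {section: {canonical key: value}}; section and key names are lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = " ".join(key.lower().split())
            name, inverted = SYNONYMS.get(key, (key, False))
            if inverted and value.lower() in TRUE | FALSE:
                value = "no" if value.lower() in TRUE else "yes"
            current[name] = value
    return sections

def effective(sections, share):
    """Share settings layered over [global], whose values act as defaults."""
    return {**sections.get("global", {}), **sections[share.lower()]}

def review(settings):
    """Notes on settings that decide which account smbd acts as on the share."""
    notes = []
    if settings.get("guest ok", "no").lower() in TRUE:
        notes.append("guest ok: unauthenticated sessions run as the guest account")
    if settings.get("admin users"):
        notes.append("admin users: listed accounts do file operations as root")
    return notes
```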