- Joined
- Mar 6, 2014
- Messages
- 9,554
Caveat: This is a work-in-progress
Correctly setting permissions on any server requires care and planning. In the case of Samba servers this becomes even more important for the server administrator because he or she has to understand the differences between Windows and Unix permissions models (Windows ACLs vs ZFS ACLs vs Unix mode bits, Windows SIDs vs Unix UID/GID, etc), as well as Samba's methods to implement the Windows permissions model on Unix servers. To this end, Samba offers several points of control for permissions. While this is extremely useful for experienced admins (and is necessitated by the sheer variety of devices and operating systems supported by the Samba project), the flexibility of samba permissions often trips up new users. This how-to will cover the basic points of control for Samba (CIFS) permissions and give an example of a fairly simple working Samba configuration on a FreeNAS server.
Access Control Methods for FreeNAS Samba Servers
Access control for SMB shares on a Windows server are determined through two sets of permissions: NTFS Access Control Lists (ACLs) and share permissions (which are primarily used for access control on Windows filesystems that do not support ACLs). In contrast with this, there are four primary access control facilities for Samba on FreeNAS: dataset user and group permissions in the FreeNAS webgui, Access Control Lists (ACLs), Samba share definitions, and share permissions.
Dataset User and Group Permissions
Dataset user and group permissions are controlled through the FreeNAS webgui by expanding "Storage" in the left pane of the webgui, clicking on the "View Volumes" button, selecting the dataset corresponding to your samba share in the right panel, then clicking on the "Change Permissions" icon in the lower-left side of the aforementioned panel. Permissions type should be set to "Windows" regardless of client type. By default "full control" of your samba share is granted to the owner(user) and owner(group), and "read-only" access to all other authenticated users. Additional fine-tuning should be managed through modifying filesystem ACLs. This procedure is more fully explained in the freenas handbook at the following site: http://doc.freenas.org/11/storage.html#change-permissions
Access Control Lists (ACLS)
An access control list (ACL) is a data structure containing permissions attached to a file or folder. An ACL contains zero or more Access Control Entries (ACEs) which specify which users or groups are allowed or denied access to the file or folder. ZFS (the filesystem used by FreeNAS) provides a pure ACL model, where all files have an ACL. There are two types of Access Control Lists (ACLs) - trivial and non-trivial. Trivial (default) ACLs only represent the traditional UNIX owner/group/other entries. These are initially configured via webgui as described above in "Dataset User and Group Permissions". Non-Trivial ACLs contain Explicit Access Control Entries (ACEs), which cannot be expressed through traditional Unix mode bits. Typically, permissions on a FreeNAS Samba server in a multi-user environment are managed through creating and maintaining explicit ACEs. ACLs under ZFS are broadly compatible with the NTFS ACLs used by Windows Servers, which allows FreeNAS samba servers to be an almost drop-in replacement for a Windows file server.
Modifying Access Control Lists (ACLS)
Windows File Explorer is by far the simplest and best tool to manage ACLS on a FreeNAS server. To use fine-tune permissions using File Explorer, navigate to \\ip-address or \\hostname, right-click on your share, click on "properties", then click on the "security tab". The various permissions options are documented on various microsoft websites such as: http://windows.microsoft.com/en-us/windows/what-are-permissions#1TC=windows-7 and https://msdn.microsoft.com/en-us/library/bb727008.aspx.
There are two methods to modify ACLs from the FreeNAS command line: smbcacls and setfacl.
Example usage of setfacl:
Once permissions have been fine-tuned at the root of a share through setfacl, the permissions can be recursively applied by running the following command locally:
Example usage of smbcacls:
The above command will add an ACE for the user "TestUser", grant full control to the existing folder and enable inheritance so that all newly created files / folders under TestShare will also allow TestUser full control. Valid values for "permissions" include "READ", "CHANGE", "FULL". The smbcacls utility is more fully documented in its manpage here: https://www.samba.org/samba/docs/man/manpages/smbcacls.1.html
Behavior Differences between NTFS ACLs and ZFS ACLs and Some Caveats
ZFS ACLs and NTFS ACLs are largely identical, but there are some minor differences:
There are edge cases where a FreeNAS Samba administrator may need to use these parameters, but when in doubt, use ACLs to define permissions for samba shares. It is highly advisable to use the easiest to maintain and the least ambiguous method for controlling access, and it can be hard to predict how different access control methods will interact. However, in some situations it is distinctly desirable to force all file system operations as if a single user were doing so. The use of the force user and force group behavior will achieve this. In other situations it may be necessary to use a paranoia level of control to ensure that only particular authorized persons will be able to access a share or its contents. Here the use of the valid users or the invalid users parameter may be useful.
root@FOOTEST:/usr/ports/net/samba49 # ls -l /zroot/
total 27
drwxr-xr-x+ 3 root wheel 4 Jun 10 09:22 insens
drwxr-xr-x 71 root wheel 85 Jan 16 06:30 newports
drwxrwxr-x 7 root wheel 8 May 30 05:47 samba
drwx------+ 3 root wheel 3 Jan 15 12:47 test
drwxr-xr-x+ 6 root wheel 6 Feb 13 15:55 users
drwxr-x---+ 2 root wheel 11 Dec 27 10:15 zfsquota
Share Definition Auxiliary Parameters Affecting Permissions
A name starting with a '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database. A name starting with '+' is interpreted only by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters '+' and '&' may be used at the start of the name in either order so the value +&group means check the UNIX group database, followed by the NIS netgroup database, and the value &+group means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).
Example:
Share Permissions
Permissions set on shared directories are called share permissions, and they determine who can use shared directories over the network, and in what manner. These are the only access control method available for shared directories on FAT volumes on Windows servers, and in the Windows world are generally recommended only for shares on filesystems that lack ACL support.
In Samba, Share Permissions are handled through the share_info.tdb file and function independently of file system permissions. The share-level permissions as defined here only represent the maximum level of access a user or group has in a share. These can provide a relatively simple and intuitive way to manage access control in situations where managing access control through NTFS / ZFS ACLs is impractical or undesirable. In the absence of specific restrictions, the default setting in Samba is to allow the global user Everyone - Full Control (full control, change and read).
Share Permissions can be modified locally on the FreeNAS server by using the command line utility sharesec, which is a part of the Samba Suite. An administrator will need to view the idmap entries on the local FreeNAS servers to determine the appropriate SID value for the user / group to which he or she wishes to grant access. A sample command to add full access for
Share Permissions can also be managed through the Computer Management Console from a Windows client while authenticated with a user who has appropriate privileges.
The Share-level ACL can be viewed locally from the command line on a FreeNAS server by entering the command
In the case that share_info.tdb file an entry for a share, samba will fake-up a "FULL CONTROL" ACE for S-1-1-0 (everyone).
Glossary
Access Control List (ACL)
An access control list (ACL) is a data structure containing permissions attached to a file or folder. An ACL contains zero or more Access Control Entries (ACEs) which specify which users or groups are allowed or denied access to the file or folder. The access control list for a file or folder can be viewed through the command line utility getfacl and set through the command line utility setfacl. There are multiple models of ACLs. Examples include NTFS, NFSv4, and POSIX-draft. ZFS on FreeNAS uses the NFSv4 model.
Access Control Entry (ACE)
An access control entry (ACE) is an element in an access control list. Each ACE contains the following components in the following order: Access Control Entry Type (ACE Tag and Qualifier), Access Permissions, Inheritance-Flags, and ACE Type (Deny | Allow). Examples of Access Control Entries -
Special Access Control Entry
Special Access Control Entry Types consist of: owner@, group@, and everyone@. owner@ specifies the access granted to the owner of the file or folder. group@ specifies the access granted to the owning group of the file or folder. everyone@ specifies the access granted to any user or group that does not match any other ACE in the access control list. If an ACL only contains owner@, group@, and everyone@ ACEs, then it is considered a Trivial ACL.
Explicit Access Control Entry
Explicit Access Control Entry Types are indicated by "user" or "group". user - specifies the access granted to an additional user of the file or folder. This entry must contain a valid username or UID. Example: user:Bob. group - specifies the access granted to an additional group of the object. The entry must contain a valid groupname or GID. Example:
Inheritance Flags
The purpose of using ACL inheritance is so that a newly created file or directory can inherit the ACLs they are intended to inherit, but without disregarding the existing permissions on the parent directory. By default, ACLs are not propagated.
Trivial ACL
An ACL is trivial if it can be fully expressed as a POSIX mode without losing information:
Non-Trivial ACL
An access control list containing one or more explicit Access Control Entries. Sample Non-Trivial ACL:
Another example of a non-trivial ACL:
FreeBSD will indicate whether an ACL is trivial by showing a + sign to the right of the POSIX mode in the output of
Security Identifier (SID)
In the Windows world, every user, user group, or other security principal has a unique identifier called its SID. SIDs will typically look like this: S-1-5-21-1004336348-1177238915-682003330-2132 following the form S-R-X-D0-D1-D2-D3-RID. The S indicates that the string is a SID. The R indicates the version of SID structure that is used in the SID. The X indicates the identifier authority value. The everyone group has an authority value of "1". Specific Windows users and groups will have an identifier value of 5 (NT Authority). D0 represents a subauthority value and when combined with D1-D3 represent a unique domain identifier. D1, D2, and D3 are three randomly generated 32-bit numbers. SIDs for accounts and groups in the Built-In domain have a domain identifier value of 32 (for example the Built-in Administrators group has a SID of S-1-5-32-544). The Relative identifier (RID) is a variable length number that is assigned to objects at creation and uniquely identifies particular accounts or groups relative to a domain. Windows ACLs use SIDs to uniquely identify users and their group memberships. Samba has the capability of mapping Windows SIDs to Unix UIDs / GIDs through various winbind idmap backends. Unix users and groups that do not have passdb entries in samba will have a SID pefix of S-1-22-1 for users and S-1-22-2 for groups.
Like Built-in accounts, "well-known SIDs" are also an exception to the "S-1-5-21-D1-D2-D3-RID" rule. For more information, consult Microsoft Windows documentation https://support.microsoft.com/en-us/kb/243330.
Resources
Correctly setting permissions on any server requires care and planning. In the case of Samba servers this becomes even more important for the server administrator because he or she has to understand the differences between Windows and Unix permissions models (Windows ACLs vs ZFS ACLs vs Unix mode bits, Windows SIDs vs Unix UID/GID, etc), as well as Samba's methods to implement the Windows permissions model on Unix servers. To this end, Samba offers several points of control for permissions. While this is extremely useful for experienced admins (and is necessitated by the sheer variety of devices and operating systems supported by the Samba project), the flexibility of samba permissions often trips up new users. This how-to will cover the basic points of control for Samba (CIFS) permissions and give an example of a fairly simple working Samba configuration on a FreeNAS server.
Access Control Methods for FreeNAS Samba Servers
Access control for SMB shares on a Windows server are determined through two sets of permissions: NTFS Access Control Lists (ACLs) and share permissions (which are primarily used for access control on Windows filesystems that do not support ACLs). In contrast with this, there are four primary access control facilities for Samba on FreeNAS: dataset user and group permissions in the FreeNAS webgui, Access Control Lists (ACLs), Samba share definitions, and share permissions.
Dataset User and Group Permissions
Dataset user and group permissions are controlled through the FreeNAS webgui by expanding "Storage" in the left pane of the webgui, clicking on the "View Volumes" button, selecting the dataset corresponding to your samba share in the right panel, then clicking on the "Change Permissions" icon in the lower-left side of the aforementioned panel. Permissions type should be set to "Windows" regardless of client type. By default "full control" of your samba share is granted to the owner(user) and owner(group), and "read-only" access to all other authenticated users. Additional fine-tuning should be managed through modifying filesystem ACLs. This procedure is more fully explained in the freenas handbook at the following site: http://doc.freenas.org/11/storage.html#change-permissions
Access Control Lists (ACLS)
An access control list (ACL) is a data structure containing permissions attached to a file or folder. An ACL contains zero or more Access Control Entries (ACEs) which specify which users or groups are allowed or denied access to the file or folder. ZFS (the filesystem used by FreeNAS) provides a pure ACL model, where all files have an ACL. There are two types of Access Control Lists (ACLs) - trivial and non-trivial. Trivial (default) ACLs only represent the traditional UNIX owner/group/other entries. These are initially configured via webgui as described above in "Dataset User and Group Permissions". Non-Trivial ACLs contain Explicit Access Control Entries (ACEs), which cannot be expressed through traditional Unix mode bits. Typically, permissions on a FreeNAS Samba server in a multi-user environment are managed through creating and maintaining explicit ACEs. ACLs under ZFS are broadly compatible with the NTFS ACLs used by Windows Servers, which allows FreeNAS samba servers to be an almost drop-in replacement for a Windows file server.
Modifying Access Control Lists (ACLS)
Windows File Explorer is by far the simplest and best tool to manage ACLS on a FreeNAS server. To use fine-tune permissions using File Explorer, navigate to \\ip-address or \\hostname, right-click on your share, click on "properties", then click on the "security tab". The various permissions options are documented on various microsoft websites such as: http://windows.microsoft.com/en-us/windows/what-are-permissions#1TC=windows-7 and https://msdn.microsoft.com/en-us/library/bb727008.aspx.
There are two methods to modify ACLs from the FreeNAS command line: smbcacls and setfacl.
smbcacls
is a part of samba, and at present lacks the ability the recursively set permissions through a file tree. If you don't have a windows PC available to configure permissions when setting up your samba shares, you can use smbcacls to add the required access control entries prior to copying data.Example usage of setfacl:
setfacl -m g:"DOMAIN\domain admins":full_set:fd:allow,g:"DOMAIN\domain users":modify_set:fd:allow,owner@:modify_set:fd:allow,group@:modify_set:fd:allow,everyone@::fd:allow /mnt/dozer/SHARE
Once permissions have been fine-tuned at the root of a share through setfacl, the permissions can be recursively applied by running the following command locally:
winacl -a clone -rv -p /mnt/dozer/SHARE
Example usage of smbcacls:
smbcacls //<ip-address>/<share name> / -U <user name> --add ACL:<user>:type:flags/permissions
smbcacls //192.168.24.42/TestShare / -U root --add ACL:TestUser:ALLOWED/3/FULL
The above command will add an ACE for the user "TestUser", grant full control to the existing folder and enable inheritance so that all newly created files / folders under TestShare will also allow TestUser full control. Valid values for "permissions" include "READ", "CHANGE", "FULL". The smbcacls utility is more fully documented in its manpage here: https://www.samba.org/samba/docs/man/manpages/smbcacls.1.html
Behavior Differences between NTFS ACLs and ZFS ACLs and Some Caveats
ZFS ACLs and NTFS ACLs are largely identical, but there are some minor differences:
- There is no strict equivalent of Special ACEs in a windows environment and so Samba has to translate these into something that windows understands. This behavior is controlled by the share configuration parameter "nfs4:mode = special | simple", which in FreeNAS 11.2 and earlier defaults to "nfs4:mode = special". In 11.3 and later, this parameter defaults to "simple". In the case of "simple", owner@ and group@ are mapped to CREATOR-OWNER and CREATOR-GROUP respectively and windows behavior for these well-known-SIDs is reproduced.
- Windows documentation suggests that if some but not all requested access bits have been allowed, then DENY aces will still apply even if they only deny bits among those already allowed. This has the somewhat bizarre result that an ACL can allow certain permissions individually but deny them in combination. The NFSv4 ACL algorithm doesn't have this property.
- The Windows UI places restrictions on the order of ACLs. Hence, it is best to let Samba handle generating the ACLs (either through Windows Explorer or smbcacls). This issue is can be worked around in the ixnas module starting in FreeNAS 11.3 by setting the share-level auxiliary parameter "ixnas:zfsacl_sortaces = true"
- Windows allows to open a file without the read, write or execute permission. For example to read the permissions of a file. The practical result of this difference is that files and folders on the FreeNAS Samba server will be invisible to a user if he or she does not have at a minimum "Read attributes".
- In FreeBSD presently "write data" (w) implies "delete" (D) and "delete child" (d). This issue is mitigated in the ixnas module starting in 11.3.
There are edge cases where a FreeNAS Samba administrator may need to use these parameters, but when in doubt, use ACLs to define permissions for samba shares. It is highly advisable to use the easiest to maintain and the least ambiguous method for controlling access, and it can be hard to predict how different access control methods will interact. However, in some situations it is distinctly desirable to force all file system operations as if a single user were doing so. The use of the force user and force group behavior will achieve this. In other situations it may be necessary to use a paranoia level of control to ensure that only particular authorized persons will be able to access a share or its contents. Here the use of the valid users or the invalid users parameter may be useful.
root@FOOTEST:/usr/ports/net/samba49 # ls -l /zroot/
total 27
drwxr-xr-x+ 3 root wheel 4 Jun 10 09:22 insens
drwxr-xr-x 71 root wheel 85 Jan 16 06:30 newports
drwxrwxr-x 7 root wheel 8 May 30 05:47 samba
drwx------+ 3 root wheel 3 Jan 15 12:47 test
drwxr-xr-x+ 6 root wheel 6 Feb 13 15:55 users
drwxr-x---+ 2 root wheel 11 Dec 27 10:15 zfsquota
Share Definition Auxiliary Parameters Affecting Permissions
Code:
force group: Specifies a UNIX group name that will be assigned as the default primary group for all users connecting to this service. force user: Specifies a UNIX username that will be assigned as the default user for all users connecting to this service. This is useful for sharing files. Incorrect use can cause security problems. read list: List of users that are given read-only access to a service. Users in this list will not be given write access, no matter what the read-only option is set to. valid users: List of users that should be allowed to login to this service. write list: List of users that are given read-write access to a service.
A name starting with a '@' is interpreted as an NIS netgroup first (if your system supports NIS), and then as a UNIX group if the name was not found in the NIS netgroup database. A name starting with '+' is interpreted only by looking in the UNIX group database via the NSS getgrnam() interface. A name starting with '&' is interpreted only by looking in the NIS netgroup database (this requires NIS to be working on your system). The characters '+' and '&' may be used at the start of the name in either order so the value +&group means check the UNIX group database, followed by the NIS netgroup database, and the value &+group means check the NIS netgroup database, followed by the UNIX group database (the same as the '@' prefix).
Example:
valid users = greg, @pcusers
Share Permissions
Permissions set on shared directories are called share permissions, and they determine who can use shared directories over the network, and in what manner. These are the only access control method available for shared directories on FAT volumes on Windows servers, and in the Windows world are generally recommended only for shares on filesystems that lack ACL support.
In Samba, Share Permissions are handled through the share_info.tdb file and function independently of file system permissions. The share-level permissions as defined here only represent the maximum level of access a user or group has in a share. These can provide a relatively simple and intuitive way to manage access control in situations where managing access control through NTFS / ZFS ACLs is impractical or undesirable. In the absence of specific restrictions, the default setting in Samba is to allow the global user Everyone - Full Control (full control, change and read).
Share Permissions can be modified locally on the FreeNAS server by using the command line utility sharesec, which is a part of the Samba Suite. An administrator will need to view the idmap entries on the local FreeNAS servers to determine the appropriate SID value for the user / group to which he or she wishes to grant access. A sample command to add full access for
SID S-1-5-21-1866488690-1365729215-3963860297-17724
on the share "test" is as follows: sharesec test -a S-1-5-21-1866488690-1365729215-3963860297-17724:ALLOWED/0/FULL.
Share Permissions can also be managed through the Computer Management Console from a Windows client while authenticated with a user who has appropriate privileges.
The Share-level ACL can be viewed locally from the command line on a FreeNAS server by entering the command
sharesec --view-all
or sharesec <share_name> -v
. For instance, if a FreeNAS server has the share test, the ACL on test can be viewed through the command sharesec test -v
. Sample output from this command is as follows:Code:
[root@rivendell] ~#sharesec test -v REVISION:1 CONTROL:SR|DP OWNER: GROUP: ACL:S-1-1-0:ALLOWED/0x0/FULL
In the case that share_info.tdb file an entry for a share, samba will fake-up a "FULL CONTROL" ACE for S-1-1-0 (everyone).
Glossary
Access Control List (ACL)
An access control list (ACL) is a data structure containing permissions attached to a file or folder. An ACL contains zero or more Access Control Entries (ACEs) which specify which users or groups are allowed or denied access to the file or folder. The access control list for a file or folder can be viewed through the command line utility getfacl and set through the command line utility setfacl. There are multiple models of ACLs. Examples include NTFS, NFSv4, and POSIX-draft. ZFS on FreeNAS uses the NFSv4 model.
Access Control Entry (ACE)
An access control entry (ACE) is an element in an access control list. Each ACE contains the following components in the following order: Access Control Entry Type (ACE Tag and Qualifier), Access Permissions, Inheritance-Flags, and ACE Type (Deny | Allow). Examples of Access Control Entries -
group@:rwxpDdaARWcCo-:fd-----:allow and group:IT:rwxpDdaARWcCo-:fd-----:allow
Special Access Control Entry
Special Access Control Entry Types consist of: owner@, group@, and everyone@. owner@ specifies the access granted to the owner of the file or folder. group@ specifies the access granted to the owning group of the file or folder. everyone@ specifies the access granted to any user or group that does not match any other ACE in the access control list. If an ACL only contains owner@, group@, and everyone@ ACEs, then it is considered a Trivial ACL.
Explicit Access Control Entry
Explicit Access Control Entry Types are indicated by "user" or "group". user - specifies the access granted to an additional user of the file or folder. This entry must contain a valid username or UID. Example: user:Bob. group - specifies the access granted to an additional group of the object. The entry must contain a valid groupname or GID. Example:
group:Domain Admins.
Code:
everyone@:r-x---a-R-c--s:-------:allow ||||||||||||||:||||||| (r)read data +|||||||||||||:||||||+ (I)nherited (w)rite data -+||||||||||||:|||||+- (F)ailed access (audit) root@FOOTEST:/usr/ports/net/samba49 # ls -l /zroot/ total 27 drwxr-xr-x+ 3 root wheel 4 Jun 10 09:22 insens drwxr-xr-x 71 root wheel 85 Jan 16 06:30 newports drwxrwxr-x 7 root wheel 8 May 30 05:47 samba drwx------+ 3 root wheel 3 Jan 15 12:47 test drwxr-xr-x+ 6 root wheel 6 Feb 13 15:55 users drwxr-x---+ 2 root wheel 11 Dec 27 10:15 zfsquota e(x)ecute --+|||||||||||:||||+-- (S)uccess access (audit) a(p)pend ---+||||||||||:|||+--- (n)o propagate (d)elete ----+|||||||||:||+---- (i)nherit only (D)elete child -----+||||||||:|+----- (d)irectory inherit read (a)ttrib -------+|||||||:+------ (f)ile inherit write (A)ttrib -------+|||||| (R)ead xattr --------+||||| (W)rite xattr ----------+|||| read a(c)l ----------+||| write a(C)l -----------+|| change (o)wner ------------+| sync -------------+
Inheritance Flags
The purpose of using ACL inheritance is so that a newly created file or directory can inherit the ACLs they are intended to inherit, but without disregarding the existing permissions on the parent directory. By default, ACLs are not propagated.
Trivial ACL
An ACL is trivial if it can be fully expressed as a POSIX mode without losing information:
Code:
[root@rivendell] ~# getfacl /mnt/Tank/TestShare/ # file: /mnt/Tank/TestShare/ # owner: root # group: wheel owner@:rwxp--aARWcCos:-------:allow group@:r-x---a-R-c--s:-------:allow everyone@:r-x---a-R-c--s:-------:allow
Non-Trivial ACL
An access control list containing one or more explicit Access Control Entries. Sample Non-Trivial ACL:
Code:
[root@rivendell] ~# getfacl /mnt/Tank/TestShare/ # file: /mnt/Tank/TestShare/ # owner: root # group: wheel owner@:rwxpDdaARWcCos:fd-----:allow group@:rwxpDdaARWcCos:fd-----:allow group:DOMAIN\Minions:r-x---a-R-c---:fd-----:allow group:DOMAIN\Domain Admins:rwxpDdaARWcCos:fd-----:allow
Another example of a non-trivial ACL:
Code:
[root@rivendell] ~# getfacl /mnt/Tank/TestShare/ # file: /mnt/Tank/TestShare/ # owner: root # group: wheel owner@:rwxpDdaARWcCos:fd-----:allow group@:rwxpDdaARWcCos:fd-----:allow everyone@:r-x---a-R-c---:fd-----:allow
FreeBSD will indicate whether an ACL is trivial by showing a + sign to the right of the POSIX mode in the output of
ls -l
.Code:
root@FOOTEST:/usr/ports/net/samba49 # ls -l /zroot/ total 27 drwxr-xr-x+ 3 root wheel 4 Jun 10 09:22 insens drwxr-xr-x 71 root wheel 85 Jan 16 06:30 newports drwxrwxr-x 7 root wheel 8 May 30 05:47 samba drwx------+ 3 root wheel 3 Jan 15 12:47 test drwxr-xr-x+ 6 root wheel 6 Feb 13 15:55 users drwxr-x---+ 2 root wheel 11 Dec 27 10:15 zfsquota
Security Identifier (SID)
In the Windows world, every user, user group, or other security principal has a unique identifier called its SID. SIDs will typically look like this: S-1-5-21-1004336348-1177238915-682003330-2132 following the form S-R-X-D0-D1-D2-D3-RID. The S indicates that the string is a SID. The R indicates the version of SID structure that is used in the SID. The X indicates the identifier authority value. The everyone group has an authority value of "1". Specific Windows users and groups will have an identifier value of 5 (NT Authority). D0 represents a subauthority value and when combined with D1-D3 represent a unique domain identifier. D1, D2, and D3 are three randomly generated 32-bit numbers. SIDs for accounts and groups in the Built-In domain have a domain identifier value of 32 (for example the Built-in Administrators group has a SID of S-1-5-32-544). The Relative identifier (RID) is a variable length number that is assigned to objects at creation and uniquely identifies particular accounts or groups relative to a domain. Windows ACLs use SIDs to uniquely identify users and their group memberships. Samba has the capability of mapping Windows SIDs to Unix UIDs / GIDs through various winbind idmap backends. Unix users and groups that do not have passdb entries in samba will have a SID pefix of S-1-22-1 for users and S-1-22-2 for groups.
Like Built-in accounts, "well-known SIDs" are also an exception to the "S-1-5-21-D1-D2-D3-RID" rule. For more information, consult Microsoft Windows documentation https://support.microsoft.com/en-us/kb/243330.
Resources
- https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/AccessControls.html
- https://sambaxp.org/archive_data/SambaXP2013-DATA/wed/track2/Alexander_Werth-NFSv4-ACLs.pdf
- https://sambaxp.org/archive_data/Sa...baxp2013-wed-track2-Alexander_Werth-NFSv4.mp3
- https://www.freebsd.org/cgi/man.cgi?query=setfacl&sektion=1
- https://wiki.freebsd.org/NFSv4_ACLs
- http://wiki.linux-nfs.org/wiki/index.php/ACLs
- http://docs.oracle.com/cd/E19253-01/819-5461/6n7ht6r54/index.html
- https://marc.info/?l=samba&m=143172764302830&w=2
- http://www.ietf.org/rfc/rfc3530.txt
- http://tools.ietf.org/id/draft-ietf-nfsv4-minorversion1-03.txt
- https://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx
- https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
Last edited: