Recursively apply AD Group permissions to a tree?

[GeoffK]

So I'm building a Redirected folders share that is backed by ZFS (for the lovely purposes of snapshots etc).

I have redirected folders working no problems - and normally to grant domain admins (or a backup user or whatever) access to the redirected folders, you'd run a script over them which takes ownership of the folder hierarchy, adds the desired user/group in, then gives ownership back to the user.

Normally you'd run said script on the fileserver and its no problems.

Obviously BSD doesn't really give a hoot what powershell has to say, nor has any idea what takeown and calcs are.

So I looked into it.

Essentially I need to run

Code:

setfacl -Rm g:domain\domain admins:rwxpDdaARWcCo-:fd----:allow /mnt/pool0/shares/users/FolderRedirections/

however this doesn't work for a few reasons;

1. BSD's setfacl doesn't support -R for recursion
2. the syntax of the group is wrong (although the permissions are right).

I think however - as a bonus - that root counts as "system" which means i don't have to steal ownership to add these permissions, then put it back (otherwise Redirected folders doesn't work).

I think I need to use;

Code:

find /mnt/pool0/shares/users/FolderRedirection/ -type f -exec setfacl .... 

But i'm not sure on the setfacl syntax to get my AD based group in there...

 

[GeoffK]

AH HA!

figured it out.

Code:

find /mnt/pool0/shares/users/FolderRedirections/ -type d -exec setfacl -m g:"domain\group":rwxpDdaARWcCo-:fd----:allow {} \;