ACL inheritance and ABE broke when using nested ZFS filesystems on OmniOS

fields_g

I sent this to the OmniOS discussion list, but thought I'd run it by you guys as well.

I'm setting up a ZFS OmniOS storage server with SMB shares for AD
authenticated group shares. I got Active Directory integration and Access
Based Enumeration working, then focused on quotas. I understand I can
have user/fs, group/fs, and generic fs quotas.

Originally, I was going to use a single fs with directories for the
different groups, but then I found that the group/fs quota is based on the
primary group in AD, which is "Domain User" for all my users, and I don't
have the rights to modify this. Besides, there may be situations where a
single user may have multiple group memberships with differing quotas. So,
I then created nested fs's under the "group" fs and set generic quotas on
those. In the end, this more accurately accomplishes what I wanted to do
but.....

Two bad things happened. ACL inheritance broke and ABE broke.

ACL of the nested fs reverted to the default ACL (@owner, @group,
@everyone) instead of inheriting from "group". I was able to work around
this by manually setting my admin account permissions on the server (could
have also used root), then via Windows adding the additional users/groups.
But when I did this, it "rediscovered" the inherited permissions from
"group", so I had two entries. I just deleted the non-inherited entries. It
seems like I'd have to do this for every group nested fs. Is there an
easier way to do this?

I also noticed that the nested fs, which shouldn't be visible because of
ABE, are now visible. The ACL security settings are properly blocking access,
but I don't want them seen if the user doesn't have access. I have not
been able to fix this. Any ideas here?


Thanks!
 