OpenSolaris derived ZFS NAS/ SAN (OmniOS, OpenIndiana, Solaris and napp-it)

_Gea any chance you can tell me how to set the sharing permissions?

Ok, lot of work/ news today.
about your problem with permissions

You need to know first, that unix uses user id's and group id's while
Windows uses security id's (completely different format)
Also group management is completely different. Unix passwords have a different format
than Windows passwords, so they are generated and stored separately.

Sun developed Solaris to be a Windows server replacement as best as possible
under these conditions. This means that ACLs are mostly compatible and there is an
automatic mapping mechanism between user and group id's (only supported by
a unix filesystem) and Windows security id's beside a manual mapping mechanism between.

If you want to set permissions for a SMB share, you have the following options:

1. the owner of a share is root, so only root can modify permissions
After installing napp-it (this includes setup of smb service) you need to reenter password for
root to create an additional smb password on CLI via passwd root

You can then smb login to a share from Windows as user root.
Right click on the shared folder and select properties-security.
You can now either select local users or domain users and set permissions for them.
-> automatic id-mapping

Problem: Some Windows versions are not able to remote set ACL like home versions and Win7 ultimate
best are Win XP pro, Win 2003 and Win7 pro

2. Active directory only: You can set a manual mapping like winuser:xyz => unixuser: root
or wingroup=abc => unixgroup staff
If you connect now as xyz you have root permissions and if you connect as a member of
ad group abc you have the same permission like unixgroup staff.
You can use and see these users and groups for smb from a Windows machine that is also a domain member.
You can use local Solaris users even in domain mode

3. Workgroup mode
You create users via napp-it menu user (used both on unix and smb) and smb groups
and you can add users to these smb groups like power users and administrators and
your own added groups. You can use and see these users and groups for smb from a Windows machine.

4. you can use the napp-it acl extension to set permissions and ACL (under development) via napp-it
This is the only comfortable way to correctly set ACL because Solaris ACL behaves differently from Windows.
Windows processes first all deny then all allow while Solaris uses only the order of the ACL list with the
first matching entry doing the job.

5. you can set permissions and ACL via CLI
Only an option if you know what you are doing

6. Beside the above shared folder permissions, you can set permissions on a share level
just like you can do with a real Windows server

6a. With computer management from a Windows machine that is connected to Solaris
as a member of smb-group administrators (a little bit complicated)

6b with CLI on Solaris
very complicated

6c with napp-it ACL extension
in development
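
The ordering difference described in point 4 of the post above, as an added example (not part of the original post and not napp-it code): a Python model that evaluates the same ACL list once in list order and once deny-first. Assumptions: only user, group and everyone@ entries are modelled, and the users, group, ACL entries and function names are constructed for illustration.

```python
from collections import namedtuple

# who: "user:NAME", "group:NAME" or "everyone@"; perms: frozenset of
# permission names; allow: True for an allow entry, False for a deny entry.
Ace = namedtuple("Ace", "who perms allow")


def ace(who, perms, allow):
    return Ace(who, frozenset(perms.split("/")), allow)


def matches(entry, user, groups):
    if entry.who == "everyone@":
        return True
    kind, _, name = entry.who.partition(":")
    return (kind == "user" and name == user) or (kind == "group" and name in groups)


def check_ordered(acl, user, groups, wanted):
    """List order decides: for each permission, the first matching entry wins."""
    pending = set(wanted)
    for entry in acl:
        if not matches(entry, user, groups):
            continue
        hit = pending & entry.perms
        if not hit:
            continue
        if not entry.allow:
            return False          # first matching entry for this permission is a deny
        pending -= hit            # settled by an allow, later entries cannot revoke it
        if not pending:
            return True
    return False                  # anything never granted is refused


def check_deny_first(acl, user, groups, wanted):
    """Every matching deny entry is considered before any allow entry."""
    wanted = set(wanted)
    relevant = [e for e in acl if matches(e, user, groups)]
    if any(not e.allow and e.perms & wanted for e in relevant):
        return False
    granted = set()
    for e in relevant:
        if e.allow:
            granted |= e.perms
    return wanted <= granted


def compare(acl, user, groups, wanted):
    """Return (ordered result, deny-first result) for one access request."""
    return (check_ordered(acl, user, groups, wanted),
            check_deny_first(acl, user, groups, wanted))


# Constructed sample: an allow for one user placed above a deny for his group.
SAMPLE_ACL = [
    ace("user:moose", "read_data/write_data", True),
    ace("group:staff", "write_data", False),
    ace("everyone@", "read_data", True),
]
# Same entries with the deny entries moved to the top (stable sort, False < True).
DENY_ON_TOP = sorted(SAMPLE_ACL, key=lambda e: e.allow)

if __name__ == "__main__":
    for label, acl in (("as listed", SAMPLE_ACL), ("deny on top", DENY_ON_TOP)):
        for user in ("moose", "anna"):
            result = compare(acl, user, {"staff"}, {"write_data"})
            print(f"{label:12} {user:6} write_data ordered/deny-first = {result}")
```

With the deny entries on top both evaluations agree, which is why the position of a new entry matters when ACLs are set on the Solaris side.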
 
Thanks a lot. That really helped me understand how it works.

It seems like it should work how I'm doing it but it just doesn't.

Here is what i did
In napp-it ui / Users add ++ smb user made 3 users
In Windows 2003+Win7 Enterprise+2008+XP pro right click a folder (Connected with root) on the share in security tab add and type in user name from napp-it
Result object not found for any of the users in all windows versions.

Is there something in this that i might be doing wrong? It's like the users i made do not exist.
 
you must type in usernames like hostname\user
but the easiest way is to use the advanced -search user dialog in the
Windows security windows to select the user from a list of all available user/ groups
 
I got a quick question. I have an All-in-one and when my server got reset I lost 3 out of my 4 VMs. (the oldest remains). Any ideas on how to prevent this? Do I need to use a snapshot feature?

Additionally I get this error whenever I try and install VMWaretools now:

"Call "VirtualMachine.MountToolsInstaller" for object "Ubuntu 11.04" on ESXi "192.168.1.246" failed.
Unable to install VMware Tools. An error occurred while trying to access image file "/usr/lib/vmware/isoimages/linux.iso" needed to install VMware Tools: 2 (No such file or directory). If your product shipped with the VMware Tools package, reinstall VMware ESX, then try again to install the VMware Tools package in the virtual machine.
The required VMware Tools ISO image does not exist or is inaccessible. "

Where is that located or how do I fix it.

Reinstalled ESXi 4.1 just like danswartz suggested and not only did it fix this problem I was having here but it seemed to fix my OI reading/writing issue with smb as well. Two birds one stone. I am very happy.
 
I suppose you are looking for the wrong solution.
While Samba has more features like sharing any folder while Kernel-based
SMB server can share only ZFS folder/ datasets as a ZFS property it is slower.


I suppose you have two problems:

1.
A general performance issue. With 4 datadisks you should have a raw disk-performance
(check with bonnie or dd) of about 200 MB/s + and a usual SMB performance of about
50-100 MB/s depending on hardware

problems mostly due to:
- bad or not well supported hardware (Realtek nics, some desktop boards)
- bad cabling/ switch problems
- very low RAM (< 1 GB)

2.
Take notice of the difference between a ZFS folder/ dataset and a regular folder in a pool
A ZFS folder is an independent filesystem just like a partition on other filesystems.
A data-move between them is always a copy while a move between folders in the
same ZFS-folder/ dataset is only a change of a pointer and mostly done without delay.

If you want to reorganize your data with best performance, then do it on the server
(with OI, you can use nautilus file browser, on CLI you can use midnight commander.
You will then have raw disk speed)


sorry for not clear

under pool A,
smb- directory-->smbshare
directory-->test

under smbshare
my Videocam files,file size larger than 4gb
my pics, raw file -->10 to 20 MB

moving files from pool A to pool B on the same Server
move videocam files, good.....
speed over 200MB/s

but camera files,,,,,no good
speed is unstable
it could be very very slow, or maybe faster...but not over 200MB/s
sometimes it like hangs

so....lots of small size files will cause this problem
and I don't know why
I tried this for two weeks
under two Solaris 11 express Server..both are i5-2400 Z68
I used OpenSolaris for almost three years ,and using samba
pool to pool , no problem
and samba between my HTPC & OpenSolaris ,speed is 100MB/s almost

I'm wondering, if "smb" causing this problem
thank u all
 
that's the known problem with some Windows versions.
One user reported success after such a problem after a mapping via net use

otherwise try
- use another Windows
- use groups instead of users (don't know if that works)
- try napp-it ACL extension (I'm developing that because of this problem)

My problem is that every version of windows does this. That is Win7 Enterprise, XP Pro, 2003 and 2008r2

I guess I'll go with napp-it ACL, where do i find that, and how do i use it?
 
menu extension - acl settings

select pool and folder and add needed ACL
(extension under development)
 
My problem is that every version of windows does this. That is Win7 Enterprise, XP Pro, 2003 and 2008r2

I guess I'll go with napp-it ACL, where do i find that, and how do i use it?

I'm finding the same issue, with Win7 Pro and WinXP. No users show up when setting ACL's, no matter how I set it up.

If you use the ACL extension, just add a user to the SMB share, then that same user should show up when viewing from Windows.
 
it's currently a problem like some have it others not.
I have it not. I suppose we have to collect experiences to find the issue
In the meantime, you may try and evaluate the napp-it acl-extension.

If you have set ACL in any way, a SMB client must respect
 
I'm having issues with SMB sharing and read this past page about the ACL. I'm totally lost on how to set the ACL and where. maybe i overlooked where its at.
 
Works for me when I use the settings under "Extensions -> acl settings"
 
if you are asking about the napp-it acl extension.
look at menu extension - acl settings
 
I found it, i added all my users to the SMB users, then went to the ACL and added the users there as well but still can't login other than root
 
Has anyone successfully installed the Community Edition of Nexenta from a usb key? I'm pulling my hair out!..:mad:
 
I'm not sure how to set it up via. the acl extension.

This is what i see http://dl.dropbox.com/u/4118803/acl.png

You can restrict SMB-access to your ZFS Server either via file and folder permissions
or with restrictions on the share.

With the napp-it ACL extension, you can set ACL on files and folders of your ZFS-Folder
in menu extension -> acl setting after selecting a shared folder

You are in the submenu extension -> acl setting -> smb share
where you can set ACL on the share after selecting a share.
This setting does not modify files and folders ACL
but are like a general restriction independent of file or folder settings

A SMB client must respect both settings
 
hi
i would like to turn my old main pc into a nas, and i would like to use zfs, so nappit on one of the mentioned OS seems a good idea.
i don't want the nas to be running 24/7, that's just too much power usage. is there a way to put any of the supported OS in suspend mode while using nappit, maybe even automatically after some idle time? and if suspend is possible, is wake-on-lan possible?

thanks for any help.
 
Sorry if this has been asked before but I couldn't seem to find any mention...

Could I use an AMD-based system instead? I notice that even cheap 6-core phenoms have ECC support so perhaps the system could be done quite cheaply.
 
hi
i would like to turn my old main pc into a nas, and i would like to use zfs, so nappit on one of the mentioned OS seems a good idea.
i don't want the nas to be running 24/7, that's just too much power usage. is there a way to put any of the supported OS in suspend mode while using nappit, maybe even automatically after some idle time? and if suspend is possible, is wake-on-lan possible?

thanks for any help.

Solaris is an Enterprise OS without focus on energy saving.
Power it off when not needed (you can set that in napp-it) and power on when needed
either with a power timer or with the help of IPMI (remote power on/off via browser)
 
Sorry if this has been asked before but I couldn't seem to find any mention...

Could I use an AMD-based system instead? I notice that even cheap 6-core phenoms have ECC support so perhaps the system could be done quite cheaply.

I would not.
Most AMD systems have Realtek Nics, not suggested with any Solaris.
I would currently prefer an Intel server chipset based mainboard with 5520, 3420
or 202/204 chipset.

Look at SuperMicro based X8 or X9 series with ..-F (IPMI remote management)
They are quite affordable and the best to buy for any Solaris (my opinion)

!! Solaris is not mainstream. There is not too many hardware that is really good to use
 
Hi all,

I'm looking for a bit of advice on the creation of a pure SSD pool for my VMs.

I currently have bulk storage with SSD read/write caches but I have recently acquired some Crucial C300s and I was looking to make a pool of them exclusively for storing my VMs.

I was wondering if anyone else has attempted this? What's the best practice for best performance? Is this a good idea?

Any tips/hints/experiences would be much appreciated.

Thanks!
 
Since a few days I'm using OpenIndiana with napp-it on a home NAS box in order to be able to use ZFS. This works great.

However, I do have a problem with sharing:
I have a ZFS folder shared with smb with guest access (guest-ok). Guest access is needed because the Windows box connecting to this share is in an AD domain. This works fine, I can create/delete/rename files and folders from the Windows box.
However, if I look at the files on the OI box, I see they get a 'strange' UID/GID (a number like 2147483649). I don't know if this is normal? (I'm used to Linux mapping this to nobody.nogroup). But it works fine so far.

Now I also share this folder with NFS.
I mount the NFS share on a Ubuntu box. This also works, I can create/delete/rename files and folders from the Ubuntu box.

However, the files/folders made on the Ubuntu box are 'read-only' in the Windows share pointing to that folder.
When I look at the files on the OI box, I see they get the UID/GID of the Ubuntu User (instead of being mapped to nobody.nobody). They are also created as 'rw-r--r--'

I've been trying for 1.5 days now to get this working.
Can someone please point me in the right direction (a share which is 'world accessible' through both smb and nfs?)
 
I would not.
Most AMD systems have Realtek Nics, not suggested with any Solaris.
I would currently prefer an Intel server chipset based mainboard with 5520, 3420
or 202/204 chipset.

Look at SuperMicro based X8 or X9 series with ..-F (IPMI remote management)
They are quite affordable and the best to buy for any Solaris (my opinion)

!! Solaris is not mainstream. There is not too many hardware that is really good to use

I was planning an AMD system too, Intel NICs are $20 and I have an extra one, is there any other reason not to use AMD? Remember this is for home use, I need to save money where possible. Supermicro motherboards are at least $100 more than vanilla AMD motherboards and a Xeon (required for ECC) costs at least $200 vs $60 for a Phenom II X3 720. The $200 savings would pay for three 2TB or two 3TB hard drives.
 
me too, I use a e-350 zacate/fusion APU and I use the realtek 8111E, everything runs great.

Solaris runs well with AMD. Most performance or stability problems are due to
not or not well supported Nics or Disk Controller. (Realtek is an often known candidate)

On the other hand, you must define your use case, ex home NAS for Video and Backup,
then a quite slow machine is well, even with Atom or similar CPU's. I also use a backup
machine at home based on an older AMD board.

But
For me I always look for multi-purpose machines, and virtualisation is a must to have for me.
In my case there is no way around an Intel based mainboard with server chipsets to have hardware
virtualisation via vt-d. For me, this extra is worth the 50-70 Euro premium or the use of a Xeon,
even if it's only a cheap Dualcore. You can also use AMD with IOMMU but they are similar in price.
 
Hi all,

I'm looking for a bit of advice on the creation of a pure SSD pool for my VMs.

I currently have bulk storage with SSD read/write caches but I have recently acquired some Crucial C300s and I was looking to make a pool of them exclusively for storing my VMs.

I was wondering if anyone else has attempted this? What's the best practice for best performance? Is this a good idea?

Any tips/hints/experiences would be much appreciated.

Thanks!

My primary ESXi Storage pools are all SSD only (Sandforce based)
Read and write Performance is about 1 GByte/ s with 4 mirrored-pairs.
Reliability is not the best with these MLC ones. I have about 80 Disks
and about 10 % failure rate in the last 12 months.

That's the reason i use 3 x mirrors because data on these pools is critical.
But I would not go back to spindles and expect to replace them after warranty in
about two years.
 
Since a few days I'm using OpenIndiana with napp-it on a home NAS box in order to be able to use ZFS. This works great.

However, I do have a problem with sharing:
I have a ZFS folder shared with smb with guest access (guest-ok). Guest access is needed because the Windows box connecting to this share is in an AD domain. This works fine, I can create/delete/rename files and folders from the Windows box.
However, if I look at the files on the OI box, I see they get a 'strange' UID/GID (a number like 2147483649). I don't know if this is normal? (I'm used to Linux mapping this to nobody.nogroup). But it works fine so far.

Now I also share this folder with NFS.
I mount the NFS share on a Ubuntu box. This also works, I can create/delete/rename files and folders from the Ubuntu box.

However, the files/folders made on the Ubuntu box are 'read-only' in the Windows share pointing to that folder.
When I look at the files on the OI box, I see they get the UID/GID of the Ubuntu User (instead of being mapped to nobody.nobody). They are also created as 'rw-r--r--'

I've been trying for 1.5 days now to get this working.
Can someone please point me in the right direction (a share which is 'world accessible' through both smb and nfs?)


Main problem: SMB is ACL only while NFS3 is unix permission only.
You may try to modify NFS share options, you may try NFS4 (capable of ACL)
or you may disable guest access (join domain or use local user-login) and set
ACL according to your needs

I would either use SMB always or set the share to full access if it's a secure net
 
_Gea, i could really use some help LOL. i swear i've read through whats been said but maybe i'm misunderstanding something. Here is the user page
napp-it1.PNG


and here is the ACL page
napp-it2.PNG


Now why is it i can see these usernames when i right click for the security permissions for the share, but i can't actually use that name/password combo i created to login, i have to use root still. Did it need applied to documents and not the shareddocuments folder?
 
Main problem: SMB is ACL only while NFS3 is unix permission only.
You may try to modify NFS share options, you may try NFS4 (capable of ACL)
or you may disable guest access (join domain or use local user-login) and set
ACL according to your needs

I would either use SMB always or set the share to full access if it's a secure net

I'm going to have a further look into this.
I don't want to join the domain, because i might opt for ESXi later, with the VMs stored on the NAS box, which means the DC won't be running when the NAS box starts.

I can try to mount the dir through smb/cifs in Ubuntu, but in my experience this is very slow (compared to NFS).
 
Now why is it i can see these usernames when i right click for the security permissions for the share, but i can't actually use that name/password combo i created to login, i have to use root still. Did it need applied to documents and not the shareddocuments folder?

seems all ok.
but, file/ folder level acl are used after login, if you cannot login the problem is not with file/folder ACL

have you modified share level acl?
they work at login time
 
You can restrict SMB-access to your ZFS Server either via file and folder permissions
or with restrictions on the share.

With the napp-it ACL extension, you can set ACL on files and folders of your ZFS-Folder
in menu extension -> acl setting after selecting a shared folder

You are in the submenu extension -> acl setting -> smb share
where you can set ACL on the share after selecting a share.
This setting does not modify files and folders ACL
but are like a general restriction independent of file or folder settings

A SMB client must respect both settings

My problem is that i just don't know what to set.

My server is named nas and it has a zfs folder named nas under this i have 2 folders that i want 2 users to have access to so they don't have access to the rest. Can you tell me how?
 
You may want to rethink your folder structure. Instead of a single ZFS folder, with directories under it, change those directories to be ZFS folders. You should be able to then share those out and set permissions on them.
 
seems all ok.
but, file/ folder level acl are used after login, if you cannot login the problem is not with file/folder ACL

have you modified share level acl?
they work at login time

I have no idea which is the share level ACL LOL. i'm very new to anything not windows and even napp-it has made me scratch my head LOL.

EDIT: well this is weird, my mom's worked just fine, i was like for sh*ts and giggles lets try it out, and sure enough it worked.... hmmmmmmm

EDIT 2: so i tried the other username/password combo's and they all work, all except mine (moose) any idea? i also reset my password just in case i goofed it and still no go LOL.
 
Share level ACL is a Windows thing

You can set file and folder acl in menu extension - acl setting
You can set share level acl in menu extension - acl setting - smb share

try to remove your account from smb administrators and see what happens
(you are then mapped to root and this may cause problems with workgroups)

ps
Unix and Windows are completely different in file system/ user/ group /acl basics
I tried several times to replace my Windows server with Linux + Samba and stopped that due
to too many problems with users/ groups/ pw/ acl

Solaris with Kernel based SMB server was the first system i found, where advantages are immense
and problems are manageable while you have to learn only a few unix basics to understand remaining problems
 