Home
  • ready-to-use, convenient ZFS storage server for iSCSI/FC, NFS and SMB
  • Active Directory support with snaps as Previous Versions
  • convenient web GUI
  • all functions for an advanced NAS/SAN
  • commercial use permitted
  • no storage limit
  • free download for end users


  • individual support and consulting
  • bugfixes / updates to the latest versions or fixes
  • extensions such as convenient ACL management, disk and real-time monitoring or remote replication
  • appliance diskmap, security and tuning (Pro complete)
  • redistribution/bundling/installation on behalf of customers optional
Request a quote.
Details: Featuresheet.pdf

ACL and user management extension (Solarish only)

  • File and Folder ACL settings via Web-GUI
  • Care about order of ACL settings (not possible from Windows)
  • Allow deny rules (not possible from Windows)
  • Share based ACL settings (Permissions on a share itself, not on files or folders)
  • Trivial ACL (similar to unix permissions) like owner@, group@ and everyone@
  • Control of ACL order (Solaris ACL are order sensitive; Windows cares first about deny then about allow rules)
  • Control of ACL inheritance for newly created files and folders
  • Local user and groups
  • Active Directory user and groups
  • human-readable ACL set names like full_set, modify_set, read_set, create_fileset, create_folderset, owner_default, etc.
  • reset all ACLs (recursively) to defaults like modify, root only, owner only, etc.
  • Control of ACL-inherit and ACL-mode property

  • User-Quota, Group-Quota settings via Web-UI (napp-it menu ZFS filesystem -> used)
  • IDmappings via Web-UI (Menu user)
  • Restore all napp-it, user, smbgroup and idmapping settings from backup job data (Menu user - restore settings)


How to set up


  • You need a licence key on every server (you can request evaluation keys)
  • To request a license key, you need the machine-ID from menu Extensions > Get Machine ID
  • Register the machine ID key: copy/paste the whole key-line into menu extension-register, example:
    complete h:m123..4m90 - 20.06.2022::VcqmhqsmVsdcnetqsmVsTTDVsK

    Usage of a Pro license is restricted to subscription time or perpetual with an unlimited edition.


What you should know about ACL and SMB


You need to know three principles about SMB sharing (= Windows-like sharing)

1. The Solaris CIFS server behaves like Windows: it cares only about ACLs

napp-it also allows setting and displaying Unix permissions, but this is mainly for NFS3 or for discovering problems.

A good start is to set the Unix permissions of an SMB share to 777 and set ACLs as needed; the Unix permissions are reduced automatically to fit these settings. You can use trivial ACLs like owner@, group@ or everyone@ to get settings similar to Unix permissions, but with ACL inheritance for files and folders newly created within such a folder.


2. With a Solaris CIFS server, you can restrict access in general, independently from file and folder settings, on the share level.

This is originally Windows server behaviour as well. It allows restricting access as a general setting, independently from file and folder settings; no file or folder permission can exceed this global pre-setting. You can check and set share-level ACLs with the napp-it ACL extension under menu ACL on SMB shares. The default is everyone@=full (no restriction from this side).


3. With a Solaris CIFS server, you can restrict access on the file and folder level.

Each file or folder can have Unix permissions as well as ACLs. In a file listing with permissions, the existence of an ACL is shown by a + after the Unix permissions. If you create a new dataset and share it, only root (the owner) has access and can connect from Windows. If other users need access, you must allow them; you can use the napp-it ACL extension to add more users to files or folders.

Your effective rights are the lower of the settings in 2. and 3.


4. Special settings

- If you allow guest access, files and folders in a share can be modified without a login from an SMB client.
- If you enable an NFS share for an SMB-shared folder, it is a good idea to set the ACL of the folder to everyone@=modify with file and folder
   inheritance activated, so that newly created files are accessible from both the SMB and the NFS side. If you need to restrict SMB access, use share-level settings.
- If you activate AFP sharing, you must allow everyone@=modify on the shared folder or it will not work.
  You can restrict the ACLs on files and folders that you create within it.
- If you reset permissions with e.g. chmod -R 700, ACLs including their ACL inheritance settings are deleted.
- If you need to reset all permissions recursively to a default level like everyone@=modify or owner only, you can use
  the ACL extension. Select menu ACL on folders, select a folder and use reset ACL (at the bottom of the folder/file window).
  You can reset the file or folder ACL of the selected folder only, or recursively.


5. Some examples (all with guest access on shares disabled and without any idmapping)

You want to connect as user peter
from Windows without entering a PW

- create and share a dataset /pool/data (owner is root; without setting anything, only root has access)
- set the share-level ACL of /pool/data to everyone=full
- create user peter on OI with the same PW as on Windows
- set the folder-level ACL of /pool/data to peter=full or everyone=full

Connect from Windows without entering a PW when logged in on Windows as peter, or as any other local OI user with a PW.


You want to connect as users peter, paul and mary with full permissions from Windows.
Each can access only their private folder dataset/mary or dataset/paul, plus a common folder dataset/all
peter is admin

- set the share-level ACL of /pool/dataset to everyone=full
- create users peter, paul and mary on OI, optionally with the same PW as on Windows
- create and share dataset /pool/dataset
- set the folder-level ACL of /pool/dataset to peter=full with inheritance to files and folders enabled

Connect via SMB as peter and create the needed folders peter, paul, mary and all
- add a folder-level ACL on /pool/dataset with everyone=read, inheritance to files and folders disabled
- add a folder-level ACL on /pool/dataset/all with everyone=modify, inheritance to files and folders enabled
- add a folder-level ACL on /pool/dataset/user with user=full, inheritance to files and folders enabled
repeat the last step for each user folder


You want to connect as user peter (admin) and any other users with full permissions from Windows.
Each can access only their private folder like dataset/'any user who creates a folder'
peter is admin

- set the share-level ACL of /pool/dataset to everyone=full
- create users peter, paul and mary on OI, optionally with the same PW as on Windows
- create and share dataset /pool/dataset

- add a folder-level ACL on /pool/dataset with peter=full, inheritance to files and folders enabled
- add a folder-level ACL on /pool/dataset with everyone=read, inheritance to files and folders disabled
- add a folder-level ACL on /pool/dataset with everyone=create, inheritance to files and folders disabled

- add a folder-level ACL on /pool/dataset with owner@=full, inheritance to files and folders enabled

Any known user can now connect and create a folder to which he or she has full access; others do not.


You want to reduce all permissions to read without changing file or folder ACLs (and keep peter=full)

- set the share-level ACL to peter=full
- add a share-level ACL everyone@=read (readx when set on Solarish)

The share-level ACL is like a gatekeeper that can reduce all permissions independently from files or folders.
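To make the gatekeeper rule and the order sensitivity of Solaris ACLs concrete, here is a small added model (not napp-it code, not part of the original page) that decides each permission bit by the first matching ACE, as NFSv4/Solaris ACLs do, and intersects share-level with folder-level rights. The set names read/modify/full, the bit names and the constructed ACLs for the examples above are assumptions of this example.

```python
# Added example, not napp-it's own code: models principles 2 and 3 above and
# the "care about order" point. Permission sets are a simplification of the
# real full_set/modify_set/read_set (assumed bit names).
SETS = {
    "read":   {"read"},
    "modify": {"read", "write", "delete"},
    "full":   {"read", "write", "delete", "change_acl"},
}

def _matches(who, user, owner):
    # Trivial ACEs everyone@ and owner@ plus named users; groups omitted.
    return who == "everyone@" or who == user or (who == "owner@" and user == owner)

def evaluate(acl, user, owner="root"):
    """acl is an ordered list of (who, set_name, 'allow'|'deny').
    Each bit is decided by the FIRST matching ACE that mentions it
    (Solaris ACLs are order sensitive); bits nobody mentions are denied."""
    granted, decided = set(), set()
    for who, set_name, kind in acl:
        if not _matches(who, user, owner):
            continue
        for bit in SETS[set_name] - decided:
            decided.add(bit)
            if kind == "allow":
                granted.add(bit)
    return granted

def effective(share_acl, folder_acl, user, owner="root"):
    """The share-level ACL is a gatekeeper: effective rights are the
    intersection of share-level and folder-level rights."""
    return evaluate(share_acl, user, owner) & evaluate(folder_acl, user, owner)

# Constructed ACLs mirroring the examples above.
SHARE_DEFAULT   = [("everyone@", "full", "allow")]          # default share ACL
NEW_DATASET_ACL = [("owner@", "full", "allow")]             # fresh dataset: root only
READ_ONLY_SHARE = [("peter", "full", "allow"), ("everyone@", "read", "allow")]
ALL_FOLDER      = [("everyone@", "modify", "allow"), ("owner@", "full", "allow")]
# Same ACEs, different order: allow-before-deny vs deny-before-allow for paul.
ORDER_ALLOW_FIRST = [("everyone@", "read", "allow"), ("paul", "full", "deny")]
ORDER_DENY_FIRST  = [("paul", "full", "deny"), ("everyone@", "read", "allow")]

if __name__ == "__main__":
    print("mary on fresh dataset:", effective(SHARE_DEFAULT, NEW_DATASET_ACL, "mary"))
    print("mary, read-only share:", effective(READ_ONLY_SHARE, ALL_FOLDER, "mary"))
    print("peter, read-only share:", effective(READ_ONLY_SHARE, ALL_FOLDER, "peter"))
    print("paul, allow first:", evaluate(ORDER_ALLOW_FIRST, "paul"))
    print("paul, deny first:", evaluate(ORDER_DENY_FIRST, "paul"))
```

The last two calls show why the extension lets you control ACE order: the same entries give paul read access in one order and nothing in the other.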


You want to connect as an AD user
Same, but your OI server must be a domain member. You can then log in either as a domain member or as a local user.

napp-it 27.12.2023