Oracle Solaris Administration: SMB and Windows Interoperability (Oracle Solaris 11 Information Library)
Managing SMB Shares in This Release

You can add, view, and update SMB shares. A directory must exist before it can be shared. For more information about SMB shares, see SMB Shares.
The Oracle Solaris 11 OS introduces a new method for sharing and managing SMB and NFS shares. The zfs command has been enhanced to manage shares and share properties on Oracle Solaris ZFS file systems. The zfs command now supports SMB and NFS sharing by means of the share, sharesmb, and sharenfs properties.
The legacy sharemgr command is no longer available to manage SMB shares. Instead, use the enhanced zfs, share, and unshare commands. Also, the automatic sharing of SMB and NFS shares is managed by SMF rather than by the legacy /etc/dfs/dfstab file, which has been removed.
You can continue to use the legacy file-sharing method to manage shares on file servers that run previous versions of the Oracle Solaris OS. For information about the differences between the new and legacy file-sharing methods, see New ZFS Sharing and Legacy Share Command Summary in Oracle Solaris Administration: ZFS File Systems.
Managing SMB Shares (Task Map)

The following table points to the tasks that you can use to manage SMB shares.
How to Enable Cross-Protocol Locking

The SMB protocol assumes mandatory locking, but UNIX traditionally uses advisory locking. The Oracle Solaris OS can be configured to use mandatory locking on a per-mount basis by using the non-blocking mandatory locking (nbmand) mount option.
When set, the nbmand mount option enforces mandatory cross-protocol share reservations and byte-range locking.
When the nbmand mount option is not set, the SMB server will enforce mandatory share reservations and byte-range locking internally for all SMB clients. However, without nbmand set, there is only limited coordination with NFS and local processes.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
# mount -o nbmand=on fsname
For example, the following command sets the nbmand mount option for the ztank/myfs file system:
# mount -o nbmand ztank/myfs
When using the ZFS file system, you can also set the nbmand option when the file system is created, so that the file system uses nbmand automatically:
# zfs create -o nbmand=on fsname
The following example combines the nbmand option with the mixed-case sensitivity option:
# zfs create -o casesensitivity=mixed -o nbmand=on -o mountpoint=mntpt ztank/myfs
Note - The casesensitivity property is set to mixed by default on ZFS file systems.
How to Create an SMB Share (zfs)

This procedure describes how to use the ZFS file system's share property to create ZFS shares on the SMB server.
You can also use the share command to create shares on various file system types. See the share(1M) man page.
To create an autohome share, you must have defined autohome rules. For more information, see How to Create a Specific Autohome Share Rule.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
By default, ZFS file systems enable mixed-case mode.
# zpool create pool-name vdev
# zfs create -o nbmand=on fsname
A share name can include any alphanumeric characters, but not the characters listed here:
" / \ [ ] : | + ; , ? * =
The sharesmb property must be set to on to enable SMB sharing on the dataset.
# zfs set sharesmb=on fsname
Note - The zfs command automatically constructs the default share name in the following circumstances:
When you create the dataset and set the sharesmb property to on
When you create a share without specifying a name property value
The share name is based on the name of the dataset mount point. Any characters that are illegal for share names are replaced by an underscore (_).
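As an added example (not from the Oracle documentation), the following POSIX shell functions apply the naming rules above: one derives the default share name that zfs builds from a mount point, and one rejects a proposed share name that contains any of the listed illegal characters. The function names, including the share_property helper, are assumptions for this illustration.

```shell
# Added example (not from the Oracle Solaris documentation): derive the default
# SMB share name that zfs builds from a mount point, and validate an explicit
# share name against the illegal characters listed on this page.

# The 13 characters the page lists as illegal in a share name: " / \ [ ] : | + ; , ? * =
# (tr reads the doubled backslash as one backslash).
ILLEGAL_CHARS='"/\\[]:|+;,?*='

# default_share_name MOUNTPOINT: drop the leading "/" and replace every
# illegal character with "_", e.g. /sandbox/fs2/fs2_sub1 -> sandbox_fs2_fs2_sub1
default_share_name() {
    printf '%s\n' "${1#/}" | tr "$ILLEGAL_CHARS" '_____________'
}

# valid_share_name NAME: succeed only if NAME is non-empty and contains none
# of the illegal characters.
valid_share_name() {
    [ -n "$1" ] || return 1
    # Delete every legal character; whatever survives is illegal.
    leftover=$(printf '%s' "$1" | tr -d -c "$ILLEGAL_CHARS")
    [ -z "$leftover" ]
}

# share_property NAME PATH [EXTRA]: build the comma-separated name-value list
# that the page passes as "zfs set share=...", refusing an illegal share name.
# (The helper name is an assumption for this example.)
share_property() {
    valid_share_name "$1" || { echo "illegal share name: $1" >&2; return 1; }
    printf 'name=%s,path=%s,prot=smb%s\n' "$1" "$2" "${3:+,$3}"
}

default_share_name /sandbox/fs1                    # sandbox_fs1
share_property myshare /mntpnt/dir guestok=true    # name=myshare,path=/mntpnt/dir,prot=smb,guestok=true
```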
Use the zfs command to set the share property, which is used to create one or more shares per dataset. The share property value is a comma-separated list of name-value pairs that define a share. See the zfs(1M) man page.
The shares are stored in the .zfs/shares directory of the dataset's mount point.
Use the ls command to show the share-level ACLs on these entries. Use the chmod command to modify the share-level ACLs on the entries in this directory. See the ls(1) and chmod(1) man pages.
For example, you must specify at least the name, path, and protocol properties to create a share:
# zfs set share=name=myshare,path=/mntpnt/directory,prot=smb pool-name/fsname
For more information about SMB share properties, see Share Properties, and the share_smb(1M), share(1M), and zfs(1M) man pages.
The following command creates a new share with the client-side caching policy set to auto:
# zfs set share=name=smb_share,path=/mntpnt/dir2,prot=smb,csc=auto tank/home
name=smb_share,path=/mntpnt/dir2,prot=smb,csc=auto
You can also add properties to existing shares. The following command sets the guest access policy of the share that was created by the previous command to true:
# zfs set share=name=smb_share,prot=smb,guestok=true tank/home
name=smb_share,path=/mntpnt/dir2,prot=smb,csc=auto,guestok=true
The /etc/dfs/sharetab file contains information about all active shares on the system.
# cat /etc/dfs/sharetab
/admins ashare smb csc=auto,guestok=true
Example 3-3 Inherited SMB Sharing for ZFS File Systems in a Pool
The following commands create a pool and enable SMB sharing for that pool. When you create the ZFS file systems in that pool, the file systems inherit SMB sharing.
# zpool create sandbox -o sharesmb=on c0t3d0
# zfs create -o nbmand=on sandbox/fs1
# zfs create -o nbmand=on sandbox/fs2
# zfs get -r share sandbox
NAME         PROPERTY  VALUE                                         SOURCE
sandbox      share     name=sandbox,path=/sandbox,prot=smb           local
sandbox/fs1  share     name=sandbox_fs1,path=/sandbox/fs1,prot=smb   local
sandbox/fs2  share     name=sandbox_fs2,path=/sandbox/fs2,prot=smb   local
Example 3-4 SMB Sharing for a ZFS File System
The following commands create a ZFS pool and a mixed-case file system that supports cross-protocol locking and SMB sharing:
# zpool create sandbox c0t3d0
# zfs create -o nbmand=on -o sharesmb=on sandbox/fs1
The ZFS file system constructs the share name based on the dataset mount point when the share is created by setting sharesmb=on. Any illegal characters in the share name are replaced by an underscore (_). In this example, the share name sandbox_fs1 is based on the dataset mount point sandbox/fs1.
The zfs get share command lists all shares that are defined on a mounted file system.
# zfs get share sandbox/fs1
NAME         PROPERTY  VALUE                                         SOURCE
sandbox/fs1  share     name=sandbox_fs1,path=/sandbox/fs1,prot=smb   local
You can also view the list of active shares on the system from the /etc/dfs/sharetab file.
The following commands create another file system in the sandbox pool called fs2, associate the file system with the myshare share name, and enable SMB sharing:
# zfs create -o nbmand=on sandbox/fs2
# zfs set share=name=myshare,path=/sandbox/fs2,prot=smb sandbox/fs2
name=myshare,path=/sandbox/fs2,prot=smb
# zfs set sharesmb=on sandbox/fs2
You can use the zfs get command to view the sharesmb and share property values for the sandbox pool.
# zfs get -r sharesmb sandbox
NAME         PROPERTY  VALUE  SOURCE
sandbox      sharesmb  off    default
sandbox/fs1  sharesmb  on     local
sandbox/fs2  sharesmb  on     local
# zfs get -r share sandbox
NAME         PROPERTY  VALUE                                         SOURCE
sandbox/fs1  share     name=sandbox_fs1,path=/sandbox/fs1,prot=smb   local
sandbox/fs2  share     name=myshare,path=/sandbox/fs2,prot=smb       local
You can also see the list of all active shares on the system by viewing the /etc/dfs/sharetab file.
The following command creates a child file system of sandbox/fs2 called sandbox/fs2/fs2_sub1:
# zfs create -o nbmand=on sandbox/fs2/fs2_sub1
The new file system inherits the sharesmb property from its parent, sandbox/fs2, which causes a new default share to be created.
# zfs get share sandbox/fs2/fs2_sub1
NAME                  PROPERTY  VALUE                                                          SOURCE
sandbox/fs2/fs2_sub1  share     name=sandbox_fs2_fs2_sub1,path=/sandbox/fs2/fs2_sub1,prot=smb  local
You can also see the list of all active shares on the system by viewing the /etc/dfs/sharetab file.
If you disable SMB sharing for sandbox/fs2, that file system and its children are affected.
# zfs set sharesmb=off sandbox/fs2
# zfs get -r sharesmb sandbox/fs2
NAME                  PROPERTY  VALUE  SOURCE
sandbox/fs2           sharesmb  off    local
sandbox/fs2/fs2_sub1  sharesmb  off    inherited from sandbox/fs2
Note that disabling the sharesmb property only unpublishes the shares but does not remove the share definitions. The /etc/dfs/sharetab file shows that only the sandbox_fs1 share is still published, while the myshare and sandbox_fs2_fs2_sub1 shares still exist but are no longer published.
# cat /etc/dfs/sharetab
/sandbox/fs1 sandbox_fs1 smb -
# zfs get -r share sandbox
NAME                  PROPERTY  VALUE                                                          SOURCE
sandbox/fs1           share     name=sandbox_fs1,path=/sandbox/fs1,prot=smb                    local
sandbox/fs2           share     name=myshare,path=/sandbox/fs2,prot=smb                        local
sandbox/fs2/fs2_sub1  share     name=sandbox_fs2_fs2_sub1,path=/sandbox/fs2/fs2_sub1,prot=smb  local
Example 3-5 Using ls and chmod to Manage SMB Share-Level ACLs
The following example shows how to view the share-level ACLs on SMB shares in the .zfs/shares directory. This example also shows how to use the chmod command to modify the ACLs on these shares. Finally, the example shows how to verify that the ACL has been correctly updated by using the ls command. For more information about using the chmod command to modify ACLs, see the chmod(1) man page.
This example shows how you can manage share ACLs on an Oracle Solaris system. However, it is best practice to use Windows utilities to manage share ACLs.
The ACLs are stored on resources located in the .zfs/shares subdirectory in the root of the shared file system. In this example, the shared file system is /zpool/cosmos and one resource, pluto, is stored in the .zfs/shares directory for this file system.
After changing to the /zpool/cosmos/.zfs/shares directory, you can use the ls -lv command to view the ACL information on the resources in that directory.
# cd /zpool/cosmos/.zfs/shares
# ls -lv
total 2
----------+  1 root  root  0 Feb  8 18:35 pluto
     0:everyone@:read_data/write_data/append_data/read_xattr/write_xattr
         /execute/delete_child/read_attributes/write_attributes/delete
         /read_acl/write_acl/write_owner/synchronize:allow
The ls -lv output shows that the pluto resource is owned by the root user and the root group. The everyone ACL entry covers all other users who are not the root user or part of the root group. The everyone ACL entry shows that everyone has all access privileges, which is the default.
Next, use the chmod command to add a user, terry, who only has read access to the pluto resource. After running the chmod command, the ls -lv command shows you the new ACL entry for user terry. Note that the ACL entry for everyone is unchanged.
# chmod A+user:terry:read_data/read_xattr/read_attributes/read_acl:allow pluto
# ls -lv
total 2
-rwxrwxrwx+  1 root  root  0 Feb  8 18:35 pluto
     0:user:terry:read_data/read_xattr/read_attributes/read_acl:allow
     1:everyone@:read_data/write_data/append_data/read_xattr/write_xattr
         /execute/delete_child/read_attributes/write_attributes/delete
         /read_acl/write_acl/write_owner/synchronize:allow
Use the chmod command to modify the ACL entry for user terry to permit all access privileges. Now, the ls -lv command shows that the ACL entry for user terry has been updated to have all access privileges.
# chmod A0=user:terry:read_data/write_data/append_data/read_xattr/ \
write_xattr/execute/delete_child/read_attributes/write_attributes/delete/ \
read_acl/write_acl/write_owner/synchronize:allow pluto
# ls -lv
total 2
-rwxrwxrwx+  1 root  root  0 Feb  8 18:35 pluto
     0:user:terry:read_data/write_data/append_data/read_xattr/write_xattr
         /execute/delete_child/read_attributes/write_attributes/delete
         /read_acl/write_acl/write_owner/synchronize:allow
     1:everyone@:read_data/write_data/append_data/read_xattr/write_xattr
         /execute/delete_child/read_attributes/write_attributes/delete
         /read_acl/write_acl/write_owner/synchronize:allow
How to Enable Guest Access to an SMB Share

When you have guest access to a share, you are permitted access to the share even if you are not a regular user of the system. You do not need to present credentials for authentication to gain access to that share.
The SMB server uses the guestok share property to specify whether guest access is permitted for a given share. If guestok is set to true, guest access is enabled. If guestok is not defined or is set to false, guest access is disabled. By default, guest access is disabled.
This procedure shows how to use the zfs command to enable guest access, but you can also use the share command for other file system types. See the share(1M) man page.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
# zfs set share=name=share-name,path=/mntpnt/ds,prot=smb,guestok=true pool/dataset
Example 3-6 Setting the guestok Property to Enable Guest Access to an SMB Share
The following example uses the zfs command to enable guest access for the myshare share:
# zfs set share=name=myshare,path=/mntpnt/dir,prot=smb,guestok=true tank/home
name=myshare,path=/mntpnt/dir,prot=smb,guestok=true
If you attempt a connection to an SMB server without an account name or a valid account, the request is interpreted as a guest connection. Such a connection is not authenticated unless the guest account has a password. Windows systems typically use a predefined local account called Guest to represent guest connections. Note that this account can be renamed. In the Oracle Solaris OS, you can define an idmap name-based rule to map the Guest Windows user to any local Oracle Solaris user name, such as guest or nobody.
The following command creates a name-based mapping between the Windows user, Guest, and the Oracle Solaris user, guest:
# idmap add winname:Guest unixuser:guest
If the local account has an SMB password in the /var/smb/smbpasswd file, the guest connection is authenticated against that password. Any connection over SMB that is made by using an account that maps to the local guest account is designated as a guest connection. In the absence of an idmap rule for Guest, an ephemeral ID is generated for this Windows account by the idmap service.
How to Enable Access-Based Enumeration for a Share

The access-based enumeration (ABE) feature filters directory content based on the access granted to the user who is browsing the directory. This feature is compatible with the Windows ABE feature.
When ABE filtering is enabled, you see only the files and directories to which you have access. This behavior has benefits such as the following:
It is easier to find files in directories that contain many files by reducing the number of files shown in the listing.
An “out-of-sight, out-of-mind” policy is implemented.
ABE filtering is managed on a per-share basis by using the zfs command to set the Boolean abe property. See the zfs(1M) man page.
ABE filtering is also supported on autohome shares. See the smbautohome(4) man page.
Note - With ABE filtering enabled, you still might see files in a directory listing that you cannot open. For example, if you have the ability to read the attributes of a file, ABE filtering shows the file in the directory listing, but you will be denied access if you attempt to open the file for reading or writing. Also, user privileges might result in files being shown, even though the ACL appears to deny all access.
When abe=true, ABE filtering is enabled on the share. Any directory entries to which you have no access are omitted from directory listings. When abe=false or is not defined, ABE filtering is not performed on the share. By default, the abe property is not defined.
This procedure shows how to use the zfs command to enable ABE filtering for a share, but you can also use the share command for other file system types. See the share(1M) man page.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
# zfs set share=name=share-name,path=/mntpnt/dir,prot=smb,abe=true pool/dataset
For example, the following command enables ABE filtering for the new myshare share:
# zfs set share=name=myshare,path=/mntpnt/dir,prot=smb,abe=true tank/home
name=myshare,path=/mntpnt/dir,prot=smb,abe=true
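The guestok and abe properties described in the two procedures above, together with the /etc/dfs/sharetab layout shown earlier (path, share name, file system type, options), are what an administrator checks when reviewing which published shares accept unauthenticated connections or expose full directory listings. The following POSIX shell functions are an added example, not part of the Oracle documentation; the function names and the sharetab sample are constructed assumptions.

```shell
# Added example (not from the Oracle Solaris documentation): audit the SMB
# shares listed in a sharetab file. Columns, as shown on this page:
#   path  share-name  fstype  options   ("-" when the share has no options)

# Constructed sample of /etc/dfs/sharetab (not captured from a real system).
SAMPLE_SHARETAB='/sandbox/fs1 sandbox_fs1 smb -
/admins ashare smb csc=auto,guestok=true
/files/acme.sales.logs acme_sales_logs smb rw=mercury:venus,ro=mars,none=neptune
/export/home home nfs rw
/mntpnt/dir myshare smb abe=true,csc=disabled'

# share_opt OPTIONS KEY: print the value of KEY from a comma-separated
# name=value list (the format of the share property and of the sharetab
# options column), or nothing when KEY is absent.
share_opt() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= -v k="$2" '$1 == k { print $2; exit }'
}

# guest_smb_shares < sharetab: names of SMB shares with guestok=true.
# These accept connections without credentials, so each one should be an
# intentional decision rather than a leftover.
guest_smb_shares() {
    awk '$3 == "smb" && $4 ~ /(^|,)guestok=true(,|$)/ { print $2 }'
}

# unfiltered_smb_shares < sharetab: SMB shares without abe=true, where every
# connected user sees the full directory listing regardless of ACLs.
unfiltered_smb_shares() {
    awk '$3 == "smb" && $4 !~ /(^|,)abe=true(,|$)/ { print $2 }'
}

# audit_smb_shares < sharetab: one summary line per published SMB share.
audit_smb_shares() {
    awk '$3 == "smb" {
        guest = ($4 ~ /(^|,)guestok=true(,|$)/) ? "yes" : "no"
        abe   = ($4 ~ /(^|,)abe=true(,|$)/)     ? "yes" : "no"
        printf "%-18s %-24s guest=%-3s abe=%s\n", $2, $1, guest, abe
    }'
}

printf '%s\n' "$SAMPLE_SHARETAB" | audit_smb_shares
```

On a live system the functions read the real file, for example `guest_smb_shares < /etc/dfs/sharetab`.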
How to Modify SMB Share Properties (zfs)

Use this procedure to change properties on a share.
This procedure shows how to use the zfs command to modify share properties, but you can also use the share command for other file system types. See the share(1M) man page.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
# zfs get share tank/home
NAME       PROPERTY  VALUE                                                     SOURCE
tank/home  share     name=home,path=/tank/home,prot=smb,guestok=true,csc=auto  tank/home
For example, first change the guestok property to false.
# zfs set share=name=home,guestok=false tank/home
name=home,path=/tank/home,prot=smb,guestok=false,csc=auto
Then, change the value of the csc property from auto to disabled.
# zfs set share=name=home,prot=smb,csc=disabled tank/home
name=home,path=/tank/home,desc=HOME,prot=smb,guestok=true,csc=disabled
How to Remove an SMB Share (zfs)

This procedure describes how to remove an SMB share. When you remove an SMB share, the definition of the share is removed from the server. You can re-create the share with the zfs command.
This procedure shows how to use the zfs command to remove a share, but you can also use the unshare command for other file system types. See the unshare(1M) man page.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
# zfs set -c share=name=share-name pool/dataset
For example, the following command removes the share_sales1 share from the tank/sales dataset:
# zfs set -c share=name=share_sales1 tank/sales
share 'share_sales1' was removed
How to Create a Specific Autohome Share Rule

The autohome share feature eliminates the administrative task of defining and maintaining home directory shares for each user that accesses the system through the SMB protocol. The system creates autohome shares when a user logs in, and removes them when the user logs out. This procedure describes how to configure autohome shares by adding rules to a configuration file.
For information about the smbautohome format, see Autohome Entries and the smbautohome(4) man page.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
An autohome entry must be on a single line in the following format:
key location [container]
key
    Usually this field is a user name, but it can also be one of the following:
    +nsswitch – Uses the naming service to match users to home directories if no rule matches.
    Asterisk (*) – Matches a user name to a home directory that uses the same name.
location
    Specify the absolute path excluding the user name, or use one of the following substitution characters:
    Question mark (?) – Substitutes for the first character of the user name.
    Ampersand (&) – Substitutes for a complete user name.
    For example, the following rule maps to /home/a/amy:
    amy /home/?/&
For more information about the path, see Autohome Shares.
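An added example, not from the Oracle documentation: the following POSIX shell functions apply the key and location rules above to a constructed smbautohome-style rule set. They assume that rules are evaluated in file order with the first matching key winning and that lines starting with "#" are comments; +nsswitch cannot be resolved offline, so it is reported as a deferral to the naming service.

```shell
# Added example (not from the Oracle Solaris documentation): resolve a user's
# autohome share path from "key location [container]" rules as described above.

# Constructed smbautohome-style rules (not a real configuration file).
SAMPLE_RULES='# constructed sample
amy /home/?/&
bob /export/home/& bobshare
* /home/&
+nsswitch'

# autohome_expand LOCATION USER: replace "?" with the first character of USER
# and "&" with the whole USER. Done character by character in pure shell so
# that neither "?" nor "&" needs escaping for sed or awk.
autohome_expand() {
    loc=$1
    user=$2
    first=$(printf '%s' "$user" | cut -c1)
    out=""
    while [ -n "$loc" ]; do
        c=${loc%"${loc#?}"}        # first character of the remaining location
        loc=${loc#?}
        case $c in
            '?') out="$out$first" ;;
            '&') out="$out$user" ;;
            *)   out="$out$c" ;;
        esac
    done
    printf '%s\n' "$out"
}

# autohome_resolve RULES USER: RULES is the text of the rule file. Assumption:
# rules are checked in file order and the first key equal to USER or "*" wins.
# Prints the expanded home path; prints "+nsswitch" when no rule matched but a
# +nsswitch entry defers the lookup to the naming service; fails otherwise.
autohome_resolve() {
    rules=$1
    user=$2
    loc=$(printf '%s\n' "$rules" | awk -v u="$user" '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        $1 == u || $1 == "*" { print $2; exit }')
    if [ -n "$loc" ]; then
        autohome_expand "$loc" "$user"
    elif printf '%s\n' "$rules" | awk '$1 == "+nsswitch" { found = 1 } END { exit !found }'; then
        echo '+nsswitch'
    else
        return 1
    fi
}

autohome_resolve "$SAMPLE_RULES" amy      # /home/a/amy
```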
This procedure describes how to use the ZFS file system's share property to restrict access to a share based on a client's host address. This feature is known as host-based access control.
For more information about the access control mechanisms that are used for shares, see Access Control to Shares.
This procedure shows how to use the zfs command to restrict client host access, but you can also use the share command for other file system types. See the share(1M) man page.
A client host is permitted to have only one of the following types of access to a share:
Read-only access
Read-write access
No access
For information about access lists, see the share_smb(1M) man page.
For more information, see How to Obtain Administrative Rights in Oracle Solaris Administration: Security Services.
# zfs set share=name=name,path=pathname,prot=smb,ro=hostname[:hostname] pool/dataset
# zfs set share=name=name,path=pathname,prot=smb,rw=hostname[:hostname] pool/dataset
# zfs set share=name=name,path=pathname,prot=smb,none=hostname[:hostname] pool/dataset
hostname – A host name, a netgroup, or an IP address
pool/dataset – Name of the dataset being shared
You can specify the host access policy by combining the access settings in a single command. For example, the following command specifies how particular hosts can access the files/acme.sales.logs share. The mercury and venus hosts have read-write access, mars has read-only access, and neptune has no access.
# zfs set share=name=acme_sales_logs,path=/files/acme.sales.logs,prot=smb,\
rw=mercury:venus,ro=mars,none=neptune files/acme.sales.logs