Managing SMB File Sharing and Windows Interoperability in Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
A shared resource, or share, is a local resource on a server that is accessible to SMB clients on the network. For the SMB server, a share is typically a directory. Each share is identified by a name on the network. An SMB client sees the share as a complete entity on the SMB server, and does not see the local directory path to the share on the server.
Note - A share and a directory are independent entities. Removing a share does not affect the underlying directory.
Shares are commonly used to provide network access to home directories on a network file server. Each user is assigned a home directory. A share is persistent and remains defined regardless of whether users are connected to the server.
The SMB server provides a special kind of share called an autohome SMB share. An autohome share is a transient share of a user's home directory that is created when a user logs in and removed when the user logs out.
When a user browses the system, only the statically defined shares and that user's own autohome share are listed.
You can use share properties to modify the attributes and behavior of an SMB share. Use the zfs set and share commands to set share properties. There are two types of share properties: global and protocol-specific.
The global share properties include the following:
desc – Specify an optional description of the share
name – Specify the name of the share
path – Specify the mount point of the share
prot – Specify the protocol of the share, such as SMB or NFS
The protocol-specific share properties for the SMB protocol include the following:
abe – Enable or disable access-based enumeration for a share
ad-container – Specify the name of an AD container in which to publish a share
catia – Specify whether to perform CATIA character substitution
csc – Set the client-side caching policy
guestok – Enable or disable guest access to a share
ro, rw, none – Set host-based access rules for a share
When you specify share properties, specify the global properties first, followed by the prot property and then by any protocol-specific properties. For more information about SMB share properties, see the share_smb(1M) man page.
To create a share, you must specify the path property. To change a global share property, specify only the global properties you want to change and not the prot property. To change protocol-specific property values, you must also specify the name and prot global share properties.
The SMB server uses the following access-control mechanisms to limit access by users, hosts, or both, to SMB shared file systems (shares):
Host-based access control limits host access to shares.
Access control lists (ACLs) limit user and group access to shares.
Host-based access control is applied first and grants or denies access to the client system. If the host is granted access, the share ACL is applied to grant or deny access to the user. Each mechanism acts as a filter, which might restrict the type of access granted based on the access-control setting.
Shares are always created with the default share ACL and, unless otherwise specified when the share is created, default host-based access control. You can apply non-default values to the share after the share is created.
Host-based access control enables you to limit the access of a host or group of hosts to an SMB share. This mechanism is a share-level access control and does not apply to local file access. By default, all hosts have full access to a share. The SMB server enforces host-based access control each time a client requests a connection to a share.
You can use the zfs set and share commands to specify host-based access control on a share. For more information, see How to Restrict Client Host Access to an SMB Share (zfs), and the share(1M) and zfs(1M) man pages.
An ACL on a ZFS share provides the same level of access control as a Windows ACL does for its shares. Each share can have an ACL that includes entries to specify which types of access are allowed or denied to users and groups. Like host-based access control, this mechanism is a share-level form of access control and does not apply to local file access.
These share ACLs are only available for ZFS shares. You can manage a ZFS share's ACL in the Oracle Solaris OS by using the chmod and ls commands. See the chmod(1) and ls(1) man pages. You can also manage these ACLs by using the Windows share management GUI on a Windows client.
Although a ZFS file system is used to store a share's ACL, the access control is enforced by the SMB server each time a client requests a connection to a share. The default ACL setting permits full access to everyone.
Note - You cannot specify an ACL on an autohome share. Autohome shares are created at runtime with a predefined, unmodifiable ACL that grants full control to the owner. Only the autohome share owner can access the share.
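The two-stage check described above, host-based access control first and then the share ACL, as an added Python model. This is example code, not Oracle Solaris code: the host names, users, groups and rules are constructed, the precedence among the ro, rw and none host lists and the Windows-style deny-wins ACL evaluation are assumptions of the model, and the only fixed points taken from the page are that a host denied at stage one never reaches the ACL, that each stage can only narrow what the other grants, and that the defaults are full access for all hosts and full control for everyone.

```python
# Added example (not Oracle Solaris code): a model of the two-stage check the
# page describes for a share connection. Stage 1, host-based access control,
# grants or denies the client host (the ro / rw / none share properties).
# Stage 2, the share ACL, grants or denies the user. Each stage is a filter
# that can narrow the rights granted; a deny at stage 1 means the ACL is never
# consulted. Host names, users, groups and rules below are constructed.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

READ, WRITE = "read", "write"
FULL = frozenset({READ, WRITE})
READ_ONLY = frozenset({READ})


@dataclass(frozen=True)
class HostRules:
    """Host-based access rules for one share (the ro, rw and none properties)."""
    ro: FrozenSet[str] = frozenset()
    rw: FrozenSet[str] = frozenset()
    none: FrozenSet[str] = frozenset()

    def rights_for(self, host: str) -> Optional[FrozenSet[str]]:
        """None means the host is denied outright.
        Assumption of this model: an explicit 'none' entry wins, then rw,
        then ro; a host named in no list keeps the page's default of full
        access. Check share(1M) for the exact precedence on a real system."""
        if host in self.none:
            return None
        if host in self.rw:
            return FULL
        if host in self.ro:
            return READ_ONLY
        return FULL


@dataclass(frozen=True)
class AclEntry:
    """One share ACL entry: principal is a user, a group, or 'everyone'."""
    principal: str
    kind: str            # "allow" or "deny"
    rights: FrozenSet[str]


# The page's default share ACL: full access to everyone.
DEFAULT_ACL: List[AclEntry] = [AclEntry("everyone", "allow", FULL)]


def acl_rights(acl: Iterable[AclEntry], user: str, groups: Iterable[str]) -> FrozenSet[str]:
    """Windows-style evaluation (assumed): collect rights from matching allow
    entries, then remove anything a matching deny entry covers (deny wins)."""
    principals = {user, "everyone", *groups}
    allowed, denied = set(), set()
    for entry in acl:
        if entry.principal not in principals:
            continue
        if entry.kind == "allow":
            allowed |= entry.rights
        elif entry.kind == "deny":
            denied |= entry.rights
        else:
            raise ValueError(f"unknown ACL entry kind: {entry.kind!r}")
    return frozenset(allowed - denied)


def effective_access(host: str, user: str, groups: Iterable[str],
                     host_rules: HostRules,
                     acl: Iterable[AclEntry] = DEFAULT_ACL) -> FrozenSet[str]:
    """Rights a connection from `host` as `user` gets on the share."""
    host_rights = host_rules.rights_for(host)
    if host_rights is None:
        return frozenset()                                  # stage 1 denied; stop here
    return host_rights & acl_rights(acl, user, groups)      # stage 2 can only narrow


# Constructed scenario: a kiosk host is read-only, a quarantined host is
# denied, and members of 'contractors' are denied write via the share ACL.
SHARE_HOSTS = HostRules(ro=frozenset({"kiosk1"}), none=frozenset({"quarantine7"}))
SHARE_ACL = DEFAULT_ACL + [AclEntry("contractors", "deny", frozenset({WRITE}))]

if __name__ == "__main__":
    for host, user, groups in [("ws9", "bob", ["staff"]),
                               ("kiosk1", "bob", ["staff"]),
                               ("ws9", "alice", ["contractors"]),
                               ("quarantine7", "bob", ["staff"])]:
        rights = sorted(effective_access(host, user, groups, SHARE_HOSTS, SHARE_ACL))
        print(f"{user}@{host}: {rights}")
```

The useful property to notice is the intersection in `effective_access`: a read-only host list cannot be widened by a generous ACL, and an ACL deny cannot be widened by an unrestricted host list, which is why the page describes each mechanism as a filter.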
The autohome share feature eliminates the administrative task of defining and maintaining home directory shares for each user that accesses the system through the SMB protocol. The system creates autohome shares when a user logs in, and removes them when the user logs out. This process reduces the administrative effort needed to maintain user accounts, and increases the efficiency of service resources.
For example, if /home is a home directory that contains subdirectories for users bob and sally, you can manually define the shares as follows:
/home/bob
/home/sally
However, defining and maintaining directory shares in this way for each user is inconvenient. Instead, you can use the autohome feature.
To configure the autohome feature, you need to specify autohome share rules. For example, if a user's home directory is /fort/sally, the autohome path is /fort. The temporary share is named sally. Note that the user's home directory name must be the same as the user's login name. See How to Create a Specific Autohome Share Rule.
When a user logs in, the SMB server looks for a subdirectory that matches the user's name based on any rules that have been specified. If the server finds a match and if that share does not already exist, the subdirectory is added as a transient share. When the user logs out, the server removes that transient share.
Some Windows clients log a user out after 15 minutes of inactivity, which results in the autohome share disappearing from the list of defined shares. This behavior is expected for SMB autohome shares. Even after an SMB autohome share is removed, the share reappears when the user attempts to access the system (for example, in an Explorer window).
Note - All autohome shares are removed when the SMB server is restarted.
The SMB server can automatically share home directories when an SMB client connects. The autohome map file, /etc/smbautohome, uses the search options and rules to determine whether to share a home directory when an SMB client connects to the server.
For example, the following entries specify the autohome rules for a particular environment:
+nsswitch dc=ads,dc=oracle,dc=com,ou=users
jane /home/?/& dc=ads,dc=oracle,dc=com,ou=users
The nsswitch autohome entry uses the naming service to match users to home directories. The second autohome entry specifies that the home directory for user jane is /home/j/jane.
A map entry, also referred to as a mapping, uses the following format:
key location [ container ]
key is a user name, location is the fully qualified path for the user's home directory, and container is an optional AD container.
If you intend to publish the share in AD, you must specify an AD container name, given as a comma-separated list of attribute name-value pairs. The attributes use the Lightweight Directory Access Protocol (LDAP) distinguished name (DN) or relative distinguished name (RDN) format.
The DN or RDN must be specified in LDAP format by using the following prefixes:
cn= represents the common name.
ou= represents the organizational unit.
dc= represents the domain component.
cn=, ou=, and dc= are attribute types. The attribute type used to describe an object's RDN is called the naming attribute. In AD, the naming attributes for the relevant object classes are the following:
cn for the user object class
ou for the OU (organizational unit) object class
dc for the domainDns object class
The autohome feature supports the following wildcard substitutions for the value of the key field:
The ampersand (&) is expanded to the value of the key field for the entry in which it occurs. In the following example, & expands to jane:
jane /home/&
Each question mark (?) is expanded to the first character of the key field for the entry in which it occurs. In the following example, the two question marks each expand to j, so the path is expanded to /home/jj/jane:
jane /home/??/&
When supplied in the key field, the asterisk (*) is recognized as the “catch-all” entry. Such an entry matches any key not previously matched.
For example, the following entry would map any user to a home directory in /home in which the home directory name was the same as the user name:
* /home/&
Note - The wildcard rule is only applied if an appropriate rule is not matched by another map entry.
The nsswitch map is used to request that the home directory be obtained from a password database, such as the local, NIS, or LDAP database. If an AD path is appended, it is used to publish shares.
+nsswitch
Like the “catch-all” entry, the nsswitch map is only searched if an appropriate rule is not matched by another map entry.
Note - The wildcard and nsswitch rules are mutually exclusive. Do not include an nsswitch rule if a wildcard rule has already been defined.
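The map format, the & and ? substitutions, the catch-all and nsswitch fallback rules, and the transient lifecycle of autohome shares described in the preceding sections, as one added Python resolver. This is example code, not Oracle Solaris code: the map text and the password entries are constructed, the dict standing in for the passwd/NIS/LDAP lookup is a stand-in for getpwnam, and the page's statements that explicit entries win, that * and +nsswitch are consulted only when nothing else matched and must not both be defined, and that the home directory name must equal the login name are the rules it implements.

```python
# Added example (not Oracle Solaris code): a small resolver for the
# /etc/smbautohome map format the page describes,
#     key location [ container ]
# with the '&' and '?' substitutions, the '*' catch-all, and the '+nsswitch'
# fallback to a password database, plus the transient-share lifecycle (created
# at login, removed at logout, all dropped on restart). The map text and the
# password entries below are constructed; the dict stands in for getpwnam.
from typing import Dict, List, Optional, Tuple

Rule = Tuple[str, Optional[str], Optional[str]]   # (key, location, container)
Result = Tuple[str, str, Optional[str]]           # (share name, path, container)

SAMPLE_MAP = """\
# constructed autohome map
jane /home/?/& dc=ads,dc=oracle,dc=com,ou=users
bob  /export/home/&
+nsswitch dc=ads,dc=oracle,dc=com,ou=users
"""

# Constructed stand-in for the passwd/NIS/LDAP lookup: login name -> home directory.
SAMPLE_PASSWD: Dict[str, str] = {
    "sally": "/fort/sally",
    "jane": "/other/jane",          # ignored: the explicit 'jane' entry wins
    "tmpuser": "/var/tmp/scratch",  # rejected: directory name != login name
}


def parse_map(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] == "+nsswitch":   # location comes from the password database
            rules.append(("+nsswitch", None, fields[1] if len(fields) > 1 else None))
        elif len(fields) >= 2:
            rules.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
        else:
            raise ValueError(f"malformed autohome entry: {line!r}")
    return rules


def expand(location: str, key: str) -> str:
    """'&' -> the whole key, '?' -> its first character, for every occurrence."""
    return "".join(key if ch == "&" else key[0] if ch == "?" else ch for ch in location)


def _share(user: str, path: str, container: Optional[str]) -> Optional[Result]:
    # Page requirement: the home directory name must equal the login name,
    # because the transient share is named after the user.
    if path.rstrip("/").rsplit("/", 1)[-1] != user:
        return None
    return user, path, container


def resolve(rules: List[Rule], user: str, passwd: Dict[str, str]) -> Optional[Result]:
    """Explicit entries first; '*' and '+nsswitch' only when nothing matched."""
    for key, location, container in rules:
        if key not in ("*", "+nsswitch") and key == user:
            return _share(user, expand(location, user), container)
    wildcard = [r for r in rules if r[0] == "*"]
    nsswitch = [r for r in rules if r[0] == "+nsswitch"]
    if wildcard and nsswitch:
        raise ValueError("wildcard and +nsswitch rules are mutually exclusive")
    if wildcard:
        _, location, container = wildcard[0]
        return _share(user, expand(location, user), container)
    if nsswitch:
        home = passwd.get(user)
        return None if home is None else _share(user, home, nsswitch[0][2])
    return None


class AutohomeShares:
    """Transient shares keyed by share name (the user's login name)."""
    def __init__(self, rules: List[Rule], passwd: Dict[str, str]) -> None:
        self.rules, self.passwd = rules, passwd
        self.shares: Dict[str, str] = {}

    def login(self, user: str) -> Optional[str]:
        hit = resolve(self.rules, user, self.passwd)
        if hit is None:
            return None
        name, path, _ = hit
        self.shares.setdefault(name, path)   # not re-added if it already exists
        return path

    def logout(self, user: str) -> None:
        self.shares.pop(user, None)

    def restart(self) -> None:
        self.shares.clear()                  # page: all autohome shares are removed

    def visible_to(self, user: str, static_shares: List[str]) -> List[str]:
        """What a browsing user sees: static shares plus only their own autohome share."""
        own = [user] if user in self.shares else []
        return sorted(set(static_shares) | set(own))
```

Note that with this map the explicit `jane` entry is used even though the password database also knows jane, and `sally` is served only through `+nsswitch`; swapping the order of lines in the map changes nothing, because precedence comes from the kind of entry, not its position.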