
I have a fileserver running OpenIndiana, and I have multiple clients of all flavours. Windows, OSX and Linux (mainly Ubuntu). I share out some ZFS filesystems over AFP, CIFS, NFS. I understand the standard 777 style permissions on a local filesystem, and I understand ACLs to a limited extent.

What I don't understand is what happens when a sharing layer is introduced, how do permissions work then? I'm primarily interested in CIFS between Unix based systems as that's what I use mostly, but a general understanding will be great too.

To work towards an example, I have multiple application Ubuntu machines that require on-boot access to certain folder structures on a share. What would be the best way to manage their access?

devians

2 Answers


Filesystem permissions apply to local system users.

All network sharing protocols have to rely on a translation layer to convert network access credentials to local user accounts.

For larger networks it helps if this can be centralized, with LDAP or NIS or the like.

ADDED: You specifically asked about CIFS between *nix machines - well, unless both support the winbindd stuff, any permissions and ownership are limited to what is set on the mount point.

That is, sharing /mnt/foo on host A over CIFS using user Joe, only the permissions set on the mount with user=Joe on host B will be relevant.

Any permissions on the original location are subsumed by the global ones set on the mount.

adaptr

The permissions stack on top of each other.

For example: Grant Joe access to the share but not the underlying disk structure => access denied. Grant Joe access to the disk but not to the share itself => access denied. Grant Joe access to both => access granted.

This is easiest to see in a CIFS / SMB configuration.

Other products - NFS or CIFS in guest mode - may also masquerade all the inbound users under one specific account to the local file system.

Even for setups that use a guest mode the local file system still needs to provide the rights to the account associated with guest access.

Tim Brigham
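An added example, not from the question or either answer, of the client-side half for the Ubuntu boot-time case: a root-only credentials file plus an /etc/fstab entry whose uid/gid options fix which local account owns everything on the mount, which is the point made above that on a *nix CIFS mount the effective permissions are whatever the mount options say. The host "fileserver", share "appdata" and accounts "joe"/"appsvc" are placeholders.

```shell
#!/bin/sh
# Added example: client-side CIFS mount for an Ubuntu app server that needs a
# share available at boot. Names below are placeholders, not from the page.
set -eu

# Write the credentials file that mount.cifs reads, owner-only so the share
# password is not readable by other local users.
write_cred_file() {            # $1 path  $2 share user  $3 password
    umask 077
    printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
    chmod 600 "$1"
}

# Build the /etc/fstab line. uid= and gid= decide which LOCAL account owns
# every file as seen on the client; file_mode/dir_mode set the mode bits for
# all of them. _netdev waits for the network, nofail keeps boot going if the
# server is down.
fstab_line() {                 # $1 //host/share  $2 mountpoint  $3 creds  $4 uid  $5 gid
    printf '%s %s cifs credentials=%s,uid=%s,gid=%s,file_mode=0640,dir_mode=0750,_netdev,nofail 0 0\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Check that a credentials file is readable by its owner only (mode 600).
cred_file_is_private() {       # $1 path
    [ "$(stat -c %a "$1")" = "600" ]
}

# Demo into a temp dir: nothing under /etc is touched and nothing is mounted.
tmp=$(mktemp -d)
write_cred_file "$tmp/cifs-creds" joe 'example-password'
fstab_line //fileserver/appdata /mnt/appdata "$tmp/cifs-creds" appsvc appsvc
cred_file_is_private "$tmp/cifs-creds" && echo "credentials file is private"
```

The printed line is what would go into /etc/fstab on each app server, with the credentials file copied to a root-owned path such as /etc/cifs-creds.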