W2K & NFSv4 ACL mapping

This post is a development of another post, SMB & NFSv4 ACL mapping. It's specific to the Windows 2000 (and later) family systems. If necessary, please, check back the aforementioned "parent" post.

My discussion will be based on the following minimal scenario:
(box-01 is a Solaris 11.3 acting as a Windows 2000 Server)
 

The graphical interface of the (directory and files) unified ACL editor (Properties | Security) seems good to manage basic settings such as: List Folder Contents, Read & Execute, Modify and Full Control. But it is impossible to get the big picture at once, it may be confusing for handling inheritance and it mixes in more complex permissions sets. The point is: it should allow us to see the permissions for all names at once, it shouldn't have the confusing Read and Write options and it should have a more objective approach (other than the confusing dimmed or grayed out checkboxes alongside the Allow inheritable... checkbox) on the inheritance status. And on top of all this, by clicking on the checkboxes on a certain order (check Modify then clear Write, you would expect to be left with Read & Execute but you don't!) it's possible to mistakenly generate unwanted special permissions.
 

Unfortunately, the design of the Advanced option, entitled Access Control Settings is also bad because it adopts horizontal scrolling (which is terrible; they don't even persist the tedious adjustments of the listview columns that someone does in order to better see all the information without scrolling) instead of more concise graphical elements and filtering, or even a resize-able dialog, in order to really help an administrator do its job. Bottom line is it's also cumbersome as the basic one. Again, unfortunately, especially because Windows is so centric on ergonomics and GUI design. It's like this area has been greatly overlooked or treated with laziness (many out there could do a lot better than that...).
 

Still similarly to what I have done for Windows NT 4.0 (and before) let's initially focus just on the permissions sets that are displayed on the basic (Properties | Security) dialog.

The first thing to note is that the legacy permission flags (R, W, X, D, P and O) have all gone. They were replaced by other 13 (frequently even more confusing) flags which have no compact names but just descriptions and are only accessible after yet another click and more scrolling and a bunch more clicks. As you can see, a nightmare (I'm still not sure if they really wanted to discourage people or hide their mess, perhaps both, but there would be better ways, but, that's Windows!). In order to help put things in order we have the following 1-1 mapping between the each NFSv4 and Windows permission flag:
 

To help even more here is a mapping for the Windows 2000 basic permission sets dialog together with each flag setting, bor for the unnamed Windows flags and the UNIX NFSv4 ACLs (for simplicity here I'm intentionally omitting the name of the associated user or group that should be prefixed to each UNIX ACL and I'm also representing the 13 Windows flags as an ordered row resulting from a counter-clockwise rotation of 90°): 

Full Control
+Modify   +Read & Execute   +List Folder Contents   +Read   +Write

                        rwxpdDaARWcCos:fd-----:allow

Modify
+Read & Execute   +List Folder Contents   +Read   +Write

                        rwxpd-aARWc--s:fd-----:allow

Read & Execute
+List Folder Contents   +Read

                        r-x---a-R-c--s:fd-----:allow

List Folder Contents

                        r-x---a-R-c--s:-d-----:allow

Read

                        r-----a-R-c--s:fd-----:allow

Write

                        -w-p---A-W---s:fd-----:allow

NOTE

The preceding series of ACLs is formatted in terms of directory permissions but the same translation applies to file permissions (except, of course, List Folder Contents) if you disregard the respective ACL inheritance flags (between both colons in my listing) which contains an f and/or d. For instance, the Full Control for a file is depicted by rwxpdDaARWcCos:-------:allow, but depending on the inheritance it may show a trailing I inheritance flag.

NOTE

If needed, the Add & Read permission set from Windows NT 4.0 (and before)  must be manually created from the scratch by adding the following two permission sets to the desired user and directory:

r-x---a-R-c--s:f-i----:allow
rwxp--aARWc--s:-d-----:allow

Which, in other words, basically means:

Read & Execute for files and
Read, Write & Execute for directories (not their contents).

NOTE

As a variation of the Add & Read permission set above it could be interesting to have the possibility to add a folder just to a certain subtree root (or share) while all other permissions are inherited (as for giving read access to a group and so on). In that case, it's assumed (of course) that amongst the inherited permissions is the Full Control for the CREATOR OWNER identity. The permission that has to be added to the desired subtree root is:

r-xp--a-R-c--s:-------:allow

Well, beyond all the above, who knows, maybe someone can devise some useful and unanticipated sort of special access, but in general what's been seen is pretty much all about that.

With the knowledge of this post, it's not necessary to resort to a Windows box in order to set meaningful permissions according to Windows by using its GUI editors. You can do it from a Solaris 11.3 shell by using chmod(1).
   

NT4 & NFSv4 ACL mapping

This post is a development of another post, SMB & NFSv4 ACL mapping. It's specific to the Windows NT 4.0 (and before) family systems. If necessary, please, check back the aforementioned "parent" post.

The graphical interface of the ACL editors (Directory Permissions and File Permissions) are powerful yet reasonably nice, simple, concise and straightforward. And I mostly like it.

Let's focus just on the permissions sets which are listed on the "second colon" of the listboxes labeled Name for each user or group to which the ACL is to be enforced.

The first thing to note is that Directories Permissions have two pairs of parenthesis while Files Permissions just have one. On the former, the first pair of parenthesis refers to the permissions that apply just to the directory (not the files in it), while the second pair of parenthesis refers to the permissions of the (current or new) files in the directory (depending on the setting of the checkbox which text is Replace Permissions on Existing Files).

The second thing to note is that most of the permissions sets that are list on the dropdown-listbox labeled Type of Access are the "standard" ones (according to Windows). Whatever deviates from these is considered a Special Access case and treated accordingly in the interface.

The third thing to note is that on this world, exactly 6 permission flags (independent among each other) are recognized and they are as follows (but there are a few caveats around their names and effective meanings as it shall become more clear on the permissions sets below):

       Permission Flag
    R  Read 
    W  Write 
    X  Execute 
    D  Delete 
    P  Change Permissions 
    O  Take Ownership

The fourth thing to note is that from the Windows GUI ACL editors there's no direct way of telling if an ACL is being inherited or not. The rule is that if you override any ACL for a file system object than then what's previously inherited is copied alongside what's been changed.

Still solely from the Windows perspective let's summarize the ("standard", except for the Special Access) permissions sets as they are recognized by the system:

For directories:
                        Permission Set 
   (None  )   (None  )  No Access
   (R_X___)   (None  )  List
   (R_X___)   (R_X___)  Read
   (_WX___)   (None  )  Add
   (RWX___)   (R_X___)  Add & Read 
   (RWXD__)   (RWXD__)  Change
   (All   )   (All   )  Full Control
   (Other )   (Other )  Special Access


For files:
                        Permission Set 
              (None  )  No Access
              (R_X___)  Read 
              (RWXD__)  Change 
              (All   )  Full Control
              (Other )  Special Access
 

Now from the UNIX NFSv4 ACLs perspective each of the above permission set (interestingly) translates into the following (for simplicity here I'm intentionally omitting the name of the associated user or group that should be prefixed to each ACL):

No Access

 (None)(None)           rwxpdDaARWcCos:f-i----:deny
                        rwxpdDaARWcCos:-d-----:deny 

List

 (RX)(Not Specified)    r-x---a-R-c--s:-d-----:allow

Read

 (RX)(RX)               r-x---a-R-c--s:f-i----:allow
                        r-x---a-R-c--s:-d-----:allow

Add

 (WX)(Not Specified)    -wxp--aA-Wc--s:-d-----:allow

Add & Read

 (RWX)(RX)              r-x---a-R-c--s:f-i----:allow
                        rwxp--aARWc--s:-d-----:allow

Change

 (RWXD)(RWXD)           rwxpd-aARWc--s:f-i----:allow
                        rwxpd-aARWc--s:-d-----:allow

Full Control

 (All)(All)             rwxpdDaARWcCos:f-i----:allow
                        rwxpdDaARWcCos:-d-----:allow

NOTE

The preceding series of ACLs is formatted in terms of directory permissions but the same translation applies to file permissions if you consider just the second pair of parenthesis and the respective ACL inheritance flags (between both colons in my listing) which contain an f but removing both the f and i. For instance, the Full Control for a file is depicted by the ACL rwxpdDaARWcCos:-------:allow

So, as one can see, for directories, except when (Not Specified) is involved, each pair of parenthesis actually translates into 2 NFSv4 ACLs, one for the directory (which contains the d flag) and another (which contains the f flag) for files (for being implictly inherited by new files or overriden in existing files within the directory, this last case depending on the checkbox which text is Replace Permissions on Existing Files).

For attempting the ultimate fine-grained ACL mapping between NT4 and UNIX I'll put the following (hopefully) final listing of this (long) post:
 

 (Special Access)(R)    r-----a-R-c--s:-------:allow

 (Special Access)(W)    -w-p---A-Wc--s:-------:allow

 (Special Access)(X)    --x---a---c--s:-------:allow

 (Special Access)(D)    ----d--------s:-------:allow

 (Special Access)(P)    -----------C-s:-------:allow

 (Special Access)(O)    ------------os:-------:allow

Well, beyond all the above, who knows, maybe someone can devise some useful and unanticipated sort of special access, but in general what's been seen is pretty much all about that.

With the knowledge of this post, it's not necessary to resort to a Windows box in order to set meaningful permissions according to Windows by using its GUI editors. You can do it from a Solaris 11.3 shell by using chmod(1).
    

SMB & NFSv4 ACL mapping

Let's take a quick look at how Windows and UNIX NFSv4 ACLs can kind of co-exist. The purpose of this post is to clear out the inevitable hurdles on mapping permissions between these two systems when a UNIX system shares something to Windows via the SMB/CIFS protocol. To be honest, much of the trouble comes from the cumbersome permission flags (or its unexpected combinations and side-effects) from Windows which may in part reveal how clumsy Windows internals are (and why it's not surprising the vast amount of bugs/flaws per month that have to be patched; a nightmare).

To focus on what matters the scenario assumes no Active Directory, Kerberos, LDAP, and so on..., just plain WORKGROUP operational mode (which implies just the weak NTLM or NTLMv2 authentication mechanisms).

First I'll take at the legacy Windows NT family, then at the next-generation Windows NT family. With the former I cover the legacy and with the later I cover the more recent releases. I think Windows had a good chance by the time of these two mentioned releases, but then it seems to have lost its path amongst a vast amount of crap that was kicked into its code base. But that's not the topic of this post!
 
Windows NT 4.0 (and before - the legacy family)
Please check the details on the post NT4 & NFSv4 ACL mapping.

Windows 2000 (and later - the next-generation family)
Please check the details on the post W2K & NFSv4 ACL mapping.
 
And by the way, what's the point of this post?

Well, Windows is "viral" (sorry, just joking, forgive me) or at least it used to be a decade ago or so and it's still inevitable to interact with it at some point in time. Worse than that, it has spread it's SMB/CIFS protocol throughout the industry and there are many platforms out there which supports it, ranging from Mac laptops to high-end storage systems. And that's why Solaris 11.3 better than ever supports SMB/CIFS protocol, specially on the server side with its SMB version 2.1 implementation which, at least for file-sharing purposes, ranks Solaris 11.3 as a fast Windows 2000 Server (or Windows NT 5.0 Server) amongst other Windows boxes, which is more than enough for most purposes on this area. One silent advantage of SMB 2.1 is it's better operation over WAN, that is, links with moderate-to-high latency. On the client side, Solaris 11.3 stays as a SMB 1.0 client, but frankly, who cares?

root@box-01:/export/project# share
IPC$                      smb   -   Remote IPC
c$       /var/smb/cvol    smb   -   Default Share
Project  /export/project  smb   -   

The GNOME desktop

The GNOME 2 desktop series, although not perfect, is great!
 

Of course it's not by chance that Oracle has selected (to keep) GNOME desktop (version 2.30.2) as the default Solaris desktop since the very first incarnation of Solaris 11 that followed OpenSolaris.

It's stable enough and has many resources that most of us will ever need and I say not even system administrators and alike. This can be perceived in many ways and even if you change worlds to take a quick ride on what happens in terms of graphical user interface since Windows NT 4.0 onwards. On the Windows side on can see how kind of crazy things turned out as Windows NT 4.0 or Windows 2000 had already most that anyone would ever really need from a desktop. Of course, there are many small improvements and niceties. But all that crap, heavy and complex stuff that on can nowadays find since Windows Vista is too distracting and mostly useless. And I prefer to say nothing about Windows 8 and Windows 10.

It's true that GNOME 3 series also seems to have lost its path giving it away to all this "modern" desktop hype that is always trying to find a new and surprising way to do the same things.

But as I mentioned above GNOME 2 series still exhibits a good enough balance amongst stability, simplicity and features. Together with the associated but yet decoupled Window system model of the X subsystem it provides a really cool desktop experience that's still better than any Windows incarnation, except by very few detail which more than compensates for the lack of flexibility on Windows.

It's more and more clear that Windows is turning into a useless toy after the great expectations and hopes it gathered with Windows NT 4.0 and Windows 2000 releases. It's shocking to note that what was once great (it's graphical user interface) is turning against itself and misleading its quality and evolution on the last decade. Sorry, no offense, on the contrary.
  
By contrast, the UNIX world, the GNU software, the X system on nVidia desktop cards, the many desktop systems (in particular GNOME 2), that Compiz plug-in (and many other great ones), have proved their value and endurance across many more years, which counts a lot because no one that needs to run something on a long term basis are willing to go through a storm of bells and whistles just for the sake of not being bored with something well established that works flawless and without a lot of security holes exposures and clumsy and tedious time-consuming monthly patching and so on...
    
I have collected a few topics that matters to me on the GNOME Desktop.
I would hope it would be useful to you as well.
   

GNOME Notification Area

The GNOME Notification Area is nice but problematic bonobo-applet.
Nice because the other bonobo-applets it contains can be very useful.
Problematic because sometimes images (or icons) fails to show properly.

Here's mine (when it's working fine):

And here it is when it's flawed (the Keyboard indicator en was painted over the Timeslider icon which didn't repainted itself appropriately; only the pt indicator is in its correct area):

Now, surprise! It's nearly impossible to customize this applet!
There's no whatsoever user-friendly way of performing it! Give up!

DNS client configuration

This is a quick web log on how to manually configure the DNS client.
I already have a few other posts on DNS but this topic was missing.
The closest I've logged was part of an AI Configuration Profile.

I assume that an active (on-line) DefaultFixed NCP is established.
The DNS server IP address is 192.168.10.1 and domain is business.corp.

If old or damaged configuration is present, the following command should probably remove any old or bad setting allowing a start over from scratch configuration such as on a fresh system with any DNS configuration:

# nscfg unconfig -v svc:/network/dns/client:default
unconfiguring DNS...
Delete customizations.
Refresh ... : .../svccfg -s .../dns/client:default refresh
successful unconfigure.

To manually configure the DNS client, perform the following:
(config/domain is unnecessary if don't run DNS on your LAN)
(for more DNS client SMF properties check resolv.conf(4))

# svccfg -s dns/client
...> listprop config/*
config/value_authorization astring     solaris.smf...
...> setprop config/nameserver = net_address: (192.168.10.1) 
...> setprop config/domain = astring: ("business.corp") 
...> listprop config/*
config/value_authorization astring     solaris.smf...
config/nameserver          net_address 192.168.10.1
config/domain              astring     business.corp
...> select default
.../dns/client:default> refresh 
.../dns/client:default> quit
 
For legacy compatibility do:
 
# nscfg export -v svc:/network/dns/client:default
exporting DNS legacy...
Looking in /etc/mnttab, for lofs mount.
Save new legacy file...
    Legacy contents identical. skip save
successful export.
No change to FMRI: svc:/network/dns/client:default

And check...

# cat /etc/resolv.conf 
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
#   DO NOT EDIT THIS FILE.  EDITS WILL BE LOST.
# See resolv.conf(4) for details.

domain    business.corp
nameserver    192.168.10.1
    
And to finish, of course, (if not already so) we have to tell the system to consider the above DNS client configuration on host name resolutions (I have another post with additional details about name-services/switch):

# svccfg -s name-service/switch 
...> setprop config/host = astring: "files dns" 
...> select default 
.../name-service/switch:default> refresh 
.../name-service/switch:default> quit

Make sure the affected SMF services are running:

# svcs dns/client name-service/switch
STATE   STIME    FMRI
online  14:05:32 svc:/system/name-service/switch:default
online  14:41:07 svc:/network/dns/client:default
     
NOTE

Under Solaris 11 Express the dns/client SMF service just manages the associated daemon and doesn't hold any user configuration yet. The DNS client configuration is still done by editing the /etc/resolv.conf file directly, as usual.

  

Manual wired connection

This post is to log the most basic network setup to a Solaris 11 box.
Since Solaris 11/11 the network configuration procedure evolved.
While a lot of great things kicked in, it became more complex.
By Solaris 11.3 the procedures seems somewhat stable.

To make justice, the Solaris on-line documentation has been always great and under a continuous effort of improvement and correctness.

But when all that's required is a straightforward old and good static IP configuration to a standard wired ethernet network, the lots of new frameworks and subsystems may get in the way. The more you're in a hush, the more these small complexities can drive you mad. So, I tried to write this post as a sort of a more strait "complete" yet "minimalist" example.

As a minimum I assume:

• An on-line DefaultFixed NCP.
• A wired link that was already renamed to e0.
• Basic DNS services just for Internet access.
• Basic /etc/hosts for local host name resolution.
• The host being configured is box-01 at 192.168.10.10
• The gateway is at 192.168.10.1

CLEAN-UP

If you have some left over configuration from other scenarios or from failed attempts, you can try some of following commands in order to start over from the scratch and follow the rest of this post to the bottom:

# ipadm delete-addr e0/v4
...

# ipadm delete-ip e0
...

# route -p show
...

# route -p delete ...
...

# route flush
...
  
Visit the post DNS client configuration for its specific clean-up.

CONFIGURATION

Create the e0 ip interface over the link of the same name.
(I simply don't have any reason to use different names right now)

# ipadm create-ip e0
# ipadm show-if
IFNAME     CLASS    STATE    ACTIVE OVER
lo0        loopback ok       yes    --
e0         ip       down     no     --

Set up the static IP address to be used by the interface.
(An unambiguous /etc/hosts entry can be used instead of the IP)
(Depending on the IP, it may require a /prefixlen or /etc/netmasks)

# ipadm create-addr -T static -a 192.168.10.10 e0/v4
# ipadm show-addr
lo0/v4            static   ok           127.0.0.1/8
e0/v4             static   ok           192.168.10.10/24
lo0/v6            static   ok           ::1/128

Set up the persistent route to the default gateway to be used.
(Assume that the default gateway is at 192.168.10.1)

# route -p add default 192.168.10.1
add net default: gateway 192.168.10.1
add persistent net default: gateway 192.168.10.1

# route -p show
persistent: route add default 192.168.10.1

# grep default /etc/inet/static_routes-DefaultFixed
default 192.168.10.1

# netstat -rn -f inet 

Routing Table: IPv4
 Destination     Gateway     Flags Ref  Use   Interface
------------- -------------- ----- --- ------ ---------
default       192.168.10.1   UG      8   7774          
127.0.0.1     127.0.0.1      UH      2   2694 lo0      
192.168.10.0  192.168.10.10  U       3    196 e0       

Next, configure the DNS client accordingly.

Finally, check if you have a reasonably basic /etc/hosts in place:
   
# cat /etc/hosts
#
# ...
#
::1             localhost
127.0.0.1       localhost              loghost
#
192.168.2.10    box-01.business.corp   box-01
  

GNOME Menu Launcher

Sometimes it's nice to do small cosmetics to the GUI.
If you use a GUI it's because you value convenience, at least.

This time I'll just write down the easy setup of a GNOME Launcher as an item of the Main Menu, such as in the following example for NetBeans 8.1:

To set up that:

• Go to System | Preferences | Main Menu.
• Select Applications | Developer Tools.
• Click on the + New Item button.
• Fill in the blanks and choose an icon.
• Finish by clicking the Close button (of course!)

For instance:

 

When finished you'll see the newly configured menu item representing the launcher as per your above settings. It's just that simple!
























  

GNOME Nautilus terminals

This post is yet another example of GNOME Nautilus scripts.
Back in 2014 it seems I have forgotten to cover this handy feature.
The credits go to Oracle Solaris support team, not me.
I simply embellish the topic for the benefit of all.

Here's the recipe:

Change directories to your local GNOME configuration:

$ cd $HOME/.gnome2/nautilus-scripts

or maybe

$ cd ~/.gnome2/nautilus-scripts

Being there, create the following empty executable script:

$ touch open-in-terminal
$ chmod a+x open-in-terminal

At least under Solaris 11.3 which features Nautilus 2.30.1 under GNOME 2.30.2 is just that simple! The script can be empty and in fact any contents seems to be ignored. All that matters is the presence of the properly named script (executable) file called open-in-terminal.