Go to main content

Managing SMB File Sharing and Windows Interoperability in Oracle® Solaris 11.3

Exit Print View

Updated: December 2017
 
 

Managing SMB Shares

You can add, view, and update SMB shares. A directory must exist before it can be shared. For more information about SMB shares, see SMB Shares.

The Oracle Solaris 11 OS introduced a new method for sharing and managing SMB and NFS shares. The zfs command has been enhanced to manage shares and share properties on Oracle Solaris ZFS file systems. The zfs command supports SMB and NFS sharing by means of the share, share.smb, and share.nfs properties. For information about Oracle Solaris 11 command syntax, see Sharing and Unsharing ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.3.

The legacy sharemgr command is no longer available to manage SMB shares. Instead, use the enhanced zfs, share, and unshare commands. Also, the automatic sharing of SMB and NFS shares is managed by SMF rather than by the legacy /etc/dfs/dfstab file, which has been removed.

You can continue to use the legacy file-sharing method to manage shares on file servers that run previous versions of the Oracle Solaris OS. For information about the differences between the new and legacy file-sharing methods, see Sharing and Unsharing ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.3.

Managing SMB Shares (Task Map)

The following table points to the tasks that you can use to manage SMB shares.

Task
Description
For Instructions
Enable cross-protocol locking.
Use the mount or the zfs create command to enable cross-protocol locking by setting the nbmand option.
Create an SMB share by using the ZFS file system's share property.
Makes a dataset available to clients.
Modify the properties of an SMB share by using the share command.
Changes share property values.
Enable guest access to an SMB share.
Use the zfs command to enable guest access for a specified share by setting the guestok property.
Enable access-based enumeration (ABE) for an SMB share.
Use the zfs command to enable ABE filtering for a specified share by setting the abe property to true.
Remove an SMB share by using the unshare command.
When you remove a share, it can no longer be accessed by a system.
Create an autohome share rule.
Specify custom share rules for autohome shares.
Restrict host access to a share by using the ZFS file system share property.
Use this procedure to restrict access to a client host in one of the following ways: read-write access, read-only access, or no access. You might use this procedure if you are familiar with the ZFS file system sharenfs property.

About Cross-Protocol Locking

The SMB protocol assumes mandatory locking, but UNIX traditionally uses advisory locking. The Oracle Solaris OS can be configured to use mandatory locking on a per mount basis by using the non-blocking mandatory locking (nbmand) mount option.

When set, the nbmand mount option enforces mandatory cross-protocol share reservations and byte-range locking.

When the nbmand mount option is set, the SMB server enforces mandatory share reservations and byte-range locking internally for all SMB clients. If the nbmand mount option is not set, there is limited coordination with NFS and local processes.

How to Enable Cross-Protocol Locking

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  2. Set the nbmand mount option for an existing file system by using one of the following methods:
    • Set the option by using the zfs create command.

      When using the ZFS file system, you can also set the nbmand option when the file system is created so that the file system uses nbmand automatically:

      # zfs create -o nbmand=on pool/dataset

      The following example combines the nbmand option with the mixed-case sensitivity option:

      # zfs create -o casesensitivity=mixed -o nbmand=on -o mountpoint=mntpt ztank/myfs

      Note -  The casesensitivity property is set to mixed by default on ZFS file systems.
    • Set the option by using the zfs set command.
      # zfs set nbmand=on pool/dataset

      For example, the following command sets the nbmand option for the ztank/myfs file system:

      # zfs set nbmand=on ztank/myfs

      Note -  The nbmand property takes effect only after the file system is unmounted and remounted.

Creating and Modifying SMB Shares

When you are using SMB, create a mixed-mode ZFS file system, which is the default. If you have both NFS and SMB clients using a mixture of different character sets on the same file system, you might also want to set the utf8only property and consider specifying the charset=access-list NFS share property.

The share.smb property can be set to on or off. Specifying share.smb=on during dataset creation shares the dataset with the default share properties.

How to Create an SMB Share (zfs)

This procedure describes how to use the ZFS file system's share property to create ZFS shares on the SMB server.

You can also use the share command to create shares on various file system types. See the share(1M) man page.

To create an autohome share, you must have defined autohome rules. For more information, see How to Create a Specific Autohome Share Rule.

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  2. Create a ZFS pool and a mixed-case ZFS file system that supports cross-protocol locking.

    By default, ZFS file systems enable mixed-case mode.

    # zpool create pool vdev
    # zfs create -o nbmand=on pool/dataset

    A share name can include any alphanumeric characters, but not the characters listed here:

    " / \ [ ] : | + ; , ? * =
  3. Enable SMB sharing for the ZFS file system on the dataset or on individual specified shares.

    To enable SMB sharing on the dataset, set the share.smb property to on.

    # zfs set share.smb=on pool/dataset

    To enable SMB sharing on individual named shares, first set share.smb=off on the dataset and then set share.smb=on on the individual shares.


    Note -  The zfs command automatically constructs the default share name which is based on the name of the dataset mount point. Any characters that are illegal for share names are replaced by an underscore (_).
  4. (Optional) Create an SMB share that has non-default property values or an SMB share for a directory other than the mount point of the dataset.
    # zfs share -o share.smb=on pool/dataset%share-name

    Use the zfs command to set share properties. See the zfs(1M) man page.

    Share properties are stored as ZFS dataset properties, and the share ACL for each share is stored in the .zfs/shares directory of the dataset.

    Use the ls command to show the share-level ACLs on these entries. Use the chmod command to modify the share-level ACLs on the entries in this directory. See the ls(1) and chmod(1) man pages.

    For example, create the dataset and share:

    # zfs create -o mountpoint=/users tank/users
    # zfs share -o share.smb=on tank/users%ushare
  5. (Optional) Specify additional SMB share properties.

    For more information about SMB share properties, see SMB Share Properties, and the share_smb(1M), share(1M), and zfs(1M) man pages.

  6. Verify how the file system is shared by using one of the following methods:
    • Use the zfs get command.
      # zfs get share.smb.all tank/admins%ashare
      NAME                PROPERTY                VALUE  SOURCE
      tank/admins%ashare  share.smb.abe           off    default
      tank/admins%ashare  share.smb.ad-container         default
      tank/admins%ashare  share.smb.catia         off    default
      tank/admins%ashare  share.smb.csc           auto   local
      tank/admins%ashare  share.smb.dfsroot       off    default
      tank/admins%ashare  share.smb.guestok       on     local
      tank/admins%ashare  share.smb.none                 default
      tank/admins%ashare  share.smb.ro                   default
      tank/admins%ashare  share.smb.rw                   default
    • Use the share command.
      # share
      IPC$     smb     -       Remote IPC
      ashare  /admins  smb     csc=auto,guestok=true
    • View the /etc/dfs/sharetab file.
      # cat /etc/dfs/sharetab
      -       IPC$   smb - Remote IPC
      /admins ashare smb guestok,csc=auto
Example 8  Creating a Share With the Client-Side Caching Policy Set to auto

The following command creates a new share with the client-side caching policy set to auto:

# zfs create -o mountpoint=/admins tank/admins
# zfs share -o share.smb=on -o share.smb.csc=auto tank/admins%ashare

You can also add properties to existing shares. The following command sets the guest access policy of the share that was created by the previous command to true:

# zfs set share.smb.guestok=on tank/admins%ashare
Example 9  Inherited SMB Sharing for ZFS File Systems in a Pool

For information about ZFS share property inheritance, see Sharing and Unsharing ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.3.

The following commands create a pool and enable SMB sharing for that pool. When you create the ZFS file systems in that pool, the file systems inherit SMB sharing.

# zfs create rpool/admins/user1
# zfs create rpool/admins/user2
# zfs set share.smb=on rpool/admins
# zfs get -r share.smb rpool/admins
NAME                 PROPERTY   VALUE  SOURCE
rpool/admins         share.smb  on     local
rpool/admins%        share.smb  on     inherited from rpool/admins
rpool/admins/user1   share.smb  on     inherited from rpool/admins
rpool/admins/user1%  share.smb  on     inherited from rpool/admins
rpool/admins/user2   share.smb  on     inherited from rpool/admins
rpool/admins/user2%  share.smb  on     inherited from rpool/admins
# zfs set share.smb=off rpool/admins/user2
# zfs get -r share.smb rpool/admins
NAME                 PROPERTY   VALUE  SOURCE
rpool/admins         share.smb  on     local
rpool/admins%        share.smb  on     inherited from rpool/admins
rpool/admins/user1   share.smb  on     inherited from rpool/admins
rpool/admins/user1%  share.smb  on     inherited from rpool/admins
rpool/admins/user2   share.smb  off    local
Example 10  SMB Sharing for a ZFS File System

The following commands create a ZFS pool and a mixed-case file system that supports cross-protocol locking and SMB sharing:

# zpool create system1 c0t3d0
# zfs create -o share.smb=on -o nbmand=on system1/fs1

In this example, the share name system1_fs1 is based on the dataset mount point system1/fs1.

The zfs get -r share.smb command lists all shares that are defined on a mounted file system.

# zfs get -r share.smb system1/fs1
NAME          PROPERTY   VALUE  SOURCE
system1/fs1   share.smb  on     local
system1/fs1%  share.smb  on     inherited from system1/fs1

You can also view the list of active shares on the system from the /etc/dfs/sharetab file.

The zfs get command shows a subset of the share properties:

# zfs get share.smb.all system1/fs1%
NAME          PROPERTY                VALUE  SOURCE
system1/fs1%  share.smb.abe           off    default
system1/fs1%  share.smb.ad-container         default
system1/fs1%  share.smb.catia         off    default
system1/fs1%  share.smb.csc                  default
system1/fs1%  share.smb.dfsroot       off    default
system1/fs1%  share.smb.guestok       off    default
system1/fs1%  share.smb.none                 default
system1/fs1%  share.smb.ro                   default
system1/fs1%  share.smb.rw                   default

To view the local and inherited share properties, use the following command:

# zfs get -rs local,inherited -e share.smb.all system1
NAME                 PROPERTY           VALUE      SOURCE
system1/fs1          share.smb.guestok  on         local
system1/fs1%         share.smb.guestok  on         inherited from system1/fs1
system1/fs2          share.smb.guestok  on         local
system1/fs2          share.smb.ro       otherhost  local
system1/fs2          share.smb.rw       myhost     local
system1/fs2%myshare  share.smb.guestok  on         inherited from system1/fs2
system1/fs2%myshare  share.smb.ro       otherhost  inherited from system1/fs2
system1/fs2%myshare  share.smb.rw       myhost     inherited from system1/fs2

To view all the share properties, use the following command:

# zfs get share.all system1/fs1%
NAME          PROPERTY         VALUE         SOURCE
system1/fs1%  share.desc                     default
system1/fs1%  share.name       system1_fs1   -
system1/fs1%  share.nfs        off           default
system1/fs1%  share.nfs.*      ...           default
system1/fs1%  share.path                     default
system1/fs1%  share.point      /system1/fs1  -
system1/fs1%  share.protocols  smb           inherited from system1/fs1
system1/fs1%  share.smb        on            inherited from system1/fs1
system1/fs1%  share.smb.*      ...           default
system1/fs1%  share.state      shared        -

A property value of ... can be expanded further by using the .all keyword. For example, you can view the share.smb.* properties by using the following command:

# zfs get share.smb.all system1/fs1%
NAME          PROPERTY                VALUE         SOURCE
system1/fs1%  share.smb.abe           off           default
system1/fs1%  share.smb.ad-container                default
system1/fs1%  share.smb.catia         off           default
system1/fs1%  share.smb.csc                         default
system1/fs1%  share.smb.dfsroot       off           default
system1/fs1%  share.smb.guestok       off           default
system1/fs1%  share.smb.none                        default
system1/fs1%  share.smb.ro                          default
system1/fs1%  share.smb.rw                          default

You can also view both the global share properties and the SMB properties by using the following command:

# zfs get share.all,share.smb.all system1/fs1%
NAME          PROPERTY                VALUE         SOURCE
system1/fs1%  share.desc                            default
system1/fs1%  share.name              system1_fs1   -
system1/fs1%  share.nfs               off           default
system1/fs1%  share.nfs.*             ...           default
system1/fs1%  share.path                            default
system1/fs1%  share.point             /system1/fs1  -
system1/fs1%  share.protocols         smb           inherited from system1/fs1
system1/fs1%  share.smb               on            inherited from system1/fs1
system1/fs1%  share.smb.*             ...           default
system1/fs1%  share.state             shared        -
system1/fs1%  share.smb.abe           off           default
system1/fs1%  share.smb.ad-container                default
system1/fs1%  share.smb.catia         off           default
system1/fs1%  share.smb.csc                         default
system1/fs1%  share.smb.dfsroot       off           default
system1/fs1%  share.smb.guestok       off           default
system1/fs1%  share.smb.none                        default
system1/fs1%  share.smb.ro                          default
system1/fs1%  share.smb.rw                          default

The following commands create another file system in the system1 pool called fs2, associate the file system with the myshare share name, and enable SMB sharing:

# zfs create -o nbmand=on system1/fs2
# zfs share -o share.smb=on system1/fs2%myshare

You can use the zfs get command to view the share.smb and share property values for the system1 pool.

# zfs get -r share.smb.all system1
NAME                 PROPERTY   VALUE  SOURCE
system1              share.smb  off    default
system1/fs1          share.smb  on     local
system1/fs1%         share.smb  on     inherited from system1/fs1
system1/fs2          share.smb  off    default
system1/fs2%myshare  share.smb  on     local

# zfs get -r share.smb.all system1
NAME                 PROPERTY                VALUE  SOURCE
system1              share.smb.abe           off    default
system1              share.smb.ad-container         default
system1              share.smb.catia         off    default
system1              share.smb.csc                  default
system1              share.smb.guestok       off    default
system1              share.smb.none                 default
system1              share.smb.ro                   default
system1              share.smb.rw                   default
system1/fs1          share.smb.abe           off    default
system1/fs1          share.smb.ad-container         default
system1/fs1          share.smb.catia         off    default
system1/fs1          share.smb.csc                  default
system1/fs1          share.smb.guestok       off    default
system1/fs1          share.smb.none                 default
system1/fs1          share.smb.ro                   default
system1/fs1          share.smb.rw                   default
system1/fs1%         share.smb.abe           off    default
system1/fs1%         share.smb.ad-container         default
system1/fs1%         share.smb.catia         off    default
system1/fs1%         share.smb.csc                  default
system1/fs1%         share.smb.dfsroot       off    default
system1/fs1%         share.smb.guestok       off    default
system1/fs1%         share.smb.none                 default
system1/fs1%         share.smb.ro                   default
system1/fs1%         share.smb.rw                   default
system1/fs2          share.smb.abe           off    default
system1/fs2          share.smb.ad-container         default
system1/fs2          share.smb.catia         off    default
system1/fs2          share.smb.csc                  default
system1/fs2          share.smb.guestok       off    default
system1/fs2          share.smb.none                 default
system1/fs2          share.smb.ro                   default
system1/fs2          share.smb.rw                   default
system1/fs2%myshare  share.smb.abe           off    default
system1/fs2%myshare  share.smb.ad-container         default
system1/fs2%myshare  share.smb.catia         off    default
system1/fs2%myshare  share.smb.csc                  default
system1/fs2%myshare  share.smb.dfsroot       off    default
system1/fs2%myshare  share.smb.guestok       off    default
system1/fs2%myshare  share.smb.none                 default
system1/fs2%myshare  share.smb.ro                   default
system1/fs2%myshare  share.smb.rw                   default

You can also see the list of all active shares on the system by viewing the /etc/dfs/sharetab file.

The following command creates a child file system of system1/fs2 called system1/fs2/fs2_sub1:

# zfs create system1/fs2/fs2_sub1

The new file system inherits the share.smb property from its parent, system1/fs1, which causes a new default share to be created.

# zfs create -o nbmand=on system1/fs1/fs1_sub1
# zfs get -r share.smb system1
NAME                   PROPERTY   VALUE  SOURCE
system1                share.smb  off    default
system1/fs1            share.smb  on     local
system1/fs1%           share.smb  on     inherited from system1/fs1
system1/fs1/fs1_sub1   share.smb  on     inherited from system1/fs1
system1/fs1/fs1_sub1%  share.smb  on     inherited from system1/fs1
system1/fs2            share.smb  off    default
system1/fs2%myshare    share.smb  on     local
system1/fs2/fs2_sub1   share.smb  off    default

You can also see the list of all active shares on the system by viewing the /etc/dfs/sharetab file.

# cat /etc/dfs/sharetab
/system1/fs2              myshare                   smb     -
/system1/fs1              system1_fs1               smb     -
/system1/fs1/fs1_sub1     system1_fs1_fs1_sub1      smb     -

If you disable SMB sharing for system1/fs1, that file system and its children are affected.

# zfs set share.smb=off system1/fs1
# zfs get -r share.smb system1
NAME                  PROPERTY   VALUE  SOURCE
system1               share.smb  off    default
system1/fs1           share.smb  off    local
system1/fs1/fs1_sub1  share.smb  off    inherited from system1/fs1
system1/fs2           share.smb  off    default
system1/fs2%myshare   share.smb  on     local
system1/fs2/fs2_sub1  share.smb  off    default

# cat /etc/dfs/sharetab | grep system1
/system1/fs2      myshare smb     -

Note that disabling the share.smb property unpublishes the shares but does not remove the share definitions. The /etc/dfs/sharetab file shows that only the myshare share is still published, while the system1_fs1 and system1_fs2_fs2_sub1 shares still exist but are no longer published.

Example 11  Setting the csc Property for Shares

The following example shows how to configure client-side caching on shares.

First, create and share a file system.

If you specify share.smb=on during dataset creation, the share is automatically created as a default share. The name of the share is based on the share path, where slashes (/) are replaced by underscores (_).

The automatic (auto) share is represented as tank/zvol%, which is the ZFS property name for the auto share. The default share name is constructed from the file system name. Invalid characters are converted to underscores. The share.name property stores the default share name, which is the name by which the share is published. The following example uses a default share name of tank_zvol.

# zfs create -o utf8only=on -o share.smb=on tank/zvol
# share
IPC$                            smb     -       Remote IPC
c$              /var/smb/cvol   smb     -       Default Share
tank_zvol       /tank/zvol      smb     -
# zfs get name,share.protocols,share.state,share.point tank/zvol%

NAME        PROPERTY         VALUE       SOURCE
tank/zvol%  name             tank/zvol%  -
tank/zvol%  share.protocols  smb         local
tank/zvol%  share.state      shared      -
tank/zvol%  share.point      /tank/zvol  -

To list automatic shares, use the zfs list -o share command:

# zfs create -o utf8only=on -o share.smb=on tank/zvol
# zfs get share tank/zvol%
# zfs list -o share
NAME        SHARENAME  PROTOCOLS  STATE        SHAREPOINT
tank/zvol%  tank_zvol  smb        shared       /tank/zvol
# zfs get share.name tank/zvol%
NAME        PROPERTY    VALUE      SOURCE
tank/zvol%  share.name  tank_zvol  -

To create a share with non-default values, use the zfs command, as shown in the following example:

  1. Create the dataset.

    # zfs create -o utf8only=on tank/zvol
  2. Create and enable an SMB share with the name of ashare.

    # zfs share -o share.smb=on tank/zvol%ashare
    # zfs get name,share.protocols,share.state,share.point tank/zvol%ashare
    NAME                    PROPERTY        VALUE                   SOURCE
    tank/zvol%ashare        name            tank/zvol%ashare        -
    tank/zvol%ashare        share.protocols smb                     local
    tank/zvol%ashare        share.state     -                       -
    tank/zvol%ashare        share.point     /tank/zvol              -
  3. View the active shares on the system.

    # cat /etc/dfs/sharetab
    /tank/zvol ashare smb -

The following command creates a new share, bshare, with the csc property set to auto:

# zfs share -o share.smb=on -o share.smb.csc=auto tank/zvol%bshare
# zfs get share.smb.all tank/zvol%bshare
NAME                    PROPERTY                VALUE                   SOURCE
tank/zvol%bshare        name                    tank/zvol%bshare        -
tank/zvol%bshare        share.protocols         smb                     -
tank/zvol%bshare        share.state             -                       -
tank/zvol%bshare        share.point             /tank/zvol              -
tank/zvol%bshare        share.smb.abe           off                     default
tank/zvol%bshare        share.smb.ad-container                          default
tank/zvol%bshare        share.smb.catia         off                     default
tank/zvol%bshare        share.smb.csc           auto                    local
tank/zvol%bshare        share.smb.dfsroot       off                     default
tank/zvol%bshare        share.smb.guestok       off                     default
tank/zvol%bshare        share.smb.none                                  default
tank/zvol%bshare        share.smb.ro                                    default
tank/zvol%bshare        share.smb.rw                                    default

Using the zfs command enables you to add properties to a share without specifying all the other previously specified properties and their values.

In the following example, the first command creates a share with the name of cshare. The second command adds the csc property.

# zfs share -o share.smb=on tank/zvol3%cshare
# zfs set -o share.smb.csc=auto tank/zvol3%cshare

You can also set the csc property on autohome shares in the smbautohome map. As with the ZFS share property, multiple property-value pairs can be specified in a comma-separated list. The following smbautohome map disables client-side caching by default, but sets csc=auto for /export/home/john:

*      /export/home/&   share.smb.csc=disabled,description=&
john   /export/home/&   share.smb.csc=auto,dn=oracle,dn=com,ou=users
Example 12  Using ls and chmod to Manage SMB Share-Level ACLs

Although you can manage share ACLs on an Oracle Solaris system, a better practice is to use Windows utilities to manage share ACLs. The ACLs are stored on resources located in the .zfs/shares subdirectory in the root of the shared file system. For more information about using the chmod command to modify ACLs, see the chmod(1) man page.

In this example, the shared file system is /zpool/cosmos and one resource, pluto, is stored in the .zfs/shares directory for this file system.

After changing to the /zpool/cosmos/.zfs/shares directory, you can use the ls -lv command to view the ACL information on the resources in that directory.

# cd /zpool/cosmos/.zfs/shares
# ls -lv
total 2
----------+  1 root     root           0 Feb  8 18:35 pluto
     0:everyone@:read_data/write_data/append_data/read_xattr/write_xattr
         /execute/delete_child/read_attributes/write_attributes/delete
         /read_acl/write_acl/write_owner/synchronize:allow

The ls -lv output shows that the pluto resource is owned by the root user and the root group. The everyone ACL entry covers all other users who are not the root user or part of the root group. The everyone ACL entry shows that everyone has all access privileges, which is the default.

Next, use the chmod command to add a user, john, who only has read access to the pluto resource. After running the chmod command, the ls -lv command shows you the new ACL entry for user john. Note that the ACL entry for everyone is unchanged.

# chmod A+user:john:read_data/read_xattr/read_attributes/read_acl:allow pluto
# ls -lv
total 2
-rwxrwxrwx+  1 root     root           0 Feb  8 18:35 pluto
     0:user:john:read_data/read_xattr/read_attributes/read_acl:allow
     1:everyone@:read_data/write_data/append_data/read_xattr/write_xattr
         /execute/delete_child/read_attributes/write_attributes/delete
         /read_acl/write_acl/write_owner/synchronize:allow

Use the chmod command to modify the ACL entry for user john to permit all access privileges. Now, the ls -lv command shows that the ACL entry for user john has been updated to have all access privileges.

# chmod A0=user:john:read_data/write_data/append_data/read_xattr/ \
write_xattr/execute/delete_child/read_attributes/write_attributes/delete/ \
read_acl/write_acl/write_owner/synchronize:allow pluto
# ls -lv
total 2
-rwxrwxrwx+  1 root     root           0 Feb  8 18:35 pluto
     0:user:john:read_data/write_data/append_data/read_xattr/write_xattr
         /execute/delete_child/read_attributes/write_attributes/delete
         /read_acl/write_acl/write_owner/synchronize:allow
     1:everyone@:read_data/write_data/append_data/read_xattr/write_xattr
         /execute/delete_child/read_attributes/write_attributes/delete
         /read_acl/write_acl/write_owner/synchronize:allow

Enabling Guest Access

When you have guest access to a share, you are permitted access to the share even if you are not a regular user of the system. You do not need to present credentials for authentication to gain access to that share.

The SMB server uses the guestok share property to specify whether guest access is permitted for a given share. By default, guest access is disabled. To enable guest access set the guestok property to on.

If you attempt a connection to an SMB server without an account name or a valid account, the request is interpreted as a guest connection. Such a connection is not authenticated unless the guest account has a password. Windows systems typically use a predefined local account called Guest to represent guest connections although this account can be renamed. In the Oracle Solaris OS, you can define an idmap name-based rule to map the Guest Windows user to any local Oracle Solaris user name, such as guest or nobody.

The following command creates a name-based mapping between the Windows user, Guest, and the Oracle Solaris user, guest:

# idmap add winname:Guest unixuser:guest

If the local account has an SMB password in the /var/smb/smbpasswd file, the guest connection is authenticated against that password. Any connection over SMB that is made by using an account that maps to the local guest account is designated as a guest connection. In the absence of an idmap rule for Guest, an ephemeral ID is generated for this Windows account by the idmap service.

How to Enable Guest Access to an SMB Share

This procedure shows how to use the zfs command to enable guest access, but you can also use the share command for other file system types. See the share(1M) man page.

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  2. Enable guest access for a specified share.
    # zfs create -o mountpoint=/eng pool/eng
    # zfs share -o share.smb=on -o share.smb.guestok=on pool/eng%eshare
Example 13  Enabling Guest Access to an SMB Share

The following example uses the zfs command to enable guest access for the myshare share:

# zfs share -o share.smb=on -o share.smb.guestok=on tank/home%myshare

Enabling Access-Based Enumeration for a share

The access-based enumeration (ABE) feature filters directory content based on the access granted to the user who is browsing the directory. This feature is compatible with the Windows ABE feature.

    When ABE filtering is enabled, you see only the files and directories to which you have access. This behavior has the following benefits:

  • Finding files in directories that contain many files is easier because the number of files shown in the listing is reduced.

  • An “out-of-sight, out-of-mind” policy is implemented.

ABE filtering is managed on a per-share basis by using the zfs command to set the Boolean abe property. See the zfs_share(1M) man page.

ABE filtering is also supported on autohome shares. See the smbautohome(4) man page.

When abe=on, ABE filtering is enabled on the share. Any directory entries to which you have no access are omitted from directory listings. When abe=off or is not defined, ABE filtering is not performed on the share. By default, the abe property is set to off.


Note -  With ABE filtering enabled, you still might see files in a directory listing that you cannot open. For example, if you have the ability to read the attributes of a file, ABE filtering shows the file in the directory listing, but you will be denied access if you attempt to open the file for reading or writing. Also, user privileges might result in files being shown even though the ACL appears to deny all access.

How to Enable Access-Based Enumeration for a Share

This procedure shows how to use the zfs command to enable ABE filtering for a share, but you can also use the share command for other file system types. See the share(1M) man page.

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  2. Enable ABE filtering for a specified share.
    # zfs share -o share.smb=on -o share.smb.abe=on pool/dataset%share-name

    For example, the following command enables ABE filtering for the new myshare share:

    # zfs create tank/home
    # zfs share -o share.smb=on -o share.smb.abe=on tank/home%myshare

How to Modify SMB Share Properties (zfs)

This procedure shows how to use the zfs command to modify share properties, but you can also use the share command for other file system types. See the share(1M) man page.

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  2. View the existing share.
    # zfs get share.all,share.smb.all tank/home%home
    NAME            PROPERTY                VALUE       SOURCE
    tank/home%home  share.desc                          default
    tank/home%home  share.name              home        -
    tank/home%home  share.nfs               off         default
    tank/home%home  share.nfs.*             ...         default
    tank/home%home  share.path                          default
    tank/home%home  share.point             /tank/home  -
    tank/home%home  share.protocols         smb         local
    tank/home%home  share.smb               on          local
    tank/home%home  share.smb.*             ...         default
    tank/home%home  share.state             shared      -
    tank/home%home  share.smb.abe           off         default
    tank/home%home  share.smb.ad-container              default
    tank/home%home  share.smb.catia         off         default
    tank/home%home  share.smb.csc                       default
    tank/home%home  share.smb.dfsroot       off         default
    tank/home%home  share.smb.guestok       off         default
    tank/home%home  share.smb.none                      default
    tank/home%home  share.smb.ro                        default
    tank/home%home  share.smb.rw                        default
  3. Modify the SMB share properties.

    For example, first change the guestok property to false.

    # zfs set share.smb.guestok=off tank/home%home

    Then, change the value of the csc property from auto to disabled.

    # zfs set share.smb.csc=disabled tank/home%home

    For information about available SMB share properties, see the share_smb(1M) man page.

How to Remove an SMB Share (zfs)

This procedure describes how to remove an SMB share. When you remove an SMB share, the definition of the share is removed from the server. You can re-create the share with the zfs command.

This procedure shows how to use the zfs command to remove a share, but you can also use the unshare command for other file system types. See the unshare(1M) man page.

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  2. Remove an SMB share.
    # zfs destroy pool/dataset%share-name

    For example, the following command removes the sales_share1 share from the tank/sales dataset:

    # zfs destroy tank/sales%share_sales1

Creating an Autohome Share Rule

The autohome share feature eliminates the administrative task of defining and maintaining home directory shares for each user that accesses the system through the SMB protocol. The system creates autohome shares when a user logs in, and removes them when the user logs out.

How to Create a Specific Autohome Share Rule

This procedure describes how to configure autohome shares by adding rules to a configuration file.

For information about the smbautohome format, see SMB Autohome Entries and the smbautohome(4) man page.

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  2. Add an autohome entry to the /etc/smbautohome file.

    An autohome entry must be on a single line in the following format:

    key	location [container]
    key

    Usually a user name, but it can also be one of the following:

    • +nsswitch Uses the naming service to match users to home directories if no rule matches.

    • Asterisk (*) – Matches a user name to a home directory that uses the same name.

    location

    The location of the user's home directory in the location field.

      Specify the absolute path excluding the user name, or use one of the following substitution characters:

    • Question mark (?) – Substitutes for the first character of the user name.

    • Ampersand (&) – Substitutes for a complete user name.

    For example, the following rule maps to /home/a/amy:

    amy             /home/?/&

    For more information about the path, see SMB Autohome Shares.

How to Restrict Client Host Access to an SMB Share (zfs)

This procedure describes how to use the ZFS file system's share property to restrict access to a share based on a client's host address. This feature is known as host-based access control.

    A client host is permitted to have only one of the following types of access to a share:

  • Read-only access

  • Read-write access

  • No access

For more information about the access control mechanisms that are used for shares, see Host-Based Access Control to SMB Shares.

This procedure shows how to use the zfs command to restrict client host access, but you can also use the share command for other file system types. See the share(1M) man page.

For information about access lists, see the share_smb(1M) man page.

  1. Become an administrator.

    For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  2. Determine the type of access you want to grant for each client host.
  3. Restrict access by particular hosts to a share.
    # zfs share -o share.smb=on -o share.smb.ro=hostname[:hostname] pool/dataset%share-name
    # zfs share -o share.smb=on -o share.smb.rw=hostname[:hostname] pool/dataset%share-name
    # zfs share -o share.smb=on -o share.smb.none="" pool/dataset%share-name
    hostname

    A host name, a netgroup, or an IP address

    pool/dataset%share-name

    Name of the dataset and share being shared

    You can specify the host access policy by combining the access settings in a single command.

Example 14  Setting Host Access Policy by Using a Single Command

The following command specifies how particular hosts can access the acme.sales.logs share. The mercury and venus hosts have read-write access, mars has read-only access, and neptune has no access.

# zfs share -o share.smb=on -o share.smb.rw=mercury:venus,ro=mars,none="*" \
tank/sales/logs%acme.sales.logs