CephFS Windows ACLs

CephFS supports extended attributes, so a CephFS-backed Samba share can carry Windows ACLs when the Samba server is a member of the AD domain.

Permissions can then be managed from a Windows machine rather than by editing permissions in smb.conf.

Enable Extended ACL Support in the smb.conf File

To configure shares using extended access control lists (ACLs), you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file:

    vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes

Granting the SeDiskOperatorPrivilege Privilege

Only users and groups having the SeDiskOperatorPrivilege privilege granted can configure share permissions.

To grant the SeDiskOperatorPrivilege privilege to the Domain Admins group, enter:

    # net rpc rights grant "45LAB\Domain Admins" SeDiskOperatorPrivilege -U "45LAB\administrator"
    Enter 45LAB\administrator's password:
    Successfully granted rights.

To list all users and groups having the SeDiskOperatorPrivilege privilege granted, enter:

    # net rpc rights list privileges SeDiskOperatorPrivilege -U "45LAB\administrator"
    Enter administrator's password:
    SeDiskOperatorPrivilege:
     BUILTIN\Administrators
     45LAB\Domain Admins

Adding a Share

To share the /mnt/cephfs/fsgw/Demo/ directory using the Demo share name:

Create the directory you want to share:

    mkdir -p /mnt/cephfs/fsgw/Demo/

To enable accounts other than the domain user Administrator to set permissions from Windows, grant full control (rwx) to the user or group to which you granted the SeDiskOperatorPrivilege privilege:

    chown root:"Domain Admins" /mnt/cephfs/fsgw/Demo/
    chmod 0770 /mnt/cephfs/fsgw/Demo/

Add the [Demo] share definition to your smb.conf file:

    [Demo]
    path = /mnt/cephfs/fsgw/Demo/
    read only = no

Reload the Samba configuration:

    smbcontrol all reload-config

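As an added check, not part of the original page, the following POSIX shell script verifies the two prerequisites set up above: that the three extended-ACL settings are present in the [global] section of an smb.conf (settings placed only in a share section do not count), and that a share directory has the 0770 mode. It assumes GNU stat for the mode check; the smb.conf path and share directory are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original page: verify the [global] ACL settings
# in smb.conf and the 0770 share mode. Pure POSIX sh + awk; share_mode_ok
# assumes GNU stat (-c).

# Print "ok" if the [global] section of the given smb.conf has
# vfs objects containing acl_xattr, map acl inherit = yes and
# store dos attributes = yes; otherwise print "missing:" and the keys.
check_acl_settings() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[][ \t]/, "", sect); next }
        sect == "global" && /=/ {
            split($0, kv, "=")
            key = tolower(kv[1]); gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            val = tolower(kv[2]); gsub(/^[ \t]+|[ \t]+$/, "", val)
            seen[key] = val
        }
        END {
            missing = ""
            if (index(" " seen["vfs objects"] " ", " acl_xattr ") == 0)
                missing = missing " vfs_objects=acl_xattr"
            if (seen["map acl inherit"] != "yes")
                missing = missing " map_acl_inherit=yes"
            if (seen["store dos attributes"] != "yes")
                missing = missing " store_dos_attributes=yes"
            if (missing == "") print "ok"; else print "missing:" missing
        }
    ' "$1"
}

# Return 0 when the directory mode is exactly 0770 (owner and group rwx,
# nothing for others), as set with chmod 0770 above.
share_mode_ok() {
    [ "$(stat -c '%a' "$1")" = "770" ]
}

# Usage: sh check_share.sh /etc/samba/smb.conf /mnt/cephfs/fsgw/Demo
if [ $# -ge 1 ]; then check_acl_settings "$1"; fi
if [ $# -ge 2 ]; then
    if share_mode_ok "$2"; then echo "share mode ok"; else echo "share mode is not 0770"; fi
fi
```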