Last modified: July 3, 2019
CephFS Windows ACLs

  • CephFS supports extended attributes, and therefore Windows ACLs, when the server is a member of the AD domain.
  • Permissions can be managed from a Windows machine, rather than by altering the permissions in smb.conf.
  • To configure shares using extended access control lists (ACLs), you must enable the support in the smb.conf file. To enable extended ACL support globally, add the following settings to the [global] section of your smb.conf file:
  • vfs objects = acl_xattr
    map acl inherit = yes
    store dos attributes = yes
  • Only users and groups having the SeDiskOperatorPrivilege privilege granted can configure share permissions.
  • To grant the SeDiskOperatorPrivilege privilege to the Domain Admins group, enter:
    • # net rpc rights grant "45LAB\Domain Admins" SeDiskOperatorPrivilege -U "45LAB\administrator"
      Enter 45LAB\administrator's password:
      Successfully granted rights.
  • To list all users and groups having the SeDiskOperatorPrivilege privilege granted, enter:
    • # net rpc rights list privileges SeDiskOperatorPrivilege -U "45LAB\administrator"
      Enter administrator's password:
        45LAB\Domain Admins
  • To share the /mnt/cephfs/fsgw/Demo/ directory using the Demo share name:
    • Create the directory you want to share:
      •  mkdir -p /mnt/cephfs/fsgw/Demo/
    • To enable accounts other than the domain user Administrator to set permissions on Windows, grant Full control (rwx) to the user or group you granted the SeDiskOperatorPrivilege privilege.
      • chown root:"Domain Admins" /mnt/cephfs/fsgw/Demo/
        chmod 0770 /mnt/cephfs/fsgw/Demo/
    • Add the [Demo] share definition to your smb.conf file:
      • [Demo]
               path = /mnt/cephfs/fsgw/Demo/
               read only = no
    • Reload the Samba configuration:
      • smbcontrol all reload-config
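
A check to run before reloading, confirming that the three [global] settings above are actually in effect. This is an added example, not part of the original page; the function name check_acl_xattr_conf is hypothetical, and it assumes a single smb.conf without include directives or backslash line continuations.

```shell
#!/bin/sh
# Added example (not from the original page).
# check_acl_xattr_conf FILE: hypothetical helper. Prints each of the three
# [global] settings that is absent or disabled; returns 0 only if all are set.
check_acl_xattr_conf() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function truthy(v) { v = tolower(v); return v == "yes" || v == "true" || v == "1" }
    /^[ \t]*([#;]|$)/ { next }            # skip comments and blank lines
    /^[ \t]*\[/ {                          # section header, e.g. [global]
        sec = tolower($0)
        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); gsub(/[ \t]/, "", sec)
        next
    }
    sec == "global" {
        eq = index($0, "=")                # only the first "=" is significant
        if (eq == 0) next
        # Samba ignores case and whitespace in parameter names
        name = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", name)
        val[name] = trim(substr($0, eq + 1))
    }
    END {
        bad = 0; found = 0
        # vfs objects is a list: acl_xattr may be one module among several
        n = split(val["vfsobjects"], mods, /[ \t,]+/)
        for (i = 1; i <= n; i++) if (mods[i] == "acl_xattr") found = 1
        if (!found) { print "missing: vfs objects = acl_xattr"; bad = 1 }
        if (!truthy(val["mapaclinherit"])) {
            print "missing: map acl inherit = yes"; bad = 1
        }
        if (!truthy(val["storedosattributes"])) {
            print "missing: store dos attributes = yes"; bad = 1
        }
        exit bad
    }' "$1"
}

# Usage: sh check.sh /path/to/smb.conf
if [ "$#" -gt 0 ]; then
    check_acl_xattr_conf "$1"
fi
```

A setting that is commented out, or placed under a share section instead of [global], is reported as missing.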
