July 24th, 2017 12:00

Adding local access zone user to folder permissions

Hello guys/gals,

I have an application that has to use a local account created on Isilon. I want this application to connect to a specific access zone, so I created this local account within that access zone under the LOCAL provider.

I then used Windows Explorer to create a folder inside of that access zone and now I am trying to grant this local account Full permissions to the folder. I have tried numerous combinations but none of them seem to be able to find the local account. I tried:

clustername\myaccount

access zonename\myaccount

smartconnect zonename\myaccount

No dice. Any suggestions? Do I have to use the CLI?

Note: this cluster is joined to Active Directory.  Provider LOCAL:zonename is listed as Authentication provider for that access zone.

Thank you

July 28th, 2017 05:00

Thank you for everyone's help. For me it was a combination of these things:

1) using an account whose UID was not in use by local accounts in System zone

2) not only setting ownership but also setting ACLs using chmod +a user allow dir_gen_all

3) specifying correct password

July 24th, 2017 12:00

Dumb questions here but...

1.  What permissions did you provide to the local account, Dynamox?

2.  Also, does your application have the PW your local account is using?

3.  What level of access does the local account need?


Just trying to work this out in my head.  I don't use access zones here (no reason) and the local accounts I have aren't for zone access.

July 24th, 2017 13:00

Brian,

1) I need to give this account either Full or Modify permissions, have not decided yet.

2) Yes, this application runs on a server that is not joined to AD. The application has a place where you specify username and password.

3) Not sure what you mean?

July 24th, 2017 14:00

Be very careful using the 'local' auth provider in access zones. Why? Because if you have to SyncIQ the data to another cluster, those local accounts wouldn't exist. I would, instead, suggest using a file provider inside the access zone, so if the root path of the access zone is /ifs/zone2, create a directory called /ifs/zone2/auth/ and store the local passwd and group file in it. SyncIQ that folder 'auth' to the target cluster, and then you can set up the file provider on the DR cluster as well. Of course it's read-only there.

Just consider it a friendly suggestion if DR of the data is of concern.

-Chris
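A way to check for the UID overlap that the accepted answer names as part of the fix, run against the passwd-format files a file provider reads as suggested above. This is an added example, not part of the thread; the zone contents, account names and function names are constructed for illustration.

```python
# Added example. Assumption: each zone's accounts are available as
# passwd-format text (name:password:uid:...). All sample entries are constructed.

SYSTEM_ZONE = """\
# constructed sample: System zone accounts
admin:*:10:0::/ifs/home/admin:/bin/zsh
svc_backup:*:2000:1800::/nonexistent:/sbin/nologin
"""

ZONE2 = """\
# constructed sample: /ifs/zone2/auth/passwd
archive_app:*:2000:1800::/nonexistent:/sbin/nologin
reports:*:2001:1800::/nonexistent:/sbin/nologin
"""

def parse_passwd(text):
    """Return {uid: [names]}; comments, blanks and malformed lines are skipped."""
    by_uid = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # UID is the third field in both the 7-field and BSD 10-field layouts.
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        by_uid.setdefault(int(fields[2]), []).append(fields[0])
    return by_uid

def uid_collisions(zone_a, zone_b):
    """UIDs that exist in both zones but belong to different account names."""
    a, b = parse_passwd(zone_a), parse_passwd(zone_b)
    return [(uid, sorted(a[uid]), sorted(b[uid]))
            for uid in sorted(a.keys() & b.keys())
            if set(a[uid]) != set(b[uid])]

def next_free_uid(start, *zones):
    """First UID >= start that no supplied zone already uses."""
    used = set()
    for zone in zones:
        used.update(parse_passwd(zone))
    uid = start
    while uid in used:
        uid += 1
    return uid

if __name__ == "__main__":
    for uid, sys_names, zone_names in uid_collisions(SYSTEM_ZONE, ZONE2):
        print(f"UID {uid}: System={sys_names} zone2={zone_names}")
    print("next free UID:", next_free_uid(2000, SYSTEM_ZONE, ZONE2))
```
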

July 24th, 2017 16:00

What I mean is what level of access does the local account need.  Root?

July 25th, 2017 03:00

Chris,

DR is handled by the application. The application in question is GE Enterprise Archive; it will be configured to write to two Isilon clusters at the same time. So I have created the same local account on both clusters (different access zone names, but that should be immaterial here).

Any thoughts on how to add a local account to folder permissions?

Thank you

July 25th, 2017 03:00

Brian,

This account should just be able to read/write data to a CIFS share; it will not need to do anything at cluster level (ssh, REST, etc.)

July 25th, 2017 04:00

Thanks Dynamox, just asking here (out of curiosity, I don't know that I have the answer you need). I was thinking about local accounts and what level of access it needs. When you created the local user, did you select a primary and any additional groups?

EG:  For Primary group are you choosing from A/D or the local groups (ie: Administrator, Isilon Users, etc) and then adding additional groups?  In my head I am trying to figure out the right setting for the permission level you need.


Cheers

July 25th, 2017 05:00

Yes, I can provide local user access to a SMB share.  That is why I was asking what level of permissions (explicitly) that you're applying to the local account.


In my case, I have some applications that require ROOT/WHEEL level privileges for the local account. Does that help?  What OneFS version are you using BTW?

July 25th, 2017 05:00

Brian,

I did not enter anything for UID or Primary Group; I entered a username and password, changed the Unix shell to "no login" and enabled the account.

I know you are not using access zones. On your cluster, can you create a local account and assign it to folder permissions?

July 25th, 2017 06:00

I'm using 8.0.0.4 as well.  We're going to 8.0.1 in October. 

Did you click "Locations" and try to select the cluster itself and not use A/D?  I would think since you're trying to add a local user you'd bypass A/D and just try to use a local account.

When I select "Locations", I then type in my local account name and click "check names".  It shows up as...

clustername\useraccount

It should, from there, be trying to use the local account. Disclaimer: I have not tested this yet

July 25th, 2017 06:00

Upgraded to 8.0.0.4 two weekends ago.

I assume your cluster is joined to AD, so when you go into Windows Explorer on your PC, right click on folder, properties, Security and select Add. What do you type? Do you simply enter the account name or do you use the cluster_computeraccountname\user_account format?

July 25th, 2017 06:00

Dynamox,

I was able to do what I think you are trying to accomplish.   

1) Create User in LOCAL:System, select appropriate Primary Group in Local: System, like "Isilon Users"

*System is this access zone here, but it could be any zone you select. 

2) Make sure to set a password and enable the account

   *Ensure the account is enabled.  Sometimes when creating the account it gets created, but not enabled.

3) Modify the share in the appropriate access zone and select the user under LOCAL: System

4) Grant the share permissions required

5) Depending on what other users/groups are in the share, you may need to move the new user up in the list to be "seen" first. 

6) Try mapping a drive with the new user: as following \ along with the password. 

*In some cases, you might need to use the FQDN of the smartconnectname. 

This worked for me.  I was able to do this in my system access zone as well as another zone. 

July 25th, 2017 07:00

Brian,

I tested using clustername\local_account, smartconnect\local_account ... can't seem to find the account.

July 25th, 2017 07:00

In Explorer, did you follow the steps I showed you? Just asking here because I'm lost at where you're at.
