This post is more than 5 years old
10 Posts
0
12020
Configure Windows ACLs from Isilon cli
Hi All,
I'm trying to build a script that automatically applies custom Windows ACL's as part of an SMB File share creation process. I can create the share and set the file share permissions and even change the ownership of the directory but I can't quite grasp the correct syntax to use chmod and add the AD groups with the correct permissions.
This is what I get from ls -led on a directory that's configured the way I want it using Windows Explorer.
Cluster01-1# ls -led /ifs/share
drwxrwx--- + 2 group 2147400003 27 Mar 19 17:16 /ifs/share
OWNER: group:domain\Share_RW
GROUP: group:2147400003
CONTROL:dacl_auto_inherited,dacl_protected
0: group:domain\Share_RW allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
1: group:domain\nas-operators allow dir_gen_all,object_inherit,container_inherit
2: group:Administrators allow dir_gen_all,object_inherit,container_inherit
3: group:domain\Share_RO allow dir_gen_read,object_inherit,container_inherit
Cluster01-1#
AdamFox
254 Posts
0
March 20th, 2015 14:00
Here are some tips:
First, you can clear out the current ACLs with the following:
chmod -D /ifs/share
I think that's easier than removing each one.
Then add back in any entries following this example:
chmod +a group domain\\group_name allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit /ifs/share
Notice the double \\, this helps the shell interpret the backslash properly. This should be on all one line, not sure if the editor here will allow that or not. But assume it is. So do that for each entry with the correct names and properties as appropriate.
Then for CONTROL properties, do the following:
chmod -c +dacl_auto_inherited /ifs/share
chmod -c +dacl_protected /ifs/share
So, in your case, it could be a series of chmod commands, but if it's scripted, it shouldn't be too bad.
It can be a bit confusing, but once you get used to it, it's not too bad. The man page for chmod is very good at explaining what each of the settings mean as well as syntax. You just have to pan down to the bottom where the Isilon-specific ACL settings are.
Hope this helps.
ALadd2
10 Posts
0
March 20th, 2015 18:00
Thanks Adam!
That's exactly what I was looking for. I had opened the man page for chmod but didn't read far enough down to see the Isilon customizations.
I knew chmod was the answer and chmod +a was the first part of the command to add the permissions but I \was over thinking the syntax for the attributes. Imaging that, something as simple as plain English.
ALadd2
10 Posts
0
March 24th, 2015 08:00
D'Alessandro or Verrico?
AdamFox
254 Posts
0
March 24th, 2015 08:00
Glad to hear it.
Say hi to Vinnie for me.
AdamFox
254 Posts
0
March 24th, 2015 12:00
Verrico. He's on of the SEs I support as a CAE.
ALadd2
10 Posts
0
March 24th, 2015 13:00
Will do. Probably talking to him later this week.