Unsolved

August 4th, 2016 11:00

Is it possible to prevent UNIX permissions from merging into ACL in a multiprotocol environment?

We have a multiprotocol environment where the same folder can be both SMB shared and NFS exported.  The UNIX hosts have a handful of local users (passwd).  The Windows hosts use AD, and everyone in my company is in that AD.  When a UNIX user creates a file with permission 666, every user on the UNIX host can access it, the way we wanted.  However, "everyone" with read/write access is also added to the ACL, so now everyone in AD can access that file, which is not what we wanted.

Is there a way to configure the ACL policy so that when someone creates a file or runs chmod 666, it will not merge into the ACL?  The files created in UNIX need to be accessible by Windows accounts; those accounts are controlled by security permissions inherited from the parent folder.  I've experimented with different ACL policy settings, and so far I don't see a way to achieve what we need.  We've been using Celerra/VNX for many years and haven't experienced this issue.  By the way, I have no control over the UNIX users and I can't make them adopt 660.

254 Posts

August 4th, 2016 20:00

There is no way to do that except to disable ACLs from the cluster and be UNIX only from a permissions point of view. Windows users could still access it but they would get synthetic ACLs and would not be able to set ACLs.

VNX does keep separate permissions for UNIX and Windows. It's one of the few multi-protocol boxes that is designed that way, at least that I'm aware of. Isilon keeps one set of permissions, so if you want both sides to be able to change permissions you get merged permissions.

3 Posts

August 5th, 2016 08:00

Thanks AdamFox.  I think you're right, I've tried most ACL policy settings and still couldn't achieve the separation of UNIX and Windows permissions.  None of the articles I've read suggest it can be done.
