Isilon Permissions and ls -led behavior

Question

Isilon OneFS v8.0.0.4 Windows AD with RFC2307 enabled CIFS share issue with permissions NOTE:   We recently just enabled RFC2307 for NFS4 w/ kerberos support.  We are NOT doing multi-protocol.  We have one zone for CIFS, one for NFS3 and one for NFS4. We are troubleshooting some CIFS permissions issues and while working with the isi auth user/group view as well as ls -led we are seeing some strange behavior. Here is an example: isilon-1# ls -led drwxrwx--- +  11 ADDOMAIN\user1  ADDOMAIN\domain users  332 Jun 19 14:49 . OWNER: user:ADDOMAIN\user1 GROUP: group:ADDOMAIN\domain users CONTROL:dacl_auto_inherited,dacl_protected 0: group:5555555 allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit 1: group:5555555 allow dir_gen_all,object_inherit,container_inherit 2: group:444444 allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit 3: group:ADDOMAIN\group1 allow dir_gen_all,object_inherit,container_inherit 4: group:ADDOMAIN\group2 allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit 5: group:ADDOMAIN\domain-admins allow dir_gen_all,object_inherit,container_inherit My first thought is, why am I seeing GID numbers instead of Windows group names?  The path we ran ls -led on is for a CIFS only share. Let's look up that GID and see what the Isilon says it is: isilon-1# isi auth groups view --gid=5555555 Failed to find group for 'GID:5555555': No such group I ask the user, I am seeing this group but not sure what it is....they give me some possible Windows groups so I try looking those up from the Isilon and I get a hit: isilon-1# isi auth groups view --group=ADDOMAIN\group-manager               Name: ADDOMAIN\group-manager               DN: OU= Groups,OU=ADDOMAIN,DC=school,DC=edu              SID: S-5-5-55-5555555-5555555-5555555-5555555              GID: 5555555           Domain: ADDOMAIN Sam Account Name: group-manager         Provider: lsa-activedirectory-provider:ADDOMAIN.SCHOOL.EDU    Generated GID: No I do another ls -led on the directory and NOW I am seeing the Windows group name instead of the GID: isilon-1# ls -led drwxrwx--- +  11 ADDOMAIN\user1  ADDOMAIN\domain users  332 Jun 19 14:49 . OWNER: user:ADDOMAIN\user1 GROUP: group:ADDOMAIN\domain users CONTROL:dacl_auto_inherited,dacl_protected 0: group:ADDOMAIN\group-manager allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit 1: group:ADDOMAIN\group-manager allow dir_gen_all,object_inherit,container_inherit 2: group:444444 allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit 3: group:ADDOMAIN\group1 allow dir_gen_all,object_inherit,container_inherit 4: group:ADDOMAIN\group2 allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit 5: group:ADDOMAIN\domain-admins allow dir_gen_all,object_inherit,container_inherit For the heck of it I run the group view by GID and it comes back with an answer this time!: isilon-1# isi auth groups view --gid=5555555             Name: ADDOMAIN\group-manager               DN: OU= Groups,OU=ADDOMAIN,DC=school,DC=edu              SID: S-5-5-55-5555555-5555555-5555555-5555555              GID: 5555555           Domain: ADDOMAIN Sam Account Name: group-manager         Provider: lsa-activedirectory-provider:ADDOMAIN.SCHOOL.EDU    Generated GID: No Why was the first ls -led showing GID instead of Windows Group Name? Why did the first isi auth groups view not resolve the GID? Only after I was able to view the group by the Windows Name, the previous two commands were more 'complete'. Is this expected behavior from the Isilon? Also, when doing just an ls -al, we have seen the Owner/Group switch between UID/GID and Windows User/Group. Thanks for reading!

SKT2 · Answer

There is a blog post here on Multi-protocol Concepts , that might help a little

Isilon

Was this post helpful?