Unsolved
July 27th, 2018 13:00
Isilon Permissions and ls -led behavior
Isilon OneFS v8.0.0.4
Windows AD with RFC2307 enabled
CIFS share issue with permissions
NOTE: We recently just enabled RFC2307 for NFS4 w/ kerberos support. We are NOT doing multi-protocol. We have one zone for CIFS, one for NFS3 and one for NFS4.
We are troubleshooting some CIFS permissions issues and while working with the isi auth user/group view as well as ls -led we are seeing some strange behavior.
Here is an example:
isilon-1# ls -led
drwxrwx--- + 11 ADDOMAIN\user1 ADDOMAIN\domain users 332 Jun 19 14:49 .
OWNER: user:ADDOMAIN\user1
GROUP: group:ADDOMAIN\domain users
CONTROL:dacl_auto_inherited,dacl_protected
0: group:5555555 allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
1: group:5555555 allow dir_gen_all,object_inherit,container_inherit
2: group:444444 allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
3: group:ADDOMAIN\group1 allow dir_gen_all,object_inherit,container_inherit
4: group:ADDOMAIN\group2 allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
5: group:ADDOMAIN\domain-admins allow dir_gen_all,object_inherit,container_inherit
My first thought is, why am I seeing GID numbers instead of Windows group names? The path we ran ls -led on is for a CIFS only share.
Let's look up that GID and see what the Isilon says it is:
isilon-1# isi auth groups view --gid=5555555
Failed to find group for 'GID:5555555': No such group
I ask the user: I am seeing this group but am not sure what it is. They give me some possible Windows groups, so I try looking those up from the Isilon and I get a hit:
isilon-1# isi auth groups view --group=ADDOMAIN\\group-manager
Name: ADDOMAIN\group-manager
DN: OU= Groups,OU=ADDOMAIN,DC=school,DC=edu
SID: S-5-5-55-5555555-5555555-5555555-5555555
GID: 5555555
Domain: ADDOMAIN
Sam Account Name: group-manager
Provider: lsa-activedirectory-provider:ADDOMAIN.SCHOOL.EDU
Generated GID: No
I do another ls -led on the directory and NOW I am seeing the Windows group name instead of the GID:
isilon-1# ls -led
drwxrwx--- + 11 ADDOMAIN\user1 ADDOMAIN\domain users 332 Jun 19 14:49 .
OWNER: user:ADDOMAIN\user1
GROUP: group:ADDOMAIN\domain users
CONTROL:dacl_auto_inherited,dacl_protected
0: group:ADDOMAIN\group-manager allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
1: group:ADDOMAIN\group-manager allow dir_gen_all,object_inherit,container_inherit
2: group:444444 allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
3: group:ADDOMAIN\group1 allow dir_gen_all,object_inherit,container_inherit
4: group:ADDOMAIN\group2 allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
5: group:ADDOMAIN\domain-admins allow dir_gen_all,object_inherit,container_inherit
For the heck of it I run the group view by GID and it comes back with an answer this time!:
isilon-1# isi auth groups view --gid=5555555
Name: ADDOMAIN\group-manager
DN: OU= Groups,OU=ADDOMAIN,DC=school,DC=edu
SID: S-5-5-55-5555555-5555555-5555555-5555555
GID: 5555555
Domain: ADDOMAIN
Sam Account Name: group-manager
Provider: lsa-activedirectory-provider:ADDOMAIN.SCHOOL.EDU
Generated GID: No
Why was the first ls -led showing GID instead of Windows Group Name?
Why did the first isi auth groups view not resolve the GID?
Only after I was able to view the group by the Windows Name, the previous two commands were more "complete".
Is this expected behavior from the Isilon?
Also, when doing just an ls -al, we have seen the Owner/Group switch between UID/GID and Windows User/Group.
Thanks for reading!
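An added example, not part of the original post: a small Python parser for ACE lines in the `ls -led` format shown above. It lists trustees that printed as bare numeric IDs and shows which of them printed as names in a later listing. The function names and the regular expression are this example's own assumptions, and the sample input is ACEs 0-3 copied from the two listings in the post.

```python
import re

# One ACE line as shown in the post: "<index>: <kind>:<trustee> <allow|deny> <rights>".
# The trustee can contain spaces ("ADDOMAIN\domain users"), so match lazily up to
# the allow/deny keyword.
ACE_RE = re.compile(r"^\s*(\d+):\s+(user|group):(.+?)\s+(allow|deny)\s+(\S.*)$")

def parse_aces(listing):
    """Return the ACEs found in `ls -led` text as a list of dicts."""
    aces = []
    for line in listing.splitlines():
        m = ACE_RE.match(line)
        if m:
            idx, kind, trustee, mode, rights = m.groups()
            aces.append({"index": int(idx), "kind": kind, "trustee": trustee,
                         "mode": mode, "rights": tuple(rights.strip().split(","))})
    return aces

def unresolved(aces):
    """ACEs whose trustee printed as a bare UID/GID instead of a name."""
    return [a for a in aces if a["trustee"].isdigit()]

def newly_resolved(before, after):
    """Map numeric id -> name for ACEs that differ only in how the trustee printed."""
    later = {a["index"]: a for a in after}
    mapping = {}
    for a in unresolved(before):
        b = later.get(a["index"])
        if (b and not b["trustee"].isdigit()
                and (b["kind"], b["mode"], b["rights"]) == (a["kind"], a["mode"], a["rights"])):
            mapping[a["trustee"]] = b["trustee"]
    return mapping

# ACE lines copied from the two listings in the post (ACEs 0-3 only).
FIRST = r"""
 0: group:5555555 allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
 1: group:5555555 allow dir_gen_all,object_inherit,container_inherit
 2: group:444444 allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
 3: group:ADDOMAIN\group1 allow dir_gen_all,object_inherit,container_inherit
"""
SECOND = FIRST.replace("group:5555555", r"group:ADDOMAIN\group-manager")

if __name__ == "__main__":
    first, second = parse_aces(FIRST), parse_aces(SECOND)
    print("unresolved in first listing:", sorted({a["trustee"] for a in unresolved(first)}))
    print("resolved between listings:", newly_resolved(first, second))
    print("still unresolved:", sorted({a["trustee"] for a in unresolved(second)}))
```

On the post's data, the `group:444444` entry is still reported as unresolved in the second listing.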



SKT2
August 1st, 2018 22:00
There is a blog post here on Multi-protocol Concepts, that might help a little.