Unsolved
This post is more than 5 years old
2 Intern
•
178 Posts
0
15574
Isilon: SMB permissions CLI
Could anyone please suggest any documentation or CLI commands to assign permissions to users/groups for SMB shares?
Thank you in advance.
Stdekart
104 Posts
0
January 4th, 2016 08:00
khkris:
The CLI admin guide for your respective version of OneFS will have information on setting up and configuring SMB shares via the CLI.
For example 7.2.0 CLI Admin Guide Page 393:
https://support.emc.com/docu56048_OneFS-7.2.0-CLI-Administration-Guide.pdf?language=en_US
Sounds like you're looking for # isi smb shares permission modify
crklosterman
450 Posts
2
January 4th, 2016 09:00
Hello Khkris,
A few things here.
1. SMB Share permissions in 95%+ of enterprises are set to either 'Everyone' --> 'Full Control' or 'Authenticated Users' --> 'Full Control'.
The CLI syntax varies slightly by version, so download the command line reference from support.emc.com for your version of OneFS. Here is an example:
#create a share
isi01-1# isi smb share create data /ifs/data
#view share permissions
isi01-1# isi smb share permission list data
Account  Account Type Run as Root Permission Type Permission
----------------------------------------------------------------
Everyone wellknown    False       allow           read
----------------------------------------------------------------
Total: 1
#modify an existing share permission entry to change Everyone to Full Control
isi01-1# isi smb share permission modify data --wellknown Everyone -p full -d allow
isi01-1# isi smb share permission list data
Account  Account Type Run as Root Permission Type Permission
----------------------------------------------------------------
Everyone wellknown    False       allow           full
----------------------------------------------------------------
Total: 1
2. Keeping in mind that Isilon is a multiprotocol filesystem, and supports multiple auth providers, the best way to control data access is through filesystem permissions, either NTFS ACLs, or POSIX mode bits. If it were up to me, I would say use this workflow for creating any new shares on the system.
1. Create a directory at a path like this: /ifs/clustername/accesszonename/newshare. Create the directory at the OneFS CLI, and ensure that no ACLs are inherited down.
Example:
isi01-1# mkdir -p /ifs/clustername/accesszonename/newshare
isi01-1# ls -led /ifs/clustername/accesszonename/newshare
drwxr-xr-x 2 root wheel 0 Jan 4 11:43 /ifs/clustername/accesszonename/newshare
OWNER: user:root
GROUP: group:wheel
SYNTHETIC ACL
0: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
1: group:wheel allow dir_gen_read,dir_gen_execute
2: everyone allow dir_gen_read,dir_gen_execute
2. Now create a share and again set the permissions to just everyone full control:
Example:
isi01-1# isi smb share create newshare /ifs/clustername/accesszonename/newshare
isi01-1# isi smb share permission modify newshare --wellknown Everyone -d allow -p full
isi01-1# isi smb share permission list newshare
Account  Account Type Run as Root Permission Type Permission
----------------------------------------------------------------
Everyone wellknown    False       allow           full
----------------------------------------------------------------
Total: 1
3. Now set the filesystem permissions. Right now they're just root/wheel POSIX, which will not do anyone much good. You have two options to set them.
Option #1
Set the permissions manually with chmod. Isilon enhanced the chmod syntax that exists natively in BSD to allow interaction with ACLs. Type 'man chmod' to see your options.
Option #2
Create an administratively hidden share one level up. Give some group, like AD or security admins, rights to it with run as root. Let them then set the rights at the folder one level deep using Windows Explorer. This may be an easier route for most AD Admins, because it uses tools that are familiar to them.
Example:
#creating the administratively hidden share, notice the dollar sign at the end, which hides it
isi01-1# isi smb share create accesszonename$ /ifs/clustername/accesszonename
#deleting the default everyone credential:
isi01-1# isi smb share permission delete accesszonename$ --wellknown Everyone
Are you sure you want to delete persona from accesszonename$? (yes/[no]): yes
#giving domain admins run-as-root access to the share
isi01-1# isi smb share permission create accesszonename$ --group="ninja\\domain admins" --run-as-root
#now they would connect to \\smartconnectzonename.domain.com\accesszonename$ and set the permissions on the folder newsharename
Anyway long answer, but I hope it helps,
~Chris Klosterman
Advisory Solution Architect
EMC Enablement Team
chris.klosterman@emc.com
twitter: @croaking
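Added example, not part of the post above and not OneFS code: a shell function that reads the "isi smb share permission list" output format shown in the thread and flags what this workflow makes worth reviewing, namely run-as-root entries, a run-as-root share whose name lacks the trailing $, and one that still carries the default Everyone entry. The sample listings are constructed, the layout of the group row is an assumption, and the finding labels are invented for the example.

```shell
# Added example: reads the text printed by
# `isi smb share permission list <share>` on stdin and prints review findings.
# Finding labels (RUN_AS_ROOT, ...) are made up for this example.
audit_share_perms() {
    awk -v share="$1" '
        # Skip the header row, separator rules, the Total line and blanks.
        ($1 == "Account" && $2 == "Account") || /^-+$/ || /^Total:/ || NF < 5 { next }
        {
            # Account names can contain spaces, so read the fixed
            # columns from the right and join whatever is left.
            perm = $NF; ptype = $(NF-1); rar = $(NF-2)
            acct = $1
            for (i = 2; i <= NF - 4; i++) acct = acct " " $i
            if (rar == "True") { root++; print share ": RUN_AS_ROOT " acct }
            if (acct == "Everyone" && ptype == "allow") {
                everyone++
                if (perm == "full") print share ": EVERYONE_FULL (filesystem ACL is the only control)"
            }
        }
        END {
            if (root && share !~ /\$$/) print share ": RUN_AS_ROOT_SHARE_NOT_HIDDEN"
            if (root && everyone) print share ": RUN_AS_ROOT_SHARE_STILL_HAS_EVERYONE"
        }'
}

# Constructed sample listings (columns as in the thread output; the group
# row is an assumption about how a run-as-root entry is displayed).
sample_newshare() {
    cat <<'EOF'
Account Account Type Run as Root Permission Type Permission
----------------------------------------------------------------
Everyone wellknown False allow full
----------------------------------------------------------------
Total: 1
EOF
}
sample_admin() {
    cat <<'EOF'
Account Account Type Run as Root Permission Type Permission
----------------------------------------------------------------
Everyone wellknown False allow read
NINJA\domain admins group True allow full
----------------------------------------------------------------
Total: 2
EOF
}
sample_newshare | audit_share_perms 'newshare'
sample_admin | audit_share_perms 'accesszonename$'
```

On a cluster the input would come from piping the real listing for each share into audit_share_perms with the share name as its argument.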