POSIX Home directory inaccessible to one user
Hello,
We have an Isilon system that is providing home directories via SMB and also NFS automounts to a few Red Hat servers. User mapping is working for everyone and our usernames match between AD and LDAP.
We have many users who can access their home directories via SMB or when logging in to one of the Linux hosts by SSH, except one guy. The closest I can get him to functioning correctly is to add the ACLs with the chmod +a command, but that breaks his SSH shared keys.
When I compare permissions from a working user to the broken one, the only difference I can find is that the working home directories are typically owned by the Domain user but only have POSIX permissions. The broken homedir is owned by the LDAP user. I am not certain that this is the problem.
Adding the Domain user as the directory owner automatically adds ACLs and makes the POSIX permissions appear as 770 with the + sign even though they do not behave that way on the NFS client. This breaks the SSH shared keys because the POSIX permissions on the homedir appear as 770 (prefer 700). Removing the ACLs with chmod -b 700 breaks SMB access.
I have had this user try different Windows clients to make sure it was not his machine and have recreated his homedir but no luck.
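The SSH symptom in the post above matches the ownership and mode test that OpenSSH's sshd applies when StrictModes is enabled, sketched here as an added example that is not part of the original thread. It works only from the stat() mode bits the client reports, so a home directory that shows as 770 is rejected whatever the ACL actually grants; the function names and the temporary test directory are constructed for illustration.

```python
import os
import stat
import tempfile

def strictmodes_problems(home, uid, key_rel=".ssh/authorized_keys"):
    """List (path, reason) findings for the key file and every directory
    from it up to the home directory, mirroring the sshd StrictModes rule:
    owner must be the user or root, and no group/world write bit."""
    problems = []
    home = os.path.realpath(home)
    path = os.path.realpath(os.path.join(home, key_rel))
    while True:
        st = os.stat(path)
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid not in (0, uid):
            problems.append((path, "owner uid %d is neither the user nor root" % st.st_uid))
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((path, "mode %04o is group- or world-writable" % mode))
        if path == home:
            break
        parent = os.path.dirname(path)
        if parent == path:  # reached / without passing through home
            break
        path = parent
    return problems

def demo(home_mode):
    """Build a constructed home directory with the given mode and check it."""
    with tempfile.TemporaryDirectory() as home:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o700)
        keys = os.path.join(ssh_dir, "authorized_keys")
        with open(keys, "w") as fh:
            fh.write("ssh-ed25519 AAAA-constructed-sample user@example\n")
        os.chmod(keys, 0o600)
        os.chmod(home, home_mode)
        root = os.path.realpath(home)
        found = strictmodes_problems(home, os.getuid())
        return [(os.path.relpath(p, root), why) for p, why in found]

if __name__ == "__main__":
    for mode in (0o700, 0o770):
        print("%04o ->" % mode, demo(mode) or "ok")
```

Running `strictmodes_problems` on the NFS client against the affected home directory shows which path component sshd would refuse.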
Peter_Sero
December 13th, 2019 04:00
Double-check whether the mapping for this user is actually working.
Maybe it only appears to be in place due to some "lucky" circumstances.
Helpful reading:
https://www.dellemc.com/resources/en-us/asset/white-papers/products/storage/h12417-wp-isilon-onefs-user-mapping.pdf
https://www.dellemc.com/resources/en-us/asset/white-papers/products/storage/h13115-wp-emc-isilon-onefs-multiprotocol-security-untangled.pdf
https://www.dellemc.com/en-us/collaterals/unauth/technical-guides-support-information/products/storage-5/docu63137.pdf
hth
-- Peter
frndrfoe
February 14th, 2020 12:00
Thanks Peter,
It turned out to be a mapping issue. I am not sure how it developed, because we set up the mapping at initial install, but it seems to have gone missing. DOM\* &= *