300 Posts
1
12033
Taking ownership on a folder without any ACLs
Hi everyone,
I am running an Isilon cluster on OneFS 7.0.2.7 in a Windows-only environment (the cluster is set up for Windows only).
It now happened that someone removed all ACLs on a folder. Normally I am able to restore this by taking ownership of the folder and subfolders, setting new ACLs, and the work is done. But the Isilon prompts me with "Access denied" while trying to get the ownership. I have full access on the top folder.
I tried it with Windows Explorer and "Setacl.exe" - both with the same error.
A) Why does take ownership not work? (This did work with a Celerra and on any Windows host.)
B) Is there a way to set ACLs from the CLI?
C) Do the POSIX rights affect the folder? So would a chmod 777 on the folder give me a possibility to take ownership / change ACLs?
A possible solution to restore the folder would be to remove it via CLI (rm -rf /ifs/fu/bar) and restore it from a snapshot - but this can't be the thing.
Thanks in advance
chughh
122 Posts
2
May 20th, 2014 01:00
You can try the permission repair job in Isilon and clone permissions from a source path to the target path; this job will copy all permissions from the source to the target path.
dynamox
20.4K Posts
0
May 20th, 2014 04:00
I take ownership first and then use Windows Explorer to fix the ACLs:
chown -R -s MYDOMAIN\\myaccount
This will set folder ownership to my AD account; it's recursive.
sluetze
300 Posts
0
May 20th, 2014 04:00
Hi dynamox,
this did not fix it in our (Windows-only) environment. The ownership on the folders was set to domain\user1, and user1 was unable to access / fix the ACLs via Windows Explorer.
sluetze
300 Posts
0
May 20th, 2014 04:00
This is a fix to resolve the issue - but why is it only working with internal commands? Why does take ownership over Windows Explorer not work? Is it not supported?
chughh
122 Posts
0
May 20th, 2014 05:00
From the Isilon cluster web UI, in the protocol tab, select ACL, check the settings below and change them to make them inheritable, and then try from Windows Explorer.
ACLs created on directories by UNIX chmod:
Group owner inheritance:
sluetze
300 Posts
0
May 20th, 2014 12:00
Hi chughh,
we will try to verify this in our lab. Thanks for the input.
Best Regards
Steffen
From: chughh
Sent: Tuesday, 20 May 2014 14:09
To: Luetzenkirchen, Steffen
Subject: Re: - Taking ownership on a folder without any ACLs
sluetze
300 Posts
0
July 24th, 2014 07:00
Hi chughh,
sorry for the late reply. The settings were already set as stated. It doesn't work anyway.
My current workaround is using the permission repair job with a generic folder as source to gain access to the affected folder and create new ACLs afterwards.
colemd4
2 Posts
1
November 6th, 2014 16:00
Hi sluetze,
A little late here, but I hope it is helpful for future viewers/site visitors.
A) why does take ownership not work? <-- To allow ownership change for Windows clients over SMB, you need to allow the user making the change "run-as-root" in the SHARE level permissions list.
To view current share level permissions, run:
isi smb permissions list --sharename=myshare (6.5.5.x)
isi smb shares permission view (7.0+)
To modify share level permissions for run-as-root, run:
isi smb permissions create --sharename=myshare -p run-as-root (6.5.5.x)
isi smb shares permission modify myshare --name=CORP\\myuser --run-as-root=yes (7.0 +)
If you are still having difficulty, check whether you are part of the Administrators group or the Backup Operators group; if not, then you can only change ownership of any filesystem object to:
1) Yourself
2) Administrators group
This is something which needs to be enabled on the Windows side (it's a conscious security restriction).
B) is there a way to set ACLs from the CLI? The documentation is listed in the man chmod page (about 3/4 of the way down) which defines each ACE, here is a quick example of the syntax usage:
chmod +a user "CORP\mylogin" allow dir_gen_all,object_inherit,container_inherit /ifs/data/path/to/folder/or/file.txt
If you are adding an ACE for a domain user, then you will need to either put quotes around the name OR escape the backslash character.
Otherwise, if you are referring to PowerShell, then it gets more complicated:
The standard way is to define a variable by pulling an ACL from an object which has the ACLs you want defined:
PS C:\>$Acl = Get-Acl "C:\Folder_B"
PS C:\>Set-Acl "C:\Folder_A" $Acl
Then, with the variable defined, apply it to the object you would like to change:
PS C:\>New-Item -type directory -path C:\MyFolder
PS C:\>$Acl = Get-Acl "C:\MyFolder"
PS C:\>$Ar = New-Object system.security.accesscontrol.filesystemaccessrule("username","FullControl","Allow")
PS C:\>$Acl.SetAccessRule($Ar)
PS C:\>Set-Acl "C:\MyFolder" $Acl
This can take some getting used to...
C) do the POSIX rights affect the folder? <--- Only if Synthetic ACLs are in use. It is one or the other, and OneFS makes the translation; for instance, if you are using ACLs, OneFS will translate the ACLs to POSIX mode bits to allow communication with Unix-like clients.
so would a chmod 777 on the folder give me a possibility to take ownership / change acls? <-- Please see the reply to question A
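The following is an added example, not code from any of the posts above: a PowerShell sketch that walks a share to find directories left with no ACEs (the situation this thread describes) and then adds an inheritable full-control ACE in the Get-Acl/Set-Acl style shown in the last reply. The share path `\\cluster\share\projects` and the group `CORP\storage-admins` are constructed placeholders, and the repair step assumes the caller already owns the folder (for example after the cluster-side chown mentioned earlier in the thread).

```powershell
# Added example; the UNC path and principal are constructed placeholders.

function Find-EmptyDacl {
    # Report directories whose DACL has no ACEs, or whose descriptor cannot be read.
    param([Parameter(Mandatory)][string]$Root)
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        try {
            $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop
            if ($acl.Access.Count -eq 0) {
                # Readable but empty: typically the caller is the owner.
                [pscustomobject]@{ Path = $dir.FullName; Owner = $acl.Owner; State = 'EmptyDacl' }
            }
        } catch {
            # Usually access denied: the caller is not the owner and no ACE grants read access.
            # Other errors (path vanished, network) land here too, so check these by hand.
            [pscustomobject]@{ Path = $dir.FullName; Owner = $null; State = 'Unreadable' }
        }
    }
}

function Add-InheritableFullControl {
    # Add one explicit Allow ACE that propagates to subfolders and files.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Principal
    )
    $acl  = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Principal, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Audit first and review the list before changing anything.
$damaged = @(Find-EmptyDacl -Root '\\cluster\share\projects')
$damaged | Format-Table -AutoSize

# Repair only the folders the caller can already read (i.e. owns).
$damaged | Where-Object State -eq 'EmptyDacl' | ForEach-Object {
    Add-InheritableFullControl -Path $_.Path -Principal 'CORP\storage-admins'
}
```

Folders reported as `Unreadable` are the ones that still need an ownership change before any ACL can be written from the Windows side.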