ScottPhelps

UNIX users denied access to files they just created?

UNIX users are getting access denied in response to files and folders that they just created on an Isilon NFS export, how can that be?


Accepted Solutions
ScottPhelps

Re: UNIX users denied access to files they just created?

What is happening is that the user doesn't have access to the files because they are not in the Windows groups that have been allowed access to the folder.  Confusion results because an NFS user, even if they are root, can't see the Windows ACL, but only the POSIX bits. 
If a folder has an ACL that contains both Windows ACEs and UNIX ACEs, by default ONLY the Windows ACEs will be inherited.  What that means is that UNIX users can create a file, but then not have access to the file they just created. 

If you run ls -al you can see what directories and files have an ACL applied.  A "+" sign indicates an ACL.  You can tell what ACEs are in the ACL by using the special flag on the ls command (ls -le) from the Isilon cluster command line.  The "-e" allows you to see all of the ACEs within an ACL.

To fix this problem, there is a button in the OneFS WebUI under:

Protocols / ACLs / ACL Policies that allows you to "make ACLs created on directories by UNIX chmod" inheritable.



0 Kudos
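
A helper for the `ls -al` check described in the answer above, added here as an example and not part of the original post: it reads a listing on stdin and reports the entries that carry the "+" ACL marker, so they can then be inspected with `ls -le`. The function names and the sample listing are constructed; it assumes the marker is either attached to the mode string or printed as its own field, and that owner and group names contain no spaces.

```shell
#!/bin/sh
# Added example (not from the original post): find entries flagged with the
# "+" ACL marker in `ls -al` output.
# Assumptions: the marker is either glued to the mode string ("drwxr-xr-x+")
# or printed as a separate field ("drwxr-xr-x +"); owner and group names
# contain no spaces, so the file name starts at a fixed field.

acl_entries() {
    awk '
        /^total / { next }                  # summary line, not an entry
        $1 !~ /^[-dlbcps]/ { next }         # first field is not a mode string
        {
            first = 9                       # field where the name starts
            if ($1 ~ /\+$/) {
                acl = 1                     # marker attached to the mode
            } else if ($2 == "+") {
                acl = 1; first = 10         # marker is its own field
            } else {
                acl = 0
            }
            if (!acl) next
            # Rebuild names that contain spaces.
            name = $first
            for (i = first + 1; i <= NF; i++) name = name " " $i
            kind = (substr($1, 1, 1) == "d") ? "dir" : "file"
            print kind "\t" name
        }
    '
}

# Constructed sample listing covering both marker layouts.
sample_listing() {
    cat <<'EOF'
total 12
drwxr-xr-x    4 root  wheel   512 Jan 10 09:00 .
drwxr-xr-x    9 root  wheel   512 Jan 10 08:00 ..
drwxrwxr-x +  2 alice staff   512 Jan 10 09:01 projects
-rw-r--r--    1 alice staff    40 Jan 10 09:02 notes.txt
-rwxrwx---+   1 alice staff    12 Jan 10 09:03 quarterly report.txt
EOF
}

# Real use: ls -al <directory> | acl_entries
sample_listing | acl_entries
```

For each directory it reports, `ls -le` shows which ACEs are present, which is where an ACL without inheritable UNIX ACEs becomes visible.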