YCAH
1 Nickel

windows ACL - System user on Isilon, emcopy

Hello Everyone,

I am noticing an ACL on Windows data (shown below in picture) which resides on Isilon that has full control, and I am not sure if I am able to access the data using that account, although I log in to the server in which I am accessing the data using my own account but not the 'SYSTEM' account. I don't see any other groups or users which can provide permissions for me to access the data on the SMB share, and 'SYSTEM' is the only account that I have no idea about. There are no groups on the Windows share created on Isilon except Everyone with full control, and the permissions are actually managed with AD groups on files and folders.

Is this account a built-in account on Isilon? I did use the isi auth command but I can't find it on Isilon, or I might be using a wrong command?

Has anyone come across this before or have any idea how to figure this out? Please help me out.

Below is the output from the cluster

# isi auth mapping list --source-group=system
Type       Mapping
---------- -------
Name       SYSTEM
On-disk    None
Unix uid   None
Unix gid   None
SMB        None
NFSv4      None

# isi auth groups view --group=SYSTEM
Failed to find group for 'GROUP:SYSTEM': No such group

# isi auth mapping token --user=SYSTEM
Failed to map user 'SYSTEM': No such user

0 Kudos
4 Replies
johnsonka
2 Iron

Re: windows ACL - System user on Isilon, emcopy

Hello YCAH,

Thank you for your question! The SYSTEM account is something that is coming over from Windows. Can you let us know a few more things so we can better help you?

  • Which version of Windows are you looking at this on?
  • Which other system/server did you migrate this data from?
  • Which flags/options were used in EMCopy?
  • Is this the only file/directory with this permission set?

Can you also provide us with a full set of share permissions and file system level permissions for this path? Please let us know if there is anything else we can help you with!

0 Kudos
YCAH
1 Nickel

Re: windows ACL - System user on Isilon, emcopy


Hi Katie,

  • Which version of Windows are you looking at this on?  It's a 32-bit Win 2008 server.
  • Which other system/server did you migrate this data from?  The source is Isilon and the target is VNX, and it's all Windows data.
  • Which flags/options were used in EMCopy?

emcopy S:\ T:\  /c /o /a /secfix /s /de /r:0 /w:1 /preserveSIDh /purge /log:dirlog1.txt

  • Is this the only file/directory with this permission set?  The picture that I pasted is from the source directory, Isilon. Apart from the SYSTEM account, I see 'CREATOR OWNER' with full control and a couple of AD groups which do not belong to the storage team.
  • The permissions on the share are just 'Everyone' with full control, and the AD groups are added only at file level but not at share level.
0 Kudos
johnsonka
2 Iron

Re: windows ACL - System user on Isilon, emcopy

Hello,

The ACLs that you are seeing are coming from the Windows OS. For the most part, they could be removed as they are primarily used when you have a standalone Windows installation. I would caution against removing anything that pertains to CREATOR_OWNER as they may impede access to users' files.

Additionally, a NAS platform will ignore these ACLs as they are meant for Windows. They will be ignored on the cluster and I expect the same would be true on a platform such as VNX.

As for any AD groups added to the permission set, I cannot speak to these if they are not also present on the cluster. Do you see the other AD groups in the permission set on the cluster?

0 Kudos
YCAH
1 Nickel

Re: windows ACL - System user on Isilon, emcopy

The AD groups are not defined on the cluster. The Windows server that I am using is not a standalone Windows installation. I don't see the 'SYSTEM' account present on all the shares that are mapped to the Windows server I am using; not sure why it appears only in one particular share.

0 Kudos
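
A read-only way to check where the SYSTEM and CREATOR OWNER entries discussed in this thread actually sit, and whether each one is set explicitly or inherited from a parent folder. This is an added example, not part of the original posts or of any Isilon or EMCopy tooling; it assumes PowerShell 3.0 or later on the Windows client, the `S:\` drive letter from the emcopy command above, and a hypothetical `-Depth` parameter for how many folder levels to inspect.

```powershell
# Added example: report ACEs for Windows well-known principals under a mapped share.
# Read-only: it only calls Get-Acl and never modifies permissions.
param(
    [string]$Root  = 'S:\',  # assumption: source drive letter taken from the emcopy command
    [int]   $Depth = 2       # assumption: number of folder levels below $Root to inspect
)

# Well-known SIDs are the same on every Windows system, so matching on the SID
# does not depend on the NAS or the domain being able to resolve the name.
$WellKnown = @{
    'S-1-5-18' = 'NT AUTHORITY\SYSTEM'
    'S-1-3-0'  = 'CREATOR OWNER'
    'S-1-1-0'  = 'Everyone'
}

function Get-FolderTree {
    # Emit $Path and its sub-folders down to $Level levels.
    param([string]$Path, [int]$Level)
    $Path
    if ($Level -gt 0) {
        Get-ChildItem -LiteralPath $Path -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object { Get-FolderTree -Path $_.FullName -Level ($Level - 1) }
    }
}

function Get-WellKnownAce {
    # Return one object per ACE on $Path whose trustee is a well-known SID.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # unreadable ACL: skip this folder
    # Request explicit and inherited rules with trustees as raw SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($WellKnown.ContainsKey($sid)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $WellKnown[$sid]
                Rights    = $rule.FileSystemRights
                Type      = $rule.AccessControlType
                Inherited = $rule.IsInherited   # False = set directly on this folder
            }
        }
    }
}

Get-FolderTree -Path $Root -Level $Depth |
    ForEach-Object { Get-WellKnownAce -Path $_ } |
    Sort-Object Path, Principal |
    Format-Table -AutoSize
```

Rows with `Inherited` set to `False` mark the folders where the entry was applied directly, which is the place to look when the entry shows up on one share but not on others.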