yogad

78 Posts

5938

September 17th, 2015 20:00

windows ACL - System user on Isilon, emcopy

Hello Everyone,

I am noticing an ACL on windows data (shown below in picture) which resides on Isilon that has full control and i am not sure if i am able to access the data using that account although i log in to the server in which i am accessing the data using my own account but not 'SYSTEM' account. I dont see any other groups or users which can provide permissions for me to access the data on smb share and 'SYSTEM' is the only account that i have no idea about. There are no groups on windows share created on Isilon except everyone with full control and the permissions are actually managed with AD groups on files and folders.

Is this account an built account on Isilon ? I did use isi auth command but i cant find it on Isilon or i might be using a wrong command ?

Has anyone come across this before or any idea how to figure this out, please help me out

Below is the output from the cluster

# isi auth mapping list --source-group=system

Type Mapping

---------- ---------------------------------------------------------------------------------------------------------------------------------------------------------

Name SYSTEM

On-disk None

Unix uid None

Unix gid None

SMB None

NFSv4 None

# isi auth groups view --group=SYSTEM

Failed to find group for 'GROUP:SYSTEM': No such group

# isi auth mapping token --user=SYSTEM

Failed to map user 'SYSTEM': No such user

Responses(4)

johnsonka

130 Posts

0

September 18th, 2015 10:00

Hello YCAH ,

Thank you for your question! The SYSTEM account is something that is coming over from Windows, can you let us know a few more things so we can better help you?

Which version of Windows are you looking at this on?
Which other system/server did you migrate this data from?
Which flags/options were used in EMCopy?
Is this the only file/directory with this permission set?

Can you also provide us with a full set of share permissions and file system level permissions for this path? Please let us know if there is anything else we can help you with!

yogad

78 Posts

0

September 19th, 2015 12:00

Hi Katie,

Which version of Windows are you looking at this on? Its a 32-bit Win 2008 server.
Which other system/server did you migrate this data from? The source is Isilon and target is VNX and its all windows data
Which flags/options were used in EMCopy?

emcopy S:\ T:\ /c /o /a /secfix /s /de /r:0 /w:1 /preserveSIDh /purge /log:dirlog1.txt

Is this the only file/directory with this permission set? The picture that i pasted is from source directory, Isilon. Apart from SYSTEM account, i see 'CREATOR OWNER' with full control and couple of AD groups which does not belong to storage team
The permissions on the share are just 'everyone' with full control and the AD groups are added only at file level but not at share level

johnsonka

130 Posts

0

September 22nd, 2015 11:00

Hello,

The ACLs that you are seeing are coming from the Windows OS. For the most part, they could be removed as they are primarily used when you have a standalone Windows installation. I would caution removing anything that pertains to CREATOR_OWNER as they may impede access to users files.

Additionally, a NAS platform will ignore these ACLs as they are meant for Windows. They will be ignored on the cluster and I expect the same would be true on a platform such as VNX.

As for any AD groups added to the permission set, I cannot speak to these if they are not also present on the cluster. Do you see the other AD groups in the permission set on the cluster?

yogad

78 Posts

0

September 26th, 2015 17:00

The AD groups are not defined on cluster. THe windows server that i am using is not a standalone windows installation. I dont see 'SYSTEM' account present on all the shares that are mapped to the windows server i am using, not sure why it appears only in one particular share

View All

No Events found!