July 24th, 2017 12:00
Adding local access zone user to folder permissions
Hello guys/gals,
I have an application that has to use a local account created on Isilon. I want this application to connect to a specific access zone, so I created this local account within that access zone under the LOCAL provider.
I then used Windows Explorer to create a folder inside of that access zone and now I am trying to grant this local account Full permissions to the folder. I have tried numerous combinations but none of them seem to be able to find the local account. I tried:
clustername\myaccount
access zonename\myaccount
smartconnect zonename\myaccount
No dice. Any suggestions, do I have to use the CLI?
Note: this cluster is joined to Active Directory. Provider LOCAL:zonename is listed as the Authentication provider for that access zone.
Thank you
dynamox
July 25th, 2017 07:00
Specifying clustername\localaccount is the same thing as going to Location and changing it there. Neither option allows it to find the local account.
Peter_Sero
July 25th, 2017 07:00
Thought of explicitly using a SID?
Either the one generated by the cluster for the local user,
or the well-known generic S-1-3-0 for Creator-Owner.
-- Peter
dynamox
July 25th, 2017 07:00
I am trying to set folder permissions in Windows Explorer, not share permissions in the Isilon WebUI.
crklosterman
July 25th, 2017 08:00
Yes you can:
Each access zone has its own local auth provider:
isilon3-1# mkdir /ifs/zone2
isilon3-1# isi zone zones create zone2 /ifs/zone2
isilon3-1# isi zone zones view zone2
Name: zone2
Path: /ifs/zone2
Groupnet: groupnet0
Map Untrusted: -
Auth Providers: lsa-local-provider:zone2
NetBIOS Name: -
User Mapping Rules: -
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Cache Entry Expiry: 4H
Zone ID: 2
isilon3-1# isi auth user create localuser2 --enabled true --password abcd --zone=zone2
isilon3-1#
dynamox
July 25th, 2017 08:00
Chris,
the local account you created is in the System zone. Can you create one in another access zone and perform the same steps?
crklosterman
July 25th, 2017 08:00
Personally I'd set the filesystem permissions on the empty folder from the CLI. Isilon enhanced chmod in OneFS to interact with ACLs. For details on the exact syntax just do 'man chmod'.
I ran through all the steps you'd need for something like this. Hope it helps (see below):
isilon3-1# isi auth user create localuser1 --enabled true --password abcd --zone system
isilon3-1# isi auth user view localuser1
Name: localuser1
DN: CN=localuser1,CN=Users,DC=ISILON3
DNS Domain: -
Domain: ISILON3
Provider: lsa-local-provider:System
Sam Account Name: localuser1
UID: 2000
SID: S-1-5-21-3876962227-3662236066-2290214838-1000
Enabled: Yes
Expired: No
Expiry: -
Locked: No
Email: -
GECOS: -
Generated GID: No
Generated UID: No
Generated UPN: Yes
Primary Group
ID: GID:1800
Name: Isilon Users
Home Directory: /ifs/home/localuser1
Max Password Age: 4W
Password Expired: No
Password Expiry: 2017-08-22T16:46:46
Password Last Set: 2017-07-25T16:46:46
Password Expires: Yes
Shell: /bin/zsh
UPN: localuser1@ISILON3
User Can Change Password: Yes
isilon3-1# mkdir /ifs/application
isilon3-1# chown 2000:1800 /ifs/application
isilon3-1# chmod +a user localuser1 allow generic_all,object_inherit,container_inherit /ifs/application
isilon3-1# isi smb share create application /ifs/application
isilon3-1# isi smb share permission create application localuser1 -d allow -p full --zone system
isilon3-1# isi smb share permission list application
Account Account Type Run as Root Permission Type Permission
------------------------------------------------------------------
Everyone wellknown False allow read
localuser1 user False allow full
------------------------------------------------------------------
Total: 2
isilon3-1# isi smb share permission delete application --wellknown Everyone
Are you sure you want to delete persona from application? (yes/[no]): yes
---DONE---
~Chris
dynamox
July 25th, 2017 09:00
Chris,
how do I display the UID of an account that resides inside of an access zone from the CLI? When I look at my local account in the WebUI, it has UID 2000, so I tried to use that in my chmod command. Well, UID 2000 is also assigned to a local account in the System zone and that's what actually got set.
AdamFox
July 25th, 2017 09:00
Of course, if you just want to display the UID based on the name, you could just use isi auth users --name=X --provider=Y --zone=Z
AdamFox
July 25th, 2017 09:00
If you're running a FreeBSD command like 'ls' (as opposed to an isi command that has a --zone flag), you can use the isi_run command to run the command within the context of a particular access zone. It requires the numeric zone ID. So for the above example where the zone ID is 2 you could run:
# isi_run -z 2 ls -led /ifs/my/path/file.txt
This will cause the ls command to use the authentication providers in zone 2 rather than the System zone.
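An added example, not from any poster in this thread, tying the two answers above to the UID collision dynamox ran into: each zone's lsa-local-provider hands out UIDs from the same range, so a bare "2000" in chown/chmod lands on whichever account the System zone resolves. The script parses the `isi zone zones view` and `isi auth user view` output formats shown earlier, refuses an account that did not come from the zone's own provider, and builds the chmod from Chris's reply wrapped in Adam's `isi_run -z <zone id>` so the user name resolves in that zone. The sample outputs are constructed; the `--zone` flag on `isi auth user view` is assumed by analogy with the `create` command shown above.

```shell
#!/bin/sh
# Constructed samples in the format of the thread's 'isi zone zones view'
# and 'isi auth user view' output (not real cluster data).
SAMPLE_ZONE='           Name: zone2
           Path: /ifs/zone2
 Auth Providers: lsa-local-provider:zone2
        Zone ID: 2'
SAMPLE_USER='           Name: localuser2
       Provider: lsa-local-provider:zone2
            UID: 2000
            SID: S-1-5-21-1111111111-2222222222-3333333333-1001'
SAMPLE_SYSTEM_USER='           Name: localuser1
       Provider: lsa-local-provider:System
            UID: 2000
            SID: S-1-5-21-3876962227-3662236066-2290214838-1000'

# field LABEL OUTPUT: print the value after "LABEL:" regardless of indentation.
field() { printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"; }

# zone_user_check ZONE USER_VIEW_OUTPUT: succeed only when the account was
# resolved by ZONE's own local provider and print its SID, which is unique per
# provider (the numeric UID is not). Fails, printing nothing, for a System
# zone account that merely shares the UID.
zone_user_check() {
  [ "$(field Provider "$2")" = "lsa-local-provider:$1" ] || return 1
  field SID "$2"
}

# acl_cmd ZONE ZONE_VIEW_OUTPUT USER USER_VIEW_OUTPUT DIR: build the chmod
# that grants USER full control with inheritance, run inside ZONE's auth
# context. isi_run needs the numeric Zone ID, so it is read from the zone view.
acl_cmd() {
  zone_user_check "$1" "$4" >/dev/null || return 1
  zid=$(field 'Zone ID' "$2")
  [ -n "$zid" ] || return 1
  printf 'isi_run -z %s chmod +a user %s allow generic_all,object_inherit,container_inherit %s\n' \
    "$zid" "$3" "$5"
}

# On a cluster (assumed --zone flag on 'isi auth user view'):
#   acl_cmd zone2 "$(isi zone zones view zone2)" localuser2 \
#     "$(isi auth user view localuser2 --zone=zone2)" /ifs/zone2/application | sh
```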
dynamox
July 25th, 2017 10:00
Adam,
does this syntax work in 8.x? It's complaining about "unknow option name".
dynamox
July 25th, 2017 19:00
Adam,
When I create a local account within my access zone and select provider "LOCAL:system", I am able to connect to the share with that account. When I use provider "LOCAL:myzonename", I am not able to connect to the share; it keeps prompting for credentials.
When I look at my access zone, LOCAL:myzonename is listed in the list of authentication providers.
When I run isi_run -z 1 ls -led foldername, the LOCAL:system account is listed by its name, whereas the account created under LOCAL:myzonename is listed by its UID.
Any thoughts on what I am doing wrong?
Thank you
Phil.Lam
July 25th, 2017 22:00
dynamox,
Use the explicit UPN username.
From Chris's example:
UPN: localuser1@ISILON3
dynamox
July 26th, 2017 03:00
Phil,
that does not work, it keeps prompting to authenticate.
Phil.Lam
July 26th, 2017 10:00
dynamox,
Is the local provider listed under Auth Providers? Please give the output of # isi zone zones view MyZoneName
example:
# isi zone zones view MyZoneName
Name: MyZoneName
Path: /ifs/MyZoneName
Groupnet: groupnet0
Map Untrusted: -
Auth Providers: lsa-local-provider:MyZoneName
NetBIOS Name: -
User Mapping Rules:
Home Directory Umask: 0077
Skeleton Directory: /usr/share/skel
Cache Entry Expiry: 4H
Zone ID: 1
#
Brian_Coulombe_
July 28th, 2017 05:00
Glad you got it sorted out, Dynamox. I've found with Isilon that when I apply permissions in the GUI, Isilon does not apply them immediately (or sometimes never). I find myself running chmod commands.
I have a 3-node test cluster on 8.0.1.1, so I can run some tests here for you. Since you're on our approved version (8.0.0.4) it should work.
Also, if you're doing any SNMP alerting, you might want to reach out to me. The new 9-digit codes work well, but I've found it doesn't in 8.0.0.4, only in 8.0.1.X versions. Long story.