Help. NFS exported folder inside SMB shared folder

Question

To give a little background on my situation. I work for a government agency that supports multiple other govt. agencies. Upon intial directory setup on our Isilon we decided to create a directory for each agency under ifs and place anything to be billed to the agencies in the agency folder. iFor example agency A "shared" directory would go into /ifs/AgencyA/shared. We would then create a SMB share named "AgencyA_shared" that points to the shared folder so when typing in \\smartzone_name you would see AgencyA_shared. In the meantime we also had requestes for NFS exports so we created /ifs/AgencyA/nfsexport1 and exported that as NFS. At this point there is no issue.

We then realized that once we get a large number of agency specific shared created we are going have a large number of shares of of the root of the smartconenct zone name. To keep from having such a large number of shares at the root, we decided to create the shares at the agency level and handle permissions on the folders inside the agency folders. So where before you had \\smartzone_name\AgencyA_shared you now have \\smartzone_name\Agency_A\shared. So, the probelm we have now created is that we have and NFS exported folder "nfsexport1" located inside of an SMB share "Agency_A". My suspiscion is that is that this is probably not a recommended practice. We have allowed "everyone" read access at the agency level so when a folder is created under neath it it inherits this security. The problem with that is that if that folder happens to be exported through NFS, SMB users can browse the directory and access files that are onthe NFS exported directory. I'm sure i dont have to tell you that is not a good thing.

I guess my question is how should I handle this? My thoughts are to create a seperate directory that will house NFS exports that cannot end up underneath an SMB share. For example. /ifs/AgencyANFS/

Any input is appreciated.

dynamox · Answer

did you also consider incorporating ABE (access based enumeration) and not create many shares for the same agency ?

dynamox · Answer

when we first purchased our cluster i went with this configuration:

/ifs/data/cifs/department1

/ifs/data/cifs/department2

/ifs/data/nfs/department1

/ifs/data/nfs/department2

i was concerned if i went with something like this:

/ifs/data/department1

/cifs

/nfs

and gave department access at "department1" level, they would try to "fix" cifs permissions and would break NFS access.

crklosterman · Answer

Of course it should go without saying to not test this in production.  The setting I suggested may not also meet your workflow needs, and is cluster-wide, hence the need to test in a non-production environment first.

dynamox · Answer

Chris, how do you add root and wheel to ACLs without overwriting ACLs ?

crklosterman · Answer

Ryan,

A good thread is available here on how best to layout a filesystem:

Isilon folder layout - /ifs/data usage

As to your multiprotocol issue, what you'll find is that of course the default behavior of POSIX permissions and ACLs are very different. This is specifically related to inheritance. Once a top level folder has an ACL, everything underneath it will inherit that ACL. In POSIX, this is different per distribution, but in general without a sticky bit POSIX does not inherit. To manage this disparity, your best bet (in general) is to either separate the folders that need to be NFS only from those that need to be SMB only. That's the cleanest approach. But to go multiprotocol, ACLs aren't supported over NFSv3, however Isilon will still check them, so you could add Root and Wheel back to the ACL for instance. But also be careful to set ACLs created on directories by UNIX chmod:

To:

Make them inheritable.

The reason for this is that you as an NFS user might write a file, and if the POSIX permissions on the top-level folder in an ACL aren't inherited down, you might not have access to write the file that you just created.

~Chris Klosterman

Senior Solution Architect

EMC Isilon Offer & Enablement Team

chris.klosterman@emc.com

ryan_meyers · Answer

Thank you for the reply. I wish I would have seen the link you attached before we ever created a directory on our Isilon. We created all of our agency folders in the root of ifs when in hindsight we should have created a folder similar to “ClusterA” in your example since we do in fact replicate to another location. Which in turn replicates back to this location. Fortuanetly we have not started putting anything other than replicated data on our remote side so I can at least create a “ClusterB” on that side before we do start using it.

As for my initial issue of how to handle the NFS exports I think I will create a second folder for each agency in /ifs that will be just for NFS shares. i.e ifs/personnel and ifs/personelnfs. Fortunatley we do not have very many created so far so it shouldn’t not be too painful reconfiguring them. I assuming I can just created the new directory and present it as an NFS Export and then just copy the data to the new location and mount the new export. Does this sound correct?

dynamox · Answer

yes, unix admins will need to change the path

ryan_meyers · Answer

Thank you for the reply. I wish I would have seen the link you attached before we ever created a directory on our Isilon. We created all of our agency folders in the root of ifs when in hindsight we should have created a folder similar to “ClusterA” in your example since we do in fact replicate to another location. Which in turn replicates back to this location. Fortuanetly we have not started putting anything other than replicated data on our remote side so I can at least create a “ClusterB” on that side before we do start using it.

As for my initial issue of how to handle the NFS exports I think I will create a second folder for each agency in /ifs that will be just for NFS shares. i.e ifs/personnel and ifs/personelnfs. Fortunatley we do not have very many created so far so it shouldn’t not be too painful reconfiguring them. I assuming I can just created the new directory and present it as an NFS Export and then just copy the data to the new location and mount the new export. Does this sound correct?

crklosterman · Answer

use chmod +ai from the cluster CLI.  Isilon has enhanced chmod to be able to modify ACLs, so for all the options, look at 'man chmod'.  Also to look at the existing ACLs, do an ls -le /path.

cincystorage · Answer

If you are still running and older version of OneFS you can use setfacl, but it is depreciated. In new versions you need to use chmod.

"chmod +a" will add an ACL to the top of the local allow and local deny lists.

"chmod +ai" will add inherited entires of the ACL

The correct form for an ACL order is:

local deny

local allow

inherited deny

inherited allow

If, for whatever reason, you need a specific order of ACLs you van use "chmod +a#" or "chmod +ai#" for inserting at a specific location.

To remove an ACL you can "chmod -a". If you need to remove all ACLs you can use a brute force option, "chmod -N or chmod -RN for recursive" which will delete all ACLs and write a null ACL.

I also have a script which will clone permissions (including ACLs) from a source file onto a target which you can find here. You can also use a PermissionRepairJob to do the same thing, but may be overkill if you need just a few files.

crklosterman · Answer

Mark, I use Komodo a Perl IDE when working with Perl. It suggested a few syntax tweaks to your script, so I've made them, and would like to send you the revised copy, if you want to reach out to me directly with your contact info. (nothing really major).

Chris Klosterman

chris.klosterman@emc.com

Isilon

Help. NFS exported folder inside SMB shared folder

Was this post helpful?