sjogrd
5 Posts
0
September 10th, 2015 08:00
Hello bhuvankumar
In summary of the issue, two shares are created as such:
1) inform -> share points to this folder /ifs/Crep/Inform giving domain\IT-Info full access
2) inform_access -> share points to this folder /ifs/Crep/Inform/Access/%U giving everyone read-write access
The issue is when a user TOM enters the share "inform_access" the TOM folder is created (the %U is working okay) with correct user permissions applied for TOM, but the permissions for domain\IT-Info user are not inherited as expected from the parent folders.
I was able to repro this with success. Here is how I set this up:
Created users dave and ituser to start with on a cluster running 7.2.
Then created the base share named INFORM:
Next created the embedded share INFORM_ACCESS:
I gave the following rights on the inform folder:
V72-1# ls -led /ifs/data/zone1/inform
drwxrwx--- + 3 root wheel 24 Sep 8 14:44 /ifs/data/zone1/inform
OWNER: user:root
GROUP: group:wheel
0: creator_owner allow generic_all,object_inherit,container_inherit,inherit_only
1: user:ituser allow generic_all,object_inherit,container_inherit
2: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
3: group:wheel allow dir_gen_read,dir_gen_execute
Note: The following command will give rights to the current folder and to all folders after, so inform and access folders are both taken care of:
chmod -R +a user ituser allow generic_all,object_inherit,container_inherit /ifs/data/zone1/inform
Following that I gave these rights on the access folder:
V72-1# ls -led /ifs/data/zone1/inform/access
drwxrwxrwx + 4 root wheel 42 Sep 9 09:21 /ifs/data/zone1/inform/access
OWNER: user:root
GROUP: group:wheel
0: user:ituser allow generic_all,object_inherit,container_inherit
1: everyone allow generic_all,object_inherit,container_inherit
2: user:root allow dir_gen_read,dir_gen_write,dir_gen_execute,std_write_dac,delete_child
3: group:wheel allow dir_gen_read,dir_gen_execute
I now accessed the share as user "dave" using a Unix smbclient:
xxx@xxx-PowerEdge-T110 ~ $ smbclient //172.16.17.20/inform_access -U=dave
Enter dave's password:
This auto-created the new folder named "dave" via the %U share option for variable expansion, with the required ace for "ituser" inherited:
V72-1# ls -led /ifs/data/zone1/inform/access/dave
drwxrwxrwx + 3 dave Isilon Users 27 Sep 9 09:23 /ifs/data/zone1/inform/access/dave
OWNER: user:dave
GROUP: group:Isilon Users
CONTROL:dacl_auto_inherited,sacl_auto_inherited
0: user:dave allow generic_all
1: group:Isilon Users allow std_read_dac,std_synchronize,dir_read_attr
2: everyone allow generic_all
3: user:ituser allow inherited generic_all,object_inherit,container_inherit,inherited_ace
4: everyone allow inherited generic_all,object_inherit,container_inherit,inherited_ace
After that I logged in as "ituser" and had access to all folders:
xxx@xxx-PowerEdge-T110 ~ $ smbclient //172.16.17.20/inform -U=ituser
Enter ituser's password:
Domain=[V72-1] OS=[Unix] Server=[Isilon OneFS]
smb: \> ls
access D 0 Wed Sep 9 10:52:02 2015
smb: \> cd access
smb: \access\> ls
dave D 0 Wed Sep 9 09:23:44 2015
smb: \access\> cd dave
smb: \access\dave\> ls
newfolder D 0 Wed Sep 9 09:25:13 2015
Here is the document used to set this up: MANAGING SMB SHARES AND USER HOME DIRECTORIES IN EMC ISILON ONEFS 6.5 AND LATER
https://support.emc.com/docu51121_Managing-SMB-Shares-Using-Isilon-OneFS.pdf?language=en_US
The major differences between the posted issue and the repro are -- I gave full permissions to everyone on the share inform_access and used generic_all for folder/file permissions.
I would also note the following red ace entries on the folders may not be required:
isi:# ls -led /ifs/Crep/Inform/
drwxrwxr-x + 20 root wheel 819 May 28 14:34 /ifs/Crep/Inform/
OWNER: user:root
GROUP: group:wheel
CONTROL:dacl_auto_inherited,sacl_auto_inherited,dacl_protected
0: group:Users allow dir_gen_all,object_inherit,container_inherit
1: everyone allow dir_gen_read,dir_gen_execute
2: creator_owner allow dir_gen_all,object_inherit,container_inherit,inherit_only
3: group:domain\IT-Info allow dir_gen_all,object_inherit,container_inherit
4: group:Administrators allow dir_gen_all,object_inherit,container_inherit
isi:# ls -led /ifs/Crep/Inform/Access (shared)
drwxrwxr-x + 43 root wheel 1093 Sep 8 09:30 /ifs/Crep/Inform/Access (shared)
OWNER: user:root
GROUP: group:wheel
CONTROL:dacl_auto_inherited,sacl_auto_inherited
0: everyone allow dir_gen_read,dir_gen_execute
1: group:domain\IT-Info allow dir_gen_all,object_inherit,container_inherit
2: group:Users allow dir_gen_all,object_inherit,container_inherit
3: user:domain\dcon60 allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,object_inherit,container_inherit,inherited_ace
4: user:root allow inherited dir_gen_all,inherited_ace
5: creator_owner allow inherited dir_gen_all,object_inherit,container_inherit,inherit_only,inherited_ace
6: group:domain\IT-Info allow inherited dir_gen_all,object_inherit,container_inherit,inherited_ace
7: group:Administrators allow inherited dir_gen_all,object_inherit,container_inherit,inherited_ace
8: group:Users allow inherited std_synchronize,add_file,add_subdir,container_inherit,inherited_ace
9: group:Users allow inherited dir_gen_read,dir_gen_execute,object_inherit,container_inherit,inherited_ace
Note: this command would give everyone full access on the folder above:
chmod +a everyone allow generic_all /ifs/Crep/Inform/Access
Use the command man chmod to read about the difference between the dir_gen_all and generic_all permissions.
bhuvankumar
1 Rookie
31 Posts
0
September 11th, 2015 06:00
Hi David,
Thank you for the detailed explanation. I tried the solution by adding generic_all to everyone with the options below, but it throws an error and adds it as dir_gen_all:
isi:/ifs/CORP_DATA/Infosec/Evidence (Shared) # chmod -R +a# 3 everyone allow generic_all,object_inherit,container_inherit /ifs/CORP_DATA/Infosec/Evidence\ \(Shared\)/
chmod: A new entry can't be created at position: 3: Invalid argument
chmod: acl_create_entry() failed: Invalid argument
chmod: A new entry can't be created at position: 3: Invalid argument
chmod: acl_create_entry() failed: Invalid argument
chmod: A new entry can't be created at position: 3: Invalid argument
chmod: acl_create_entry() failed: Invalid argument
chmod: A new entry can't be created at position: 3: Invalid argument
chmod: acl_create_entry() failed: Invalid argument
isi:/ifs/CORP_DATA/Infosec/Evidence (Shared) # ls -led /ifs/CORP_DATA/Infosec/Evidence\ \(Shared\)/
drwxrwxrwx + 47 NA\csan1928 NA\domain users 1204 Sep 11 08:08 /ifs/CORP_DATA/Infosec/Evidence (Shared)/
OWNER: user:NA\csan1928
GROUP: group:NA\domain users
CONTROL:dacl_auto_inherited,sacl_auto_inherited
0: group:Administrators allow dir_gen_all,object_inherit,container_inherit
1: group:NA\000-it-information security allow dir_gen_all,object_inherit,container_inherit
2: creator_owner allow inherited dir_gen_all,object_inherit,container_inherit,inherit_only,inherited_ace
3: everyone allow dir_gen_all,object_inherit,container_inherit
When I check the folders inside the path, some became 775 and some are at 770, where everyone is not inherited.
Everyone not inherited:
drwxrwx--- + 2 NA\jjef8591 NA\domain users 0 Sep 10 17:58 /ifs/CORP_DATA/Infosec/Evidence (Shared)/jjef8591
OWNER: user:NA\jjef8591
GROUP: group:NA\domain users
CONTROL:dacl_auto_inherited,sacl_auto_inherited,dacl_protected
0: group:NA\000-it-information security allow dir_gen_all,object_inherit,container_inherit
1: user:NA\jjef8591 allow dir_gen_all,object_inherit,container_inherit
Everyone inherited:
drwxrwxrwx + 2 NA\csan1928 NA\domain users 139 Aug 12 15:48 /ifs/CORP_DATA/Infosec/Evidence (Shared)/tgri0115
OWNER: user:NA\csan1928
GROUP: group:NA\domain users
CONTROL:dacl_auto_inherited,sacl_auto_inherited
0: group:Administrators allow dir_gen_all,object_inherit,container_inherit
1: group:NA\000-it-information security allow dir_gen_all,object_inherit,container_inherit
2: group:Administrators allow inherited dir_gen_all,object_inherit,container_inherit,inherited_ace
3: everyone allow dir_gen_all,object_inherit,container_inherit
4: group:NA\000-it-information security allow inherited dir_gen_all,object_inherit,container_inherit,inherited_ace
5: creator_owner allow inherited dir_gen_all,object_inherit,container_inherit,inherit_only,inherited_ace
bhuvankumar
1 Rookie
31 Posts
0
September 11th, 2015 06:00
I have modified the access as you said.
Interestingly, after modifying the security group "000-it-information security" to use generic_all, it was applied as dir_gen_all, and in the GUI I see the same group added with full access as root.
I used the command below:
chmod -R +a group "NA\000-it-information security" allow generic_all,object_inherit,container_inherit /ifs/CORP_DATA/Infosec/
drwxrwx--- + 20 root wheel 819 May 28 14:34 /ifs/CORP_DATA/Infosec/
OWNER: user:root
GROUP: group:wheel
CONTROL:dacl_auto_inherited,sacl_auto_inherited,dacl_protected
0: creator_owner allow dir_gen_all,object_inherit,container_inherit,inherit_only
1: group:NA\000-it-information security allow dir_gen_all,object_inherit,container_inherit
2: group:Administrators allow dir_gen_all,object_inherit,container_inherit
sjogrd
5 Posts
0
September 11th, 2015 12:00
Good to hear back from you on Sep 11, 2015 6:27 AM.
In the post it seems there were 4 directories that were having some issues. As the chmod command travels through the folders it can throw a message and sometimes not make any changes to the directory acl.
The command used [# chmod -R +a# 3 everyone allow generic_all,object_inherit,container_inherit /ifs/CORP_DATA/Infosec/Evidence\ \(Shared\)/ ] instructs the system to insert the specified ace at acl position 3 as below:
+a# When a specific ordering is required, the exact location at which
an entry will be inserted is specified with the +a# mode.
The command was able to insert the ace at position 3 as seen below:
isi:/ifs/CORP_DATA/Infosec/Evidence (Shared) # ls -led /ifs/CORP_DATA/Infosec/Evidence\ \(Shared\)/
drwxrwxrwx + 47 NA\csan1928 NA\domain users 1204 Sep 11 08:08 /ifs/CORP_DATA/Infosec/Evidence (Shared)/
OWNER: user:NA\csan1928
GROUP: group:NA\domain users
CONTROL:dacl_auto_inherited,sacl_auto_inherited
0: group:Administrators allow dir_gen_all,object_inherit,container_inherit
1: group:NA\000-it-information security allow dir_gen_all,object_inherit,container_inherit
2: creator_owner allow inherited dir_gen_all,object_inherit,container_inherit,inherit_only,inherited_ace
3: everyone allow dir_gen_all,object_inherit,container_inherit
As the chmod command moved to the next folder, it raised the issue:
chmod: A new entry can't be created at position: 3: Invalid argument
chmod: acl_create_entry() failed: Invalid argument.
This occurred because only ace 0 and ace 1 existed in the acl -- so adding at position 3 was an error (it would require ace 2 and then this would have worked):
drwxrwx--- + 2 NA\jjef8591 NA\domain users 0 Sep 10 17:58 /ifs/CORP_DATA/Infosec/Evidence (Shared)/jjef8591
OWNER: user:NA\jjef8591
GROUP: group:NA\domain users
CONTROL:dacl_auto_inherited,sacl_auto_inherited,dacl_protected
0: group:NA\000-it-information security allow dir_gen_all,object_inherit,container_inherit
1: user:NA\jjef8591 allow dir_gen_all,object_inherit,container_inherit
The other +a ACL manipulation options are as follows:
+a The +a mode parses a new ACL entry from the next argument on the
command line and inserts it into the canonical location in the
ACL. If the supplied entry refers to an identity already listed,
the two entries are combined.
+a# When a specific ordering is required, the exact location at which
an entry will be inserted is specified with the +a# mode.
Running "man chmod" from the command line may provide a bit more help.
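The two mechanics discussed in the repro post and in this reply, ACE inheritance into a newly created %U home directory and the "+a# 3" failure on a directory that only has ACEs 0 and 1, can be modelled offline. The following is an added example, not code from the thread or from OneFS: it parses the numbered ACE lines of `ls -led` output as quoted above, models positional insertion and container inheritance in simplified form (plain `+a` canonical placement and `dacl_protected` handling are not modelled), and audits which directories still lack an allow ACE for a trustee. The sample `ls -led` text is constructed from the outputs in this thread, trimmed to the ACE lines.

```python
import re
from dataclasses import dataclass

# Constructed samples, trimmed from the 'ls -led' outputs quoted in this thread.
LS_ROOT = """\
CONTROL:dacl_auto_inherited,sacl_auto_inherited
0: group:Administrators allow dir_gen_all,object_inherit,container_inherit
1: group:NA\\000-it-information security allow dir_gen_all,object_inherit,container_inherit
2: creator_owner allow inherited dir_gen_all,object_inherit,container_inherit,inherit_only,inherited_ace
"""
LS_HOME = """\
CONTROL:dacl_auto_inherited,sacl_auto_inherited,dacl_protected
0: group:NA\\000-it-information security allow dir_gen_all,object_inherit,container_inherit
1: user:NA\\jjef8591 allow dir_gen_all,object_inherit,container_inherit
"""

@dataclass
class Ace:
    trustee: str    # "everyone", "user:dave", "group:NA\\000-it-information security"
    kind: str       # "allow" or "deny"
    flags: set      # rights and inheritance flags exactly as OneFS prints them

ACE_RE = re.compile(r"^\d+: (?P<trustee>.+?) (?P<kind>allow|deny) (?:inherited )?(?P<flags>\S+)$")

def parse_ls_led(text):
    """Return the numbered ACEs from OneFS 'ls -led' output, in DACL order."""
    return [Ace(m["trustee"], m["kind"], set(m["flags"].split(",")))
            for m in map(ACE_RE.match, text.splitlines()) if m]

def insert_ace_at(acl, pos, ace):
    """Model of 'chmod +a# <pos>': the position must be an existing slot or the
    one just past the end; otherwise OneFS refuses with Invalid argument."""
    if not 0 <= pos <= len(acl):
        raise ValueError(f"A new entry can't be created at position: {pos}: Invalid argument")
    return acl[:pos] + [ace] + acl[pos:]

def inherit_to_child_dir(parent_acl):
    """Simplified model of auto-inheritance when a %U home directory is created:
    ACEs flagged container_inherit propagate and are marked inherited_ace."""
    return [Ace(a.trustee, a.kind, a.flags | {"inherited_ace"})
            for a in parent_acl if "container_inherit" in a.flags]

def missing_trustee(dirs, trustee):
    """Audit: which directories carry no allow ACE for the trustee?"""
    return [p for p, acl in dirs.items()
            if not any(a.trustee == trustee and a.kind == "allow" for a in acl)]

def demo():
    root, home = parse_ls_led(LS_ROOT), parse_ls_led(LS_HOME)
    everyone = Ace("everyone", "allow", {"dir_gen_all", "object_inherit", "container_inherit"})
    root = insert_ace_at(root, 3, everyone)        # ACEs 0-2 exist, so slot 3 is valid
    try:
        insert_ace_at(home, 3, everyone)           # only ACEs 0 and 1 exist: fails
        home_failed = False
    except ValueError:
        home_failed = True
    new_home = inherit_to_child_dir(root)          # a home dir created after the fix
    return (len(root), home_failed,
            any(a.trustee == "everyone" for a in new_home),
            missing_trustee({"root": root, "jjef8591": home, "new": new_home}, "everyone"))
```

Running `demo()` reproduces the thread's outcome: the root insert succeeds, the `jjef8591` insert is rejected, a home directory created afterwards inherits the new ACE, and the audit names the pre-existing home directory as the one still missing it.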
sjogrd
5 Posts
0
September 14th, 2015 16:00
Hello bhuvankumar (see post Sep 11, 2015 6:47 AM)
It seems the chmod command worked well for you, as shown: 1: group:NA\000-it-information security allow dir_gen_all,object_inherit,container_inherit
Remember the chmod will not change SMB share permissions. They remain separate permissions.
You may not need the full access as root on the share shown below. If you have any issues removing this permission, just create a new share permission at the end using the "root" user, make this permission 'run as root' -- then you can remove the others.
bhuvankumar
1 Rookie
31 Posts
0
September 16th, 2015 08:00
Hi David,
EMC says we cannot modify permissions for a %U variable share, as Isilon is designed in such a way that once the share is accessed by a user it creates a home directory for him/her with full permissions for him/her, after which we cannot modify it unless we manually reapply the required permissions to the user's SMB path. Is this true? Please find the email below.
This is a follow-up to the call we had regarding SR
You have a share Infosec_Evidence that has the user directory variable enabled: "/ifs/CORP_DATA/Infosec/Evidence (Shared)/%U"
The cluster creates home directories for each user who accesses it for the first time.
According to the 7.1.1 admin guide, by design this allows only the user to access his/her own home directory.
“OneFS supports the following expansion variables. You can improve performance and reduce the number of shares to be managed when you configure shares with expansion variables. For example, you can include the %U variable for a share rather than create a share for each user. When a %U is included in the name so that each user's path is different, security is still ensured because each user can view and access only his or her home directory.” - Page 184
I have attached the 7.1.1 admin guide for your reference.
Anyone apart from the user will not be given access and will have to be manually added to the NTFS permissions/File Permissions.
We did try creating another share for the same path so that only the Security Group will get permissions, however this did not work since the home directories themselves do not have the security group as a part of their permissions.
You can use a chmod command as given below to add the group to all the existing home directories:
# chmod -R +a group "NA\000-it-information security" allow dir_gen_all,object_inherit,container_inherit "/ifs/CORP_DATA/Infosec/Evidence (Shared)/"
Furthermore, all future communications regarding this issue will be handled through SR only, and all other SRs opened for this issue will be closed.
Please let us know if you have any questions.
Best Regards,
EMC
Technical Support Engineer
Customer Service, Isilon