1 Rookie

48 Posts

March 22nd, 2018 13:00

Set SMB share permissions using SID

Hello -


Does anyone know the syntax or have an example to modify or set the share permissions on an Isilon using a SID when there are multiple AD domains?


In my example, the provider is ADS:FOOINC.ORG with two active directory domains: fooinc.org and fooroot.org. In this case, all my SIDs are from the "fooinc.org" active directory domain.


Leveraging commands from https://community.emc.com/docs/DOC-7112 I am able to list permissions for a share with the SIDs. 


Here an example output:

ACL DUMP REPORT


Share        : \\FOO-ISFIL1\ServerTechs

UID          : 32772

GID          : 32776

Rights       : rwxr-xr-x

owner SID    : S-1-5-15-70cd0fe5-61e22ca0-17c15952-1e2a

group SID    : S-1-5-15-70cd0fe5-61e22ca0-17c15952-201


DACL


GROUP 33028 S-1-5-15-70cd0fe5-61e22ca0-17c15952-1d58d

ALLOWED 0x0 0x1f01ff RWXPDO


GROUP 32780 S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3a

ALLOWED 0x0 0x1f01ff RWXPDO


While that same document also includes a method to map the SID back to a friendlier FOOCORP\USER1 account, I am looking to bypass that step if possible.


nasadmin@FOO-VNX-CS0 ~]$ server_cifssupport FOO-vdm1 -secmap -list -sid  S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3a -acl -share "ServerTechs"


FOO-vdm1 : done


SECMAP GROUP MAPPING TABLE


GID         Origin      Date of creation         Name                            SID

32780       usermapper  Wed Nov 16 10:56:12 2011 FOOCORP\USER1         S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3a


Due to internal regulations, the shares are configured with share-level permissions in addition to the NTFS permissions on the folders and files themselves. 


Here are the results of my attempt to set the permissions using the SID:

ISILON-1# isi smb shares permission create testshare1 --zone=System --permission-type allow --permission change --sid S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3a

Failed to create persona 'SID:S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3a'

ISLION-1#


There are 300 shares to recreate and configure with share-level permissions. 


Many thanks in advance for any help or ideas.

450 Posts

March 23rd, 2018 07:00

I assume that the 2 domains are trusted, correct?

isilon5-1# mkdir /ifs/test

isilon5-1# isi smb share create testshare /ifs/test

isilon5-1# isi smb share permission create testshare chris@datadobi.net -d allow -p change

The cluster in my case belongs to a child domain, demo.datadobi.net.  The user I added is my account from the parent domain, so of course it's a 2-way trust.

Your failed syntax from above should be more like this:

isi smb share permission create testshare1 --sid S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3a -d allow -p change --zone System


But then again that's a problem: your SID is in hex, while the cluster and the generally accepted standard use SIDs in decimal, so you need to convert those values or, assuming there is a trust, just use the username as I did in my example.


For troubleshooting purposes, you can verify the username to SID mapping on the cluster directly.

Note the syntax is domain\\username. The first slash is an escape character.

--Edit for some reason the image didn't insert correctly--


isilon5-1# isi auth mapping token datadobi\\chris | head

                   User

                       Name: DATADOBI\chris

                        UID: 10012

                        SID: S-1-5-21-XXXXXX-YYYYYYY-1146100301-1121

                    On Disk: 10012


Hope that helps.

~Chris

Principal Pre-Sales Engineer, Datadobi

chris.klosterman@datadobi.com


1 Rookie

48 Posts

March 23rd, 2018 08:00

Thank you for your response. Yes the 2 domains are trusted. The cluster is joined to the child domain, and the user accounts are in the child domain.

I was hoping to use the SID as spit out from the VNX to save the step of translating through a sidmapper or using -secmap on the VNX to get the domain\username. With the sheer number of shares, and granular share permissions, this is a daunting task.

Unless there is some other super-secret tool or method to copy/translate share permissions from a VNX (file) to Isilon?

Dawn

1 Rookie

48 Posts

March 23rd, 2018 09:00

Thank you for your response.  Yes the 2 domains are trusted.  The cluster is joined to the child domain, and the user accounts are in the child domain.  I have successfully modified shares to add permissions using the username.

I was hoping to use the SID as spit out from the VNX to save the step of translating through a sidmapper or using -secmap on the VNX to get the domain\username.  With the sheer number of shares (~299), and granular share permissions, this is a daunting task.

Unless there is some other super-secret tool or method to copy/translate share permissions from a VNX (file) to Isilon?

450 Posts

March 26th, 2018 07:00

Well, 3 options:

1. Translate those SIDs from hex to decimal.  Do it in bulk in Excel or something.  I figured when you listed SIDs with hex values that it probably came from a VNX.  It's the only platform I've ever seen that stores them that way.  Then script out the share modifications.

2. Use a commercial tool to do this for you.  How are you moving the data?  My company's software DobiMigrate (formerly known as DobiMiner) handles all the share creation and copying over the security from source to target as part of a comprehensive migration.

3. You can try using sharedup.exe which is part of the cifstools pack that always shipped with Celerra and VNX, and is likely still available on support.emc.com. But if even a single one of your shares contains a local user or group, the tool will be unable to create that local user or group on the target, and will crash with no indication of why or where it was in the process.

Just a suggestion; hope it helps, if you want to talk about option #2, drop me an email.

~Chris Klosterman

Principal Pre-Sales Engineer, Datadobi

chris.klosterman@datadobi.com

2 Intern

1.3K Posts

March 26th, 2018 07:00

In 8.0.0.4 I used --sid=SID:S-1-1-0

--permission=change

--permission-type=allow

Just to be sure it is not a typo

1 Rookie

48 Posts

March 26th, 2018 08:00

Hi SKT-

Thank you for clarifying the syntax.  Unfortunately, I still seem to have an issue with adding in the user SIDs.

NAS-1# isi smb shares permission create testshare1 --zone=System --permission-type allow --permission change --sid S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3d

Failed to create persona 'SID:S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3d'

It does seem to accept well-known SIDs, though.  The following command did not show any errors, and added an account "This Organization" with read-write access to the share.

NAS-1# isi smb shares permission create testshare1 --zone=System --permission-type=allow --permission=change --sid=S-1-5-15

NAS-1#

Thanks!

2 Intern

1.3K Posts

March 27th, 2018 05:00

You are still missing "SID:".

1 Rookie

48 Posts

March 27th, 2018 06:00

Here is the command with "SID:"

NAS-4# isi smb shares permission create testshare1 --zone=System --permission-type=allow --permission change --sid=SID:S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3d

Failed to create persona 'SID:S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3d'

NAS-4#

Thanks!

6 Operator

1.2K Posts

March 27th, 2018 10:00

It's not the "SID:" prefix.

As Chris said, the numeric fields have to be in decimal, like 1892487141 for 70cd0fe5.

I suspect even the 15 was given in hex, so in decimal it would be 21 (= 1 * 16 + 5).

-- Peter
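Chris's option 1 and Peter's decimal note, worked through as an added Python example (my own code, not from any poster or from Dell/Isilon): it converts the VNX hex SIDs quoted in this thread to decimal and builds the isi command with the SID: prefix SKT pointed out. Function names are mine; the sample SIDs are the ones from the thread.

```python
import re

# Sample input: the SIDs exactly as the VNX ACL dump in this thread printed them.
# Every sub-authority after the identifier authority ("5") is hexadecimal.
VNX_HEX_SIDS = [
    "S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3a",
    "S-1-5-15-70cd0fe5-61e22ca0-17c15952-4b3d",
]

_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-[0-9A-Fa-f]+)+)$")


def vnx_sid_to_decimal(sid: str) -> str:
    """Rewrite a VNX-style SID (hex sub-authorities) into the standard
    decimal form OneFS expects. Revision and identifier authority are
    kept as-is; every sub-authority (including the '15') is read as hex."""
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority, subs = m.group(1), m.group(2), m.group(3)
    decimal_subs = []
    for field in subs.lstrip("-").split("-"):
        value = int(field, 16)
        if value > 0xFFFFFFFF:  # sub-authorities are 32-bit values
            raise ValueError(f"sub-authority {field} exceeds 32 bits")
        decimal_subs.append(str(value))
    return f"S-{revision}-{authority}-" + "-".join(decimal_subs)


def looks_hex(sid: str) -> bool:
    """True if some sub-authority contains a-f. Without such a digit the
    string is ambiguous: S-1-5-15 is a valid well-known SID in decimal
    (the one that the poster saw accepted), so only convert SIDs you
    know came from a VNX dump."""
    return re.search(r"[a-fA-F]", sid.split("-", 3)[-1]) is not None


def isi_share_permission_cmd(share: str, sid: str, zone: str = "System") -> str:
    """Build the isi command from the thread with the SID: prefix."""
    return (f"isi smb shares permission create {share} --zone={zone} "
            f"--permission-type=allow --permission=change --sid=SID:{sid}")


if __name__ == "__main__":
    for hex_sid in VNX_HEX_SIDS:
        dec_sid = vnx_sid_to_decimal(hex_sid)
        print(f"{hex_sid} -> {dec_sid}")
        print(isi_share_permission_cmd("testshare1", dec_sid))
```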
