March 18th, 2015 09:00
User Permissions and inheritance being automatically pushed
Isilon Community,
I know this is a long shot and this might not even be an Isilon issue, but I will see if anyone knows what this could be. I have a user that created a file within a folder fairly deep within the /ifs/data directory. This is nothing new, but what is... when I change the permissions to this .xlsx file that this user wants me to lock down, the next day the inheritance permissions automatically get pushed down to it. HUH?! I have no clue what is going on. So what I did as a test: I created a copy of the same file in the same location but added "FILENAME-TestPermissions.xlsx" to the file name. Wouldn't you know, the next day the explicit permissions I set stayed the same for the "FILENAME-TestPermissions.xlsx" file. OK, this is great! So the user thought that maybe they could just transfer their information to the "FILENAME-TestPermissions.xlsx" file and all would be well. I thought the same until the user performed the task and saved the file. When they went to look at the permissions, the very thing that kept happening to the original file happened to the "FILENAME-TestPermissions.xlsx" file. The folder inheritance had gotten pushed down to the "FILENAME-TestPermissions.xlsx" file. Weird, and I don't have an explanation. Has anyone seen this before? If so, where should I start looking for a fix?
FYI, NO there is no permission repair job running... at least not one that I configured as the Storage Engineer/Administrator.
Thank you,



chjatwork
May 11th, 2015 05:00
RobChang,
What I had to do to solve this issue was disable inheritance on the child folder this file was placed in. After doing so the permissions on this file stopped reverting back to the permissions of the child folder it was placed in after the user made changes to it.
Thank you,
RobChang-Isilon
March 19th, 2015 12:00
Hi chjatwork
Quick question -- how did you update the file permissions for that file? Did you change it through the WebUI or through a UNIX command line or through a right-click on the file in Windows?
Thanks.
chjatwork
March 19th, 2015 14:00
I used Windows so it could be tracked through Varonis.
RobChang-Isilon
March 19th, 2015 14:00
Hi, the symptom you are seeing is rather curious. I have not heard of a similar issue before. I'd like to see about reproducing that here.
Could you provide the following so I can repro/ask around?
- OneFS version
- Any specific "folder" permissions
- Specific "file" permission that you are trying to customize
- Is your cluster configured for both SMB and NFS workloads?
Thanks.
chjatwork
March 20th, 2015 07:00
- OneFS version
7.1.0.5
- Any specific "folder" permissions
Nothing special:
[CLUSTERNAME]1-11% ls -lzed
drwxrwx--- + 6 [USERNAME] [DOMAINNAME]\domain users 408 Mar 20 09:47 .
OWNER: user:[USERNAME]
GROUP: group:[DOMAINNAME]\domain users
CONTROL:dacl_auto_inherited,sacl_auto_inherited
0: user:[DOMAINNAME]\[USERNAME] allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
1: group:[DOMAINNAME]\[GROUPNAME] allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
2: [BROKENSID]
3: group:[DOMAINNAME]\oc_[DOMAINNAME]scientific allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
4: group:[DOMAINNAME]\[GROUPNAME] allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
5: group:[DOMAINNAME]\[GROUPNAME] allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
6: group:[DOMAINNAME]\[GROUPNAME] allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
7: group:[DOMAINNAME]\[GROUPNAME] allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
8: user:[DOMAINNAME]\[USERNAME] allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
9: [BROKENSID]
10: user:[DOMAINNAME]\[USERNAME] allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
11: user:[DOMAINNAME]\[USERNAME] allow inherited dir_gen_read,dir_gen_execute,object_inherit,container_inherit,inherited_ace
12: group:[DOMAINNAME]\[GROUPNAME] admins allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
13: group:[DOMAINNAME]\[GROUPNAME] monitors allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
14: user:[DOMAINNAME]\cfe0142439$ allow inherited dir_gen_read,dir_gen_execute,object_inherit,container_inherit,inherited_ace
15: user:[DOMAINNAME]\[USERNAME] allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
16: group:[DOMAINNAME]\[GROUPNAME] allow inherited dir_gen_all,object_inherit,container_inherit,inherited_ace
17: group:Administrators allow inherited dir_gen_all,object_inherit,container_inherit,inherited_ace
18: user:[DOMAINNAME]\[USERNAME] allow inherited dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit,inherited_ace
19: group:[DOMAINNAME]\[GROUPNAME] allow inherited dir_gen_read,object_inherit,container_inherit,inherited_ace
- Specific "file" permission that you are trying to customize
The Local administrators and a few other folks need Full control to this file.
- Is your cluster configured for both SMB and NFS workloads?
Yes, but it wasn't when we first discovered this issue. Plus this user in question does not have a user account on the LDAP server on the AD.
RobChang-Isilon
March 27th, 2015 16:00
Hi chjatwork,
This takes a little research. Let me see if I can reproduce this here in our simulator. I'll keep you posted. Thanks.
ryan_hayre
March 28th, 2015 02:00
Does this happen with files that aren't used by Microsoft Office (i.e., just a normal .txt file)? If this is only happening with Office files (Word/Excel), it may be related to how changes to these documents are saved.
IIRC, Excel/Word will save changes to a new temporary file (which inherits the permissions from the parent), delete the original file and rename the temporary file to the original file name. Not sure if this behavior in Office has changed, but Microsoft KB 211632 describes this behavior.
An easy way to check if this is the case would be to check what the file LIN is prior to the user opening it, and what it is after the user edits and saves the file.
You can get the LIN of a file by using the following command from the cluster CLI:
# isi get -Dd "<path>" | grep 'LIN:'
For example:
cluster-1# isi get -Dd "/ifs/data/example" | grep 'LIN:'
* LIN: 1:0053:0003
Modifying a file should not change the LIN, so if the LIN after the user saves the file is different, it may be due to the way Word/Excel saves files.
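The before/after check suggested in this post can be tried on any POSIX filesystem. The script below is an added example, not part of the original posts: it uses the inode number as a stand-in for the OneFS LIN and the umask default as a stand-in for inherited permissions, and the file names and helper functions are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration: inode number stands in for the OneFS LIN,
# umask-default mode bits stand in for the ACL inherited from the folder.
inode_of() { ls -i "$1" | awk '{print $1}'; }
mode_of()  { ls -l "$1" | cut -c1-10; }

# Edit in place: same file object, explicit permissions stay.
save_in_place() { printf '%s\n' "$2" >> "$1"; }

# Save as the post describes: write a temp file, delete the original,
# rename the temp file to the original name.
save_by_replace() {
    tmp="$(dirname "$1")/~tmp.$$"
    ( umask 022; cat "$1" > "$tmp"; printf '%s\n' "$2" >> "$tmp" )
    rm -f "$1"
    mv "$tmp" "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/report.xlsx"            # constructed sample file
    printf 'v1\n' > "$f"
    chmod 600 "$f"                  # the explicit "locked down" permission

    ino0=$(inode_of "$f"); mode0=$(mode_of "$f")
    save_in_place "$f" "v2"
    ino1=$(inode_of "$f"); mode1=$(mode_of "$f")
    save_by_replace "$f" "v3"
    ino2=$(inode_of "$f"); mode2=$(mode_of "$f")
    rm -rf "$dir"

    echo "original:        inode=$ino0 mode=$mode0"
    echo "in-place edit:   inode=$ino1 mode=$mode1"
    echo "replace-on-save: inode=$ino2 mode=$mode2"
    if [ "$ino1" != "$ino2" ]; then
        echo "file identity changed on save: explicit permissions were on the deleted object"
    fi
}

demo
```

A changed identifier after the user's save means the permissions were never reverted on the original object; they belong to a new file that picked up the parent's defaults at creation.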
chjatwork
March 31st, 2015 15:00
RyanH,
I will try this, and get back to you.
RobChang-Isilon
April 10th, 2015 15:00
Hi chjatwork,
Has Ryan's suggestion worked for you? I'm curious to see if the observed behavior is indeed due to how Office saves its documents.
Please keep us updated.
Thanks!