Rainer_EMC
4 Operator
8.6K Posts
0
May 17th, 2012 10:00
Hi
Please read the CIFS multi-protocol and user mapping manuals to understand what options you have in terms of user and permission mapping.
For changing CIFS ACLs you need Windows style tools – I don’t think setacl can do that.
You might be able to do that with smbclient – I haven't kept up with smbfs.
Or emcsetsd
If you want to modify NFS ACLs you need NFSv4
Either way designing and setting up multi-protocol is major work and needs to be thought through properly.
If it's just for the management station I wouldn’t do that.
Rainer
ski98033
9 Posts
0
May 17th, 2012 13:00
We actually do this via smbcacls. The trick is setting all the ACLs. I work for a K-12 school district and we automatically create home directories for our students directly from data located in the student records database. A typical student ACL (as a Perl hash) is:
    student => {
        INHERIT => 1,
        OWNER => "S-1-5-21-1783249549-2444593722-3659405576-1117",
        #PROXYDOMAIN\exaauth
        ACL => [
            # :ALLOWED/OI|CI/READ
            [" ","0","0x3","0x001200a9"],
            #STAFF\Domain Users:ALLOWED/OI|CI|I/CHANGE
            ["S-1-5-21-726097961-1067268171-466030964-513",
             "0","0x13","0x001301bf"],
            #STAFF\Domain Admins:ALLOWED/OI|CI|I/FULL
            ["S-1-5-21-726097961-1067268171-466030964-512",
             "0","0x13","0x001f01ff"],
            #PROXYDOMAIN\exaauth:ALLOWED/OI|CI|I/FULL
            ["S-1-5-21-1783249549-2444593722-3659405576-1117",
             "0","0x13","0x001f01ff"],
            #Unix Group\root:ALLOWED/OI|CI|I/READ
            ["S-1-22-2-0","0","0x13","0x001200a9"]
        ]
    },
There is a perl module that makes using smbcacls a bit easier.
cheers,
ski
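
As an added example (not ski's code and not part of the original thread), the Perl below decodes ACE tuples of the [SID, type, flags, mask] shape shown above into the readable form used in the post's comments and into an `ACL:<sid>:<type>/<flags>/<mask>` string of the kind smbcacls works with, and reports any ACE that grants Everyone more than READ. The student SID, the Everyone entry and the helper names `decode_ace` and `risky_aces` are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# ACE inheritance flag bits and the three access masks that appear in the post.
my @FLAG_BITS = ([0x01, 'OI'], [0x02, 'CI'], [0x04, 'NP'], [0x08, 'IO'], [0x10, 'I']);
my %MASK_NAME = (0x001200a9 => 'READ', 0x001301bf => 'CHANGE', 0x001f01ff => 'FULL');
my $EVERYONE  = 'S-1-1-0';    # well-known SID for Everyone

# Turn one [SID, type, flags, mask] tuple into readable fields plus an
# ACL:<sid>:<type>/<flags>/<mask> string. A blank trustee is rejected so a
# template with a missing SID never reaches the file server.
sub decode_ace {
    my ($sid, $type, $flags, $mask) = @{ $_[0] };
    die "ACE has no trustee SID\n" unless defined $sid && $sid =~ /^S-\d+(?:-\d+)+$/;
    my ($f, $m) = (hex $flags, hex $mask);
    my $kind = $type eq '0' ? 'ALLOWED' : 'DENIED';
    return {
        sid   => $sid,
        type  => $kind,
        flags => join('|', map { $_->[1] } grep { $f & $_->[0] } @FLAG_BITS),
        mask  => $MASK_NAME{$m} // sprintf('0x%08x', $m),
        spec  => sprintf('ACL:%s:%s/0x%x/0x%08x', $sid, $kind, $f, $m),
    };
}

# Return the decoded ACEs that let Everyone do more than read.
sub risky_aces {
    return grep { $_->{sid} eq $EVERYONE && $_->{type} eq 'ALLOWED' && $_->{mask} ne 'READ' }
           map  { decode_ace($_) } @_;
}

# Constructed sample: the student SID is a placeholder, the two group SIDs are
# the ones quoted in the post, and the last entry is a constructed Everyone/FULL ACE.
my @acl = (
    ['S-1-5-21-1111111111-2222222222-3333333333-5001', '0', '0x3',  '0x001200a9'],
    ['S-1-5-21-726097961-1067268171-466030964-513',    '0', '0x13', '0x001301bf'],
    ['S-1-5-21-726097961-1067268171-466030964-512',    '0', '0x13', '0x001f01ff'],
    [$EVERYONE,                                         '0', '0x3',  '0x001f01ff'],
);

for my $ace (map { decode_ace($_) } @acl) {
    printf "%-8s %-8s %-7s %s\n", @{$ace}{qw(type flags mask)}, $ace->{spec};
}
print "WARNING: $_->{spec}\n" for risky_aces(@acl);
```
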
jordiFIB
30 Posts
0
May 18th, 2012 04:00
We are trying all combinations.
We are mounting the partition with NFS and using emcgetsd and emcsetsd, but it doesn't work because the system doesn't accept the new ACLs.
We are also trying with nfs4_getacl, without luck.
We've also tried mounting with CIFS and using smbcacls, but we are receiving this error:
failed session setup with NT_STATUS_LOGON_FAILURE
cli_full_connection failed! (NT_STATUS_LOGON_FAILURE)
Perhaps, it's time to summarize:
1. I have an EMC VNX5300, with a file system that I would like to use for Windows profiles, and another file system as the User volume.
2. We have a Windows XP client, and we would like to mount the User volume as the F: unit, and the profiles.
3. We have joined the EMC array to a Samba PDC domain.
4. I would like to create the user volume and profile folders from a Linux management station.
5. For this, I need to mount the User file system and the profile file system on the management station, with NFS or CIFS.
6. I create a folder within the User volume, and a folder on the Profiles volume.
7. Here comes the problem: I need to make these folders available to the user. How?
8. In general, I execute:
cd /mounted_user_volume
mkdir
chown
On the Samba server, before, I executed: setfacl
but on the Windows XP client, when I mount the user volume, there is an ACL: Everyone with Full control.
At the moment, we are trying all combinations.
At last, we have found the following solution:
Create the file system with access policy UNIX. With this, from the Linux station, execute:
chown
chmod 700
Now, from Windows XP client, we can mount \\nas_array\user_volumes\ but we can access only on my folder \\nas_array\user_volumes\ .
My question is whether it's right to define the access policy as UNIX to ignore ACLs, and to use only chown and chmod on the Linux management station.
Thanks in advance for your answers.
Jordi Renye
inLAB FIB
bergec
275 Posts
0
May 18th, 2012 04:00
In order to use emcsetsd you need to set bit 5 of CIFS param acl.extacl (CLI command "server_param server_2 -f cifs -m acl.extacl -v 32")
If you mount the FS with "accesspolicy=UNIX" then on CIFS access both permission bits and ACLs will be checked
Some customers do that because they have both Unix and Windows users accessing the same data and want to manage access rights from one world only (or they have limited access to AD because AD management is outsourced)
Note that with accesspolicy=UNIX you can also just ignore ACL by setting the following param to 0
server_param server_2 -facility cifs -modify acl.unixCheckAcl -value 0
If you go that route I strongly suggest you go through the "Managing a Multiprotocol Environment on VNX" documentation
Claude