Re: Ask the Expert: SMB Protocol on an Isilon Cluster
To get the ball rolling, have you ever wondered what the most common support case for SMB we get is?
Permission cases make up about 25% of our overall case work. I have found that we can split permission cases into two types of cases:
1.) General Windows Permission
2.) Multi-Protocol Permission
With general Windows permission cases, troubleshooting the issue should be done in exactly the same way as you would troubleshoot a permission issue on a Windows server. Therefore, it is important to understand how share permissions and file system permissions interact with each other.
For multi-protocol permission issues, it becomes more complex as Isilon OneFS has a very advanced ACL Policy that can be configured.
I will not get into the details of our AIMA (Authentication, Identity Management, Authorization) engine here as that will be covered in a future Ask The Expert event.
I will however provide some general pointers to troubleshooting a permission problem.
The first thing I like to do is connect to Start -> Run -> \\cluster (do not add a share to the end)
The reason I connect to just the root of the cluster is because it is a good way to test authentication. If the connection fails, you should stop troubleshooting a permission problem and focus your efforts on authentication.
After you have proven that you can connect to the cluster without any issues, I collect the following data to determine why permission is being denied:
1.) Collect the Unix version of the user's token (this may not return anything if multi-protocol is not in use):
isi auth mapping token --name=username
isi auth mapping token --user=username
2.) Collect the Windows version of the user's token (note the \\ between domain and username):
isi auth mapping token --name=domain\\username
isi auth mapping token --user=domain\\username
3.) Collect the share output:
isi smb permission list --sharename=<problem share>
isi smb shares view --share=<problem share>
4.) Collect both ls -led and ls -lend output of the problem file and each directory above it:
ls -led /ifs/data/file1.txt
ls -led /ifs/data
ls -led /ifs
ls -lend /ifs/data/file1.txt
ls -lend /ifs/data
ls -lend /ifs
Once you have collected the data above, the process to resolve the permission problem is as follows:
1.) Note the group memberships of the user from Steps 1 and 2
2.) Verify the user is either directly in, or is a member of a group in, an entry in the share permissions from Step 3
3.) Verify the user is either directly in, or is a member of a group in, an entry in the file system permissions from Step 4
To provide an example, let's say that I have a user Pete who is unable to write to a share:
1.) Collect isi auth mapping output
isi-ess-east-1# isi auth mapping token --name=domain\\pete
Initial name: pete
Primary uid: pete (1502)
Primary user sid: pete (SID-1-5-21-321531391-2185564565-1823270536-1014)
Primary gid: pete (1502)
Primary group sid: SID-1-5-21-321531391-2185564565-1823270536-1000
On-disk user identity: pete (1502)
On-disk group identity: pete (1502)
2.) Collect the share permission output:
isi-ess-east-1# isi smb permission list --sharename=ITGroup
SMB Share Permissions:
Account Acct Type Perm Type Permission
Everyone Builtin Allow Read << Pete is a member of Everyone
staff Group Allow Full Control << Pete is not a member of staff
3.) Collect ls -led and ls -lend output of the paths (I am truncating the output):
isi-ess-east-1# ls -led /ifs/data/itgroup
drwxrwxrwx + 2 root wheel 0 Jul 15 09:33 /ifs/data/itgroup
0: user:root allow dir_gen_all
1: creator_owner allow dir_gen_all,object_inherit,container_inherit,inherit_only
2: group:Administrators allow dir_gen_all,object_inherit,container_inherit
3: everyone allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit << Note this gives the Everyone Group Write Permission
4: group:Users allow dir_gen_all,object_inherit,container_inherit
Therefore, the problem in this scenario is at the share level. Pete is a member of Everyone and gets Read at the share, which overrides the file system permission of Everyone Read/Write. Thus, Pete can only read, not write.
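To show the "share AND file system" check from Steps 2 and 3 applied to the Pete scenario above, here is an added Python example (not part of the original post or of OneFS) that parses constructed copies of the isi smb permission list and ls -led output and intersects the rights the user matches at each level. The rights model and ACE ordering are simplified assumptions, not the OneFS access-check algorithm.

```python
import re
SHARE_RIGHTS = {"Read": {"read"}, "Change": {"read", "write"},
                "Full Control": {"read", "write", "full"}}
ACE_RIGHTS = {"dir_gen_read": {"read"}, "dir_gen_execute": {"read"},
              "dir_gen_write": {"write"}, "dir_gen_all": {"read", "write", "full"}}
# Constructed sample output, modelled on the ITGroup/Pete scenario in the post.
SHARE_OUT = """Account Acct Type Perm Type Permission
Everyone Builtin Allow Read
staff Group Allow Full Control"""
ACL_OUT = """0: user:root allow dir_gen_all
1: creator_owner allow dir_gen_all,object_inherit,container_inherit,inherit_only
2: group:Administrators allow dir_gen_all,object_inherit,container_inherit
3: everyone allow dir_gen_read,dir_gen_write,dir_gen_execute,std_delete,object_inherit,container_inherit
4: group:Users allow dir_gen_all,object_inherit,container_inherit"""

def identities(user, groups):
    """Trustees the user matches: self, each group from the token, and everyone."""
    return {"everyone", "user:" + user.lower()} | {"group:" + g.lower() for g in groups}

def share_entries(text):
    """Parse 'isi smb permission list' rows into (trustee, allow/deny, rights)."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header row
        acct, kind, action, perm = re.match(
            r"(\S+)\s+(Builtin|Group|User)\s+(Allow|Deny)\s+(.+)$", line).groups()
        prefix = "user:" if kind == "User" else "group:"
        trustee = "everyone" if acct.lower() == "everyone" else prefix + acct.lower()
        rows.append((trustee, action.lower(), SHARE_RIGHTS[perm.strip()]))
    return rows

def acl_entries(text):
    """Parse 'ls -led' ACEs; inherit_only entries do not apply to the object itself."""
    rows = []
    for line in text.splitlines():
        trustee, action, flags = re.match(r"\d+:\s+(\S+)\s+(allow|deny)\s+(\S+)$", line).groups()
        flags = flags.split(",")
        if "inherit_only" not in flags:
            rights = set().union(*(ACE_RIGHTS.get(f, set()) for f in flags))
            rows.append((trustee.lower(), action, rights))
    return rows

def resolve(entries, ids):
    """Union of matching allow rights minus matching deny rights (simplified order)."""
    allowed = set().union(*(r for t, a, r in entries if t in ids and a == "allow"))
    denied = set().union(*(r for t, a, r in entries if t in ids and a == "deny"))
    return allowed - denied

def effective_access(user, groups, share_out=SHARE_OUT, acl_out=ACL_OUT):
    """Steps 2 and 3: the user needs a match at both levels, so the intersection wins."""
    ids = identities(user, groups)
    return resolve(share_entries(share_out), ids) & resolve(acl_entries(acl_out), ids)
```

Running effective_access("pete", ["Users"]) returns only read, matching the conclusion above; adding pete to staff (the group granted Full Control on the share) returns read, write and full, which is the fix the scenario points to.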
I hope this helps; Happy Permission Troubleshooting!