Specifies whether to allow or deny creation of ACLs over SMB.
NOTE: Inheritable ACLs on the system take precedence over this setting. If inheritable ACLs are set on a folder, any new files and folders created in that folder will inherit the folder's ACL. Disabling this setting does not remove ACLs currently set on files. If you want to clear an existing ACL, run the chmod -b <mode> <file> command to remove the ACL and set the correct permissions.
Specifies how permissions are handled when a chmod operation is initiated on a file with an ACL, either locally or over NFS. This setting controls any elements that affect UNIX permissions, including File System Explorer. Enabling this policy setting does not change how chmod operations affect files that do not have ACLs. The following values are valid:
remove
For chmod operations, removes any existing ACL and instead sets the chmod permissions. Select this option only if you do not need permissions to be set from Windows.
replace
Removes the existing ACL and creates an ACL equivalent to the UNIX permissions. Select this option only if you want to remove Windows permissions but do not want files to have synthetic ACLs.
replace_users_and_groups
Removes the existing ACL and creates an ACL equivalent to the UNIX permissions for all users and groups referenced in the old ACL. Select this option only if you want to remove Windows permissions but do not want files to have synthetic ACLs.
merge
Merges permissions that are applied by chmod with existing ACLs. An ACE for each identity (owner, group, and everyone) is either modified or created, but all other ACEs are unmodified. Inheritable ACEs are also left unmodified to enable Windows users to continue to inherit appropriate permissions. UNIX users can set specific permissions for each of those three standard identities, however.
merge_with_ugo_priority
Merges the new permissions with the existing ACLs, marking any corresponding inherited and inheritable ACEs on the directory as inherit-only.
deny
Prevents users from making NFS and local chmod operations. Enable this setting if you do not want to allow permission sets over NFS.
ignore
Ignores the chmod operation if the file has an existing ACL, which prevents an NFS client from making changes to the ACL. Select this option if you defined an inheritable ACL on a directory and want to use that ACL for permissions.
CAUTION: If you attempt to run the chmod command on the same permissions that are currently set on a file with an ACL, you may cause the operation to silently fail. The operation appears to be successful, but if you were to examine the permissions on the cluster, you would notice that the chmod command had no effect. As an alternative, you can run the chmod command away from the current permissions and then perform a second chmod command to revert to the original permissions. For example, if your file shows 755 UNIX permissions and you want to confirm this number, you could run chmod 700 file; chmod 755 file.
--chmod-inheritable {yes | no}
On Windows systems, the ACEs for directories can define detailed inheritance rules. On a UNIX system, the mode bits are not inherited. Making ACLs that are created on directories by the chmod command inheritable is more secure for tightly controlled environments but may deny access to some Windows users who would otherwise expect access.
Changes the user or group that has ownership of a file or folder. The following values are valid:
owner_group_and_acl
Modifies only the owner or group, which enables the chown or chgrp operation to perform as it does in UNIX. Enabling this setting modifies any ACEs in the ACL associated with the old and new owner or group.
owner_group_only
Modifies the owner or group and ACL permissions, which enables the NFS chown or chgrp operation to function as it does in Windows. When a file owner is changed over Windows, no permissions in the ACL are changed.
ignore
Ignores the chown and chgrp operations if the file has an existing ACL, which prevents an NFS client from making changes to the owner or group.
NOTE: Over NFS, the chown or chgrp operation changes the permissions and user or group that has ownership. For example, a file owned by user Joe with rwx------ (700) permissions indicates rwx permissions for the owner, but no permissions for anyone else. If you run the chown command to change ownership of the file to user Bob, the owner permissions are still rwx but they now represent the permissions for Bob, rather than for Joe, who lost all of his permissions. This setting does not affect UNIX chown or chgrp operations performed on files with UNIX permissions, and it does not affect Windows chown or chgrp operations, which do not change any permissions.
--access {unix | windows}
In UNIX environments, only the file owner or superuser has the right to run a chmod or chown operation on a file. In Windows environments, you can implement this policy setting to give users the right to perform chmod operations that change permissions, or the right to perform chown operations that take ownership, but do not give ownership away. The following values are valid:
unix
Allows only the file owner to change the mode or owner of the file, which enables chmod and chown access checks to operate with UNIX-like behavior.
windows
Allows the file owner and users with WRITE_DAC and WRITE_OWNER permissions to change the mode or owner of the file, which enables chmod and chown access checks to operate with Windows-like behavior.
--rwx {retain | full_control}
Specifies how to handle rwx permissions mapped to Windows rights. In UNIX environments, rwx permissions indicate that a user or group has read, write, and execute permissions and that a user or group has the maximum level of permissions.
When you assign UNIX permissions to a file, no ACLs are stored for that file. Because a Windows system processes only ACLs, the Isilon cluster must translate the UNIX permissions into an ACL when you view a file's permissions on a Windows system. This type of ACL is called a synthetic ACL. Synthetic ACLs are not stored anywhere; instead, they are dynamically generated and discarded as needed. If a file has UNIX permissions, you may notice synthetic ACLs when you run the ls file command to view a file's ACLs.
When you generate a synthetic ACL, the Isilon cluster maps UNIX permissions to Windows rights. Windows supports a more granular permissions model than UNIX does, and it specifies rights that cannot easily be mapped from UNIX permissions. The following values are valid:
retain
Retains rwx permissions and generates an ACE that provides only read, write, and execute permissions.
full_control
Treats rwx permissions as full control and generates an ACE that provides the maximum Windows permissions for a user or a group by adding the change permissions right, the take ownership right, and the delete right.
Specifies how to handle inheritance of group ownership and permissions. If you enable a setting that causes the group owner to be inherited from the creator's primary group, you can override it on a per-folder basis by running the chmod command to set the set-gid bit. This inheritance applies only when the file is created. The following values are valid:
native
Specifies that if an ACL exists on a file, the group owner will be inherited from the file creator's primary group. If there is no ACL, the group owner is inherited from the parent folder.
parent
Specifies that the group owner be inherited from the file's parent folder.
creator
Specifies that the group owner be inherited from the file creator's primary group.
--chmod-007 {default | remove}
Specifies whether to remove ACLs when running the chmod (007) command. The following values are valid:
default
Sets 007 UNIX permissions without removing an existing ACL.
remove
Removes ACLs from files over UNIX file sharing (NFS) and locally on the cluster through the chmod (007) command. If you enable this setting, be sure to run the chmod command on the file immediately after using chmod (007) to clear an ACL. In most cases, you do not want to leave 007 permissions on the file.
--calcmode-owner {owner_aces | owner_only}
Specifies how to approximate owner mode bits. The following values are valid:
owner_aces
Approximates owner mode bits using all possible group ACEs. This causes the owner permissions to appear more permissive than the actual permissions on the file.
owner_only
Approximates owner mode bits using only the ACE with the owner ID. This causes the owner permissions to appear more accurate, in that you see only the permissions for a particular owner and not the more permissive set. This may cause access-denied problems for UNIX clients, however.
--calcmode-group {group_aces | group_only}
Specifies how to approximate group mode bits. The following values are valid:
group_aces
Approximates group mode bits using all possible group ACEs. This causes the group permissions to appear more permissive than the actual permissions on the file.
group_only
Approximates group mode bits using only the ACE with the owner ID. This causes the group permissions to appear more accurate, in that you see only the permissions for a particular group and not the more permissive set. This may cause access-denied problems for UNIX clients, however.
--synthetic-denies {none | remove}
Specifies how to handle synthetic ACLs. The Windows ACL user interface cannot display an ACL if any deny ACEs are out of canonical ACL order. To correctly represent UNIX permissions, deny ACEs may be required to be out of canonical ACL order. The following values are valid:
none
Does not modify synthetic ACLs and mode bit approximations, which prevents modifications to synthetic ACL generation and allows “deny” ACEs to be generated when necessary.
CAUTION: This option can lead to permissions being reordered, permanently denying access if a Windows user or an application performs an ACL get, an ACL modification, and an ACL set to and from Windows.
remove
Removes deny ACEs when generating synthetic ACLs. This setting can cause ACLs to be more permissive than the equivalent mode bits.
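The following Python sketch is an added example, not Isilon code: a simplified model (an assumption, not the OneFS algorithm) of building a synthetic ACL from mode bits, showing how the --rwx and --synthetic-denies values described above change the result. The identity names, right names, and evaluation order are illustrative.

```python
# Simplified model of synthetic ACL generation (assumption: not OneFS's algorithm).
R, W, X = "read", "write", "execute"
EXTRA = {"change_permissions", "take_ownership", "delete"}  # added by full_control
CLASSES = ("owner", "group", "everyone")

def rights(bits, rwx="retain"):
    """Translate one rwx triplet (0-7) into a set of rights."""
    out = {name for name, bit in ((R, 4), (W, 2), (X, 1)) if bits & bit}
    return out | EXTRA if bits == 7 and rwx == "full_control" else out

def synthetic_acl(mode, rwx="retain", synthetic_denies="none"):
    """Return ordered ACEs [(type, identity, rights)] equivalent to mode bits."""
    grant = {c: rights((mode >> s) & 7, rwx) for c, s in zip(CLASSES, (6, 3, 0))}
    acl = []
    for i, cls in enumerate(CLASSES):
        # Rights a broader class would leak to this class must be denied first.
        later = set().union(*(grant[c] for c in CLASSES[i + 1:]))
        denied = later - grant[cls]
        if denied and synthetic_denies == "none":
            acl.append(("deny", cls, denied))
        if grant[cls]:
            acl.append(("allow", cls, grant[cls]))
    return acl

def canonicalize(acl):
    """Model a get/modify/set round trip that puts deny ACEs before allow ACEs."""
    return [a for a in acl if a[0] == "deny"] + [a for a in acl if a[0] == "allow"]

def is_canonical(acl):
    """Canonical order: every deny ACE precedes every allow ACE."""
    return acl == canonicalize(acl)

def access(acl, identities, wanted):
    """Ordered evaluation: the first ACE that mentions a right decides it."""
    needed = set(wanted)
    for kind, who, granted in acl:
        if who not in identities:
            continue
        if kind == "deny" and needed & granted:
            return False
        if kind == "allow":
            needed -= granted
        if not needed:
            return True
    return False

if __name__ == "__main__":
    acl = synthetic_acl(0o604)  # constructed sample: rw----r--
    print(acl, is_canonical(acl))
```

For mode 604 the model places a deny ACE for the group after the owner's allow ACE; moving it into canonical order denies read to an owner who is also in the group, and dropping it lets group members read through the everyone ACE.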
--utimes {only_owner | owner_and_write}
Specifies who can change utimes, which are the access and modification times of a file.
only_owner
Allows only owners to change utimes to client-specific times, which complies with the POSIX standard.
owner_and_write
Allows owners as well as users with write access to modify utimes to client-specific times, which is less restrictive.
--dos-attr {deny_smb | deny_smb_and_nfs}
Specifies how to handle the read-only DOS attribute for NFS and SMB. The following values are valid:
deny_smb
Denies permission to modify files with DOS read-only attribute over SMB only.
deny_smb_and_nfs
Denies permission to modify files with DOS read-only attribute through both NFS and SMB.
--calcmode {approx | 777}
Specifies how to display mode bits. The following values are valid:
approx
Specifies to use ACL to approximate mode bits. Displays the approximation of the NFS mode bits that are based on ACL permissions.
777
Specifies to always display 777 if an ACL exists. If the approximated NFS permissions are less permissive than those in the ACL, you may want to use this setting so the NFS client does not stop at the access check before performing its operation. Use this setting when a third-party application may be blocked if the ACL does not provide the proper access.
--calcmode-traverse {ignore | require}
Specifies whether or not traverse rights are required in order to traverse directories with existing ACLs. The following values are valid:
ignore
Specifies that traverse rights are not required.
require
Specifies that traverse rights are required.
{--verbose | -v}
Displays more detailed information.