Listing NTFS style ACLs from unix client via NFS (Take 2...)


John Adams
Hi all..  I asked this a few weeks ago:

If a qtree is using NTFS style permissions, and that same qtree is exported via NFS to a unix client...Is there a way to see the NTFS ACLs from that unix client?  The usual "ls -l" just shows what looks like mode 777.

I got some good responses, but I'm not seeing what I want to see.


Qtree on filer is security style NTFS.
Qtree is exported to linux box via export file on filer: 
     /vol/secgroup_group     -sec=sys,rw=mfanfs,root=x.x.x.x,nosuid

Qtree is mounted on linux box:
> mount -o vers=4,acl secgroup:/vol/secgroup_group /secgroup
> grep secgroup /proc/mounts
secgroup:/vol/secgroup_group/ /secgroup nfs4 rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=x.x.x.x,minorversion=0,local_lock=none,addr=x.x.x.x 0 0

NFS option on filer:
> options nfs.ntacl
nfs.ntacl_display_permissive_perms on


From a windows box, using the CIFS share to that qtree, I can right click on a file, select security, and then see/set the usual NTFS style ACLs.

When I use getfacl from the unix box, I still only see the unix style (User,Group,Other) permissions.

What I'm hoping to see is the Windows style ACLs that are on the files.

I can see them from the filer:

secgroup@testfs1>  fsecurity show /vol/secgroup_group/ccc/pit
[/vol/secgroup_group/ccc/pit - File (inum 28476)]
  Security style: NTFS
  Effective style: NTFS

  DOS attributes: 0x0020 (---A----)

  Unix security:
    uid: xxxx(username)
    gid: 101 (groupname)
    mode: 0777 (rwxrwxrwx)

  NTFS security descriptor:
    Owner: DOMAIN\username
    Group: DOMAIN\Domain Users
    DACL:
      Allow - DOMAIN\budget - 0x001f01ff (Full Control)
      Allow - Everyone - 0x001200a9 (Read and Execute) - (Inherited)
      Allow - DOMAIN\username - 0x001f01ff (Full Control) - (Inherited)
      Allow - DOMAIN\group - 0x001f01ff (Full Control) - (Inherited)

I am hoping to be able to see the above output, from the linux client.  I'm looking for a way for users on linux clients to see the windows ACLs that are on this NTFS qtree.

Any suggestions?

Thanks.


_______________________________________________
Toasters mailing list
[hidden email]
http://www.teaparty.net/mailman/listinfo/toasters

RE: Listing NTFS style ACLs from unix client via NFS (Take 2...)

Parisi, Justin

No way to see the NTFS ACLs from a UNIX client without using SSH commands to the filer or smbcacls as mentioned previously (https://www.samba.org/samba/docs/man/manpages-3/smbcacls.1.html).

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of John Adams
Sent: Wednesday, May 11, 2016 4:06 PM
To: [hidden email]
Subject: Listing NTFS style ACLs from unix client via NFS (Take 2...)

 

Hi all..  I asked this a few weeks ago:

If a qtree is using NTFS style permissions, and that same qtree is exported via NFS to a unix client...Is there a way to see the NTFS ACLs from that unix client?  The usual "ls -l" just shows what looks like mode 777.

I got some good responses, but I'm not seeing what I want to see.

Qtree on filer is security style NTFS.

Qtree is exported to linux box via export file on filer: 

     /vol/secgroup_group     -sec=sys,rw=mfanfs,root=x.x.x.x,nosuid

Qtree is mounted on linux box:
> mount -o vers=4,acl secgroup:/vol/secgroup_group /secgroup
> grep secgroup /proc/mounts
secgroup:/vol/secgroup_group/ /secgroup nfs4 rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=x.x.x.x,minorversion=0,local_lock=none,addr=x.x.x.x 0 0

NFS option on filer:
> options nfs.ntacl
nfs.ntacl_display_permissive_perms on

From a windows box, using the CIFS share to that qtree, I can right click on a file, select security, and then see/set the usual NTFS style ACLs.

When I use getfacl from the unix box, I still only see the unix style (User,Group,Other) permissions.

What I'm hoping to see is the Windows style ACLs that are on the files.

I can see them from the filer:

secgroup@testfs1>  fsecurity show /vol/secgroup_group/ccc/pit
[/vol/secgroup_group/ccc/pit - File (inum 28476)]
  Security style: NTFS
  Effective style: NTFS

  DOS attributes: 0x0020 (---A----)

  Unix security:
    uid: xxxx(username)
    gid: 101 (groupname)
    mode: 0777 (rwxrwxrwx)

  NTFS security descriptor:
    Owner: DOMAIN\username
    Group: DOMAIN\Domain Users
    DACL:
      Allow - DOMAIN\budget - 0x001f01ff (Full Control)
      Allow - Everyone - 0x001200a9 (Read and Execute) - (Inherited)
      Allow - DOMAIN\username - 0x001f01ff (Full Control) - (Inherited)
      Allow - DOMAIN\group - 0x001f01ff (Full Control) - (Inherited)

I am hoping to be able to see the above output, from the linux client.  I'm looking for a way for users on linux clients to see the windows ACLs that are on this NTFS qtree.

Any suggestions?

 

Thanks.



Re: Listing NTFS style ACLs from unix client via NFS (Take 2...)

Jeremy Webber-2
There is no way to see NTFS ACLs from an NFS client on any operating system because NFS simply does not pass that information through.

If you are using NFS v4 then you may be able to see something which looks like ACLs on the client, but they may not be accurate as the semantics of NFSv4 ACLs are different to NTFS ACLs.

NFSv3, which most people still use, does not support any form of ACLs.

This is a limitation of the protocol. It has nothing to do with the storage system or with the client operating system.

As others have said, in order to view NTFS ACLs you must either use an SMB client (e.g. Windows, Linux with a suitable Samba client, etc) or run filer commands.

HTH,
  Jeremy

> On 12 May 2016, at 6:06 AM, John Adams <[hidden email]> wrote:
>
> Hi all..  I asked this a few weeks ago:
>
> If a qtree is using NTFS style permissions, and that same qtree is exported via NFS to a unix client...Is there a way to see the NTFS ACLs from that unix client?  The usual "ls -l" just shows what looks like mode 777.
>
> I got some good responses, but I'm not seeing what I want to see.
>
>
> Qtree on filer is security style NTFS.
> Qtree is exported to linux box via export file on filer:  
>      /vol/secgroup_group     -sec=sys,rw=mfanfs,root=x.x.x.x,nosuid
>
> Qtree is mounted on linux box:
> > mount -o vers=4,acl secgroup:/vol/secgroup_group /secgroup
> > grep secgroup /proc/mounts
> secgroup:/vol/secgroup_group/ /secgroup nfs4 rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=x.x.x.x,minorversion=0,local_lock=none,addr=x.x.x.x 0 0
>
> NFS option on filer:
> > options nfs.ntacl
> nfs.ntacl_display_permissive_perms on
>
>
> From a windows box, using the CIFS share to that qtree, I can right click on a file, select security, and then see/set the usual NTFS style ACLs.
>
> When I use getfacl from the unix box, I still only see the unix style (User,Group,Other) permissions.
>
> What I'm hoping to see is the Windows style ACLs that are on the files.
>
> I can see them from the filer:
>
> secgroup@testfs1>  fsecurity show /vol/secgroup_group/ccc/pit
> [/vol/secgroup_group/ccc/pit - File (inum 28476)]
>   Security style: NTFS
>   Effective style: NTFS
>
>   DOS attributes: 0x0020 (---A----)
>
>   Unix security:
>     uid: xxxx(username)
>     gid: 101 (groupname)
>     mode: 0777 (rwxrwxrwx)
>
>   NTFS security descriptor:
>     Owner: DOMAIN\username
>     Group: DOMAIN\Domain Users
>     DACL:
>       Allow - DOMAIN\budget - 0x001f01ff (Full Control)
>       Allow - Everyone - 0x001200a9 (Read and Execute) - (Inherited)
>       Allow - DOMAIN\username - 0x001f01ff (Full Control) - (Inherited)
>       Allow - DOMAIN\group - 0x001f01ff (Full Control) - (Inherited)
>
> I am hoping to be able to see the above output, from the linux client.  I'm looking for a way for users on linux clients to see the windows ACLs that are on this NTFS qtree.
>
> Any suggestions?
>
> Thanks.
>
> _______________________________________________
> Toasters mailing list
> [hidden email]
> http://www.teaparty.net/mailman/listinfo/toasters
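
Added example (not part of any poster's message and not NetApp code): since the replies say the NTFS ACLs can only be read through filer commands or an SMB client, this sketch parses captured `fsecurity show` text, expands each ACE's access mask into the standard Windows file rights, and checks whether the permissive UNIX mode overstates what the DACL grants Everyone. The function names are hypothetical and the sample is constructed from the output quoted in the thread.

```python
import re

# Constructed sample: lines taken from the `fsecurity show` output quoted in the thread.
SAMPLE = r"""
    mode: 0777 (rwxrwxrwx)
    DACL:
      Allow - DOMAIN\budget - 0x001f01ff (Full Control)
      Allow - Everyone - 0x001200a9 (Read and Execute) - (Inherited)
      Allow - DOMAIN\username - 0x001f01ff (Full Control) - (Inherited)
      Allow - DOMAIN\group - 0x001f01ff (Full Control) - (Inherited)
"""

# Windows file access-mask bits (names as in winnt.h).
RIGHTS = {
    0x000001: "FILE_READ_DATA", 0x000002: "FILE_WRITE_DATA",
    0x000004: "FILE_APPEND_DATA", 0x000008: "FILE_READ_EA",
    0x000010: "FILE_WRITE_EA", 0x000020: "FILE_EXECUTE",
    0x000040: "FILE_DELETE_CHILD", 0x000080: "FILE_READ_ATTRIBUTES",
    0x000100: "FILE_WRITE_ATTRIBUTES", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# Bits that let a trustee change data, attributes, the ACL or the owner.
MODIFY_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
ACE_RE = re.compile(
    r"^\s*(Allow|Deny) - (.+?) - (0x[0-9a-fA-F]+) \(([^)]*)\)( - \(Inherited\))?\s*$")

def decode_mask(mask):
    """Return the individual rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(RIGHTS.items()) if mask & bit]

def parse_dacl(text):
    """Parse the ACE lines of `fsecurity show` output into dictionaries."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            mask = int(m.group(3), 16)
            aces.append({"type": m.group(1), "trustee": m.group(2),
                         "mask": mask, "rights": decode_mask(mask),
                         "inherited": bool(m.group(5)),
                         "can_modify": m.group(1) == "Allow"
                                       and bool(mask & MODIFY_BITS)})
    return aces

def mode_overstates(text):
    """True when the mode shows world-write but no Allow ACE lets Everyone modify."""
    mode = int(re.search(r"mode: (0[0-7]+)", text).group(1), 8)
    everyone = [a for a in parse_dacl(text) if a["trustee"] == "Everyone"]
    return bool(mode & 0o002) and not any(a["can_modify"] for a in everyone)
```

On the sample, Everyone decodes to read, execute and attribute rights only, while the mode reported to the NFS client is 0777.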

