displayed unix permissions on ntfs qtree


displayed unix permissions on ntfs qtree

Fred Grieco
I'm having an issue on the displayed permissions in linux, on an ntfs qtree. This is in cDOT 8.2.3. I have a vserver that's joined to an AD domain and NIS-enabled. Basically, most of the permissions display rwxrwxrwx on the linux, and it's not clear where it's getting these. The NIS/nfs permissions themselves are obeyed -- I can only get to where I have access, on the linux side.

This is a snapmirrored volume/qtree from a 7-mode filer. It's user directories. The linux permissions from the 7-mode filer are almost exclusively rwx------. The ntfs permissions on the source and destinations match, and the NIS/AD/namemapping configs are the same. I'm not sure why it's not displaying the same permissions from linux on the source and destination.

Fred


_______________________________________________
Toasters mailing list
[hidden email]
http://www.teaparty.net/mailman/listinfo/toasters

RE: displayed unix permissions on ntfs qtree

andrei.borzenkov@ts.fujitsu.com

Well, permission bits for ntfs security style qtree are for display purposes anyway and should "show the maximum access allowed to any user in the ACL". Maybe C-Mode has some additional (inherited?) ACLs? Did you compare the full ACL for a file in 7-Mode and C-Mode?

 

---

With best regards

 

Andrei Borzenkov

Senior system engineer

FTS WEMEAI RUC RU SC TMS FOS

FUJITSU

Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation

Tel.: +7 495 730 62 20 ( reception)

Mob.: +7 916 678 7208

Fax: +7 495 730 62 14

E-mail: [hidden email]

Web: ru.fujitsu.com

Company details: ts.fujitsu.com/imprint

This communication contains information that is confidential, proprietary in nature and/or privileged.  It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) or the person responsible for delivering it to the intended recipient(s), please note that any form of dissemination, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender and delete the original communication. Thank you for your cooperation.

Please be advised that neither Fujitsu, its affiliates, its employees or agents accept liability for any errors, omissions or damages caused by delays of receipt or by any virus infection in this message or its attachments, or which may otherwise arise as a result of this e-mail transmission.

 


Re: displayed unix permissions on ntfs qtree

Fred Grieco
The ntfs acl on 7-mode and cDOT are the same. And they are obeyed with respect to access.

The issue is with ssh keys -- the app needs to "see" 700 perms in order to function properly. So I'm trying to get the displayed permissions to match what they were in 7-mode.

I've created a test folder and it looks like if I add any other user to the ACL, it will display 777. I even tried a user that doesn't share any groups (like Domain Users).

Fred




RE: displayed unix permissions on ntfs qtree

andrei.borzenkov@ts.fujitsu.com

Who is the owner of files on 7-Mode and C-Mode? Note that while the owner does not matter for the access check (unless you have an explicit ACL for OWNER), to get 0700 permissions you must have only an ACL for the actual file owner.

 


Re: displayed unix permissions on ntfs qtree

Fred Grieco
The owner on both is the same, and there are about 5-6 groups that have permissions on both sides as well.  And yet the 7-mode side returns 0700 for these.  Quite odd.




Re: displayed unix permissions on ntfs qtree

Tim McCarthy
never tried this before but how about this:

from a windows host, as that user, modify the ACL until all that is left is 
owner = user
full = user

From the cDot system, you can verify with:

vserver security file-directory show -vserver <vserver> -path </absolute/path/to/file-or-directory>

It will spit out something like this:

                Vserver: myvserver
              File Path: /obdfile
      File Inode Number: 64
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 16
 DOS Attributes in Text: ----DSH-
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:NT AUTHORITY\SYSTEM
                         Group:NT AUTHORITY\SYSTEM
                         DACL - ACEs
                           ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
                           ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
                           ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO
                           ALLOW-BUILTIN\Users-0x1200a9-OI|CI
                           ALLOW-BUILTIN\Users-0x4-CI
                           ALLOW-BUILTIN\Users-0x2-CI|IO
                           ALLOW-Everyone-0x1200a9

--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeam

I Blog at TMACsRack




Re: displayed unix permissions on ntfs qtree

Fred Grieco
Thanks everyone for the help. The answer here was that in 7mode, there was a setting called "options nfs.ntacl_display_permissive_perms". When set to disabled, like it is on my source, all ACLs but "everyone-full control" will translate to 700 for linux hosts.

This option was not available in cDOT until version 8.3.1. It's a vserver-wide setting: vserver nfs modify -vserver vservername -ntacl-display-permissive-perms disabled (set -priv advanced). In 8.2.3, it's stuck at enabled.

I'm a little stuck because I'm doing a tdp transition from 32 bit aggregates, so can't upgrade to 8.3.1+ until that's done.   The interim solution is to set the required areas to owner-full control *only* in the nt acl to get the 700 perm in linux.

Sorry if this was a repeat.   This was covered in https://whyistheinternetbroken.wordpress.com/ and NOW.
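
The verification step suggested in the thread (run `vserver security file-directory show` and confirm that only the owner is left in the NT ACL), written as an added example that is not part of any poster's message or of NetApp's tooling. It assumes the output layout quoted in the thread; the second and third records, the `EXAMPLE\...` accounts and the function names are constructed for illustration, and inherit-only (IO) ACEs are skipped because they do not apply to the object itself.

```python
import re

# Record 1 is the output quoted in the thread (trimmed to the fields used here);
# records 2 and 3 are constructed, with hypothetical paths and account names.
SAMPLE = r"""
                Vserver: myvserver
              File Path: /obdfile
         UNIX Mode Bits: 777
                   ACLs: NTFS Security Descriptor
                         Owner:NT AUTHORITY\SYSTEM
                         DACL - ACEs
                           ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
                           ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
                           ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO
                           ALLOW-BUILTIN\Users-0x1200a9-OI|CI
                           ALLOW-BUILTIN\Users-0x4-CI
                           ALLOW-BUILTIN\Users-0x2-CI|IO
                           ALLOW-Everyone-0x1200a9

                Vserver: myvserver
              File Path: /home/fred/.ssh
         UNIX Mode Bits: 700
                   ACLs: NTFS Security Descriptor
                         Owner:EXAMPLE\fred
                         DACL - ACEs
                           ALLOW-EXAMPLE\fred-0x1f01ff-OI|CI

                Vserver: myvserver
              File Path: /home/fred/shared
         UNIX Mode Bits: 777
                   ACLs: NTFS Security Descriptor
                         Owner:EXAMPLE\fred
                         DACL - ACEs
                           ALLOW-EXAMPLE\fred-0x1f01ff-OI|CI
                           ALLOW-EXAMPLE\backup-svc-0x1200a9-OI|CI
"""

# TYPE-trustee-0xMASK[-FLAGS]; the trustee is matched greedily so account
# names that contain hyphens still parse.
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?$")

# FILE_ALL_ACCESS and GENERIC_ALL: the two masks that mean "full control".
FULL_CONTROL = {0x1F01FF, 0x10000000}


def parse_show_output(text):
    """Split captured CLI output into one record per 'Vserver:' block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        if m:
            if cur is not None:
                kind, trustee, mask, flags = m.groups()
                cur["aces"].append({
                    "kind": kind,
                    "trustee": trustee,
                    "mask": int(mask, 16),
                    "flags": set(flags.split("|")) if flags else set(),
                })
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # e.g. the "DACL - ACEs" heading
        key, value = key.strip(), value.strip()
        if key == "Vserver":
            cur = {"vserver": value, "path": None, "owner": None,
                   "mode": None, "aces": []}
            records.append(cur)
        elif cur is None:
            continue
        elif key == "File Path":
            cur["path"] = value
        elif key == "UNIX Mode Bits":
            cur["mode"] = int(value, 8)
        elif key == "Owner":
            cur["owner"] = value
    return records


def audit(record):
    """Report the displayed mode and whether the DACL is owner-full-control only."""
    owner = (record["owner"] or "").lower()
    effective = [a for a in record["aces"] if "IO" not in a["flags"]]
    others = sorted({a["trustee"] for a in effective
                     if a["trustee"].lower() != owner})
    owner_full = any(a["kind"] == "ALLOW" and a["trustee"].lower() == owner
                     and a["mask"] in FULL_CONTROL for a in effective)
    return {
        "path": record["path"],
        "displayed_mode": format(record["mode"], "04o"),
        # "700" means no group or other bits are shown to the NFS client.
        "mode_is_private": record["mode"] & 0o077 == 0,
        "owner_only_acl": owner_full and not others,
        "other_trustees": others,
    }


if __name__ == "__main__":
    for rec in parse_show_output(SAMPLE):
        print(audit(rec))
```

Run it over saved CLI output for the directories that hold ssh keys; any path listing `other_trustees` still has ACEs to remove before the interim workaround described above applies.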



From: tmac <[hidden email]>
To: Fred Grieco <[hidden email]>
Cc: "[hidden email]" <[hidden email]>; Toasters <[hidden email]>
Sent: Monday, July 18, 2016 8:28 AM
Subject: Re: displayed unix permissions on ntfs qtree

never tried this before but how about this:

from a windows host, as that user, modify the ACL until all that is left is 
owner = user
full = user

From the cDot system, you can verify with:

vserver security file-directory show -vserver <vserver> -path </absolute/path/to/file-or-directory>

It will spit out something like this:

                Vserver: myvserver
              File Path: /obdfile
      File Inode Number: 64
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 16
 DOS Attributes in Text: ----DSH-
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:NT AUTHORITY\SYSTEM
                         Group:NT AUTHORITY\SYSTEM
                         DACL - ACEs
                           ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
                           ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
                           ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO
                           ALLOW-BUILTIN\Users-0x1200a9-OI|CI
                           ALLOW-BUILTIN\Users-0x4-CI
                           ALLOW-BUILTIN\Users-0x2-CI|IO
                           ALLOW-Everyone-0x1200a9

--tmac

Tim McCarthy, Principal Consultant
Proud Member of the #NetAppATeam
I Blog at TMACsRack


On Sun, Jul 17, 2016 at 5:36 PM, Fred Grieco <[hidden email]> wrote:
The owner on both is the same, and there are about 5-6 groups that have permissions on both sides as well.  And yet the 7-mode side returns 0700 for these.  Quite odd.



From: "[hidden email]" <[hidden email]>
To: Fred Grieco <[hidden email]>; Toasters <[hidden email]>
Sent: Sunday, July 17, 2016 3:04 PM

Subject: RE: displayed unix permissions on ntfs qtree

Who is the owner of files on 7-Mode and C-Mode? Note that while owner does not matter for access check (unless you have explicit ACL for OWNER) to get 0700 permissions you must have only ACL for actual file owner.
 
---
With best regards
 
Andrei Borzenkov
Senior system engineer
FTS WEMEAI RUC RU SC TMS FOS
cid:image001.gif@01CBF835.B3FEDA90
FUJITSU
Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation
Tel.: +7 495 730 62 20 ( reception)
Company details: ts.fujitsu.com/imprint
This communication contains information that is confidential, proprietary in nature and/or privileged.  It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) or the person responsible for delivering it to the intended recipient(s), please note that any form of dissemination, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender and delete the original communication. Thank you for your cooperation.
Please be advised that neither Fujitsu, its affiliates, its employees or agents accept liability for any errors, omissions or damages caused by delays of receipt or by any virus infection in this message or its attachments, or which may otherwise arise as a result of this e-mail transmission.
 
From: Fred Grieco [mailto:[hidden email]]
Sent: Sunday, July 17, 2016 8:54 PM
To: Borzenkov, Andrei; Toasters
Subject: Re: displayed unix permissions on ntfs qtree
 
The ntfs acl on 7-mode and cDOT are the same.   And they are obeyed with respect to access.  
 
The issue is with ssh keys -- the app needs to "see" 700 perms in order to function properly.  So i'm trying to get the displayed permissions to match what they were in 7-mode.
 
I've created a test folder and it looks like if i add any other user to the ACL, it will display 777.   I even tried an user that doesn't share any groups (like Domain Users).  
 
Fred
 

From: "[hidden email]" <[hidden email]>
To: Fred Grieco <[hidden email]>; Toasters <[hidden email]>
Sent: Sunday, July 17, 2016 12:37 PM
Subject: RE: displayed unix permissions on ntfs qtree
 
Well, permissions bits for ntfs security style qtree are for display purposes anyway and shouldshow the maximum access allowed to any user in the ACL”. May be C-Mode has some additional (inherited?) ACLs? Did you compare full ACL for a file in 7-Mode and C-Mode?
 
---
With best regards
 
Andrei Borzenkov
Senior system engineer
FTS WEMEAI RUC RU SC TMS FOS
cid:image001.gif@01CBF835.B3FEDA90
FUJITSU
Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation
Tel.: +7 495 730 62 20 ( reception)
Company details: ts.fujitsu.com/imprint
This communication contains information that is confidential, proprietary in nature and/or privileged.  It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) or the person responsible for delivering it to the intended recipient(s), please note that any form of dissemination, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender and delete the original communication. Thank you for your cooperation.
Please be advised that neither Fujitsu, its affiliates, its employees or agents accept liability for any errors, omissions or damages caused by delays of receipt or by any virus infection in this message or its attachments, or which may otherwise arise as a result of this e-mail transmission.
 
From: [hidden email] [[hidden email]] On Behalf Of Fred Grieco
Sent: Sunday, July 17, 2016 4:06 PM
To: Toasters
Subject: displayed unix permissions on ntfs qtree
 
I'm having an issue on the displayed permissions in linux, on an ntfs qtree.   This is in cDOT 8.2.3.  I have a vserver that's joined to an AD domain and NIS-enabled.   Basically, most of the permissions display rwxrwxrwx on the linux, and it's not clear where it's getting these.  The NIS/nfs permissions themselves are obeyed -- I can only get to where I have access, on the linux side.
 
This is a snapmirrored volume/qtree from a 7-mode filer.  It's user directories.   The linux permissions from the 7-mode filer are almost exclusively rwx------.   The ntfs permissions on the source and destinations match, and the NIS/AD/namemapping configs are the same.   I'm not sure why it's not displaying the same permissions from linux on the source and destination.
 
Fred
 
 




Re: displayed unix permissions on ntfs qtree

andrei.borzenkov@ts.fujitsu.com
Thank you for coming back on it!

Sent from iPhone

On July 22, 2016, at 4:27, Fred Grieco <[hidden email]> wrote:

Thanks everyone for the help.   The answer here was that in 7mode, there was a setting called "options nfs.ntacl_display_permissive_perms."   When set to disabled, like it is on my source, all ACLs but "everyone-full control" will translate to 700 for linux hosts.

This option was not available in cDOT until version 8.3.1.   It's a vserver-wide setting:  vserver nfs modify -vserver vservername -ntacl-display-permissive-perms disabled  (set -priv advanced).   In 8.2.3, it's stuck at enabled.

I'm a little stuck because I'm doing a tdp transition from 32 bit aggregates, so can't upgrade to 8.3.1+ until that's done.   The interim solution is to set the required areas to owner-full control *only* in the nt acl to get the 700 perm in linux.

Sorry if this was a repeat.   This was covered in https://whyistheinternetbroken.wordpress.com/ and NOW.



From: tmac <[hidden email]>
To: Fred Grieco <[hidden email]>
Cc: "[hidden email]" <[hidden email]>; Toasters <[hidden email]>
Sent: Monday, July 18, 2016 8:28 AM
Subject: Re: displayed unix permissions on ntfs qtree

never tried this before but how about this:

from a windows host, as that user, modify the ACL until all that is left is 
owner = user
full = user

From the cDot system, you can verify with:

vserver security file-directory show -vserver <vserver> -path </absolute/path/to/file-or-directory>

It will spit out something like this:

                Vserver: myvserver
              File Path: /obdfile
      File Inode Number: 64
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 16
 DOS Attributes in Text: ----DSH-
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:NT AUTHORITY\SYSTEM
                         Group:NT AUTHORITY\SYSTEM
                         DACL - ACEs
                           ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
                           ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
                           ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO
                           ALLOW-BUILTIN\Users-0x1200a9-OI|CI
                           ALLOW-BUILTIN\Users-0x4-CI
                           ALLOW-BUILTIN\Users-0x2-CI|IO
                           ALLOW-Everyone-0x1200a9

--tmac

Tim McCarthy, Principal Consultant
Proud Member of the #NetAppATeam
I Blog at TMACsRack


On Sun, Jul 17, 2016 at 5:36 PM, Fred Grieco <[hidden email]> wrote:
The owner on both is the same, and there are about 5-6 groups that have permissions on both sides as well.  And yet the 7-mode side returns 0700 for these.  Quite odd.



From: "[hidden email]" <[hidden email]>
To: Fred Grieco <[hidden email]>; Toasters <[hidden email]>
Sent: Sunday, July 17, 2016 3:04 PM

Subject: RE: displayed unix permissions on ntfs qtree

Who is the owner of files on 7-Mode and C-Mode? Note that while owner does not matter for access check (unless you have explicit ACL for OWNER), to get 0700 permissions you must have only ACL for actual file owner.
 
---
With best regards
 
Andrei Borzenkov
Senior system engineer
FTS WEMEAI RUC RU SC TMS FOS
FUJITSU
Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation
Tel.: +7 495 730 62 20 ( reception)
Company details: ts.fujitsu.com/imprint
 
From: Fred Grieco [mailto:[hidden email]]
Sent: Sunday, July 17, 2016 8:54 PM
To: Borzenkov, Andrei; Toasters
Subject: Re: displayed unix permissions on ntfs qtree
 
The ntfs acl on 7-mode and cDOT are the same.   And they are obeyed with respect to access.  
 
The issue is with ssh keys -- the app needs to "see" 700 perms in order to function properly.  So I'm trying to get the displayed permissions to match what they were in 7-mode.
 
I've created a test folder and it looks like if I add any other user to the ACL, it will display 777.   I even tried a user that doesn't share any groups (like Domain Users).  
 
Fred
 

From: "[hidden email]" <[hidden email]>
To: Fred Grieco <[hidden email]>; Toasters <[hidden email]>
Sent: Sunday, July 17, 2016 12:37 PM
Subject: RE: displayed unix permissions on ntfs qtree
 
Well, permissions bits for ntfs security style qtree are for display purposes anyway and should “show the maximum access allowed to any user in the ACL”. Maybe C-Mode has some additional (inherited?) ACLs? Did you compare full ACL for a file in 7-Mode and C-Mode?
 
---
With best regards
 
Andrei Borzenkov
Senior system engineer
FTS WEMEAI RUC RU SC TMS FOS
FUJITSU
Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation
Tel.: +7 495 730 62 20 ( reception)
Company details: ts.fujitsu.com/imprint
 
From: [hidden email] [[hidden email]] On Behalf Of Fred Grieco
Sent: Sunday, July 17, 2016 4:06 PM
To: Toasters
Subject: displayed unix permissions on ntfs qtree
 
I'm having an issue on the displayed permissions in linux, on an ntfs qtree.   This is in cDOT 8.2.3.  I have a vserver that's joined to an AD domain and NIS-enabled.   Basically, most of the permissions display rwxrwxrwx on the linux, and it's not clear where it's getting these.  The NIS/nfs permissions themselves are obeyed -- I can only get to where I have access, on the linux side.
 
This is a snapmirrored volume/qtree from a 7-mode filer.  It's user directories.   The linux permissions from the 7-mode filer are almost exclusively rwx------.   The ntfs permissions on the source and destinations match, and the NIS/AD/namemapping configs are the same.   I'm not sure why it's not displaying the same permissions from linux on the source and destination.
 
Fred
 
 




_______________________________________________
Toasters mailing list
[hidden email]
http://www.teaparty.net/mailman/listinfo/toasters
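
An added example, not part of any message in this thread: a small Python parser for `vserver security file-directory show` output in the layout tmac quoted, listing the ALLOW trustees other than the owner, which are the entries Fred and Andrei report as pushing the displayed mode past 700 under permissive display. The sample output, the EXAMPLE domain, the user and the path are constructed.

```python
import re

# Constructed sample in the layout of the `vserver security file-directory show`
# output quoted in the thread; domain, user and path are made up.
SAMPLE = r"""
                Vserver: myvserver
              File Path: /home/alice/.ssh
         Security Style: ntfs
         UNIX Mode Bits: 777
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:EXAMPLE\alice
                         Group:EXAMPLE\Domain Users
                         DACL - ACEs
                           ALLOW-EXAMPLE\alice-0x1f01ff-OI|CI
                           ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
                           ALLOW-Everyone-0x1200a9
"""

# ACE lines read TYPE-trustee-0xMASK[-FLAGS]; the flags part is optional.
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-(\S+))?$")

def parse_show_output(text):
    """Collect the 'Key: value' fields and the DACL entries of one listing."""
    info = {"aces": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            kind, trustee, mask, flags = m.groups()
            info["aces"].append({"type": kind, "trustee": trustee,
                                 "mask": int(mask, 16),
                                 "flags": flags.split("|") if flags else []})
        elif ":" in line:
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info

def extra_trustees(info):
    """ALLOW trustees other than the owner. Per the thread, 700 is displayed
    only when the owner is the sole trustee in the ACL."""
    owner = info.get("Owner", "").lower()
    return sorted({a["trustee"] for a in info["aces"]
                   if a["type"] == "ALLOW" and a["trustee"].lower() != owner})

if __name__ == "__main__":
    parsed = parse_show_output(SAMPLE)
    print(parsed["File Path"], parsed["UNIX Mode Bits"], extra_trustees(parsed))
```
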
