Strange behavior on samba shares (rights related). Any hint?


pierluigi...@gmail.com

Mar 26, 2021, 11:03:58 AM
to Isilon Technical User Group
Hello all,
 on an Isilon cluster (8.2.2) I'm experiencing some strange behaviors with the rights on some shares/subfolders.

I'll try to explain: I create a new share by using the GUI, in an access zone, also creating the filesystem directory.
Whether I set "apply default ACL" or I set "don't change existing permission" doesn't change the behavior.
I add a member to the members list that is a domain admin of some kind, with full control (or with "run as root").

Then I go to the share from a Windows machine as the previous domain admin, and "explorer" the newly created share.
In this share I create (as the same domain admin user) a directory and add to this directory full permission for a "normal" user, as I want this user to write and modify files only in that dir.

After that I connect (from another machine) to the newly created share as the normal user.
I can change directory to the newly created directory but I cannot write into it.

Obviously I'm doing something wrong, as I expect to write in this directory with this user, but I can't understand what.

Can you help me shine some light on this?

Thanks in advance

Pierluigi

karim....@gmail.com

Mar 26, 2021, 11:25:25 AM
to isilon-u...@googlegroups.com
That new user seems to have NTFS permissions, but no SMB share permissions. Is that normal user added to the SMB share members in OneFS?
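
The two-layer check behind this reply, as an added example that is not part of the original thread: an SMB request has to be allowed by the share permissions and by the directory ACL, so a user with full control in the ACL but only read at share level can enter the directory and cannot write. The principals, the right names and the default "Everyone read-only" share entry are assumptions; deny entries, inheritance and "run as root" are not modelled.

```python
# Added illustration (not from the thread): allow-only model of the two checks
# an SMB write must pass. Principals and rights below are constructed samples.
READ = frozenset({"read", "traverse"})
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"change_permissions"}


def granted(entries, token):
    """Union of the rights of every entry whose trustee is in the user's token."""
    rights = set()
    for trustee, allowed in entries:
        if trustee in token:
            rights |= allowed
    return frozenset(rights)


def effective(share_perms, dir_acl, token):
    """Rights that survive both layers: share permissions AND directory ACL."""
    return granted(share_perms, token) & granted(dir_acl, token)


# Assumed share members: Everyone read-only plus the admin with full control.
SHARE = [("Everyone", READ), ("EXAMPLE\\shareadmin", FULL)]
# Directory ACL after the admin grants the normal user full control in Explorer.
DIR_ACL = [("EXAMPLE\\shareadmin", FULL), ("EXAMPLE\\normaluser", FULL)]

ADMIN = {"EXAMPLE\\shareadmin", "Everyone"}
USER = {"EXAMPLE\\normaluser", "Everyone"}
OTHER = {"EXAMPLE\\otheruser", "Everyone"}

# Variant 1: add the normal user to the share members with change rights.
SHARE_WITH_USER = SHARE + [("EXAMPLE\\normaluser", CHANGE)]
# Variant 2: Everyone read-write at share level (not "run as root").
SHARE_EVERYONE_RW = [("Everyone", CHANGE), ("EXAMPLE\\shareadmin", FULL)]

if __name__ == "__main__":
    for label, share in [("as created", SHARE), ("user added", SHARE_WITH_USER),
                         ("Everyone r/w", SHARE_EVERYONE_RW)]:
        for name, token in [("admin", ADMIN), ("user", USER), ("other", OTHER)]:
            print(f"{label:13} {name:6} {sorted(effective(share, DIR_ACL, token))}")
```

In this model, widening the share permission to Everyone read-write still leaves a user with no entry in the directory ACL without any rights on that directory.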



Sitaram Kandulapati

Mar 26, 2021, 11:34:05 AM
to isilon-u...@googlegroups.com
Hi Pierluigi,

I understand that, for some reason, when you create a share using the GUI it creates a share in the Isilon system. If it is AD integrated, you need to check whether that user has permissions or not. Try to log in using the CLI to check whether the permissions are enabled or not on that particular share. When a user tries to connect to a share, the Isilon looks up the SID and UID either locally or with Active Directory integrated permission inherited.
Thanks
RAM

pierluigi...@gmail.com

Mar 26, 2021, 12:02:17 PM
to Isilon Technical User Group
Hi all,
  the user that creates the directory and the user that tries to use it are both in AD.
How can I check if the user has such rights, via CLI?

@Karim as I said, both users (domain and normal) are in AD.

The same identical steps (on the Windows machine) done on a NetApp share work as expected (no polemic intended :) )

Thanks in advance
Pierluigi

pierluigi...@gmail.com

Mar 28, 2021, 3:16:32 AM
to Isilon Technical User Group
You mean Everyone from Windows or from Isilon permission?
If from Isilon permission (web UI / isi smb share), it is something I could try; from Windows I don't have (yet) admin accounts.
If, from Isilon, I set Everyone as root, I can access, but then others can also access the same directories, so it is not what I want.

Pierluigi


On Friday, March 26, 2021 at 23:57:56 UTC+1, karim....@gmail.com wrote:
For the sake of testing, can you give “Everyone” read-write access on the SMB share level in OneFS. 

On Fri, 26 Mar 2021 at 6:02 PM pierluigi...@gmail.com <pierluigi...@gmail.com> wrote:

Sitaram Kandulapati

Mar 28, 2021, 10:38:08 AM
to isilon-u...@googlegroups.com
Hi Pierluigi,

Please use these links for reference to work around the permissions issues on the folders and subfolders access.
If you don't have server access, make sure they give proper permissions provided with screenshots.


Thanks 
RAM


Jeff

Mar 29, 2021, 10:46:37 AM
to Isilon Technical User Group
This is an interesting discussion; we do not have ABE/ABSE enabled on our cluster or any shares and have stumbled around when access issues come up, which they often do. We use Active Directory for our auth. Which makes me question the process we typically follow to create a new share, and I've noted some differences in permissions depending on how the root folder of the share is created: if we manually create the folder then assign a share, or if we let the WebUI create the folder. Here, test1 was created using the WebUI, test2 using a folder created first via CLI, then a share created from it:
drwxrwxr-x +    2 root      wheel         0 Mar 29 10:34 test1
drwxrwx--- +    2 root      wheel         0 Mar 29 10:35 test2

We typically do the manual create, remove the "Everyone" R/O access, add the admin for the share's group with Full Control and Run as Root (initially) and take the default settings for everything else. Once they're set up, we remove the Run as Root. What are the rest of you doing? We're relatively new to SMB shares, having been doing NFS mostly; I'd be curious if anyone sees an error in how we're doing it.

pierluigi...@gmail.com

Mar 29, 2021, 11:29:14 AM
to Isilon Technical User Group
Hello RAM,
 I've tried the solution posted in your first link but it didn't end up as expected.
Moreover, I can't find such a "Traverse" flag in the Isilon web UI (nor in Windows, to be honest).
I'm starting to think of a bug in the new 8.2.2 OneFS or a restrictive way to handle permissions and rights in new Windows AD.

I will keep searching.

If anyone comes up with other ideas I'll be happy to try, as I've run out of them :(

Pierluigi

Pierluigi Frullani

Mar 29, 2021, 11:34:40 AM
to isilon-u...@googlegroups.com
Hello Jeff,
 do you mind if I ask you which of the two procedures works for you?
The first one's rights seem to me (which means almost nothing, due to the fact I'm having problems) as if you have the r-x right, meaning that all have access and can at least access, while the second (test2) won't be allowed to everyone.

Thx

Pierluigi


Jeff

Mar 29, 2021, 11:57:00 AM
to Isilon Technical User Group
Hi Pierluigi,

We use the manual method, that is to create the directory first, but I'm questioning the sanity in doing it that way, hence my post.