CIFS Share Permissions


scott

Dec 13, 2012, 5:29:29 PM
to isilon-u...@googlegroups.com
I have a few CIFS shares on v6.5.5.11 that are not behaving as I expect them to and the OneFS User Guide doesn't provide the detail I'm looking for. 

I want to create a share and grant full access to 2 users - including the right to clobber one another's files.  It appears the default settings in the GUI allow me to present a share to 2 users, but neither can delete the other user's files. 

When I create a new share (permtest) using the Isilon GUI (allowing it to create the filesystem directory) and grant full permissions to user1 and user2, the permissions look like:

drwxrwxr-x +  4 root  wheel  79 Dec 13 13:35 permtest
 OWNER: user:root
 GROUP: group:wheel
 CONTROL:dacl_auto_inherited,sacl_auto_inherited,dacl_protected
 0: group:Administrators allow dir_gen_all,object_inherit,container_inherit
 1: creator_owner allow dir_gen_all,object_inherit,container_inherit,inherit_only
 2: everyone allow dir_gen_read,dir_gen_execute
 3: group:Users allow dir_gen_read,dir_gen_execute,object_inherit,container_inherit
 4: group:Users allow std_synchronize,add_file,add_subdir,container_inherit


If USER1 creates a directory inside, it looks like:

drwxrwx--- +  2 MYDOM\user1  MYDOM\domain users  0 Dec 13 13:35 TestDir
 OWNER: user:MYDOM\user1
 GROUP: group:MYDOM\domain users
 CONTROL:dacl_auto_inherited,sacl_auto_inherited
 0: group:Administrators allow inherited dir_gen_all,object_inherit,container_inherit,inherited_ace
 1: user:DOM1\user1 allow inherited dir_gen_all,inherited_ace
 2: creator_owner allow inherited dir_gen_all,object_inherit,container_inherit,inherit_only,inherited_ace
 3: group:Users allow inherited dir_gen_read,dir_gen_execute,object_inherit,container_inherit,inherited_ace
 4: group:Users allow inherited std_synchronize,add_file,add_subdir,container_inherit,inherited_ace


What permission do I have to add to allow user2 to delete user1's files and where should this be added?  

Other than 'man chmod', are Isilon Windows ACLs for Unix administrators documented somewhere?

Thanks
-Scott

scott

Dec 18, 2012, 2:25:46 PM
to isilon-u...@googlegroups.com
I want to create a share and grant full access to 2 users - including the right to clobber one another's files.  It appears the default settings in the GUI allow me to present a share to 2 users, but neither can delete the other user's files. 

What permission do I have to add to allow user2 to delete user1's files and where should this be added?  

Solved:  I only needed to insert the following Windows ACL for the second user at the shared directory level.

chmod +a# 2 user DOM1\\user2 allow dir_gen_all,object_inherit,container_inherit /ifs/directory

  

Alistair Stewart

Dec 18, 2012, 2:43:37 PM
to isilon-u...@googlegroups.com
That'll do it, but I'd be wary of specifying the ACE location with +a# as you might end up with a non-canonical ACL which doesn't quite do what you're expecting. For example, you might grant a permission that is explicitly denied later down the list of ACEs so that the user has access that you didn't want him to have. I'd recommend that you just use +a and don't specify the position.

Al...

Jerry Uanino

Dec 18, 2012, 3:00:20 PM
to isilon-u...@googlegroups.com
I tend to copy the ACL I have, from ls -lde on the file, then modify it to what I want, document it somewhere and load it like this:

chmod -E $i <<INPUT_BELOW
user yyyyy allow dir_gen_all,generic_exec,container_inherit
...etc etc
...etc
group everyone allow dir_gen_read,object_inherit,container_inherit
...etc etc
...etc
INPUT_BELOW

That way I'm sure I got what I wanted in the specific spots. Hope this helps.
Jerry

Alistair Stewart

Dec 18, 2012, 3:18:36 PM
to isilon-u...@googlegroups.com
Just so long as you realize that the ACEs are evaluated in turn and once the requested permission has been granted no more ACEs are evaluated. Because of this, you need to ensure that any "deny" ACEs come before any "allow" ACEs.

I hope that's clear.

Regards

Al...
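
The ordering point raised in this thread, as an added Python sketch that is not code from any poster or from OneFS: it models in-order ACE evaluation in simplified form (deny-before-allow only, no explicit/inherited distinction) and shows an allow ACE hand-placed ahead of a deny granting a delete that canonical order refuses. The `Contractors` group, the right names and the sample ACL are constructed for illustration.

```python
from typing import NamedTuple

class ACE(NamedTuple):
    trustee: str        # e.g. "user:DOM1\\user2" or "group:Users"
    kind: str           # "allow" or "deny"
    rights: frozenset   # simplified right names, not the full OneFS set

def check_access(acl, trustees, wanted):
    """Walk ACEs in order; stop as soon as every wanted right is granted."""
    remaining = set(wanted)
    for ace in acl:
        if ace.trustee not in trustees:
            continue
        if ace.kind == "deny" and remaining & ace.rights:
            return False            # a still-needed right is denied
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True         # later ACEs are never consulted
    return False                    # ran out of ACEs: implicit deny

def is_canonical(acl):
    """Simplified check: every deny ACE precedes every allow ACE."""
    kinds = [a.kind for a in acl]
    return kinds == sorted(kinds, key=lambda k: k != "deny")

def insert_at(acl, index, ace):
    """Model of placing an ACE at a chosen position, as chmod +a# does."""
    return acl[:index] + [ace] + acl[index:]

def canonicalize(acl):
    """Stable reorder: deny ACEs first, allow ACEs after."""
    return sorted(acl, key=lambda a: a.kind != "deny")

# Constructed sample ACL (hypothetical group and simplified rights).
FULL = frozenset({"read", "write", "delete_child"})
BASE = [
    ACE("group:Contractors", "deny", frozenset({"delete_child"})),
    ACE("group:Administrators", "allow", FULL),
    ACE("group:Users", "allow", frozenset({"read"})),
]
USER2 = {"user:DOM1\\user2", "group:Contractors", "group:Users"}
NEW = ACE("user:DOM1\\user2", "allow", FULL)

if __name__ == "__main__":
    hand_placed = insert_at(BASE, 0, NEW)   # allow now sits above the deny
    for name, acl in (("hand-placed", hand_placed), ("canonical", canonicalize(hand_placed))):
        print(name, is_canonical(acl), check_access(acl, USER2, {"delete_child"}))
```

Running `is_canonical` over an ACL copied from `ls -lde` before loading it back is a cheap way to catch an allow entry that has drifted above a deny.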