How to prevent NTFS ACL's on files created via SMB share


Paul Letta

Sep 10, 2020, 2:18:38 PM9/10/20
to Isilon Technical User Group

Hello,

I’m trying to replicate something we’ve done on NetApp for years. I’ve got a top-level directory that holds many subdirectories. Some of those subdirs I want to allow Windows-style ACLs on, and some of them I don’t (i.e. synthetic ACL only, Unix style). In NetApp language: some NTFS security style qtrees, and some Unix security style qtrees. And all of these are accessible from SMB clients via a single share that points at the single top-level directory.

On our Isilon (8.2.2), the general ACL control settings are to allow ACLs from SMB clients.

The problem is with the directories where we want Unix-style permissions. Files created from NFS clients are fine. But files created from Windows clients always get NTFS ACLs.

Our goal is for files in the Unix directories to not have NTFS ACLs, just POSIX bits (whether created from NFS or SMB clients). This works fine with NetApp because these are the Unix security style qtrees.

If I could have separate shares, I could use the advanced options on the share on Isilon to “disable NTFS” and get what we want (i.e. files created from Windows would not have NTFS ACLs, just POSIX bits). But I’m trying to move a file system that has been in use on the NetApp for many years, and with 2000 users… I must have a transparent migration, so I must use a single share that sees all subdirs (both Unix style and NTFS style).

The file system that I want to move to Isilon is about 12TB and about 30M files. When it moves, the Unix-style subdirs will have the POSIX bits, and the NTFS subdirs will have the NTFS ACLs. The problem is after the migration, as the file system is used by Windows users and they start creating new files in the Unix subdirs.

Anybody have any suggestions?

Things we’ve thought of:

- Separate out the Unix dirs from the NTFS dirs, and have 2 top-level shares (one with NTFS disabled, one with it enabled).

- Create an SMB share for each Unix subdir and have NTFS disabled on them.

Both of the above would change the file system structure as viewed from the clients; that’s a no go.

- Run a script that does a chmod -b or chmod -a to remove NTFS ACLs from every file and directory in the Unix subdirs. That’s painful, and there would be times between when a file is created and when the script ran that files would have NTFS ACLs… possibly causing issues from the NFS side.

Thanks.
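The cleanup script idea from the third bullet above, written out as an added example (it is not code from the thread, from OneFS, or from any of the posters). It assumes, as OneFS-specific details not stated in the thread, that `ls -ld` on the cluster marks an entry that carries a real ACL with a trailing `+` in the mode field, and that `chmod -b` (the flag named in the post) strips that ACL and leaves the POSIX bits. The walk never follows symlinks, so a link from a Unix-style subdir into an NTFS-style subdir cannot pull NTFS-side files into the sweep, and the default is a dry run that only prints the planned commands. The window between file creation and the next sweep that the post worries about is not closed by this script; it only shortens it to the sweep interval.

```python
"""Plan (and optionally apply) `chmod -b` on every ACL-bearing entry below
the Unix-style subdirectories of a single SMB share root.

Assumptions (not from the thread): OneFS `ls -ld` appends '+' to the mode
field of entries that have an ACL, and `chmod -b` removes that ACL.
"""
import os
import subprocess
from typing import Callable, Iterator, List


def has_acl_via_ls(path: str) -> bool:
    """Assumed OneFS/FreeBSD behaviour: '-rwxr-x---+ 1 ...' means an ACL is set."""
    out = subprocess.run(["ls", "-ld", path], capture_output=True,
                         text=True, check=True).stdout
    mode_field = out.split(None, 1)[0]
    return mode_field.endswith("+")


def walk_entries(root: str) -> Iterator[str]:
    """Yield root and every entry beneath it, in a stable order, skipping symlinks."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames.sort()  # in-place sort also fixes the descent order of os.walk
        for name in dirnames + sorted(filenames):
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                yield full


def plan_acl_cleanup(unix_dirs: List[str],
                     has_acl: Callable[[str], bool] = has_acl_via_ls) -> List[List[str]]:
    """Return the list of `chmod -b <path>` commands that would strip ACLs.

    `has_acl` is injectable so the plan can be built and checked offline
    without a OneFS `ls`; nothing is executed here.
    """
    commands: List[List[str]] = []
    for root in unix_dirs:
        for entry in walk_entries(root):
            if has_acl(entry):
                commands.append(["chmod", "-b", entry])
    return commands


def run_cleanup(unix_dirs: List[str], apply: bool = False,
                has_acl: Callable[[str], bool] = has_acl_via_ls) -> List[List[str]]:
    """Dry run by default: print the plan; with apply=True execute each command."""
    commands = plan_acl_cleanup(unix_dirs, has_acl)
    for cmd in commands:
        print(("APPLY   " if apply else "DRY-RUN ") + " ".join(cmd))
        if apply:
            subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    # Placeholder paths; replace with the real Unix-style subdirs under the share root.
    run_cleanup(["/ifs/data/share_root/unix_project_a",
                 "/ifs/data/share_root/unix_project_b"], apply=False)
```

Run it with `apply=False` first, compare the printed plan against the expected subdirectories, and only then schedule it with `apply=True`; since the detector is a parameter, the plan can also be produced from a pre-collected file list on a workstation without touching the cluster.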

Peter Serocka

Sep 11, 2020, 9:49:43 AM9/11/20
to 'Adam Fox' via Isilon Technical User Group
Paul:

you're right, ACL vs. UNIX permission handling cannot be configured
on a per-directory basis, only at cluster level.

For each file, OneFS stores either an ACL or the UNIX permission bits,
but never both of them in parallel, so there's always one single
source of truth for a given file.

A detailed plan would depend on how your AD and your UNIX account
realms interact with each other: are they synchronized, or do
users have two identities, or are the user sets disjoint for AD and UNIX?

But in general I'd say that, with OneFS's many options to handle
multiprotocol access, one might arrive at a solution where
creation of ACLs under UNIX folders simply won't have much unwanted impact.

Windows users see the ACLs they have created under UNIX folders;
OK, that will be new compared to seeing "synthetic" ACLs (without
noticing that these are synthetic).

UNIX users will see synthetic UNIX permission bits on those files;
these can be exactly the expected bits for the default ACLs.

With richer ACLs, the UNIX bits only approximate, but might not
fully reflect, the actual permissions that are effective on access.

Can this lead to specific situations that would not be acceptable?

Another thought: with NFS4, the OneFS ACLs are visible and
controllable in "NFS4 ACL style" from UNIX clients...

-- Peter

bob flynn

Sep 11, 2020, 1:57:19 PM9/11/20
to isilon-u...@googlegroups.com
In relation to

"NFS4, the OneFS ACLs are visible"

simply note that NFS3 to NFS4 is not a simple step, so plan accordingly.

John Beranek - PA

Sep 12, 2020, 8:43:17 AM9/12/20
to Isilon Technical User Group
Also, from my most recent testing (which, admittedly, was a while ago), NFSv4 is (much) lower performance than NFSv3 on Isilon.

Cheers,

John