Apply "Authenticated Users" ACE with chmod on Isilon?


John Beranek - PA

Mar 4, 2016, 10:08:46 AM
to Isilon Technical User Group
Hi all,

Does anyone know how to persuade the Isilon chmod command to add an ACE (Access Control Entry) for the "well known" principal "Authenticated User"?

You may ask: Why would you want to do that?

The reason is that we've ended up with a backups directory which has both Windows backup directories in it, and large/deep Linux backup directories.

I want to sort out permissions at the top level, but don't want to do it from Windows, as changes at the top-level will propagate all the way down the tree, into the Linux backups, which mustn't have ACLs on them.

A few things I've tried:

$ chmod +a group "Authenticated Users" traverse,list .
chmod: Authenticated Users: illegal group name: Invalid argument

$ chmod +a group "NT AUTHORITY\\Authenticated Users" traverse,list .
chmod: NT AUTHORITY\Authenticated Users: illegal group name: Invalid argument

$ chmod +a "Authenticated Users" traverse,list .
chmod: ACE must begin with 'user', 'group', 'everyone', 'creator_owner', or 'creator_group': Invalid argument

Is there some variant that will work?

Cheers,

John

John Beranek - PA

Mar 4, 2016, 10:11:11 AM
to Isilon Technical User Group
Apologies, I cut and pasted the wrong chmod commands, which were missing the required "allow" parameter, but it doesn't change the result:

$ chmod +a group "Authenticated Users" allow traverse,list .
chmod: Authenticated Users: illegal group name: Invalid argument

$ chmod +a group "NT AUTHORITY\\Authenticated Users" allow traverse,list .
chmod: NT AUTHORITY\Authenticated Users: illegal group name: Invalid argument

$ chmod +a "Authenticated Users" allow traverse,list .
chmod: ACE must begin with 'user', 'group', 'everyone', 'creator_owner', or 'creator_group': Invalid argument


John

Peter Serocka

Mar 4, 2016, 10:41:57 AM
to isilon-u...@googlegroups.com
John

use well-known SIDs:

# chmod +a sid S-1-5-11 allow traverse,list .

OneFS chmod syntax with SIDs:
EMC KB 000424982, https://emcservice.force.com/CustomersPartners/kA2j0000000QuzZCAS

Windows well-known SIDs:
MS KB Q243330, https://support.microsoft.com/en-us/kb/243330

hth and hanw

— Peter
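
The approach in the reply above, as an added example that is not part of the original thread: a POSIX shell helper that maps a few well-known principal names to their SIDs and prints (does not run) the matching `chmod +a sid` command. The function names and the refusal of inheritance flags are assumptions of this example, not OneFS behaviour.

```sh
#!/bin/sh
# Added example (not from the thread): build, but do not run, a OneFS
# "chmod +a sid ..." command for a well-known Windows principal.
# Function names are hypothetical; SIDs are Microsoft's well-known values.

# Print the SID for a well-known principal name; return 1 if not in the map.
wellknown_sid() {
    prefix='nt authority\'
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    name=${name#"$prefix"}    # accept the name with or without the prefix
    case "$name" in
        everyone)              echo S-1-1-0 ;;
        "authenticated users") echo S-1-5-11 ;;
        network)               echo S-1-5-2 ;;
        interactive)           echo S-1-5-4 ;;
        system)                echo S-1-5-18 ;;
        *)                     return 1 ;;
    esac
}

# Print the command adding an allow ACE: $1 principal, $2 rights, $3 path.
# Policy of this example: refuse inheritance flags, so the ACE stays on the
# one directory and is not handed down to newly created children.
onefs_ace_cmd() {
    sid=$(wellknown_sid "$1") || { echo "unknown principal: $1" >&2; return 1; }
    case ",$2," in
        *,object_inherit,*|*,container_inherit,*)
            echo "refusing inheritable ACE: $2" >&2
            return 2 ;;
    esac
    case "$3" in
        *"'"*) echo "path contains a single quote: $3" >&2; return 3 ;;
    esac
    printf "chmod +a sid %s allow %s '%s'\n" "$sid" "$2" "$3"
}

# The case from the thread, run from the top-level backups directory.
onefs_ace_cmd 'NT AUTHORITY\Authenticated Users' traverse,list .
```

Review the printed command before pasting it into a OneFS shell; without `-R` it touches only the named directory.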


John Beranek - PA

Mar 9, 2016, 2:24:08 PM
to Isilon Technical User Group
Thank you Peter, works like a charm!

Cheers,

John

John Beranek - PA

Mar 9, 2016, 5:33:20 PM
to Isilon Technical User Group
It'd be useful if EMC would put these sorts of gems in the actual man page, or the CLI guide. ;)

I guess I/we can hope that it's better in OneFS 8...

John

On Friday, 4 March 2016 15:41:57 UTC, Pete wrote:

Peter Serocka

Mar 10, 2016, 6:10:17 AM
to isilon-u...@googlegroups.com
Not seeing it in OneFS 8, not even in the OneFS CLI doc (the big pdf).

Hope Isilon guys are still listening...

Glad though it works for you John.

-- Peter

saurabh chaudhary

Jul 3, 2016, 3:03:05 PM
to Isilon Technical User Group
Hope this may help, as in my environment I always prefer CLI while granting access:

++++++++++++++++++++++++

dir_gen_all        Read, write and execute access (dir_gen_read, dir_gen_write, dir_gen_execute, delete_child and std_write_owner)
object_inherit     Only files in this directory and its descendants inherit the ACE
container_inherit  Only directories in this directory and its descendants inherit the ACE
delete_child       The right to delete children, including read-only files
file_gen_all       file_gen_read, file_gen_write, file_gen_execute, delete, std_write_dac, and std_write_owner
add_file           The right to create a file in the directory
add_subdir         The right to create a sub-directory

========================

chmod -R +a group "<Domain Name>\<Group Name>" allow dir_gen_all,delete_child,object_inherit,container_inherit,file_gen_all,add_file,add_subdir <file absolute path>

chmod -R +a user "<Domain Name>\<User Name>" allow dir_gen_all,delete_child,object_inherit,container_inherit,file_gen_all,add_file,add_subdir <file absolute path>

++++++++++++++++++++++++

Full Control : dir_gen_all,delete_child,object_inherit,container_inherit,file_gen_all,add_file,add_subdir

Read\Execute : dir_gen_read,dir_gen_execute,file_gen_read,file_gen_execute,object_inherit,container_inherit


----- Saurabh ----