[gpfsug-discuss] Samba mapping of "special" SID entries

Jez Tucker Jez.Tucker at rushes.co.uk
Mon Jul 2 14:59:34 BST 2012


Now I've located my GPFSUG from within Outlook...

I'm presuming you're creating an ACL with the equivalent of 2775 permissions and the owner file system being 'nfsv4', rather than 'all'?
Your nfsv3 clients have nfsv4 acl support installed?

Jez


> -----Original Message-----
> From: gpfsug-discuss-bounces at gpfsug.org [mailto:gpfsug-discuss-bounces at gpfsug.org] On Behalf Of Luke Raimbach
> Sent: 22 June 2012 17:33
> To: gpfsug main discussion list
> Subject: Re: [gpfsug-discuss] Samba mapping of "special" SID entries
> 
> Hi Orlando,
> 
> I've been having success using Centrify to manage UID/GID mappings for our
> very small mixed cluster (7 x Linux, 1 x Windows 2008R2).
> 
> I've created a map for "CREATOR / OWNER", "SYSTEM", "Domain Admins",
> etc. group SIDs and use the Windows node to manage ACLs. When the
> Windows node applies the ACLs, these seem to translate successfully into
> GPFS ACLs and work nicely for the mixed environment allowing users on
> both Linux and Windows systems to manipulate each other's files.
> 
> People are mounting the FS via NFS (exported via the NSD Linux servers)
> and CIFS (shared from Win2k8R2). The permissions don't look friendly when
> you run ls -l on a Linux system over NFS but the ACLs do their job in
> preserving inheritable permissions, etc. If people want to see the 'real' ACL,
> they need to use mmgetacl on a GPFS attached node (or Windows users
> simply click on the security tab under properties of a file).
> 
> Drop me a line off-list if you want to take a look at what we've got remotely.
> I can run a webex session from the Windows node if you want to have a
> good poke around.
> 
> Luke.
> 
> --
> 
> Luke Raimbach
> IT Manager
> Oxford e-Research Centre
> 7 Keble Road,
> Oxford,
> OX1 3QG
> 
> +44(0)1865 610639
> 
> 
> 
> 
> > -----Original Message-----
> > From: gpfsug-discuss-bounces at gpfsug.org [mailto:gpfsug-discuss-bounces at gpfsug.org] On Behalf Of Orlando Richards
> > Sent: 22 June 2012 15:53
> > To: gpfsug-discuss at gpfsug.org
> > Subject: [gpfsug-discuss] Samba mapping of "special" SID entries
> >
> > Hi all,
> >
> > Has anyone bumped up against the "nfs4: special" option in GPFS/Samba
> > deployments which manipulates how the "owner" and "group owner" (and
> > "everybody") behaviour is mapped to ACLs when accessed via the samba
> > stack?
> >
> > In particular, with the "default" setting (if one blindly follows the
> > worked examples on this) of nfs4: special, if a user adds themselves
> > specifically to an ACL, this creates an entry:
> >
> > special:@owner
> >
> > rather than:
> >
> > user:username
> >
> > which has the knock-on effect that if a file/folder is created under
> > this ACL by a different owner (or if ownership changes), the person
> > who put said ACL on to the file/folder no longer has access. Most
> > people find this confusing (which is putting it politely).
> >
> > To further complicate matters, the "special" Windows SIDs*[1] - such
> > as "CREATOR/OWNER" - don't seem to work properly in the
> > ctdb/samba/gpfs stack (I don't know if they do in "normal" samba
> > though). IBM don't support CREATOR/OWNER in SONAS*[2] - so it's not
> > just me!
> >
> > So my question is - has anyone else been looking into this at all, and
> > if so, do you have any sage words of wisdom to offer?
> >
> > Cheers,
> > Orlando.
> >
> >
> > *[1] http://support.microsoft.com/kb/163846
> > *[2] http://pic.dhe.ibm.com/infocenter/sonasic/sonas1ic/index.jsp?topic=%2Fcom.ibm.sonas.doc%2Fadm_authorization_limitations.html
> >
> >
> > --
> >              --
> >     Dr Orlando Richards
> >    Information Services
> > IT Infrastructure Division
> >         Unix Section
> >      Tel: 0131 650 4994
> >
> > The University of Edinburgh is a charitable body, registered in
> > Scotland, with registration number SC005336.
> > _______________________________________________
> > gpfsug-discuss mailing list
> > gpfsug-discuss at gpfsug.org
> > http://gpfsug.org/mailman/listinfo/gpfsug-discuss
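
A check for the behaviour described in the original question, as an added example that is not part of the thread: it scans NFSv4-style `mmgetacl` output for inheritable allow entries bound to `special:owner@` or `special:group@`, which follow whoever currently owns the object rather than the person who set them. The sample ACL is constructed, and the line format and the names `parse_aces` and `audit` are assumptions.

```python
import re

# Constructed sample in the style of NFSv4 `mmgetacl` output (format assumed,
# not taken from the thread). alice owns the directory and "added herself".
SAMPLE_ACL = """\
#NFSv4 ACL
#owner:alice
#group:research
special:owner@:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE
special:group@:r-x-:allow
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE
user:bob:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE
special:everyone@:----:allow
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE
"""

ACE_RE = re.compile(
    r"^(special|user|group):([^:]+):([rwxc-]{4}):(allow|deny)((?::\w+)*)$")
INHERIT = {"FileInherit", "DirInherit"}


def parse_aces(text):
    """Return one dict per ACE header line; mask detail lines are skipped."""
    aces = []
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            kind, who, perms, ace_type, flags = m.groups()
            aces.append({"kind": kind, "who": who, "perms": perms,
                         "type": ace_type, "flags": set(flags.split(":")) - {""}})
    return aces


def audit(text):
    """Split inheritable allow ACEs into floating (owner@/group@) and pinned."""
    owner = re.search(r"^#owner:(\S+)", text, re.M)
    report = {"owner": owner.group(1) if owner else None,
              "floating": [], "pinned": []}
    for ace in parse_aces(text):
        if ace["type"] != "allow" or not (ace["flags"] & INHERIT):
            continue
        if ace["kind"] == "special" and ace["who"] in ("owner@", "group@"):
            report["floating"].append(ace["who"])   # follows current owner/group
        elif ace["kind"] == "user":
            report["pinned"].append(ace["who"])     # survives ownership changes
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_ACL))
```

A directory whose report lists `owner@` under `floating` but does not list the intended user under `pinned` is one where that user's access depends on remaining the owner.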




