[gpfsug-discuss] Samba mapping of "special" SID entries

Luke Raimbach luke.raimbach at oerc.ox.ac.uk
Fri Jun 22 17:33:10 BST 2012


Hi Orlando,

I've been having success using Centrify to manage UID/GID mappings for our very small mixed cluster (7 x Linux, 1 x Windows 2008R2).

I've created a map for "CREATOR / OWNER", "SYSTEM", "Domain Admins", etc. group SIDs and use the Windows node to manage ACLs. When the Windows node applies the ACLs, these seem to translate successfully into GPFS ACLs and work nicely for the mixed environment, allowing users on both Linux and Windows systems to manipulate each other's files.

People are mounting the FS via NFS (exported via the NSD Linux servers) and CIFS (shared from Win2k8R2). The permissions don't look friendly when you run ls -l on a Linux system over NFS, but the ACLs do their job in preserving inheritable permissions, etc. If people want to see the 'real' ACL, they need to use mmgetacl on a GPFS-attached node (or Windows users simply click on the Security tab under Properties of a file).

Drop me a line off-list if you want to take a look at what we've got remotely. I can run a webex session from the Windows node if you want to have a good poke around.

Luke.

--

Luke Raimbach
IT Manager
Oxford e-Research Centre
7 Keble Road,
Oxford,
OX1 3QG

+44(0)1865 610639




> -----Original Message-----
> From: gpfsug-discuss-bounces at gpfsug.org [mailto:gpfsug-discuss-
> bounces at gpfsug.org] On Behalf Of Orlando Richards
> Sent: 22 June 2012 15:53
> To: gpfsug-discuss at gpfsug.org
> Subject: [gpfsug-discuss] Samba mapping of "special" SID entries
> 
> Hi all,
> 
> Has anyone bumped up against the "nfs4: special" option in GPFS/Samba
> deployments which manipulates how the "owner" and "group owner" (and
> "everybody") behaviour is mapped to ACLs when accessed via the samba
> stack?
> 
> In particular, with the "default" setting (if one blindly follows the worked
> examples on this) of nfs4: special, if a user adds themselves specifically to
> an ACL, this creates an entry:
> 
> special:@owner
> 
> rather than:
> 
> user:username
> 
> which has the knock-on effect that if a file/folder is created under this ACL
> by a different owner (or if ownership changes), the person who put said ACL
> on to the file/folder no longer has access. Most people find this confusing
> (which is putting it politely).
> 
> To further complicate matters, the "special" Windows SIDs*[1] - such as
> "CREATOR/OWNER" - don't seem to work properly in the ctdb/samba/gpfs
> stack (I don't know if they do in "normal" samba though). IBM don't support
> CREATOR/OWNER in SONAS*[2] - so it's not just me!
> 
> So my question is - has anyone else been looking into this at all, and if so,
> do you have any sage words of wisdom to offer?
> 
> Cheers,
> Orlando.
> 
> 
> *[1] http://support.microsoft.com/kb/163846
> *[2] http://pic.dhe.ibm.com/infocenter/sonasic/sonas1ic/index.jsp?topic=%2Fcom.ibm.sonas.doc%2Fadm_authorization_limitations.html
> 
> 
> --
>              --
>     Dr Orlando Richards
>    Information Services
> IT Infrastructure Division
>         Unix Section
>      Tel: 0131 650 4994
> 
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
> _______________________________________________
> gpfsug-discuss mailing list
> gpfsug-discuss at gpfsug.org
> http://gpfsug.org/mailman/listinfo/gpfsug-discuss
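As an added illustration of the behaviour Orlando describes (a grant stored as the special owner principal rather than as a named user entry), here is a small NFSv4-style ACL evaluator. This is a constructed example, not GPFS, Samba or mailing-list code; the entry syntax, user names and group names are assumptions.

```python
"""Simulated NFSv4-style ACL check showing why a grant stored as the
special owner principal stops working once ownership changes.
Constructed example; entry syntax is simplified, not mmgetacl output."""


def principal_matches(who, name, user, groups, owner, group):
    # 'special' principals resolve against the file's *current* owner/group,
    # so they follow the file, not the person who set the ACL
    if who == "special":
        return {"owner@": user == owner, "group@": group in groups,
                "everyone@": True}.get(name, False)
    if who == "user":
        return user == name
    if who == "group":
        return name in groups
    raise ValueError(f"unknown principal class {who!r}")


def allowed(acl, owner, group, user, groups, want):
    """NFSv4 rule: walk ACEs in order; the first ACE that mentions a
    permission bit for a matching principal decides that bit. Bits no
    ACE decides are denied. Entries look like 'who:name:perms:type'."""
    decided = {}
    for entry in acl:
        who, name, perms, kind = entry.split(":")
        if not principal_matches(who, name, user, groups, owner, group):
            continue
        for p in perms:
            decided.setdefault(p, kind == "allow")
    return all(decided.get(p, False) for p in want)


def demo():
    """Returns (before_chown, after_chown), each as (special_acl, named_acl)."""
    # the same grant, recorded the two ways Orlando contrasts
    special_acl = ["special:owner@:rwx:allow", "special:group@:r:allow"]
    named_acl = ["user:orlando:rwx:allow", "special:group@:r:allow"]
    me, my_groups = "orlando", {"staff"}
    before = tuple(allowed(acl, "orlando", "staff", me, my_groups, "rw")
                   for acl in (special_acl, named_acl))
    # ownership passes to another user: a chown, or a new file created
    # under the inherited ACL by someone else
    after = tuple(allowed(acl, "alice", "staff", me, my_groups, "rw")
                  for acl in (special_acl, named_acl))
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, True), (False, True))
```

Only the named entry keeps granting write access after the owner changes; the special entry silently transfers the grant to the new owner, which is the access loss Orlando's users run into.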


