[gpfsug-discuss] Spectrum Scale CES adds only Domain Admin to local

Christof Schmitt christof.schmitt at us.ibm.com
Fri Mar 31 21:22:36 BST 2017


willi.engeli at id.ethz.ch wrote on 03/31/2017 04:46:02 AM:

> Hi Christoph,
> This solved my issues in most areas.
> Now I will probably add our Storage Management Group to local
> Administrators group, this way we are able to use all strong
> utilities like subinacl etc, and will be able to migrate to Spectrum
> Scale using robocopy with /ZB option working properly.
> For our Share-responsible Administrator we probably will add their
> Management user to the 'admin Users' option of the specific share
> allowing them to do whatever they need to do, knowing that some
> tools may work with limitations.
> 
> Do you know if we may also add a builtin group named BackupOperators?

Privileges are not supported in Spectrum Scale:

https://www.ibm.com/support/knowledgecenter/en/STXKQY_4.2.2/com.ibm.spectrum.scale.v4r22.doc/bl1adm_fileauthlimitations.htm

"Access privileges defined in Windows are not honored. Those
privileges are tied to administrator groups and allow access, where
the ACL alone does not grant it."

You can create a group and assign the BackupOperator privilege:

/usr/lpp/mmfs/bin/net sam createbuiltingroup 'Backup Operators'

/usr/lpp/mmfs/bin/net sam rights grant 'Backup Operators' SeBackupPrivilege

Without looking at all the details, I would suspect that this does not
work. Access for a member of this group would overwrite the internal
access check in Samba, but I would expect that it would fail as the
file system also enforces the permissions defined in the ACL, and
these are not overwritten by the additional privilege.

The current workaround is the 'admin users' option. You might want to
raise an RFE to request better support of the Backup privilege and the
"Backup Operators" group.

Regards,

Christof Schmitt || IBM || Spectrum Scale Development || Tucson, AZ
christof.schmitt at us.ibm.com  ||  +1-520-799-2469    (T/L: 321-2469)



