Cifs administrative access push to the entire qtree
Greetings,

I inherited a group of filers that are heavily CIFS. There are multiple
clusters of different hardware and different OS levels. All are 7-mode.

What the managers found is that people have changed directory permissions
and excluded administrators or people with full control. When a problem
pops up they have to find one of the directory owners to get added in order
to fix an issue.

We don't really want to push the permissions to all sub-directories in an
overwrite mode because we could break tool access, or grant access people
may not have had before, etc.

Is there a way to add administrators to a tree from the NetApp or a way to
do this that doesn't remove previous access control? The managers already
have full control at the share level.

Thanks,

Jeff

--
Jeff Cleverley
IT Engineer
4380 Ziegler Road
Building 1, Dock 1
Fort Collins, Colorado 80525
970-288-4611
RE: Cifs administrative access push to the entire qtree [ In reply to ]
Good question.

You could try setting an inheritable ACE on the top-level directory. As long as users did not add explicit Deny entries or did not block inheritance, it should suffice. Note that explicit denials always override explicit grants, so just adding an ACE may not be sufficient anyway.

I could not find an explicit statement, but fsecurity appears to replace the existing DACL. I suppose one possibility would be:

- Dump existing DACLs using something like "icacls /save"
- Convert the result into a valid fsecurity job definition
- Add the necessary ACEs
- Apply

But it may not work if access to folders/files is blocked. In this case it is possible to create a task that runs as e.g. SYSTEM to do it.

C-Mode looks better as it allows editing individual ACEs.


---
With best regards

Andrei Borzenkov
Senior system engineer
FTS WEMEAI RUC RU SC TMS FOS
FUJITSU
Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation
Tel.: +7 495 730 62 20 ( reception)
Mob.: +7 916 678 7208
Fax: +7 495 730 62 14
E-mail: Andrei.Borzenkov@ts.fujitsu.com<mailto:Andrei.Borzenkov@ts.fujitsu.com>
Web: ru.fujitsu.com<http://ts.fujitsu.com/>
Company details: ts.fujitsu.com/imprint<http://ts.fujitsu.com/imprint.html>
Re: Cifs administrative access push to the entire qtree [ In reply to ]
I typically make the domain account for the administrators a local
administrator on the NAS.

Re: Cifs administrative access push to the entire qtree [ In reply to ]
> You could try setting inheritable ACE on top-level directory. As long as
> users did not add explicit Deny entries or did not block inheritance it
> should suffice. Note that explicit denials always override explicit grants,
> so just adding ACE may not be sufficient anyway.
>

I don't know whether they did anything explicitly. Unfortunately it
doesn't let us see any permissions or settings. My account is a domain
admin and I'm also in the administrators group on the filers.

> I could not find explicit statement, but fsecurity appears to replace
> existing DACL. I suppose one possibility would be
>
> - Dump existing DACLs using something like "icacls /save"
> - Convert result into valid fsecurity job definition
> - Add necessary ACEs
> - Apply
>
We looked into this, but not having permissions to a variety of
sub-directories, the icacls command doesn't see into these directories. We
could try to force permissions down the trees, but even if it works, we're
potentially adding or removing access to groups currently being hidden.
We're reluctant to blindly do this.

>
>
> But it may not work if access to folders/files is blocked. In this case it
> is possible to create task that runs as e.g. SYSTEM to do it.
>

Would you elaborate on this? Where would this job run from and how would
it end up with access?

Thanks,

Jeff

--
Jeff Cleverley
IT Engineer
4380 Ziegler Road
Building 1, Dock 1
Fort Collins, Colorado 80525
970-288-4611
RE: Cifs administrative access push to the entire qtree [ In reply to ]
>>
>> You could try setting inheritable ACE on top-level directory. As
>> long as users did not add explicit Deny entries or did not block
>> inheritance it should suffice. Note that explicit denials always
>> override explicit grants, so just adding ACE may not be sufficient
>> anyway.
>>
>
> I don't know whether they did anything explicitly. Unfortunately it
> doesn't let us see any permissions or settings. My account is a domain
> admin and I'm also in the administrators group on the filers.
>

You can use "fsecurity show" on the filer to dump the current ACL. Could you paste an example for one of the inaccessible files?

Did you try setting a top-level inheritable ACE? It should not override any ACL on contained files.

> We looked into this, but not having permissions to a variety of sub-
> directories the icacls command doesn't see into these directories. We
> could try to force permissions down the trees, but even if it works,
> we're potentially adding or removing access to groups currently being
> hidden. We're reluctant to blindly do this.
>
>> But it may not work if access to folders/files is blocked. In this
>> case it is possible to create task that runs as e.g. SYSTEM to do it.
>>
>
> Would you elaborate on this? Where would this job run from and how
> would it end up with access?
>

Sorry, I was wrong here. It is possible to do it on Windows (running the job as the SYSTEM account), but of course it won't help when accessing something over the network.

_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
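A pre-flight check for the approach discussed in this thread (dump the tree with "icacls /save", then decide whether an inheritable ACE on the top-level directory will actually reach and win on every folder). This is an added Python example, not code from any post in the thread: it parses the SDDL lines of an icacls dump and flags entries whose inheritance is blocked (the P flag) or that carry an explicit Deny for the admin principal, which are exactly the two cases Andrei says a top-level ACE cannot fix. The sample dump, its SIDs and the "BA" admin alias are constructed.

```python
import re
from dataclasses import dataclass
# Constructed sample of an `icacls <dir> /save <file> /t` dump (the real file is
# UTF-16): relative path on one line, DACL in SDDL on the next. SIDs constructed;
# BA = BUILTIN\Administrators, SY = SYSTEM, BU = Users.
SAMPLE_ICACLS_SAVE = """\
projects
D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)
projects\\locked
D:PAI(A;OICI;FA;;;S-1-5-21-1111-2222-3333-1105)(D;OICI;FA;;;BA)
projects\\open
D:AI(A;ID;FA;;;BA)(A;OICIID;FA;;;SY)
"""
# One SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")

@dataclass
class Finding:
    path: str
    inheritance_blocked: bool   # DACL carries the P (protected) flag
    explicit_denies: list       # SIDs holding a non-inherited Deny ACE
    admin_allowed: bool         # admin SID has at least one Allow ACE

def parse_dacl(sddl):
    """Split 'D:<flags>(ace)...' into (DACL flag set, [(type, flag set, rights, sid)])."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL in SDDL form, got %r" % sddl)
    body = sddl[2:]
    cut = body.find("(")
    flags = set(re.findall(r"P|AR|AI", body if cut < 0 else body[:cut]))
    aces = []
    for ace_type, ace_flags, rights, sid in ACE_RE.findall(body):
        tokens = {ace_flags[i:i + 2] for i in range(0, len(ace_flags), 2)}  # OI, CI, ID, ...
        aces.append((ace_type, tokens, rights, sid))
    return flags, aces

def audit(dump_text, admin_sid="BA"):
    """One Finding per dump entry, for the conditions named in the thread."""
    lines = [ln for ln in dump_text.splitlines() if ln.strip()]
    findings = []
    for path, sddl in zip(lines[0::2], lines[1::2]):
        flags, aces = parse_dacl(sddl)
        denies = [sid for t, f, _, sid in aces if t == "D" and "ID" not in f]
        allowed = any(t == "A" and sid == admin_sid for t, _, _, sid in aces)
        findings.append(Finding(path, "P" in flags, denies, allowed))
    return findings

def not_fixed_by_top_level_ace(findings, admin_sid="BA"):
    """Paths a top-level inheritable Allow cannot reach (P) or cannot beat (explicit Deny)."""
    return [f.path for f in findings if f.inheritance_blocked or admin_sid in f.explicit_denies]
```

Folders that icacls could not enter are simply absent from the dump rather than flagged, which is the gap Jeff describes; on 7-mode the filer-side "fsecurity show" Andrei mentions is the way to see those.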