Mailing List Archive

displayed unix permissions on ntfs qtree
I'm having an issue with the displayed permissions in Linux, on an ntfs qtree. This is in cDOT 8.2.3. I have a vserver that's joined to an AD domain and NIS-enabled. Basically, most of the permissions display rwxrwxrwx on Linux, and it's not clear where it's getting these. The NIS/NFS permissions themselves are obeyed -- I can only get to where I have access, on the Linux side.
This is a snapmirrored volume/qtree from a 7-mode filer. It's user directories. The Linux permissions from the 7-mode filer are almost exclusively rwx------. The ntfs permissions on the source and destination match, and the NIS/AD/namemapping configs are the same. I'm not sure why it's not displaying the same permissions from Linux on the source and destination.
Fred
RE: displayed unix permissions on ntfs qtree [ In reply to ]
Well, permission bits for an ntfs security style qtree are for display purposes anyway and should “show the maximum access allowed to any user in the ACL”. Maybe C-Mode has some additional (inherited?) ACLs? Did you compare the full ACL for a file in 7-Mode and C-Mode?

---
With best regards

Andrei Borzenkov
Senior system engineer
FTS WEMEAI RUC RU SC TMS FOS
FUJITSU
Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation
Tel.: +7 495 730 62 20 ( reception)
Mob.: +7 916 678 7208
Fax: +7 495 730 62 14
E-mail: Andrei.Borzenkov@ts.fujitsu.com<mailto:Andrei.Borzenkov@ts.fujitsu.com>
Web: ru.fujitsu.com<http://ts.fujitsu.com/>
Company details: ts.fujitsu.com/imprint<http://ts.fujitsu.com/imprint.html>
This communication contains information that is confidential, proprietary in nature and/or privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) or the person responsible for delivering it to the intended recipient(s), please note that any form of dissemination, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender and delete the original communication. Thank you for your cooperation.
Please be advised that neither Fujitsu, its affiliates, its employees or agents accept liability for any errors, omissions or damages caused by delays of receipt or by any virus infection in this message or its attachments, or which may otherwise arise as a result of this e-mail transmission.

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Fred Grieco
Sent: Sunday, July 17, 2016 4:06 PM
To: Toasters
Subject: displayed unix permissions on ntfs qtree

Re: displayed unix permissions on ntfs qtree [ In reply to ]
The ntfs acl on 7-mode and cDOT are the same. And they are obeyed with respect to access.

The issue is with ssh keys -- the app needs to "see" 700 perms in order to function properly. So I'm trying to get the displayed permissions to match what they were in 7-mode.
I've created a test folder and it looks like if I add any other user to the ACL, it will display 777. I even tried a user that doesn't share any groups (like Domain Users).

Fred


From: "andrei.borzenkov@ts.fujitsu.com" <andrei.borzenkov@ts.fujitsu.com>
To: Fred Grieco <fredgrieco@yahoo.com>; Toasters <toasters@teaparty.net>
Sent: Sunday, July 17, 2016 12:37 PM
Subject: RE: displayed unix permissions on ntfs qtree

RE: displayed unix permissions on ntfs qtree [ In reply to ]
Who is the owner of files on 7-Mode and C-Mode? Note that while the owner does not matter for the access check (unless you have an explicit ACL for OWNER), to get 0700 permissions you must have only an ACL for the actual file owner.


From: Fred Grieco [mailto:fredgrieco@yahoo.com]
Sent: Sunday, July 17, 2016 8:54 PM
To: Borzenkov, Andrei; Toasters
Subject: Re: displayed unix permissions on ntfs qtree

Re: displayed unix permissions on ntfs qtree [ In reply to ]
The owner on both is the same, and there are about 5-6 groups that have permissions on both sides as well.  And yet the 7-mode side returns 0700 for these.  Quite odd.


From: "andrei.borzenkov@ts.fujitsu.com" <andrei.borzenkov@ts.fujitsu.com>
To: Fred Grieco <fredgrieco@yahoo.com>; Toasters <toasters@teaparty.net>
Sent: Sunday, July 17, 2016 3:04 PM
Subject: RE: displayed unix permissions on ntfs qtree

Re: displayed unix permissions on ntfs qtree [ In reply to ]
never tried this before but how about this:

from a windows host, as that user, modify the ACL until all that is left is
owner = user
full = user

From the cDot system, you can verify with:

vserver security file-directory show -vserver <vserver> -path </absolute/path/to/file-or-directory>

It will spit out something like this:

                Vserver: myvserver
              File Path: /obdfile
      File Inode Number: 64
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 16
 DOS Attributes in Text: ----DSH-
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:NT AUTHORITY\SYSTEM
                         Group:NT AUTHORITY\SYSTEM
                         DACL - ACEs
                           ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
                           ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
                           ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO
                           ALLOW-BUILTIN\Users-0x1200a9-OI|CI
                           ALLOW-BUILTIN\Users-0x4-CI
                           ALLOW-BUILTIN\Users-0x2-CI|IO
                           ALLOW-Everyone-0x1200a9


--tmac

Tim McCarthy, Principal Consultant

Proud Member of the #NetAppATeam <https://twitter.com/NetAppATeam>

I Blog at TMACsRack <https://tmacsrack.wordpress.com/>



On Sun, Jul 17, 2016 at 5:36 PM, Fred Grieco <fredgrieco@yahoo.com> wrote:

> The owner on both is the same, and there are about 5-6 groups that have
> permissions on both sides as well. And yet the 7-mode side returns 0700
> for these. Quite odd.
Re: displayed unix permissions on ntfs qtree [ In reply to ]
Thanks everyone for the help. The answer here was that in 7-mode, there was a setting called "options nfs.ntacl_display_permissive_perms". When set to disabled, like it is on my source, all ACLs but "everyone-full control" will translate to 700 for linux hosts.
This option was not available in cDOT until version 8.3.1. It's a vserver-wide setting: vserver nfs modify -vserver vservername -ntacl-display-permissive-perms disabled (set -priv advanced). In 8.2.3, it's stuck at enabled.
I'm a little stuck because I'm doing a tdp transition from 32-bit aggregates, so can't upgrade to 8.3.1+ until that's done. The interim solution is to set the required areas to owner-full control *only* in the nt acl to get the 700 perm in linux.

Sorry if this was a repeat.   This was covered in https://whyistheinternetbroken.wordpress.com/ and NOW.

From: tmac <tmacmd@gmail.com>
To: Fred Grieco <fredgrieco@yahoo.com>
Cc: "andrei.borzenkov@ts.fujitsu.com" <andrei.borzenkov@ts.fujitsu.com>; Toasters <toasters@teaparty.net>
Sent: Monday, July 18, 2016 8:28 AM
Subject: Re: displayed unix permissions on ntfs qtree

never tried this before but how about this:
from a windows host, as that user, modify the ACL until all that is left is owner = userfull = user
From the cDot system, you can verify with:
vserver security file-directory show -vserver <vserver> -path </absolute/path/to/file-or-directory>
It will spit out something like this:


                Vserver: myvserver

              File Path: /obdfile

      File Inode Number: 64

         Security Style: ntfs

        Effective Style: ntfs

         DOS Attributes: 16

 DOS Attributes in Text: ----DSH-

Expanded Dos Attributes: -

           UNIX User Id: 0

          UNIX Group Id: 0

         UNIX Mode Bits: 777

 UNIX Mode Bits in Text: rwxrwxrwx

                   ACLs: NTFS Security Descriptor

                         Control:0x8004

                         Owner:NT AUTHORITY\SYSTEM

                         Group:NT AUTHORITY\SYSTEM

                         DACL - ACEs

                           ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI

                           ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI

                           ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO

                           ALLOW-BUILTIN\Users-0x1200a9-OI|CI

                           ALLOW-BUILTIN\Users-0x4-CI

                           ALLOW-BUILTIN\Users-0x2-CI|IO

                           ALLOW-Everyone-0x1200a9


--tmac
Tim McCarthy, Principal ConsultantProud Member of the #NetAppATeamI Blog at TMACsRack

On Sun, Jul 17, 2016 at 5:36 PM, Fred Grieco <fredgrieco@yahoo.com> wrote:

The owner on both is the same, and there are about 5-6 groups that have permissions on both sides as well.  And yet the 7-mode side returns 0700 for these.  Quite odd.


From: "andrei.borzenkov@ts.fujitsu.com" <andrei.borzenkov@ts.fujitsu.com>
To: Fred Grieco <fredgrieco@yahoo.com>; Toasters <toasters@teaparty.net>
Sent: Sunday, July 17, 2016 3:04 PM
Subject: RE: displayed unix permissions on ntfs qtree

Who is the owner of files on 7-Mode and C-Mode? Note that while owner does not matter for access check (unless you have explicit ACL for OWNER) to get 0700 permissions you must have only ACL for actual file owner.

---
With best regards

Andrei Borzenkov
Senior system engineer

From: Fred Grieco [mailto:fredgrieco@yahoo.com]
Sent: Sunday, July 17, 2016 8:54 PM
To: Borzenkov, Andrei; Toasters
Subject: Re: displayed unix permissions on ntfs qtree

The ntfs acl on 7-mode and cDOT are the same. And they are obeyed with respect to access.

The issue is with ssh keys -- the app needs to "see" 700 perms in order to function properly. So I'm trying to get the displayed permissions to match what they were in 7-mode.

I've created a test folder and it looks like if I add any other user to the ACL, it will display 777. I even tried a user that doesn't share any groups (like Domain Users).

Fred

From: "andrei.borzenkov@ts.fujitsu.com" <andrei.borzenkov@ts.fujitsu.com>
To: Fred Grieco <fredgrieco@yahoo.com>; Toasters <toasters@teaparty.net>
Sent: Sunday, July 17, 2016 12:37 PM
Subject: RE: displayed unix permissions on ntfs qtree

Well, permissions bits for ntfs security style qtree are for display purposes anyway and should “show the maximum access allowed to any user in the ACL”. May be C-Mode has some additional (inherited?) ACLs? Did you compare full ACL for a file in 7-Mode and C-Mode?

---
With best regards

Andrei Borzenkov
Senior system engineer

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Fred Grieco
Sent: Sunday, July 17, 2016 4:06 PM
To: Toasters
Subject: displayed unix permissions on ntfs qtree

I'm having an issue on the displayed permissions in linux, on an ntfs qtree. This is in cDOT 8.2.3. I have a vserver that's joined to an AD domain and NIS-enabled. Basically, most of the permissions display rwxrwxrwx on the linux, and it's not clear where it's getting these. The NIS/nfs permission themselves are obeyed -- I can only get to where I have access, on the linux side.

This is a snapmirrored volume/qtree from a 7-mode filer. It's user directories. The linux permissions from the 7-mode filer are almost exclusively rwx------. The ntfs permissions on the source and destinations match, and the NIS/AD/namemapping configs are the same. I'm not sure why it's not displaying the same permissions from linux on the source and destination.

Fred


_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
Re: displayed unix permissions on ntfs qtree [ In reply to ]
Thank you for coming back on it!

Sent from iPhone

On 22 July 2016, at 4:27, Fred Grieco <fredgrieco@yahoo.com> wrote:

Thanks everyone for the help. The answer here was that in 7mode, there was a setting called "options nfs.ntacl_display_permissive_perms." When set to disabled, like it is on my source, all ACLs but "everyone-full control" will translate to 700 for linux hosts.

This option was not available in cDOT until version 8.3.1. It's a vserver-wide setting: vserver nfs modify -vserver vservername -ntacl-display-permissive-perms disabled (set -priv advanced). In 8.2.3, it's stuck at enabled.

I'm a little stuck because I'm doing a tdp transition from 32 bit aggregates, so can't upgrade to 8.3.1+ until that's done. The interim solution is to set the required areas to owner-full control *only* in the nt acl to get the 700 perm in linux.

Sorry if this was a repeat. This was covered in https://whyistheinternetbroken.wordpress.com/ and NOW.


________________________________
From: tmac <tmacmd@gmail.com>
To: Fred Grieco <fredgrieco@yahoo.com>
Cc: "andrei.borzenkov@ts.fujitsu.com" <andrei.borzenkov@ts.fujitsu.com>; Toasters <toasters@teaparty.net>
Sent: Monday, July 18, 2016 8:28 AM
Subject: Re: displayed unix permissions on ntfs qtree

never tried this before but how about this:

from a windows host, as that user, modify the ACL until all that is left is
owner = user
full = user

From the cDot system, you can verify with:

vserver security file-directory show -vserver <vserver> -path </absolute/path/to/file-or-directory>

It will spit out something like this:

Vserver: myvserver
File Path: /obdfile
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 16
DOS Attributes in Text: ----DSH-
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:NT AUTHORITY\SYSTEM
Group:NT AUTHORITY\SYSTEM
DACL - ACEs
ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO
ALLOW-BUILTIN\Users-0x1200a9-OI|CI
ALLOW-BUILTIN\Users-0x4-CI
ALLOW-BUILTIN\Users-0x2-CI|IO
ALLOW-Everyone-0x1200a9

--tmac

Tim McCarthy, Principal Consultant
Proud Member of the #NetAppATeam<https://twitter.com/NetAppATeam>
I Blog at TMACsRack<https://tmacsrack.wordpress.com/>


On Sun, Jul 17, 2016 at 5:36 PM, Fred Grieco <fredgrieco@yahoo.com> wrote:
The owner on both is the same, and there are about 5-6 groups that have permissions on both sides as well. And yet the 7-mode side returns 0700 for these. Quite odd.


________________________________
From: "andrei.borzenkov@ts.fujitsu.com" <andrei.borzenkov@ts.fujitsu.com>
To: Fred Grieco <fredgrieco@yahoo.com>; Toasters <toasters@teaparty.net>
Sent: Sunday, July 17, 2016 3:04 PM
Subject: RE: displayed unix permissions on ntfs qtree

Who is the owner of files on 7-Mode and C-Mode? Note that while owner does not matter for access check (unless you have explicit ACL for OWNER) to get 0700 permissions you must have only ACL for actual file owner.

---
With best regards

Andrei Borzenkov
Senior system engineer

From: Fred Grieco [mailto:fredgrieco@yahoo.com]
Sent: Sunday, July 17, 2016 8:54 PM
To: Borzenkov, Andrei; Toasters
Subject: Re: displayed unix permissions on ntfs qtree

The ntfs acl on 7-mode and cDOT are the same. And they are obeyed with respect to access.

The issue is with ssh keys -- the app needs to "see" 700 perms in order to function properly. So I'm trying to get the displayed permissions to match what they were in 7-mode.

I've created a test folder and it looks like if I add any other user to the ACL, it will display 777. I even tried a user that doesn't share any groups (like Domain Users).

Fred

________________________________
From: "andrei.borzenkov@ts.fujitsu.com" <andrei.borzenkov@ts.fujitsu.com>
To: Fred Grieco <fredgrieco@yahoo.com>; Toasters <toasters@teaparty.net>
Sent: Sunday, July 17, 2016 12:37 PM
Subject: RE: displayed unix permissions on ntfs qtree

Well, permissions bits for ntfs security style qtree are for display purposes anyway and should "show the maximum access allowed to any user in the ACL". May be C-Mode has some additional (inherited?) ACLs? Did you compare full ACL for a file in 7-Mode and C-Mode?

---
With best regards

Andrei Borzenkov
Senior system engineer

From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Fred Grieco
Sent: Sunday, July 17, 2016 4:06 PM
To: Toasters
Subject: displayed unix permissions on ntfs qtree

I'm having an issue on the displayed permissions in linux, on an ntfs qtree. This is in cDOT 8.2.3. I have a vserver that's joined to an AD domain and NIS-enabled. Basically, most of the permissions display rwxrwxrwx on the linux, and it's not clear where it's getting these. The NIS/nfs permission themselves are obeyed -- I can only get to where I have access, on the linux side.

This is a snapmirrored volume/qtree from a 7-mode filer. It's user directories. The linux permissions from the 7-mode filer are almost exclusively rwx------. The ntfs permissions on the source and destinations match, and the NIS/AD/namemapping configs are the same. I'm not sure why it's not displaying the same permissions from linux on the source and destination.

Fred





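Added example (not part of the thread and not NetApp code): a Python check that parses the `vserver security file-directory show` output quoted above and lists the trustees that would have to be removed to reach the owner-full-control-only ACL described in the thread as the interim way to get 700 displayed on 8.2.3. The function names and the handling of `DENY-` lines are assumptions, and the rule checked is the behaviour reported in the thread, not a documented ONTAP algorithm.

```python
import re

# Output quoted in the thread (tmac's message), trimmed to the fields used here.
THREAD_SAMPLE = r"""
File Path: /obdfile
Security Style: ntfs
UNIX Mode Bits: 777
Owner:NT AUTHORITY\SYSTEM
Group:NT AUTHORITY\SYSTEM
DACL - ACEs
ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO
ALLOW-BUILTIN\Users-0x1200a9-OI|CI
ALLOW-BUILTIN\Users-0x4-CI
ALLOW-BUILTIN\Users-0x2-CI|IO
ALLOW-Everyone-0x1200a9
"""

FILE_ALL_ACCESS = 0x1F01FF  # Windows "Full control" access mask
GENERIC_ALL = 0x10000000
# TYPE-trustee-mask[-flags]; DENY lines are assumed to use the same layout.
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+?)-(0x[0-9a-fA-F]+)(?:-(\S+))?$")


def parse_report(text):
    """Extract owner, displayed mode bits and DACL ACEs from the output."""
    report = {"owner": None, "mode": None, "aces": []}
    for line in (raw.strip() for raw in text.splitlines()):
        ace = ACE_RE.match(line)
        if ace:
            kind, trustee, mask, flags = ace.groups()
            report["aces"].append({"type": kind, "trustee": trustee,
                                   "mask": int(mask, 16),
                                   "flags": flags.split("|") if flags else []})
        elif line.startswith("Owner:"):
            report["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("UNIX Mode Bits:"):
            report["mode"] = line.split(":", 1)[1].strip()
    return report


def owner_only_check(report):
    """Return (ok, extras): ok is True when the DACL holds only ALLOW ACEs
    for the owner with full control; extras lists every other trustee."""
    owner, aces = report["owner"], report["aces"]
    extras = sorted({a["trustee"] for a in aces if a["trustee"] != owner})
    owner_full = any(
        a["type"] == "ALLOW" and a["trustee"] == owner
        and ((a["mask"] & FILE_ALL_ACCESS) == FILE_ALL_ACCESS
             or bool(a["mask"] & GENERIC_ALL))
        for a in aces)
    no_deny = all(a["type"] == "ALLOW" for a in aces)
    return (owner_full and no_deny and not extras), extras
```

Run against the thread's sample, the check fails and names `BUILTIN\Administrators`, `BUILTIN\Users`, `CREATOR OWNER` and `Everyone` as the entries beyond the owner, which matches the 777 shown in its `UNIX Mode Bits` line.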