I'm having an issue on the displayed permissions in linux, on an ntfs qtree. This is in cDOT 8.2.3. I have a vserver that's joined to an AD domain and NIS-enabled. Basically, most of the permissions display rwxrwxrwx on the linux, and it's not clear where it's getting these. The NIS/nfs permissions themselves are obeyed -- I can only get to where I have access, on the linux side.
This is a snapmirrored volume/qtree from a 7-mode filer. It's user directories. The linux permissions from the 7-mode filer are almost exclusively rwx------. The ntfs permissions on the source and destinations match, and the NIS/AD/namemapping configs are the same. I'm not sure why it's not displaying the same permissions from linux on the source and destination.
Fred
Well, permission bits for an ntfs security style qtree are for display purposes anyway and should “show the maximum access allowed to any user in the ACL”. Maybe C-Mode has some additional (inherited?) ACLs? Did you compare the full ACL for a file in 7-Mode and C-Mode?
--- With best regards
Andrei Borzenkov, Senior system engineer, FUJITSU
The ntfs acl on 7-mode and cDOT are the same. And they are obeyed with respect to access.
The issue is with ssh keys -- the app needs to "see" 700 perms in order to function properly. So I'm trying to get the displayed permissions to match what they were in 7-mode.
I've created a test folder and it looks like if I add any other user to the ACL, it will display 777. I even tried a user that doesn't share any groups (like Domain Users).
Fred
Who is the owner of the files on 7-Mode and C-Mode? Note that while the owner does not matter for the access check (unless you have an explicit ACL for OWNER), to get 0700 permissions you must have only an ACL for the actual file owner.
--- With best regards
Andrei Borzenkov, Senior system engineer, FUJITSU
The owner on both is the same, and there are about 5-6 groups that have permissions on both sides as well. And yet the 7-mode side returns 0700 for these. Quite odd.
never tried this before but how about this:
from a windows host, as that user, modify the ACL until all that is left is
owner = user
full = user
From the cDot system, you can verify with:
vserver security file-directory show -vserver <vserver> -path </absolute/path/to/file-or-directory>
It will spit out something like this:
Vserver: myvserver
File Path: /obdfile
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 16
DOS Attributes in Text: ----DSH-
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:NT AUTHORITY\SYSTEM
Group:NT AUTHORITY\SYSTEM
DACL - ACEs
ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO
ALLOW-BUILTIN\Users-0x1200a9-OI|CI
ALLOW-BUILTIN\Users-0x4-CI
ALLOW-BUILTIN\Users-0x2-CI|IO
ALLOW-Everyone-0x1200a9
--tmac
Tim McCarthy, Principal Consultant
Proud Member of the #NetAppATeam https://twitter.com/NetAppATeam
I Blog at TMACsRack https://tmacsrack.wordpress.com/
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
Thanks everyone for the help. The answer here was that in 7mode, there was a setting called "options nfs.ntacl_display_permissive_perms." When set to disabled, like it is on my source, all ACLs but "everyone-full control" will translate to 700 for linux hosts.
This option was not available in cDOT until version 8.3.1. It's a vserver-wide setting: vserver nfs modify -vserver vservername -ntacl-display-permissive-perms disabled (set -priv advanced). In 8.2.3, it's stuck at enabled.
I'm a little stuck because I'm doing a tdp transition from 32 bit aggregates, so can't upgrade to 8.3.1+ until that's done. The interim solution is to set the required areas to owner-full control *only* in the nt acl to get the 700 perm in linux.
Sorry if this was a repeat. This was covered in https://whyistheinternetbroken.wordpress.com/ and NOW.
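Added example, not part of the thread and not NetApp code: it parses `vserver security file-directory show` output in the layout quoted above and lists the ALLOW trustees that would have to be removed for the owner-only interim fix. The owner-only rule is an assumption taken from the thread's observations, not ONTAP's actual algorithm; the first sample is abridged from the thread, the second sample and the `EXAMPLE\fred` names are constructed.

```python
import re

# Abridged from the output quoted in the thread (owner is NT AUTHORITY\SYSTEM).
THREAD_SAMPLE = r"""
Vserver: myvserver
File Path: /obdfile
Security Style: ntfs
UNIX Mode Bits: 777
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:NT AUTHORITY\SYSTEM
Group:NT AUTHORITY\SYSTEM
DACL - ACEs
ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO
ALLOW-BUILTIN\Users-0x1200a9-OI|CI
ALLOW-BUILTIN\Users-0x4-CI
ALLOW-BUILTIN\Users-0x2-CI|IO
ALLOW-Everyone-0x1200a9
"""

# Constructed sample: a directory after the owner-full-control-only change.
OWNER_ONLY_SAMPLE = r"""
Vserver: myvserver
File Path: /home/fred/.ssh
Security Style: ntfs
UNIX Mode Bits: 700
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:EXAMPLE\fred
Group:EXAMPLE\Domain Users
DACL - ACEs
ALLOW-EXAMPLE\fred-0x1f01ff-OI|CI
"""

# TYPE-trustee-0xMASK[-FLAGS]; the trustee itself may contain spaces or hyphens,
# so it is matched greedily and the mask/flags are anchored at the end.
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?$")


def parse_show_output(text):
    """Extract path, displayed mode bits, owner and ACEs from one entry."""
    info = {"path": None, "mode": None, "owner": None, "aces": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = ACE_RE.match(line)
        if m:
            kind, trustee, mask, flags = m.groups()
            info["aces"].append({
                "type": kind,
                "trustee": trustee,
                "mask": int(mask, 16),
                "flags": set(flags.split("|")) if flags else set(),
            })
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # e.g. the "DACL - ACEs" heading
        key, value = key.strip(), value.strip()
        if key == "File Path":
            info["path"] = value
        elif key == "UNIX Mode Bits":
            info["mode"] = value
        elif key == "Owner":
            info["owner"] = value
    return info


def extra_trustees(info):
    """ALLOW trustees other than the owner that apply to the object itself.

    Inherit-only (IO) ACEs are skipped: they only seed child objects and do
    not grant access on the directory they are attached to.
    """
    owner = (info["owner"] or "").lower()
    extras = []
    for ace in info["aces"]:
        if ace["type"] != "ALLOW" or "IO" in ace["flags"]:
            continue
        if ace["trustee"].lower() != owner and ace["trustee"] not in extras:
            extras.append(ace["trustee"])
    return extras


def audit(text):
    """Report whether the DACL is owner-only and which trustees block that."""
    info = parse_show_output(text)
    extras = extra_trustees(info)
    return {
        "path": info["path"],
        "mode": info["mode"],
        "owner": info["owner"],
        "owner_only": not extras,
        "remove": extras,
    }


if __name__ == "__main__":
    for sample in (THREAD_SAMPLE, OWNER_ONLY_SAMPLE):
        print(audit(sample))
```
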
Thank you for coming back on it!
Sent from iPhone
On July 22, 2016, at 4:27, Fred Grieco <fredgrieco@yahoo.com> wrote:
Thanks everyone for the help. The answer here was that in 7mode, there was a setting called "options nfs.ntacl_display_permissive_perms". When set to disabled, like it is on my source, all ACLs but "everyone-full control" will translate to 700 for linux hosts.
This option was not available in cDOT until version 8.3.1. It's a vserver-wide setting: vserver nfs modify -vserver vservername -ntacl-display-permissive-perms disabled (set -priv advanced). In 8.2.3, it's stuck at enabled.
I'm a little stuck because I'm doing a tdp transition from 32 bit aggregates, so can't upgrade to 8.3.1+ until that's done. The interim solution is to set the required areas to owner-full control *only* in the nt acl to get the 700 perm in linux.
Sorry if this was a repeat. This was covered in https://whyistheinternetbroken.wordpress.com/ and NOW.
________________________________ From: tmac <tmacmd@gmail.com> To: Fred Grieco <fredgrieco@yahoo.com> Cc: "andrei.borzenkov@ts.fujitsu.com" <andrei.borzenkov@ts.fujitsu.com>; Toasters <toasters@teaparty.net> Sent: Monday, July 18, 2016 8:28 AM Subject: Re: displayed unix permissions on ntfs qtree
never tried this before but how about this:
from a windows host, as that user, modify the ACL until all that is left is owner = user full = user
From the cDot system, you can verify with:
vserver security file-directory show -vserver <vserver> -path </absolute/path/to/file-or-directory>
It will spit out something like this:
    Vserver: myvserver
    File Path: /obdfile
    File Inode Number: 64
    Security Style: ntfs
    Effective Style: ntfs
    DOS Attributes: 16
    DOS Attributes in Text: ----DSH-
    Expanded Dos Attributes: -
    UNIX User Id: 0
    UNIX Group Id: 0
    UNIX Mode Bits: 777
    UNIX Mode Bits in Text: rwxrwxrwx
    ACLs: NTFS Security Descriptor
    Control:0x8004
    Owner:NT AUTHORITY\SYSTEM
    Group:NT AUTHORITY\SYSTEM
    DACL - ACEs
    ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
    ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
    ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO
    ALLOW-BUILTIN\Users-0x1200a9-OI|CI
    ALLOW-BUILTIN\Users-0x4-CI
    ALLOW-BUILTIN\Users-0x2-CI|IO
    ALLOW-Everyone-0x1200a9
--tmac
Tim McCarthy, Principal Consultant Proud Member of the #NetAppATeam (https://twitter.com/NetAppATeam) I Blog at TMACsRack (https://tmacsrack.wordpress.com/)
On Sun, Jul 17, 2016 at 5:36 PM, Fred Grieco <fredgrieco@yahoo.com> wrote:
The owner on both is the same, and there are about 5-6 groups that have permissions on both sides as well. And yet the 7-mode side returns 0700 for these. Quite odd.
________________________________ From: "andrei.borzenkov@ts.fujitsu.com" <andrei.borzenkov@ts.fujitsu.com> To: Fred Grieco <fredgrieco@yahoo.com>; Toasters <toasters@teaparty.net> Sent: Sunday, July 17, 2016 3:04 PM Subject: RE: displayed unix permissions on ntfs qtree
Who is the owner of files on 7-Mode and C-Mode? Note that while owner does not matter for access check (unless you have explicit ACL for OWNER) to get 0700 permissions you must have only ACL for actual file owner.
_______________________________________________ Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
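Added example, not part of the thread and not NetApp code: a small parser for saved `vserver security file-directory show` output that lists every DACL trustee other than the file owner, i.e. the entries the interim "owner-full control only" workaround has to remove before Linux shows 700. The one-field-per-line layout, the function names and the second sample (domain, user, path) are assumptions made for the example; inherit-only ACEs are listed like any other, and ONTAP's own mode-bit calculation is not reproduced.

```python
import re

# Sample 1: output quoted in the thread, abridged, one field per line (assumed layout).
THREAD_SAMPLE = r"""
File Path: /obdfile
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
Owner:NT AUTHORITY\SYSTEM
DACL - ACEs
ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
ALLOW-NT AUTHORITY\SYSTEM-0x1f01ff-OI|CI
ALLOW-CREATOR OWNER-0x10000000-OI|CI|IO
ALLOW-BUILTIN\Users-0x1200a9-OI|CI
ALLOW-Everyone-0x1200a9
"""

# Sample 2: constructed for this example (hypothetical domain, user and path).
OWNER_ONLY_SAMPLE = r"""
File Path: /home/fred/.ssh
UNIX Mode Bits: 700
Owner:EXAMPLE-DOM\fred
DACL - ACEs
ALLOW-EXAMPLE-DOM\fred-0x1f01ff-OI|CI
"""

FIELDS = {"File Path:": "path", "UNIX Mode Bits:": "mode", "Owner:": "owner"}
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+?)-(0x[0-9a-fA-F]+)(?:-(\S+))?$")

def parse_show(text):
    """Extract path, displayed mode, owner and DACL ACEs from one output block."""
    info = {"path": None, "mode": None, "owner": None, "aces": []}
    for line in (l.strip() for l in text.splitlines()):
        ace = ACE_RE.match(line)
        if ace:
            kind, trustee, mask, flags = ace.groups()
            info["aces"].append((kind, trustee, int(mask, 16), flags or ""))
            continue
        for prefix, key in FIELDS.items():
            if line.startswith(prefix):
                info[key] = line[len(prefix):].strip()
    return info

def extra_trustees(info):
    """Trustees other than the file owner: the ACEs the workaround removes."""
    owner = (info["owner"] or "").lower()
    return sorted({t for _, t, _, _ in info["aces"] if t.lower() != owner})

def owner_only(info):
    return bool(info["aces"]) and not extra_trustees(info)
```

Run it over the saved output for each directory that must display 700 (for example the ssh key directories mentioned above) and treat any path where `owner_only` is false as still needing the ACL change.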