Hi all.. I asked this a few weeks ago:
If a qtree is using NTFS style permissions, and that same qtree is exported via NFS to a unix client...Is there a way to see the NTFS acl's from that unix client? The usual "ls -l" just shows what looks like mode 777.
I got some good responses, but I'm not seeing what I want to see.
Qtree on filer is security style NTFS. Qtree is exported to linux box via export file on filer:
/vol/secgroup_group -sec=sys,rw=mfanfs,root=x.x.x.x,nosuid
Qtree is mounted on linux box:
mount -o vers=4,acl secgroup:/vol/secgroup_group /secgroup
grep secgroup /proc/mounts
secgroup:/vol/secgroup_group/ /secgroup nfs4 rw,relatime,vers=4,rsize=65536,wsize=65536,namlen=255,hard,proto=tcp,port=0,timeo=600,retrans=2,sec=sys,clientaddr=x.x.x.x,minorversion=0,local_lock=none,addr=x.x.x.x 0 0
NFS option on filer:
options nfs.ntacl
nfs.ntacl_display_permissive_perms on
From a windows box, using the CIFS share to that qtree, I can right click on a file, select security, and then see/set the usual NTFS style ACLs.
When I use getfacl from the unix box, I still only see the unix style (User,Group,Other) permissions.
What I'm hoping to see is the Windows style ACLs that are on the files.
I can see them from the filer:
secgroup@testfs1> fsecurity show /vol/secgroup_group/ccc/pit
[/vol/secgroup_group/ccc/pit - File (inum 28476)]
  Security style: NTFS
  Effective style: NTFS
  DOS attributes: 0x0020 (---A----)
  Unix security:
    uid: xxxx(username)
    gid: 101 (groupname)
    mode: 0777 (rwxrwxrwx)
  NTFS security descriptor:
    Owner: DOMAIN\username
    Group: DOMAIN\Domain Users
    DACL:
      Allow - DOMAIN\budget - 0x001f01ff (Full Control)
      Allow - Everyone - 0x001200a9 (Read and Execute) - (Inherited)
      Allow - DOMAIN\username - 0x001f01ff (Full Control) - (Inherited)
      Allow - DOMAIN\group - 0x001f01ff (Full Control) - (Inherited)
I am hoping to be able to see the above output, from the linux client. I'm looking for a way for users on linux clients to see the windows ACLs that are on this NTFS qtree.
Any suggestions?
Thanks.
No way to see the NTFS ACLs from a UNIX client without using SSH commands to the filer or smbcacls as mentioned previously (https://www.samba.org/samba/docs/man/manpages-3/smbcacls.1.html).
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of John Adams
Sent: Wednesday, May 11, 2016 4:06 PM
To: toasters@teaparty.net
Subject: Listing NTFS style ACLs from unix client via NFS (Take 2...)
There is no way to see NTFS ACLs from an NFS client on any operating system because NFS simply does not pass that information through.
If you are using NFS v4 then you may be able to see something which looks like ACLs on the client, but they may not be accurate as the semantics of NFSv4 ACLs are different to NTFS ACLs.
NFSv3, which most people still use, does not support any form of ACLs.
This is a limitation of the protocol. It has nothing to do with the storage system or with the client operating system.
As others have said, in order to view NTFS ACLs you must either use an SMB client (e.g. Windows, Linux with a suitable Samba client, etc) or run filer commands.
HTH, Jeremy
On 12 May 2016, at 6:06 AM, John Adams intheyc@gmail.com wrote:
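Since both replies point to filer commands as a way to read the real ACLs, here is an added example (not from the thread and not NetApp tooling) that parses captured `fsecurity show` text and decodes each ACE's access mask into the standard Windows file rights, showing that the mode 0777 seen over NFS overstates what Everyone is granted. The function names are hypothetical, and the sample is constructed from the DACL quoted in the original post, assuming one ACE per line.

```python
import re

# Windows file access-mask bits (standard winnt.h names).
RIGHTS = {
    0x00000001: "FILE_READ_DATA", 0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA", 0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA", 0x00000020: "FILE_EXECUTE",
    0x00000040: "FILE_DELETE_CHILD", 0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES", 0x00010000: "DELETE",
    0x00020000: "READ_CONTROL", 0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER", 0x00100000: "SYNCHRONIZE",
}
# Bits that let a trustee change data, permissions or ownership.
MODIFY = 0x02 | 0x04 | 0x40 | 0x00010000 | 0x00040000 | 0x00080000

ACE_RE = re.compile(
    r"(Allow|Deny) - (.+?) - (0x[0-9a-fA-F]{8}) \(([^)]*)\)( - \(Inherited\))?")

# Constructed sample: the DACL from the post, one ACE per line.
SAMPLE = r"""NTFS security descriptor:
Owner: DOMAIN\username
Group: DOMAIN\Domain Users
DACL:
Allow - DOMAIN\budget - 0x001f01ff (Full Control)
Allow - Everyone - 0x001200a9 (Read and Execute) - (Inherited)
Allow - DOMAIN\username - 0x001f01ff (Full Control) - (Inherited)
Allow - DOMAIN\group - 0x001f01ff (Full Control) - (Inherited)
"""

def decode_mask(mask):
    """Return the names of the rights set in a mask, plus any unknown bits."""
    names = [name for bit, name in sorted(RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(RIGHTS)
    return names + ([f"UNKNOWN_0x{unknown:08x}"] if unknown else [])

def parse_dacl(text):
    """Parse the ACE entries found in fsecurity output into dicts."""
    aces = []
    for kind, trustee, mask, label, inherited in ACE_RE.findall(text):
        m = int(mask, 16)
        aces.append({"type": kind, "trustee": trustee, "mask": m, "label": label,
                     "inherited": bool(inherited), "rights": decode_mask(m),
                     "can_modify": kind == "Allow" and bool(m & MODIFY)})
    return aces

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE):
        print(f"{ace['type']:5} {ace['trustee']:<18} "
              f"modify={ace['can_modify']!s:<5} {', '.join(ace['rights'])}")
```

The regular expression also matches when the ACEs have been run together on one line, as in the text quoted in this thread.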