Greetings,
I inherited a group of filers that are heavily CIFS. There are multiple clusters of different hardware and different OS levels. All are 7-mode.
What the managers found is that people have changed directory permissions and excluded administrators or people with full control. When a problem pops up they have to find one of the directory owners to get added in order to fix an issue.
We don't really want to push the permissions to all sub-directories in an overwrite mode because we could break tool access, or grant access people may not have had before, etc.
Is there a way to add administrators to a tree from the NetApp or a way to do this that doesn't remove previous access control? The managers already have full control at the share level.
Thanks,
Jeff
Good question.
You could try setting an inheritable ACE on the top-level directory. As long as users did not add explicit Deny entries or block inheritance, it should suffice. Note that explicit denials always override explicit grants, so just adding an ACE may not be sufficient anyway.
I could not find an explicit statement, but fsecurity appears to replace the existing DACL. I suppose one possibility would be
- Dump existing DACLs using something like "icacls /save"
- Convert the result into a valid fsecurity job definition
- Add the necessary ACEs
- Apply
But it may not work if access to folders/files is blocked. In this case it is possible to create a task that runs as e.g. SYSTEM to do it.
C-Mode looks better as it allows editing individual ACEs.
--- With best regards
Andrei Borzenkov
Senior system engineer
FTS WEMEAI RUC RU SC TMS FOS
FUJITSU
Zemlyanoy Val Street, 9, 105 064 Moscow, Russian Federation
Tel.: +7 495 730 62 20 (reception)
Mob.: +7 916 678 7208
Fax: +7 495 730 62 14
E-mail: Andrei.Borzenkov@ts.fujitsu.com
Web: ru.fujitsu.com http://ts.fujitsu.com/
Company details: ts.fujitsu.com/imprint http://ts.fujitsu.com/imprint.html
This communication contains information that is confidential, proprietary in nature and/or privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s) or the person responsible for delivering it to the intended recipient(s), please note that any form of dissemination, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender and delete the original communication. Thank you for your cooperation.
Please be advised that neither Fujitsu, its affiliates, its employees or agents accept liability for any errors, omissions or damages caused by delays of receipt or by any virus infection in this message or its attachments, or which may otherwise arise as a result of this e-mail transmission.
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of Jeff Cleverley Sent: Tuesday, September 15, 2015 2:10 AM To: Toasters@teaparty.net Subject: Cifs administrative access push to the entire qtree
-- Jeff Cleverley IT Engineer 4380 Ziegler Road Building 1, Dock 1 Fort Collins, Colorado 80525 970-288-4611
I typically make the domain account for the administrators a local administrator on the NAS.
On Tue, Sep 15, 2015 at 3:49 AM, Borzenkov, Andrei < andrei.borzenkov@ts.fujitsu.com> wrote:
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
> You could try setting an inheritable ACE on the top-level directory. As long as users did not add explicit Deny entries or block inheritance, it should suffice. Note that explicit denials always override explicit grants, so just *adding* an ACE may not be sufficient anyway.
I don't know whether they did anything explicitly. Unfortunately it doesn't let us see any permissions or settings. My account is a domain admin and I'm also in the administrators group on the filers.
> I could not find an explicit statement, but fsecurity appears to replace the existing DACL. I suppose one possibility would be
> - Dump existing DACLs using something like "icacls /save"
> - Convert the result into a valid fsecurity job definition
> - Add the necessary ACEs
> - Apply
We looked into this, but not having permissions to a variety of sub-directories, the icacls command doesn't see into these directories. We could try to force permissions down the trees, but even if it works, we're potentially adding or removing access to groups currently being hidden. We're reluctant to blindly do this.
> But it may not work if access to folders/files is blocked. In this case it is possible to create a task that runs as e.g. SYSTEM to do it.
Would you elaborate on this? Where would this job run from and how would it end up with access?
Thanks,
Jeff
> C-Mode looks better as it allows editing individual ACEs.
>> You could try setting an inheritable ACE on the top-level directory. As long as users did not add explicit Deny entries or block inheritance, it should suffice. Note that explicit denials always override explicit grants, so just adding an ACE may not be sufficient anyway.
> I don't know whether they did anything explicitly. Unfortunately it doesn't let us see any permissions or settings. My account is a domain admin and I'm also in the administrators group on the filers.
You can use "fsecurity show" on the filer to dump the current ACL. Could you paste an example for one of the inaccessible files?
Did you try setting a top-level inheritable ACE? It should not override any ACL on contained files.
> We looked into this, but not having permissions to a variety of sub-directories, the icacls command doesn't see into these directories. We could try to force permissions down the trees, but even if it works, we're potentially adding or removing access to groups currently being hidden. We're reluctant to blindly do this.
>> But it may not work if access to folders/files is blocked. In this case it is possible to create a task that runs as e.g. SYSTEM to do it.
> Would you elaborate on this? Where would this job run from and how would it end up with access?
Sorry, I was wrong here. It is possible to do it on Windows (running the job as the SYSTEM account), but of course it won't help when accessing something over the network.
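The procedure Andrei sketches in his first reply (dump the DACLs with icacls /save, add the Administrators ACE, feed the result to fsecurity) and the two caveats raised later in the thread (an explicit Deny wins over any Allow, and a top-level inheritable ACE does not reach a directory that blocks inheritance) can be worked through in a short script. The Python below is an added example, not code from the thread or from NetApp. It assumes the text layout icacls /save produces (a path line followed by its SDDL line; the real file is UTF-16), a constructed three-directory sample, a BUILTIN\Administrators Full Control ACE written as (A;OICI;FA;;;BA), and a 7-Mode fsecurity job definition consisting of a cb56f6f4 signature line followed by version,type,"path",propagation,"SDDL" lines. That job layout, and whether fsecurity accepts the BA alias or needs a DOMAIN\group name, are assumptions to check against the Data ONTAP 7-Mode file access documentation before anything is applied.

```python
"""Merge an inheritable Administrators ACE into DACLs exported by `icacls /save`
without discarding the ACEs already present, and emit a 7-Mode fsecurity job.
Added example: not code from the thread or from NetApp."""
import re

# Constructed sample of `icacls <root> /save acl.txt /t` output. The real file is
# UTF-16 with CRLF line ends; each path line is followed by its SDDL line and the
# paths are relative to the directory that was saved.
SAMPLE_ICACLS_SAVE = """proj
D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)
proj\\finance
D:PAI(A;OICI;FA;;;S-1-5-21-1-2-3-1105)(A;OICI;0x1301bf;;;S-1-5-21-1-2-3-513)
proj\\finance\\payroll
D:P(D;OICI;FA;;;BA)(A;OICI;FA;;;S-1-5-21-1-2-3-1105)
"""

# Allow, inherit to subfolders and files, Full Control, BUILTIN\Administrators.
# Assumption: fsecurity accepts the BA alias; if not, use the DOMAIN\group form.
ADMIN_ACE = "(A;OICI;FA;;;BA)"
# Assumption: first line of a 7-Mode fsecurity job definition file.
JOB_SIGNATURE = "cb56f6f4"

_DACL = re.compile(r"^D:([A-Z]*)((?:\([^)]*\))*)$")
_ACE = re.compile(r"\(([^)]*)\)")


def parse_icacls_save(text):
    """Return [(relative_path, sddl), ...] from icacls /save text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating path and SDDL lines")
    return list(zip(lines[0::2], lines[1::2]))


def split_dacl(sddl):
    """Return (DACL control flags such as 'P'/'AI', [ace, ...] without parentheses)."""
    m = _DACL.match(sddl)
    if not m:
        raise ValueError(f"unsupported SDDL: {sddl}")
    return m.group(1), _ACE.findall(m.group(2))


def ace_fields(ace):
    """(type, flags, rights, sid) of an ACE string such as 'A;OICIID;FA;;;BA'."""
    ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
    return ace_type, flags, rights, sid


def add_admin_ace(sddl, admin_ace=ADMIN_ACE):
    """Return (new_sddl, findings). Every existing ACE is kept. The new explicit
    Allow goes in front of the first inherited ACE so the DACL stays canonical
    (explicit Deny, explicit Allow, then inherited). If the target SID already
    has an explicit Deny, the DACL comes back unchanged: an added Allow would
    never be reached, so that directory needs a manual decision. A Deny on some
    other group the admins belong to is reported but not acted on."""
    flags, aces = split_dacl(sddl)
    new = admin_ace.strip("()")
    new_sid = ace_fields(new)[3]
    findings = []
    if "P" in flags:
        findings.append("inheritance blocked (P): a top-level inheritable ACE will not reach here")
    for ace in aces:
        ace_type, aflags, rights, sid = ace_fields(ace)
        if ace_type == "D" and "ID" not in aflags:
            findings.append(f"explicit Deny for {sid} overrides any Allow")
            if sid == new_sid:
                return sddl, findings
        if ace_type == "A" and sid == new_sid and rights == "FA" and "ID" not in aflags:
            return sddl, findings  # explicit Full Control already present
    first_inherited = next((i for i, a in enumerate(aces) if "ID" in ace_fields(a)[1]), len(aces))
    aces.insert(first_inherited, new)
    return "D:" + flags + "".join(f"({a})" for a in aces), findings


def job_lines(root_ontap_path, icacls_text, only_protected=False):
    """Build the fsecurity job definition. Assumed 7-Mode line layout:
    version,security-type,"path",propagation-mode,"SDDL"; verify the field
    meanings in the Data ONTAP 7-Mode documentation before applying.
    With only_protected=True only DACLs flagged P are written, which is all that
    is needed once the top-level directory carries the inheritable ACE."""
    out = [JOB_SIGNATURE]
    report = {}
    for rel, sddl in parse_icacls_save(icacls_text):
        new_sddl, findings = add_admin_ace(sddl)
        report[rel] = findings
        if new_sddl == sddl or (only_protected and "P" not in split_dacl(sddl)[0]):
            continue
        parts = rel.split("\\")[1:]  # drop the saved root's own name
        ontap_path = root_ontap_path + ("/" + "/".join(parts) if parts else "")
        out.append(f'1,0,"{ontap_path}",0,"{new_sddl}"')
    return out, report


if __name__ == "__main__":
    lines, report = job_lines("/vol/vol1/proj", SAMPLE_ICACLS_SAVE)
    print("\n".join(lines))
    for path, findings in report.items():
        for f in findings:
            print(f"# {path}: {f}")
```

icacls only exports what the account running it can read, so the directories the admins were locked out of will be missing from the export, which is exactly the gap Jeff describes; "fsecurity show" on the filer is the way to see those DACLs. Once the top-level inheritable ACE is in place, only_protected=True limits the job to directories whose DACL carries the P flag, the only ones the inherited entry cannot reach. Directories where an explicit Deny for Administrators would make the added Allow useless are left out of the job and listed in the report for a manual decision.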