Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-71-1011360.1
Update Date: 2009-04-26
Keywords:

Solution Type  Technical Instruction Sure

Solution  1011360.1 :   Sun StorageTek[TM] 5000 Series NAS: UNIX root user cannot change ownership or permissions on Windows created files  


Related Items
  • Sun Storage 5210 NAS Appliance
  • Sun Storage 5220 NAS Appliance
  • Sun Storage 5310 NAS Appliance
  • Sun Storage 5320 NAS Gateway/Cluster System
  • Sun Storage 5320 NAS Appliance
  • Sun Storage 5310 NAS Gateway System
Related Categories
  • GCS>Sun Microsystems>Storage - Disk>Network Attached Storage

PreviouslyPublishedAs
215586


Description
This problem occurs when a file or directory was created or modified by a CIFS (usually Windows) client. CIFS uses complex security descriptors, known as ACLs or Access Control Lists. These security descriptors cannot always be accurately represented using NFS 'mode' security attributes. Therefore, to prevent circumvention of these security descriptors, the NAS OS default setting does not permit NFS modification of security or ownership on files with ACLs.
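
As an added illustration (not part of the original Sun document, and not the NAS OS's own logic), the following Python example uses a simplified, constructed ACL model to show why an ACL cannot always be represented by mode bits: projecting a sample ACL onto owner/group/other bits and back changes who has access. The names Ace, effective, to_mode, from_mode and drift, and the sample users and groups, are assumptions made for the example.

```python
from dataclasses import dataclass

READ, WRITE, EXEC = 4, 2, 1  # same bit values as one octal mode digit

@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # user or group name
    mask: int      # READ | WRITE | EXEC

def effective(acl, user, groups):
    """Ordered evaluation: the first matching ACE decides each permission bit."""
    who = {user, "Everyone"} | set(groups)
    granted = decided = 0
    for ace in acl:
        if ace.trustee in who:
            fresh = ace.mask & ~decided   # bits no earlier ACE has settled
            if ace.kind == "allow":
                granted |= fresh
            decided |= fresh
    return granted

def to_mode(acl, owner, group):
    """Project an ACL onto owner/group/other mode bits (lossy)."""
    o, g, e = effective(acl, owner, []), effective(acl, "", [group]), effective(acl, "", [])
    return o << 6 | g << 3 | e

def from_mode(mode, owner, group):
    """The only ACL that mode bits alone can express: three allow entries."""
    return [Ace("allow", owner, mode >> 6 & 7),
            Ace("allow", group, mode >> 3 & 7),
            Ace("allow", "Everyone", mode & 7)]

def drift(acl, owner, group, principals):
    """Return {user: (before, after)} for users whose access changes."""
    flat = from_mode(to_mode(acl, owner, group), owner, group)
    changes = {}
    for user, groups in principals.items():
        before, after = effective(acl, user, groups), effective(flat, user, groups)
        if before != after:
            changes[user] = (before, after)
    return changes

# Constructed sample: file owned by alice, group staff, ACL set from a CIFS client.
SAMPLE_ACL = [Ace("deny", "bob", WRITE), Ace("allow", "alice", READ | WRITE),
              Ace("allow", "staff", READ | WRITE), Ace("allow", "auditors", READ)]
PRINCIPALS = {"alice": [], "bob": ["staff"], "carol": ["auditors"]}
if __name__ == "__main__":
    print(oct(to_mode(SAMPLE_ACL, "alice", "staff")), drift(SAMPLE_ACL, "alice", "staff", PRINCIPALS))
```

In the sample, replacing the ACL with its mode-bit equivalent gives bob the write access that the deny entry withheld and removes carol's read access, which is the kind of circumvention the default setting guards against.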


Steps to Follow
To correct this issue, the ACL can be removed to allow ownership and security to be set from NFS. This can be done either as a system policy, which deletes ACLs automatically when NFS ownership/security requests are received, or by deleting the ACLs individually from files or volumes with NAS console commands. The instructions below assume you are running at least version 4.21 of the NAS operating system.

To modify this behavior as a system policy:

WARNING: Use caution with this setting, as this will allow the UNIX root user from trusted hosts to remove CIFS ACL security from files without any confirmation.

  1. Connect to the Sun StorageTek 5000 Series NAS through Telnet or ssh and enter the administrator password.
  2. At the prompt, enter fsctl acl protect off. This setting will take effect immediately, and a UNIX root user (from a trusted host) should be able to set security.

To remove ACL information from a single file or from an entire volume:

WARNING: CIFS (usually Windows) clients may behave unexpectedly when performing file operations on files that have had their ACLs removed in this way, particularly when ACLs are removed from the entire volume. If errors or other problems are experienced on a CIFS client, the share should be disconnected and reconnected, or the user should log off the workstation and back on.

  1. Connect to the Sun StorageTek 5000 Series NAS through Telnet or ssh and enter the administrator password.
  2. At the CLI, type chsmb /path/filename or chsmb volumename. For /path/filename, use a full path, including volume. A directory is acceptable for filename, but only the directory itself will be affected, not the contents. chsmb can be run only on a single object or on the entire volume. A warning and confirmation are displayed only when the volumename argument is used.


Product
Sun StorageTek 5320 NAS Gateway/Cluster System
Sun StorageTek 5320 NAS Appliance
Sun StorageTek 5320
Sun StorageTek 5310 NAS Gateway/Cluster System
Sun StorageTek 5310 NAS Gateway System
Sun StorageTek 5310 NAS Appliance
Sun StorageTek 5220 NAS Appliance
Sun StorageTek 5210 NAS Appliance

Internal Comments
This document contains normalized content and is managed by the Domain Lead(s) of the respective domains. To notify content owners of a knowledge gap contained in this document, and/or prior to updating this document, please contact the domain engineers that are managing this document via the “Document Feedback” alias(es) listed below:

storage-nas-domain@sun.com

The Knowledge Work Queue for this article is KNO-STO-NAS.

NAS, CIFS, UNIX, ACL, security, normalized, Audited
Previously Published As
90644

Change History
Date: 2007-09-21
User Name: 95826
Action: Approved
Comment: - verified metadata
- review date ok : 2008-09-18
- checked for TM - none added
- checked audience : contract
- no further edit required
Publishing
Version: 2
Date: 2007-09-21
User Name: 95826
Action: Accept
Comment:
Version: 0

Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.