Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition
Solution Type Technical Instruction Sure

Solution 1011364.1 : Sun StorageTek[TM] 5000 Series NAS: Using the cacls CLI Command to Troubleshoot File and Directory Security
Previously Published As 215590

Description

This document describes: Using the cacls CLI (Command Line Interface) to Troubleshoot File and Directory Security.

The cacls command is a useful tool for troubleshooting security issues. This command is available at the NAS (Network-attached Storage) CLI. It reports NFS (Network File System) and CIFS (Common Internet File System) owner and security data, and any extended file attributes.

Steps to Follow

For issues with access to a file or directory, collect the output of the cacls command. This command is available from the CLI by typing the following:

    cacls <full pathname>

The full pathname should begin with the volume name, as in this example:

    cacls /vol1/directory/testfile.txt

Cacls output contains the following information:

Mode security information and UID/GID of the owner. Here is an example:

    drwxr-x--- 34 22 /vol1/data

In this case, we can see that the item is a directory with 750 permissions:

Next is the Windows security descriptor. In its simplest form, it reads "No security descriptor." This means that no Windows security is present, and that Windows simulates security based on the above NFS permissions. Here is a sample Security Descriptor:

    NT Security Descriptor: (0x800F)
    Owner: Administrators
    Primary Group: S-1-5-21-1638885083-2197052636-4232115574-513
    Discretionary Access Control List (DACL):
    Domain Users:(IA) 1200A9
    Administrators:(IA) 1F01FF
    2 ACE(s)
    Time stamps:
    CIFS Created: (1173099181.686257) Mon Mar 5 07:53:01 2007
    FS Modified : (1173099181) Mon Mar 5 07:53:01 2007

The content of the Security Descriptor is as follows:
NOTE: A SID is a number that uniquely identifies a user or group. The data to the right of the final dash identifies the user within the domain. This user information is known as the RID (relative ID). The RID is the number used for user or group mapping. It can be cross-referenced with the NAS user or group mapping data to determine the user/group name and NFS UID/GID.

To troubleshoot problems connecting to a file or directory or share (check directory permissions for the share), compare the NFS or CIFS user ID to the permissions for the file, and determine whether the operation being attempted should be allowed.

Product

Sun StorageTek 5320 NAS Gateway/Cluster System
Sun StorageTek 5320 NAS Appliance
Sun StorageTek 5320
Sun StorageTek 5310 NAS Gateway/Cluster System
Sun StorageTek 5310 NAS Gateway System
Sun StorageTek 5310 NAS Appliance
Sun StorageTek 5220 NAS Appliance
Sun StorageTek 5220
Sun StorageTek 5210 NAS Appliance

Internal Comments

This document contains normalized content and is managed by the Domain Lead(s) of the respective domains. To notify content owners of a knowledge gap contained in this document, and/or prior to updating this document, please contact the domain engineers that are managing this document via the “Document Feedback” alias(es) listed below:

storage-nas-domain@sun.com

NAS, normalized, CIFS, security, cacls

Previously Published As 90701

Change History

Date: 2007-10-03
User Name: 31620
Action: Approved
Comment:
Verified Metadata - ok
Verified Keywords - ok (normalized)
Although content is normalized, there were no dependent articles identified
Verified still correct for audience - currently set to contract
Audience left at contract as per FvF at
Checked review date - currently set to 2008-09-21
Checked for TM - added appropriate for STK product
Publishing under the current pu

Date: 2007-10-01
User Name: 31620
Action: Accept
Comment:
Version: 0

Date: 2007-10-01
User Name: 102104
Action: Approved
Comment: Good document explaining the security descriptors.
Version: 0

Attachments

This solution has no attachment
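
The checks described under Steps to Follow, as an added Python example that is not part of the original Sun document: it parses the mode line, applies the NFS owner/group/other test, extracts the RID from a SID, and decodes the hex value of each ACE. It assumes the two numbers on the mode line are UID then GID and that each ACE's hex value is a standard Windows file access mask; the function names are hypothetical.

```python
import re
# Windows file access-mask bits (standard winnt.h values). Assumption: the hex
# number after each ACE in cacls output is such a mask.
RIGHTS = [
    (0x000001, "FILE_READ_DATA"), (0x000002, "FILE_WRITE_DATA"),
    (0x000004, "FILE_APPEND_DATA"), (0x000008, "FILE_READ_EA"),
    (0x000010, "FILE_WRITE_EA"), (0x000020, "FILE_EXECUTE"),
    (0x000040, "FILE_DELETE_CHILD"), (0x000080, "FILE_READ_ATTRIBUTES"),
    (0x000100, "FILE_WRITE_ATTRIBUTES"), (0x010000, "DELETE"),
    (0x020000, "READ_CONTROL"), (0x040000, "WRITE_DAC"),
    (0x080000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE"),
]

def parse_mode_line(line):
    """Split e.g. 'drwxr-x--- 34 22 /vol1/data' (assumed order: UID, then GID)."""
    m = re.fullmatch(r"([-d])([-rwx]{9})\s+(\d+)\s+(\d+)\s+(\S.*)", line.strip())
    if not m:
        raise ValueError(f"not a cacls mode line: {line!r}")
    kind, perms, uid, gid, path = m.groups()
    mode = sum(1 << (8 - i) for i, ch in enumerate(perms) if ch != "-")
    return {"is_dir": kind == "d", "mode": mode, "uid": int(uid),
            "gid": int(gid), "path": path}

def nfs_allows(info, uid, gids, want):
    """Owner/group/other check for want in 'r', 'w', 'x' (root not special-cased)."""
    shift = 6 if uid == info["uid"] else 3 if info["gid"] in gids else 0
    return bool((info["mode"] >> shift) & {"r": 4, "w": 2, "x": 1}[want])

def rid_of(sid):
    """Return the RID, the number to the right of the final dash in a SID."""
    if not re.fullmatch(r"S-\d+(-\d+)+", sid):
        raise ValueError(f"not a SID: {sid!r}")
    return int(sid.rsplit("-", 1)[1])

def parse_dacl(text):
    """Map each 'Trustee:(flags) HEXMASK' line to the rights set in the mask."""
    aces = {}
    for m in re.finditer(r"^\s*(.+?):\(\w+\)\s+([0-9A-Fa-f]+)\s*$", text, re.M):
        mask = int(m.group(2), 16)
        aces[m.group(1)] = [name for bit, name in RIGHTS if mask & bit]
    return aces

# Sample lines copied from the cacls output shown in this document.
SAMPLE_DACL = "Domain Users:(IA) 1200A9\nAdministrators:(IA) 1F01FF\n2 ACE(s)\n"

if __name__ == "__main__":
    info = parse_mode_line("drwxr-x--- 34 22 /vol1/data")
    print(oct(info["mode"]), nfs_allows(info, 99, [22], "w"))
    print(rid_of("S-1-5-21-1638885083-2197052636-4232115574-513"), parse_dacl(SAMPLE_DACL))
```

Under these assumptions, 1200A9 in the sample decodes to read and execute rights only, while 1F01FF sets every right in the table.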