Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition

Asset ID: 1-71-1011364.1
Update Date:2009-03-02
Solution Type: Technical Instruction

Solution 1011364.1: Sun StorageTek[TM] 5000 Series NAS: Using the cacls CLI Command to Troubleshoot File and Directory Security


Related Items
  • Sun Storage 5210 NAS Appliance
  • Sun Storage 5220 NAS Appliance
  • Sun Storage 5310 NAS Appliance
  • Sun Storage 5320 NAS Gateway/Cluster System
  • Sun Storage 5320 NAS Appliance
  • Sun Storage 5310 NAS Gateway System
Related Categories
  • GCS>Sun Microsystems>Storage - Disk>Network Attached Storage

Previously Published As: 215590


Description
This document describes using the cacls CLI (Command Line Interface) command to troubleshoot file and directory security.

The cacls command is a useful tool for troubleshooting security issues. This command is available at the NAS (Network-attached Storage) CLI. It reports NFS (Network File System) and CIFS (Common Internet File System) owner and security data, and any extended file attributes.



Steps to Follow
For issues with access to a file or directory, collect the output of the cacls command.

This command is available from the CLI by typing the following:

 cacls <full pathname>

The full pathname should begin with the volume name, as in this example:

 cacls /vol1/directory/testfile.txt

Cacls output contains the following information:

First come the mode (permission bits) and the UID/GID of the owner. Here is an example:

 drwxr-x--- 34 22 /vol1/data

In this case, we can see that the item is a directory with 750 permissions:
read/write/execute (7) for the owner (UID 34), read/execute (5) for members of the owner's group (GID 22), and no permissions (0) for everyone else.

Next is the Windows security descriptor. In its simplest form, it reads "No security descriptor." This means that no Windows security is present, and that Windows simulates security based on the above NFS permissions. Here is a sample Security Descriptor:

NT Security Descriptor: (0x800F)
Owner: Administrators
Primary Group: S-1-5-21-1638885083-2197052636-4232115574-513
Discretionary Access Control List (DACL):
Domain Users:(IA) 1200A9
Administrators:(IA) 1F01FF
2 ACE(s)
Time stamps:
CIFS Created: (1173099181.686257) Mon Mar  5 07:53:01 2007
FS Modified : (1173099181) Mon Mar  5 07:53:01 2007

The content of the Security Descriptor is as follows:

  • Security Descriptor - The type of security descriptor. This is not useful for troubleshooting.
  • Owner - The user name or SID of the owner.
  • Primary Group - The group name or SID of the group owner.
  • Discretionary Access Control List (DACL) - A list of the users and groups who have access to the file, by user name, group name, or SID, and the access each has to this object. The access is represented as a hexadecimal access mask, and there are many thousands of possible combinations of permissions. In the example above, the permissions for the "Administrators" group are Full Control, and the "Domain Users" group has standard Read/Execute permission. For more complex permissions, check security from a Windows client connected as a Domain Administrator.
  • Timestamps - Listed next are the CIFS creation time and the filesystem modification time. The timestamps are generally not useful in troubleshooting security issues.

NOTE: A SID is a number that uniquely identifies a user or group. The data to the right of the final dash identifies the user or group within the domain; this value is known as the RID (relative ID). The RID is the number used for user or group mapping. It can be cross-referenced with the NAS user or group mapping data to determine the user/group name and the NFS UID/GID.

To troubleshoot problems accessing a file, directory, or share (for a share, check the permissions on the shared directory), compare the NFS or CIFS user ID with the permissions on the file, and determine whether the operation being attempted should be allowed.
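As an added example (not part of this document or the NAS software), the following Python parser reads cacls output such as the sample above, converts the mode string to its octal value, pulls the RID out of the primary-group SID, and decodes each DACL access mask using the standard Win32 file-rights constants, so the two hex values shown on this page resolve to Full Control and Read & Execute without a Windows client. The constants are the documented Windows SDK values; the sample input is constructed from the page's two excerpts.

```python
import re

# Win32 access-mask constants (standard Windows SDK values) used to decode the hex DACL column.
DELETE, GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE = 0x10000, 0x120089, 0x120116, 0x1200A0
FILE_ALL_ACCESS = 0x1F01FF
SUMMARY_MASKS = {FILE_ALL_ACCESS: "Full Control", GENERIC_READ | GENERIC_EXECUTE: "Read & Execute",
                 GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE | DELETE: "Modify",
                 GENERIC_WRITE: "Write", GENERIC_READ: "Read"}  # Windows Explorer summary names

def describe_mask(mask):
    """Name an ACE access mask; anything that is not an exact summary match is 'Special'."""
    return SUMMARY_MASKS.get(mask, "Special (0x%X)" % mask)

def mode_to_octal(mode):
    """'drwxr-x---' -> '750': each rwx triplet after the type character is one octal digit."""
    digits = ""
    for i in range(1, 10, 3):
        r, w, x = mode[i:i + 3]
        digits += str((4 if r == "r" else 0) + (2 if w == "w" else 0) + (1 if x in "xst" else 0))
    return digits

def parse_cacls(text):
    """Parse cacls output into mode/UID/GID/path, owner, primary group (with its RID) and ACEs."""
    mode_re = re.compile(r"^([-dlcbps][rwxstST-]{9})\s+(\d+)\s+(\d+)\s+(\S+)$")
    ace_re = re.compile(r"^(.+?):\((\w+)\) ([0-9A-Fa-f]+)$")   # e.g. "Domain Users:(IA) 1200A9"
    info = {"aces": []}
    for line in (ln.strip() for ln in text.splitlines()):
        m, a = mode_re.match(line), ace_re.match(line)
        if m:
            mode, uid, gid, path = m.groups()
            info.update(mode=mode, octal=mode_to_octal(mode), uid=int(uid), gid=int(gid), path=path)
        elif line.startswith("Owner:"):
            info["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Primary Group:"):
            sid = info["group"] = line.split(":", 1)[1].strip()
            info["group_rid"] = int(sid.rsplit("-", 1)[1]) if sid.startswith("S-1-") else None  # RID = last field
        elif a:
            who, flags, mask = a.groups()
            info["aces"].append((who, flags, int(mask, 16), describe_mask(int(mask, 16))))
    return info

# Constructed sample stitched together from the two excerpts shown on this page.
SAMPLE = """drwxr-x--- 34 22 /vol1/data
NT Security Descriptor: (0x800F)
Owner: Administrators
Primary Group: S-1-5-21-1638885083-2197052636-4232115574-513
Discretionary Access Control List (DACL):
Domain Users:(IA) 1200A9
Administrators:(IA) 1F01FF
2 ACE(s)"""
```

A mask that is not one of the five summary values comes back as "Special", which is exactly the case the document says to inspect from a Windows client.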



Product
Sun StorageTek 5320 NAS Gateway/Cluster System
Sun StorageTek 5320 NAS Appliance
Sun StorageTek 5320
Sun StorageTek 5310 NAS Gateway/Cluster System
Sun StorageTek 5310 NAS Gateway System
Sun StorageTek 5310 NAS Appliance
Sun StorageTek 5220 NAS Appliance
Sun StorageTek 5220
Sun StorageTek 5210 NAS Appliance

Internal Comments
This document contains normalized content and is managed by the Domain Lead(s) of the respective domains. To notify content owners of a knowledge gap contained in this document, and/or prior to updating this document, please contact the domain engineers that are managing this document via the “Document Feedback” alias(es) listed below:

storage-nas-domain@sun.com


Keywords: NAS, normalized, CIFS, security, cacls
Previously Published As: 90701

Change History
Date: 2007-10-03
User Name: 31620
Action: Approved
Comment: Verified Metadata - ok
Verified Keywords - ok (normalized)
Although content is normalized, there were no dependent articles identified
Verified still correct for audience - currently set to contract
Audience left at contract as per FvF at
Checked review date - currently set to 2008-09-21
Checked for TM - added appropriate for STK product
Publishing under the current pu
Date: 2007-10-01
User Name: 31620
Action: Accept
Comment:
Version: 0
Date: 2007-10-01
User Name: 102104
Action: Approved
Comment: Good document explaining the security descriptors.
Version: 0


Attachments
This solution has no attachment
  Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.