dom_b (partially protected), Joined: 29 Mar 2012, Posts: 5
Posted: Thu Mar 29, 2012 12:10 pm
Post subject: Stornext, Active Directory & Xsan clients (Lion) Permiss
Hi all,
Just wondering if anybody could help with our setup. We are running the following:
Windows SBS 2003 DC
Stornext 4.2.1 MDC on Windows 2008 server
Mac OS X 10.7 Xsan clients - bound to AD
I can mount the file systems fine on the Xsan clients but I am having an issue with permissions.
I have set up a security group in AD with 3 users assigned to it. I only allow these 3 users to log on to the Mac OS X clients. There are some folders I need them all to have read/write permissions on and the rest I need to be denied. As deny permissions take precedence over others I thought I would just go to the directories I need to deny permissions on, add the security group and deny access. That works fine from the Windows end, however I cannot work out how Mac OS X authenticates with Xsan/Stornext.
Once I have mounted the volume the users can only read/write in the root. If I browse deeper into the filesystem I have to authenticate as the local root user on the Mac, then I can read/write anywhere.
It seems to ignore the fact I'm logged on via AD. Any ideas?
dom_b (partially protected), Joined: 29 Mar 2012, Posts: 5
Posted: Mon Apr 02, 2012 6:31 am
Nobody?
Pablitus (Knows DNS is the answer), Joined: 05 Feb 2008, Posts: 37
Posted: Wed Apr 11, 2012 6:40 am
Basically XSAN uses POSIX permissions to access the filesystem and overrides any AD config you are doing. It's not like NTFS.
That's why your idea is not working properly.
One way that comes to my mind is that you assign the permission of the AD group at POSIX level from the Mac. Using the reshare option in an OS X Server you can modify the permissions in POSIX.
dom_b (partially protected), Joined: 29 Mar 2012, Posts: 5
Posted: Wed Apr 11, 2012 7:12 am
Pablitus wrote:
> Basically XSAN uses POSIX permissions to access the filesystem and overrides any AD config you are doing. It's not like NTFS.
> That's why your idea is not working properly.
> One way that comes to my mind is that you assign the permission of the AD group at POSIX level from the Mac. Using the reshare option in an OS X Server you can modify the permissions in POSIX.

Hi, thanks for the reply. We're not actually using any Xsan server or OS X servers at all.
There are not any POSIX permissions explicitly set. All the permissions are set on the Windows 2008 StorNext MDC. This is why I want the OS X clients to log in via Active Directory, and the permissions should work depending on what user logs on.
ogminlo (Xsan Master), Joined: 29 May 2008, Posts: 149
Posted: Wed Apr 11, 2012 1:40 pm
dom_b wrote:
> There are not any POSIX permissions explicitly set. All the permissions are set on the Windows 2008 StorNext MDC. This is why I want the OS X clients to log in via Active Directory, and the permissions should work depending on what user logs on.

Did you enable StorNext's Enforce ACLs option in Configuration > File Systems > Edit > [YourFS] > Advanced Parameters > Features tab (or via enforceACLs in your filesystem's .cfgx file)?
When you have a Windows MDC with Xsan clients, the AD-bound Xsan clients give ACLs precedence over POSIX as long as an ACE is found for a given user on a given directory or file. If no deny or allow entry exists, you'll revert to POSIX and then the settings for Unix File Creation Mode on Windows, Unix Directory Creation Mode on Windows, Unix Nobody UID on Windows, Unix Nobody GID on Windows, and Unix ID Fabrication on Windows come into play.
See Appendix F: StorNext Security of the StorNext User's Guide for more info. You can find the PDF for your version of SNFS here.
dom_b (partially protected), Joined: 29 Mar 2012, Posts: 5
Posted: Thu Apr 12, 2012 3:58 am
Enforce ACLs is enabled. There is a security group assigned to the directory named 'edit' with full control on the directory. The users are part of this security group.
When you create a folder you just receive an administrator prompt in OS X. Unless you enter the local admin user you can't do anything in the directory.
It seems to completely ignore any of the ACL/Open Directory stuff.
dom_b (partially protected), Joined: 29 Mar 2012, Posts: 5
Posted: Thu Apr 12, 2012 5:59 am
Think I may have solved my issue. Forgot to set ACLs on the actual root of the volume so they were not being inherited correctly. Now managed to hide folders from users entirely and can read/write as expected without being prompted for another user.
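The access decision ogminlo describes (a matching ACE decides, a deny entry wins over allows, and with no ACE at all the client falls back to POSIX mode bits) and dom_b's fix (ACEs set on the volume root so they are inherited downward), replayed as an added Python model. This is not StorNext or Xsan code; the principal names, the directory tree and the POSIX fallback bits are constructed for the illustration.

```python
"""Constructed model of the StorNext/Xsan permission precedence discussed in
the thread: ACL wins when an ACE matches the user or one of their groups,
deny beats allow, and with no matching ACE access falls back to POSIX.
ACE inheritance is modelled so the missing-root-ACL case can be replayed."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Ace:
    principal: str          # constructed name, e.g. "DOMAIN\\editors"
    allow: bool             # True = allow entry, False = deny entry
    inherit: bool = True    # propagate to child objects (assumed default)

@dataclass
class Node:
    name: str
    parent: Optional["Node"] = None
    aces: list = field(default_factory=list)
    posix_other_write: bool = False   # fallback: 'other' write bit on a nobody-owned dir

def effective_aces(node: Node) -> list:
    """The node's own ACEs plus every inheritable ACE from its ancestors."""
    out, p = list(node.aces), node.parent
    while p is not None:
        out += [a for a in p.aces if a.inherit]
        p = p.parent
    return out

def can_write(node: Node, user: str, groups: set) -> bool:
    matching = [a for a in effective_aces(node) if a.principal in groups | {user}]
    if matching:                       # ACL path: any deny entry overrides allows
        return all(a.allow for a in matching)
    return node.posix_other_write      # no ACE found at all: POSIX fallback

def build_volume(root_aces: list) -> dict:
    """Constructed tree: writable root, one dir with an explicit allow, one with an
    explicit deny, and one with no ACEs of its own (only what it inherits)."""
    root = Node("/", aces=root_aces, posix_other_write=True)
    return {
        "/": root,
        "/edit": Node("edit", root, [Ace("DOMAIN\\editors", True)]),
        "/archive": Node("archive", root, [Ace("DOMAIN\\editors", False)]),
        "/footage": Node("footage", root),
    }

def outcome(root_aces: list) -> dict:
    """Write decision per path for a constructed AD user in the editors group."""
    vol = build_volume(root_aces)
    return {path: can_write(n, "DOMAIN\\dom", {"DOMAIN\\editors"}) for path, n in vol.items()}

BEFORE = outcome([])                                # no ACEs on the root: /footage falls back to POSIX
AFTER = outcome([Ace("DOMAIN\\editors", True)])     # root ACE added and inherited by /footage
```

In the BEFORE run only the root and the explicitly allowed directory are writable; after the root ACE is added the unlisted directory inherits the allow while the explicit deny still hides /archive.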