This topic describes the features of access control lists (ACLs) for Apsara File Storage NAS Server Message Block (SMB) file systems.

Background information

ACLs are one of the most important enterprise-level features. If an SMB client is not joined to an Active Directory (AD) domain, the ACLs of an SMB file system mounted on that client are read-only, and you access the file system as a user from the Everyone group. If you join SMB clients to a self-managed AD domain, you can mount an SMB file system and configure ACLs for files and directories as an AD user or as a user from the Everyone group.

For more information about how to configure AD, see Join the mount target of an SMB file system to an AD domain.

For more information about how to mount an SMB file system, see Use an AD account to mount an SMB file system on a Windows client.

Default ACL

The following figure shows the default ACL of the root directory of an SMB file system (figure: SMB_ACL_default_value).
  • Considerations
    • To be consistent with Windows NTFS permissions, access control entries (ACEs) that grant permissions to the SYSTEM and Administrators groups are used. These ACEs ensure that applications that run with administrator permissions work as expected. You can use Resource Access Management (RAM) to create a RAM user and attach a policy that includes administration permissions to that user. This user can then be used as a superuser.
    • To implement inheritance and be consistent with Windows NTFS permissions, an ACE that grants permissions to the CREATOR OWNER group is used.
    • After you set the Owner parameter to Everyone, the Everyone group has full access to the root directory. This allows local users from the Everyone group to access the SMB file system and create files or directories.
    • You can set the Allow Anonymous Access parameter to No. This setting allows access only from AD users and blocks users from the Everyone group.
  • Compatibility with user habits
    • To ensure business continuity, local users from the Everyone group keep full access to files and directories that were created before you joined the SMB client to AD. All local users from the Everyone group have the same access to resources as the Everyone group itself. You can authenticate a local user from the Everyone group by using NT LAN Manager (NTLM) and use that local user to mount an SMB file system.
    • To keep the root directory of an SMB file system accessible, the ACL of the root directory remains unchanged. If you want to deny users of the Everyone group access to specific objects, create subdirectories to store these objects.
    • New files or subdirectories that AD users create do not inherit the ACL of the root directory. Therefore, users of the Everyone group cannot access these new files or directories. Only users from the CREATOR OWNER and Administrators groups can access them.
    • An AD user can access files or directories that are created by local users of the Everyone group.

You cannot mount an SMB file system by using users from different groups.

You can mount an SMB file system by using users from the same group. If you attempt to mount an SMB file system as a user from a different group, the following error occurs (figure: Connect_existed_network).

Ensure data security

If an unauthorized user has denied the Administrators group or other users access to files or directories, you must use administrator permissions to reset access to these files or directories.

NAS applies data security rules to SMB file systems in a way similar to how Windows Server applies them to local file systems. For example, if an unauthorized user changes the owner of a directory and sets the access of the Everyone group to Deny, log on to the SMB client where the error occurs as a user from the Domain Admins or Built-in Administrators group, click OK in the error message, and follow these steps:
  • Change the owner of the directory to an administrator or the Everyone group.
  • Clear all deny permissions and specify the required allow permissions for the Everyone group.
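The two steps above, scripted for a Cygwin or bash shell on the Windows SMB client as an added example that is not part of the NAS documentation. It relies on the standard Windows icacls flags /setowner, /remove:d and /grant; the directory path, owner and DRY_RUN switch are assumptions of this example, and the script must run from an administrator session.

```shell
#!/bin/sh
# Added example, not from the NAS documentation: restore administrator control
# of a directory whose owner was changed and whose DACL carries a Deny entry
# for Everyone. Runs under Cygwin/bash on a Windows SMB client with
# administrator rights. Set DRY_RUN=1 to print the commands instead of
# executing them.

# run CMD ARGS...: execute, or just print, depending on DRY_RUN.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# reset_dir_acl DIR [OWNER]
#   Step 1: set the owner back to an administrator (default) or to Everyone.
#   Step 2: remove every Deny entry for Everyone, recursively.
#   Step 3: grant Everyone the required Allow permissions; (OI)(CI) makes the
#           entry inherit to files and subdirectories, (M) is Modify.
# /T recurses, /C continues past objects that still report access errors.
reset_dir_acl() {
    dir=$1
    owner=${2:-'BUILTIN\Administrators'}
    run icacls "$dir" /setowner "$owner" /T /C
    run icacls "$dir" /remove:d Everyone /T /C
    run icacls "$dir" /grant 'Everyone:(OI)(CI)(M)' /T /C
}

# Usage (dry run first, then for real):
#   DRY_RUN=1 reset_dir_acl 'Z:\shared\locked_dir'
#   reset_dir_acl 'Z:\shared\locked_dir'
```

Run it with DRY_RUN=1 first so the three icacls invocations can be reviewed; Deny entries for principals other than Everyone need their own /remove:d call, because icacls removes Deny entries per principal.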

Use Cygwin

Cygwin is a POSIX-compatible programming and runtime environment that runs on Windows. You can run POSIX-based applications in the Cygwin environment. After you enable the SMB ACL feature, the security identifiers (SIDs) of file owners and groups and the Windows discretionary ACLs (DACLs) are converted to POSIX user IDs (UIDs), group IDs (GIDs), and ACLs. For more information, see Cygwin ntsec.html.

  • Add the noacl option to the /etc/fstab file.
    If you want to use SMB file systems in the Cygwin environment, we recommend that you add the noacl mount option to the /etc/fstab file. This option prevents Cygwin from performing its complex ACL conversion and instead applies a fixed default file mode to new files and directories. UIDs and GIDs still represent Windows users and groups. The basic rules are as follows:
    • The default file mode for directories is 755.

      drwxr-xr-x 1 cat Domain Users 0 Jul 25 06:18 dir

    • The default file mode for files is 644.

      -rw-r--r-- 1 cat Domain Users 0 Jul 25 06:42 file

    • The file mode for files can be 644 or 444.

      If you set the file mode to 444, the DOS read-only attribute is set. With the noacl option, the DOS read-only attribute is the only attribute that is converted, and only for files.

    • You cannot use the chmod command to change the permissions for directories. You can use the chmod command to set the file mode for files to 644 or 444 only.
    • The chown and chgrp commands are not supported.
    • The getfacl and setfacl commands are not supported.
    • On an SMB client, directories always show the file mode 755 and files show 644 or 444. These modes do not reflect the ACL that NAS enforces: NAS may deny your access to an object even if the displayed mode grants you permission.
  • Add the acl option to the /etc/fstab file.

    By default, a user from the Everyone group is used to mount an SMB file system. In the Cygwin environment, the Everyone group corresponds to the other class. After you create files or directories in the Cygwin environment, Cygwin runs chmod to apply the default file mode to the new files or directories, in the same way Linux does. Under these rules, the other class receives read and execute access to directories and read access to files. Therefore, the Everyone group has only read and execute access to new directories and only read access to new files, and users of the Everyone group cannot create files in a new directory.

    We recommend that you enable the noacl option rather than the acl option in the Cygwin environment.
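A small audit script for the recommendation above, added here as an example that is not part of the NAS documentation: it scans a Cygwin-style /etc/fstab for SMB entries (UNC devices of the form //server/share) that lack noacl, emits a recommended entry, and rewrites entries that are missing the option. The server and share names, the mount points and the smbfs type field are constructed placeholders of this example; Cygwin's fstab syntax and the noacl and binary options are documented Cygwin features.

```shell
#!/bin/sh
# Added example, not part of the NAS documentation: audit a Cygwin /etc/fstab
# for SMB entries that lack the recommended "noacl" option. Server and share
# names below are constructed placeholders.

# fstab_noacl_status FSTAB MOUNTPOINT
#   prints "ok"      if the SMB entry for MOUNTPOINT carries noacl,
#          "missing" if the entry exists without noacl,
#          "absent"  if no SMB entry uses that mount point.
fstab_noacl_status() {
    fstab=$1
    mp=$2
    status=absent
    while read -r dev mnt fstype opts rest; do
        # skip blank lines and comments
        case $dev in ''|\#*) continue ;; esac
        # only UNC devices are SMB shares; /cygdrive and local mounts are ignored
        case $dev in //*) ;; *) continue ;; esac
        [ "$mnt" = "$mp" ] || continue
        status=missing
        # match noacl as a whole option, not as a substring of another option
        case ",$opts," in *,noacl,*) status=ok ;; esac
    done < "$fstab"
    printf '%s\n' "$status"
}

# fstab_smb_line UNC MOUNTPOINT
#   prints a recommended entry: binary mode plus noacl, so Cygwin applies the
#   fixed 755/644 modes instead of translating the Windows DACL.
fstab_smb_line() {
    printf '%s %s smbfs binary,noacl 0 0\n' "$1" "$2"
}

# fstab_add_noacl FSTAB
#   prints FSTAB with noacl appended to every SMB entry that lacks it;
#   comments, cygdrive and local entries pass through unchanged.
fstab_add_noacl() {
    awk 'index($1, "//") == 1 && index(("," $4 ","), ",noacl,") == 0 { $4 = $4 ",noacl" } { print }' "$1"
}

# Demonstration on a constructed fstab (safe to run on any POSIX shell).
demo_fstab=$(mktemp)
cat > "$demo_fstab" <<'EOF'
# constructed sample, not a real configuration
none /cygdrive cygdrive binary,posix=0,user 0 0
//nas-example/share /mnt/nas smbfs binary 0 0
EOF
echo "/mnt/nas before: $(fstab_noacl_status "$demo_fstab" /mnt/nas)"         # missing
fstab_add_noacl "$demo_fstab" > "$demo_fstab.fixed"
echo "/mnt/nas after:  $(fstab_noacl_status "$demo_fstab.fixed" /mnt/nas)"   # ok
rm -f "$demo_fstab" "$demo_fstab.fixed"
```

Point fstab_noacl_status at the real /etc/fstab and the mount point of the NAS share to confirm the option is in place before relying on the 755/644 behaviour described above; a new mount, or a remount, is needed after the file is changed.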

Use ACLs on a Linux client that resides in AD

If you use the mount -t cifs command to mount an SMB file system on Linux, you can specify an AD user together with other parameters: the UID, the GID, the default file mode for new files, and the default file mode for new directories. When you access the SMB file system, the SMB client checks POSIX permissions locally, based on the specified UID and GID and the ID of the logon user. Whichever Linux user accesses the SMB file system, the permissions that the Linux user has are mapped to DOS attributes, and the specified AD user manages the SMB file system on the NAS side by using these DOS attributes. The root user therefore has only the permissions of the AD user, not administrator permissions. Permission-related commands, including chmod, chown, chgrp, getfacl, and setfacl, are unavailable on the mounted file system in Linux.
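The mount described above, as an added example that is not part of the NAS documentation. It keeps the AD password in a credentials file with mode 0600 instead of on the command line, validates the file and directory modes, and assembles the uid, gid, file_mode and dir_mode options the paragraph names (all of which are standard mount.cifs options). The domain, user, share path, mount point and DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the NAS documentation: mount an SMB file system on a
# Linux client with mount -t cifs as an AD user, pinning the POSIX identity
# (uid/gid) and the default modes that the client enforces locally.
# Domain, user, share and mount point are constructed placeholders.

# write_cifs_credentials FILE DOMAIN USER PASSWORD
#   Creates a mount.cifs credentials file readable only by its owner, so the
#   AD password never appears in the command line, process list or history.
write_cifs_credentials() {
    file=$1
    ( umask 077; printf 'username=%s\npassword=%s\ndomain=%s\n' "$3" "$4" "$2" > "$file" )
}

# is_octal_mode MODE: accept only four-digit octal modes such as 0644 or 0755.
is_octal_mode() {
    case $1 in 0[0-7][0-7][0-7]) return 0 ;; *) return 1 ;; esac
}

# cifs_mount_opts CREDFILE UID GID FILE_MODE DIR_MODE
#   Prints the -o option string. uid/gid decide which local user owns the
#   files; file_mode/dir_mode are the default modes the client checks, while
#   NAS still enforces the AD user's own permissions on the server side.
cifs_mount_opts() {
    if ! is_octal_mode "$4" || ! is_octal_mode "$5"; then
        echo "cifs_mount_opts: modes must be four-digit octal, e.g. 0644 0755" >&2
        return 1
    fi
    printf 'credentials=%s,uid=%s,gid=%s,file_mode=%s,dir_mode=%s' "$1" "$2" "$3" "$4" "$5"
}

# cifs_mount UNC MOUNTPOINT OPTS
#   Performs the mount (needs root); with DRY_RUN=1 it prints the command.
cifs_mount() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'mount -t cifs %s %s -o %s\n' "$1" "$2" "$3"
        return 0
    fi
    mount -t cifs "$1" "$2" -o "$3"
}

# Usage (as root, with a real mount target and an AD account):
#   write_cifs_credentials /root/.nas-creds EXAMPLE aduser 'secret'
#   opts=$(cifs_mount_opts /root/.nas-creds 1000 1000 0644 0755)
#   cifs_mount //nas-example/share /mnt/nas "$opts"
```

Because the SMB client checks the uid, gid and modes only locally, a permissive file_mode or dir_mode does not widen what the AD user may do on the NAS side; keep the credentials file owned by root with mode 0600 and reference it from /etc/fstab rather than pasting the password into the options.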

For more information, see Use an AD user to mount an SMB file system.