The access control list (ACL) feature of an Apsara File Storage NAS Server Message Block (SMB) file system is designed for enterprise users. If a NAS SMB file system is not connected to an Active Directory (AD) domain, the ACLs of the SMB file system are read-only. You can access the SMB file system as a member of the Everyone group. You can connect an SMB file system to a self-managed AD domain. Then, you can mount the SMB file system and configure ACLs for the files and the directories as an AD user or a member of the Everyone group. This topic describes the features and design challenges of the default ACL of an SMB file system.

Default ACL

The following figure shows the default ACL of the root directory in an SMB file system.
[Figure: SMB_ACL_default_value]
  • Challenges
    • To align with Windows NTFS permissions, the SYSTEM and Administrators access control entries (ACEs) are used. The ACEs ensure that the applications with administrator permissions run as expected. After you integrate NAS with Resource Access Management (RAM), you can grant administrator permissions to a super admin.
    • To implement inheritance and align with Windows NTFS permissions, the CREATOR OWNER ACE is also used.
    • You can modify the ACL feature of an SMB file system. For example, you can set the Allow Anonymous Access parameter to No. This way, only AD users can access the SMB file system, and the identity of the Everyone group can no longer access it.
  • Compatibility with user habits
    • To eliminate the impact on on-premises users, the Everyone group is granted full access to the files or directories that are created in an SMB file system before you connect the SMB file system to AD. All on-premises users can mount an SMB file system as the identity of the Everyone group over NT LAN Manager (NTLM), and access the resources of the Everyone group.
    • The files or subdirectories that are created by AD users do not inherit the permissions of the Everyone group. On-premises users cannot access these files or directories. Only the members of the CREATOR OWNER and Administrators groups can access them.
    • An AD user can access files or directories that are created by on-premises users, because those users act as the identity of the Everyone group.

You cannot mount an SMB file system as multiple identities.

You can mount an SMB file system as only one identity. If you attempt to mount an SMB file system as a different identity, the following error occurs.
[Figure: Connect_existed_network]

Ensure data security

You may be unable to access a file or directory if an unauthorized user revokes the permissions of the Administrators and Everyone groups on that file or directory. In this case, you must remount the SMB file system in which the file or directory resides and grant the permissions on the file or directory as an administrator.

SMB file systems support the super admin feature. In the NAS console, you can specify a user or group as a super admin. You can view files, modify files, or modify the permissions of files as a super admin regardless of which permissions are granted on the files. For example, if an unauthorized user assumes the ownership of a directory and revokes the access permissions on the directory from the Everyone group, you can restore the permissions to the previous permissions as a super admin.
Notice: After you enable the super admin feature for an SMB file system, you must remount the SMB file system.

Use Cygwin

Cygwin is a POSIX-compatible programming and runtime environment that runs on Windows. You can run POSIX-based applications in the Cygwin environment. After you enable the SMB ACL feature, the security identifiers (SIDs) of file owners, the SIDs of groups, and Windows discretionary ACLs (DACLs) are converted to POSIX user IDs (UIDs), group IDs (GIDs), and ACLs. For more information, see Cygwin ntsec.html.

  • Add the noacl option to the /etc/fstab file, as shown in the following figure.
    [Figure: nacal]
    With the noacl option, Cygwin skips the complex ACL conversion and applies a fixed default file mode creation mask to new files and directories. UIDs and GIDs still indicate Windows users and groups. Take note of the following basic rules:
    • The default file mode creation mask for directories is 755.
      drwxr-xr-x 1 cat Domain Users 0 Jul 25 06:18 dir
    • The default file mode creation mask for files is 644.
      -rw-r--r-- 1 cat Domain Users 0 Jul 25 06:42 file
    • The file mode creation mask for files can be 644 or 444.

      If you set the file mode creation mask to 444, the DOS read-only attribute is set on the file. The noacl option converts the DOS read-only attribute only for files, not for directories.

    • You cannot run the chmod command to change the permissions on directories. You can run the chmod command only to set the file mode of files to 644 or 444.
    • The chown and chgrp commands are not supported.
    • The getfacl and setfacl commands are not supported.
    • The mode that an SMB client displays is always 755 for directories and 644 or 444 for files. These modes do not reflect the real NAS-side ACL: in specific cases, NAS denies access to an object even though the command output on the client shows that you can access it.
  • Add the acl option to the /etc/fstab file.

    By default, the identity of the Everyone group is used to mount an SMB file system. The Everyone group corresponds to the other class in the Cygwin environment. After you create files or directories in the Cygwin environment, Cygwin automatically runs the chmod command to apply the default file mode creation mask to the new files or directories, in the same way that Linux does. Based on the preceding rules, the other class is granted read and execute permissions on directories and read permissions on files. As a result, the Everyone group is granted only read and execute permissions on new directories and read permissions on new files, so the identity of the Everyone group cannot create files in a new directory.

    We recommend that you enable the noacl option instead of the acl option in the Cygwin environment.
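The Cygwin behaviour described in this section, modelled as an added Python example (not Alibaba Cloud or Cygwin code): the fixed modes reported under the noacl option, the chmod restrictions, and the umask-derived mode under the acl option that leaves the Everyone group (Cygwin's other class) unable to create files in a new directory. A umask of 022 is assumed, since it yields the 755 and 644 defaults listed above.

```python
import stat


def noacl_mode(is_dir: bool, dos_readonly: bool = False) -> int:
    """Mode that Cygwin reports for an object on a share mounted with noacl."""
    if is_dir:
        return 0o755                      # directories are always 755
    return 0o444 if dos_readonly else 0o644   # 444 means DOS read-only


def noacl_chmod(is_dir: bool, mode: int) -> bool:
    """Apply a chmod request under noacl; return the resulting DOS read-only flag.

    chmod on a directory is not supported, and a file may only be set to
    644 (writable) or 444 (DOS read-only attribute set).
    """
    if is_dir:
        raise PermissionError("chmod on directories is not supported under noacl")
    if mode not in (0o644, 0o444):
        raise ValueError(f"files can only be set to 644 or 444, not {mode:o}")
    return mode == 0o444


def everyone_rights_under_acl(is_dir: bool, umask: int = 0o022) -> dict:
    """Rights the Everyone group ends up with when the acl option is used.

    Cygwin applies the default creation mode minus the umask (assumed 022);
    the 'other' class bits become the Everyone ACE on the NAS side.
    """
    base = 0o777 if is_dir else 0o666
    mode = base & ~umask
    other = mode & 0o007
    return {
        "mode": mode,
        "read": bool(other & 0o4),
        "write": bool(other & 0o2),
        "execute": bool(other & 0o1),
        # creating a file inside a directory needs write permission on it
        "can_create_in_dir": is_dir and bool(other & 0o2),
    }


def ls_mode_string(mode: int, is_dir: bool) -> str:
    """Render a mode the way the ls -l samples in this section show it."""
    return stat.filemode(mode | (stat.S_IFDIR if is_dir else stat.S_IFREG))
```

Running `everyone_rights_under_acl(True)` returns mode 755 with `can_create_in_dir` False, which is the reason the section recommends noacl over acl.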

Use ACLs on a Linux client that resides in an AD domain

  • If you run the mount -t cifs command to mount an SMB file system on Linux, you can specify an AD user and set parameters such as the UID, GID, default file mode creation mask for new files, and default file mode creation mask for new directories.
  • When you access an SMB file system, the Linux client checks POSIX permissions based on the UID and GID that you specified and your actual Linux identity.
  • Regardless of which Linux user you use to access an SMB file system, all your operations are performed on the NAS side as the AD user. Even the root user is granted only the permissions of the AD user, not administrator permissions. Permission-related commands, including chmod, chown, chgrp, getfacl, and setfacl, are unavailable in Linux.

For more information, see Mount and use an SMB file system on a Linux client as an AD domain user.