Udostępnij za pośrednictwem


How NFS access works over NTFS permissions

Recently we faced a scenario where a NFS share is created on a windows machine and UNIX client are trying to access it. (The behavior may be different based on the NTFS permission.)

Though UNIX showed full permission for the user; we were getting access denied while deleting the file in the NFS share! The investigation revealed a complex scenario.

Let’s discuss it.

This is based on our testing on our Lab machines:

On the Windows box; we created user user1 and a group grp1. Now, user1 was made a member of grp1 and set as primary group for user1. On the UNIX end; we created a user called user1 and a group grp1.

We configured User Name Mapping and Group Mapping.

A NFS share was created in windows box.

The NTFS permission for the share looks like this

  C:\NTFS-NFS <machine_name>\grp1:(OI)(CI)(special access:)

                                                      READ_CONTROL

                                                      WRITE_DAC

                                                      WRITE_OWNER

                                                      SYNCHRONIZE

                                                      FILE_GENERIC_READ

                                                      FILE_GENERIC_WRITE

                                             FILE_GENERIC_EXECUTE

                                                      FILE_READ_DATA

                                                      FILE_WRITE_DATA

                                                      FILE_APPEND_DATA

                FILE_READ_EA

                                                      FILE_WRITE_EA

                                                      FILE_EXECUTE

                                                      FILE_READ_ATTRIBUTES

                     FILE_WRITE_ATTRIBUTES

                               NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F

                               BUILTIN\Administrators:(OI)(CI)(ID)F

                              

The effective permission for the grp1 is as below. It has all permission except the one highlighted.

NTFS permission

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

  

 

 

 

 + So user1 will inherit the permission based on the permission given to grp1.

From UNIX side:

 

Mounted the NFS share as root.

The logged in as user1 (this user is mapped to user1 on Windows box).

Created a folder under the share "user1_unix".

For “user1_unix” observed the following
NTFS "inherit" permission is not set (though if we create a folder from Windows box in the same location; it gets NTFS "inherit" permission set).

The user1 is the owner of "user1_unix".

Permission for user1 on the "user1_unix" is RWX.

grp1 has the permission that was given to parent directory.

ls -l Permissions 

 

 

 

From UNIX though user1 has full rights on the folder which he created and is also the owner but still would not be able to delete it. Take a Netmon trace and you will see that rmdir call is being send over the wire with correct UID and GID. The consecutive reply shows the ‘err_access’ (permission denied).

Below is the input from the access calls

err_access

 

 

 

 

 

 

Below is the input from the access reply call

access call reply

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Below is the inputs from the delete call (RMDIR)

rmdir

 

rmdir reply

 

 

 

 

 

 

Now from the windows box if you create a folder under the NFS share logged in as User1 then you would see that user1 is the owner and has full NTFS permission and is also able to delete the folder.

When can we delete files /folder from UNIX client?
1. If we grant "delete subfolder and files" permission to the parent folder (nfstest) for grp1
2. If we grant "delete" permission to the parent folder (nfstest) for user1

And the above two conditions are true whether or not we are inheriting the properties from parent folder.

Our findings:

· If we remove the "delete subfolder" permission on NFS share for a user / group ; even if that user / group has explicit permission in some child folder in that NFS share; from UNIX side (even if we see RWX permission for that user) as that user we will not be able to delete the folder.

· From windows side when the users create a folder under the NFS share; he would be the owner and have full control in NTFS permission. Hence he would be able to delete the same.

BTW, NFS will ignore NTFS inheritance to comply with standard UNIX behavior.

Enabling KeepInheritance is recommended when files on NFS shares are meant to be accessed by both UNIX and Windows users and should be done on all the nodes in the cluster.

Ø HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Server for NFS\CurrentVersion\Mapping\KeepInheritance

By default, the value of the KeepInheritance entry is 0, which means that newly created files and directories on NFS shares will not inherit ACEs from their parent directory. However, if an administrator wants to be able to read and write every file and directory created in a hierarchy, the administrator should set this value to 1 and set an inheritable read/write ACE at the root of the hierarchy.

You can refer to the TechNet article for the details on KeepInheritance.

Comments

  • Anonymous
    January 01, 2003
    We do get a lot of questions on multiple users mapping between Windows and Unix users. I have tried to