Hi Paul,

We use both Windows and Linux with our FS but only have NFSv4 ACLs enabled (we do also set “chmodAndSetAcl” on the fileset which makes chmod etc work whilst not breaking the ACL badly).

We’ve only found 1 case where POSIX ACLs were needed, and really that was some other IBM software that didn’t understand ACLs (which is now fixed).

The groups exist in both AD and our internal LDAP where they have gidNumbers assigned.

For our research projects we set the following as the default on the directory:

    $ mmgetacl some-project
    #NFSv4 ACL
    #owner:root
    #group:gITS_BEAR_2019- some-project
    special:owner@:rwxc:allow:FileInherit:DirInherit
     (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
     (X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

    group:gITS_BEAR_2019- some-project:rwxc:allow:FileInherit:DirInherit
     (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
     (X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

    special:everyone@:----:allow
     (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
     (-)DELETE (-)DELETE_CHILD (-)CHOWN (-)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

    special:owner@:rwxc:allow
     (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
     (-)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

    special:group@:rwx-:allow
     (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
     (-)DELETE (X)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

Simon

From: <[email protected]> on behalf of Paul Ward <[email protected]>
Reply to: "[email protected]" <[email protected]>
Date: Tuesday, 15 October 2019 at 13:34
To: "[email protected]" <[email protected]>
Subject: [gpfsug-discuss] default owner and group for POSIX ACLs

We are in the process of changing the way GPFS assigns UID/GIDs from internal tdb to using AD RIDs with an offset that matches our Linux systems.

We, therefore, need to change the ACLs for all the files in GPFS (up to 80 million).

We are running in mixed ACL mode, with some POSIX and some NFSv4 ACLs being applied. (This system was set up 14 years ago and has changed roles over time.) We are running on Linux, so need to have POSIX permissions enabled.

What I want to know for those in a similar environment, what do you have as the POSIX owner and group, when NFSv4 ACLs are in use?

    root:root

or do you have all files owned by a filesystem administrator account and group:

    <ad service account>:<ad fileserver admin group>

On our samba shares we have:

    admin users = @<ad fileserver admin group>

So don’t actually need the group defined in POSIX.

Kindest regards,
Paul

Paul Ward
TS Infrastructure Architect
Natural History Museum
T: 02079426450
E: [email protected]
_______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
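
One way to audit a default NFSv4 ACL like the one posted in the reply above, as an added example that is not part of the thread or of any GPFS tooling: it parses text in the layout `mmgetacl` prints and flags an `everyone@` entry with data access or a missing inheritable named-group entry. The function names, the `DATA_RIGHTS` set, the two checks and the `grp_example` group are assumptions made for the illustration.

```python
import re

# Constructed sample in mmgetacl's NFSv4 layout; grp_example is a placeholder
# and the everyone@ entry is deliberately too open so the audit has a finding.
SAMPLE = """\
#NFSv4 ACL
#owner:root
#group:grp_example
special:owner@:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
group:grp_example:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (X)DELETE (X)DELETE_CHILD (X)CHOWN (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED
special:everyone@:r-x-:allow
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL (X)READ_ATTR (X)READ_NAMED
 (-)DELETE (-)DELETE_CHILD (-)CHOWN (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
"""
RIGHT = re.compile(r"\((X|-)\)(\S+)")
DATA_RIGHTS = {"READ/LIST", "WRITE/CREATE", "APPEND/MKDIR", "EXEC/SEARCH", "DELETE", "DELETE_CHILD"}

def parse_acl(text):
    """Split mmgetacl NFSv4 output into (header dict, list of ACL entries)."""
    header, entries = {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("#"):                 # "#owner:root", "#group:..."
            key, sep, value = line[1:].partition(":")
            if sep:
                header[key] = value
        elif line.startswith("(") and entries:   # rights rows of the last entry
            entries[-1]["rights"] |= {n for f, n in RIGHT.findall(line) if f == "X"}
        elif line:                               # "type:who:mode:allow[:flags]"
            kind, who, mode, ace, *flags = line.split(":")
            entries.append({"kind": kind, "who": who, "mode": mode, "ace": ace,
                            "flags": set(flags), "rights": set()})
    return header, entries

def audit(text):
    """Flag data access for everyone@ and a missing inheritable group entry."""
    _, entries = parse_acl(text)
    findings = []
    for e in entries:
        open_rights = e["rights"] & DATA_RIGHTS
        if e["who"] == "everyone@" and e["ace"] == "allow" and open_rights:
            findings.append("everyone@ allowed: " + ", ".join(sorted(open_rights)))
    if not any(e["kind"] == "group" and {"FileInherit", "DirInherit"} <= e["flags"]
               for e in entries):
        findings.append("no inheritable named-group entry")
    return findings
```

Calling `audit()` on saved `mmgetacl` output returns a list of findings, empty when neither check trips.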
