Administrator Guide

8. Click the Permissions tab and follow Microsoft’s best practices to assign ACL permissions for users and groups to the SMB
share.
Change the Owner of an SMB Share Using the FluidFS Cluster Administrator Account
If the FluidFS cluster is not joined to Active Directory, use the Administrator account to change the owner of an SMB share. These
steps might vary slightly depending on which version of Windows you are using.
1. Start the Map network drive wizard.
2. In Folder type: \\client_vip_or_name\smb_share_name
3. Select Connect using different credentials.
4. Click Finish.
5. When prompted, type the Administrator credentials and click OK.
6. Right-click the mapped SMB share (folder) and select Properties. The Properties dialog box opens.
7. Click the Security tab and then click Advanced. The Advanced Security Settings dialog box opens.
8. Click the Owner tab and then click Edit. The Advanced Security Settings dialog box opens.
9. Click Other users or groups. The Select User or Group dialog box opens.
10. Select the domain admin user account that is used to set ACLs for this SMB share or select the Domain Admins group.
Alternatively, the FluidFS cluster Administrator account can be used. Click OK.
11. Ensure that Replace owner on subcontainers and objects is selected and click OK.
12. After the owner is set, unmap the network drive.
13. Remap the network drive as the account that has ownership of it, as set previously.
14. Click the Permissions tab of the Advanced Security Settings dialog box and follow Microsoft’s best practices to assign ACL
permissions for users and groups to the SMB share.
Managing ACLs or SLPs on an SMB Share
The FluidFS cluster supports two levels of access control to SMB shares, files, and folders:
Access control lists (ACLs): Govern access to specific files and folders. The administrator can control a wide range of
operations that users and groups can perform.
Share-level permissions (SLPs): Govern access to entire shares. The administrator controls only read, change, or full access to
an entire share.
SLPs are limited because they only address full control, modify, and read rights for any given user or group at the SMB share level.
ACLs control many more operations than only read/change/full access. Use the default setting for SLP (authenticated users has full
control) and use ACLs to control access to the SMB share, unless a specific requirement for SLPs cannot be accomplished using
ACLs.
A Windows administrator should follow the best practices defined by Microsoft for ACLs and SLPs.
NOTE: Do not attempt to create an SMB share using MMC. Use MMC only to set SLPs.
Automatic ACL to UNIX Word 777 Mapping
When les with Windows ACLs are displayed from NFS clients, the FluidFS mapping algorithm shows a translated UNIX access
mode. Perfect translation is not possible, so a heuristic is used to translate from the rich Windows ACL to the 9 bits of the UNIX
word. However, when some special SIDs are used inside ACL (for example, creator-owner ACE), the mapping can be inaccurate. For
some applications, NFS clients must see the exact mapping or a mapping for more permissive access. Otherwise, the NFS
applications might not perform denied operations.
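The following added example is not part of the guide and is not the FluidFS mapping algorithm. It is a simplified, hypothetical heuristic that shows why collapsing an ACL into 9 mode bits is lossy and how a creator-owner ACE changes the displayed mode depending on how the special SID is interpreted. The function names, the sample SIDs, and the sample ACL are constructed for illustration.

```python
from dataclasses import dataclass

CREATOR_OWNER, EVERYONE = "S-1-3-0", "S-1-1-0"   # well-known Windows SIDs
# Windows access-mask bits: FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE
READ, WRITE, EXECUTE = 0x0001, 0x0002, 0x0020

@dataclass(frozen=True)
class Ace:
    allow: bool   # True = allow ACE, False = deny ACE
    sid: str
    mask: int

def granted(acl, sids):
    """Walk ACEs in order; for each bit, the first matching allow or deny decides."""
    allowed = denied = 0
    for ace in acl:
        if ace.sid not in sids:
            continue
        if ace.allow:
            allowed |= ace.mask & ~denied
        else:
            denied |= ace.mask & ~allowed
    return allowed

def rwx(mask):
    """Reduce an access mask to a 3-bit rwx triplet."""
    return (4 if mask & READ else 0) | (2 if mask & WRITE else 0) | (1 if mask & EXECUTE else 0)

def acl_to_mode(acl, owner, group, creator_owner_is_owner=False, force_777=False):
    """Hypothetical heuristic (an assumption, not FluidFS code): ACL -> 9-bit UNIX mode."""
    if force_777:                  # display-only override, as the guide describes it
        return 0o777
    owner_sids = {owner, EVERYONE}
    if creator_owner_is_owner:     # one possible reading of the special SID
        owner_sids.add(CREATOR_OWNER)
    u = rwx(granted(acl, owner_sids))
    g = rwx(granted(acl, {group, EVERYONE}))
    o = rwx(granted(acl, {EVERYONE}))
    return (u << 6) | (g << 3) | o

# Constructed sample data: these SIDs and this ACL are made up for the illustration.
OWNER, GROUP = "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-513"
SAMPLE_ACL = [
    Ace(True, CREATOR_OWNER, READ | WRITE | EXECUTE),
    Ace(True, GROUP, READ | EXECUTE),
    Ace(False, EVERYONE, WRITE),
]

if __name__ == "__main__":
    for kwargs in ({}, {"creator_owner_is_owner": True}, {"force_777": True}):
        print(kwargs, oct(acl_to_mode(SAMPLE_ACL, OWNER, GROUP, **kwargs)))
```

The same ACL is shown as 050 or 750 depending only on how the creator-owner ACE is read, which is the kind of inaccuracy that an application checking mode bits on the NFS side would act on.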
FluidFS versions 5 or later provide an option that causes all objects with SMB ACLs to be presented with UNIX Word 777 from NFS
clients (for display only). This option, which is disabled by default, can be configured under NAS Volume settings.
1. In the Storage view, select a FluidFS cluster.
2. Click the File System tab.
FluidFS NAS Volumes, Shares, and Exports