Administrator Guide

4 Click Finish.
5 When prompted, type the Administrator credentials and click OK.
6 Right-click the mapped SMB share (folder) and select Properties. The Properties dialog box opens.
7 Click the Security tab and then click Advanced. The Advanced Security Settings dialog box opens.
8 Click the Owner tab and then click Edit. The Advanced Security Settings dialog box opens.
9 Click Other users or groups. The Select User or Group dialog box opens.
10 Select the domain admin user account that is used to set ACLs for this SMB share or select the Domain Admins group. Alternatively,
the FluidFS cluster Administrator account can be used. Click OK.
11 Ensure that Replace owner on subcontainers and objects is selected and click OK.
12 After the owner is set, unmap the network drive.
13 Remap the network drive as the account that has ownership of it, as set previously.
14 Click the Permissions tab of the Advanced Security Settings dialog box and follow Microsoft’s best practices to assign ACL
permissions for users and groups to the SMB share.
Managing ACLs or SLPs on an SMB Share
The FluidFS cluster supports two levels of access control to SMB shares, files, and folders:
Access control lists (ACLs): Govern access to specific files and folders. The administrator can control a wide range of operations that
users and groups can perform.
Share-level permissions (SLPs): Govern access to entire shares. The administrator controls only read, change, or full access to an
entire share.
SLPs are limited because they only address full control, modify, and read rights for any given user or group at the SMB share level. ACLs
control many more operations than only read/change/full access. Use the default setting for SLP (authenticated users has full control) and
use ACLs to control access to the SMB share, unless a specific requirement for SLPs cannot be accomplished using ACLs.
A Windows administrator should follow the best practices defined by Microsoft for ACLs and SLPs.
NOTE: Do not attempt to create an SMB share using MMC. Use MMC only to set SLPs.
Automatic ACL to UNIX Word 777 Mapping
When les with Windows ACLs are displayed from NFS clients, the FluidFS mapping algorithm shows a translated UNIX access mode.
Perfect translation is not possible, so a heuristic is used to translate from the rich Windows ACL to the 9 bits of the UNIX word. However,
when some special SIDs are used inside ACL (for example, creator-owner ACE), the mapping can be inaccurate. For some applications,
NFS clients must see the exact mapping or a mapping for more permissive access. Otherwise, the NFS applications might not perform
denied operations.
FluidFS versions 5 or later provide an option that causes all objects with SMB ACLs to be presented with UNIX Word 777 from NFS clients
(for display only). This option, which is disabled by default, can be congured under NAS Volume settings.
1 In the Storage view, select a FluidFS cluster.
2 Click the File System tab.
3 In the File System view, select a NAS volume.
4 Click Edit Settings.
5 In the Edit NAS Volume Settings panel, click Interoperability.
6 Select the Display ACL to UNIX 777 to NFS Clients Enabled checkbox.
NOTE: Actual data-access checks in FluidFS are still made against the original security ACLs.
This feature applies only to NAS volumes with Windows or mixed security style (for files with Windows ACLs).
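Because the UNIX word shown to NFS clients is a translation (or a fixed 777 when the option is enabled) while access is decided by the ACL, permission audits run from an NFS client should not rely on mode bits alone. The following script is an added example, not part of this guide or of FluidFS: it walks a mounted tree and reports every object where the displayed mode bits and the file system's actual answer disagree. The mount path is a placeholder, and the script assumes that the client's access() check reflects the server's ACL decision.

```python
import os
import stat
import sys

BITS = {"r": 4, "w": 2, "x": 1}
ACCESS = {"r": os.R_OK, "w": os.W_OK, "x": os.X_OK}

def mode_allows(st_mode, st_uid, st_gid, uid, gids, op):
    """What the displayed 9-bit UNIX word alone implies for this caller."""
    if uid == st_uid:
        shift = 6          # owner triplet
    elif st_gid in gids:
        shift = 3          # group triplet
    else:
        shift = 0          # other triplet
    return bool((st_mode >> shift) & BITS[op])

def server_allows(path, op):
    """What the file system actually grants for this process. Assumption:
    on the NFS mount, access() reflects the server's ACL-based decision
    rather than the translated mode bits."""
    eff = os.access in os.supports_effective_ids
    return os.access(path, ACCESS[op], effective_ids=eff)

def audit(root, uid=None, gids=None):
    """Return (path, op, mode_says, server_says) for each disagreement."""
    uid = os.geteuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getegid()} if gids is None else set(gids)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue   # symlink mode bits are not meaningful
            for op in "rwx":
                shown = mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, op)
                real = server_allows(path, op)
                if shown != real:
                    findings.append((path, op, shown, real))
    return findings

if __name__ == "__main__":
    # Usage: python3 mode_vs_access.py /mnt/nas_volume   (placeholder path)
    for path, op, shown, real in audit(sys.argv[1]):
        print(f"{path}: '{op}' mode bits say {shown}, server says {real}")
```

Run it as the account whose access is being reviewed; with the 777 display option enabled, each line where the mode bits say True and the server says False marks an object that looks world-accessible but is still protected by its ACL.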
FluidFS Administration