Permissions in a cross-protocol smb environment, How the smb server handles uids and gids – HP StoreAll Storage User Manual

SMB shadow copy restore during node failover

If a node fails over while an SMB shadow copy restore is in progress, the user may see a disruption
in the restore operation.

After the failover is complete, the user must skip the file that could not be accessed. The restore
operation then proceeds. The file will not be restored and can be manually copied later, or the
user can cancel the restore operation and then restart it.

Permissions in a cross-protocol SMB environment

The manner in which the SMB server handles permissions affects the use of files by both Windows
and Linux clients. Following are some considerations.

How the SMB server handles UIDs and GIDs

The SMB server provides a true Windows experience for Windows users. Consequently, it must
be closely aligned with Windows in the way it handles permissions and ownership on files.
Windows uses ACLs to control permissions on files. The SMB server puts a bit-for-bit copy of the
ACLs on the Linux server (in the files on the StoreAll file system), and validates file access through
these permissions.

ACLs are tied to Security Identifiers (SIDs) that uniquely identify users in the Windows environment,
and which are also stored on the file in the Linux server as a part of the ACLs. SIDs are obtained
from the authenticating authority for the Windows client (in StoreAll software, an Active Directory
server). However, Linux does not understand Windows-style SIDs; instead, it has its own permissions
control scheme based on UID/GID and permissions bits (mode bits, sticky bits). Since this is the
native permissions scheme for Linux, the SMB server must make use of it to access files on behalf
of a Windows client; it does this by mapping the SID to a UID/GID and impersonating that UID/GID
when accessing files on the Linux file system.

From a Windows standpoint, all of the security for the StoreAll software-resident files is self-consistent;
Windows clients understand ACLs and SIDs, and understand how they work together to control
access to and security for Windows clients. The SMB server maintains the ACLs as requested by
the Windows clients, and emulates the inheritance of ACLs identically to the way Windows servers
maintain inheritance. This creates a true Windows experience around accessing files from a
Windows client.

This mechanism works well for pure Linux environments, but (like the SMB server) Linux applications
do not understand any permissions mechanisms other than their own. Note that a Linux application
can also use POSIX ACLs to control access to a file; POSIX ACLs are honored by the SMB server,

114

Using SMB