Sun Microsystems, Inc.  Sun System Handbook - ISO 4.1 October 2012 Internal/Partner Edition

Asset ID: 1-72-1403050.1
Update Date:2012-06-28

Solution Type  Problem Resolution Sure

Solution  1403050.1 :   Sun Storage 7000 Unified Storage System: NFSv4 users cannot access files written by Windows clients  


Related Items
  • Sun Storage 7410 Unified Storage System
  • Sun Storage 7310 Unified Storage System
  • Sun ZFS Storage 7120
  • Sun Storage 7110 Unified Storage System
  • Sun ZFS Storage 7320
  • Sun ZFS Storage 7420
  • Sun Storage 7210 Unified Storage System
Related Categories
  • PLA-Support>Sun Systems>DISK>NAS>SN-DK: 7xxx NAS
  • .Old GCS Categories>Sun Microsystems>Storage - Disk>Unified Storage




In this Document
Symptoms
Cause
Solution
References


Created from <SR 3-3740498461>

Applies to:

Sun Storage 7110 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7210 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun Storage 7410 Unified Storage System - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7120 - Version Not Applicable to Not Applicable [Release N/A]
Sun ZFS Storage 7320 - Version Not Applicable to Not Applicable [Release N/A]
7000 Appliance OS (Fishworks)

Symptoms

Files or directories written by Windows clients appear inaccessible to NFSv4 clients. When the access from the client fails, a message similar to this is displayed:

ls: can't read ACL on file.ext: Not owner

 


Cause

This issue is caused by an unresolvable entry in the ACL. The UNIX naming service on the appliance cannot resolve the ACL entry to a user name, and therefore access to read the ACL is denied by rule.
By far the most common cause of this is the "SYSTEM" group on the Windows system. This entry will be added to an ACL created by Windows when there is no inheritance set for the parent directory.

Solution

Note: This document assumes that the appliance is running software version 2010.8.17.4.0 or later. There are a number of important ACL and permission-related enhancements in this version and it is STRONGLY recommended to upgrade to at least this version in order to successfully share files between UNIX and Windows.


For affected files and directories, the only solution is to remove the unresolvable ACL entry. This is most easily done from a Windows client for obvious reasons.
If the unresolvable user is not the Windows SYSTEM group but is instead a normal Windows user or group, then resolve this by simply adding a mapping to a known UNIX user with the identity mapping utility.

Internal note:  To verify this issue, run ls -V (or -Vd for a directory) on the file at the system shell.

-rwx------+ 1 bob wheel 8192 Sep 22 08:27 file.ext
user:bob:rwxpdDaARWcCos:-------:allow
group:2147483648:rwxpdDaARWcCos:-------:allow

"group:2147483648" is the mapping for the SYSTEM group. It is possible that the issue could be seen with another account. Verify the state of the mapping with this command:

nas1# idmap show -cv gid:2147483648
gid:2147483648 -> sid:S-1-5-18
Source: Hard Coded
Method: Well-Known mapping

In this case, because it's a hard-coded mapping, it is not possible to map it to a UNIX user, so the only resolution is to delete the entry. Given the above file.ext example, the command chmod A1- file.ext would remove the entry for the SYSTEM group.

It is important to note that the chmod command should not be used, especially recursively on a large dataset, unless the user is very comfortable with the chmod syntax and knows exactly what the result of the command will be. Explicit permission from the customer should also be obtained before doing this. Proceed with extreme caution, as customer data is being modified at this point.
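
The ls -V check described above can be scripted so that the entry index is read off the listing rather than counted by hand. This is an added example, not part of the original document or of the appliance software; the function names are hypothetical, and it assumes file names without whitespace and that an unresolved principal is printed as a bare number, as in the listing above.

```sh
#!/bin/sh
# Added example: list ACL entries in `ls -V` output whose user/group is a
# bare numeric ID, i.e. one the name service could not resolve to a name.
# Assumption: file names contain no whitespace (the name is the last field).
# Read-only: it reports the entry index to review; it never runs chmod.
find_unresolved_aces() {
    awk '
    # An ACL entry line: optional indent, principal, permissions, flags, type.
    /^[ \t]*(user:|group:|owner@:|group@:|everyone@:).*:(allow|deny)[ \t]*$/ {
        line = $0
        sub(/^[ \t]+/, "", line)
        split(line, f, ":")
        # user:/group: entries carry the principal in the second field.
        if ((f[1] == "user" || f[1] == "group") && f[2] ~ /^[0-9]+$/)
            printf "%s A%d %s:%s\n", file, idx, f[1], f[2]
        idx++
        next
    }
    # Any other non-blank line is the ls -l style header of the next file;
    # ACL entry numbering restarts at 0 for each file.
    NF > 0 { file = $NF; idx = 0 }
    '
}

# Constructed sample: the file.ext listing from this document plus a second,
# made-up file whose ACL resolves cleanly.
sample_ls_V() {
cat <<'EOF'
-rwx------+ 1 bob wheel 8192 Sep 22 08:27 file.ext
     user:bob:rwxpdDaARWcCos:-------:allow
     group:2147483648:rwxpdDaARWcCos:-------:allow
-rw-r--r--+ 1 bob wheel 512 Sep 22 08:30 notes.txt
     owner@:rw-p--aARWcCos:-------:allow
     group@:r-----a-R-c--s:-------:allow
     everyone@:r-----a-R-c--s:-------:allow
EOF
}

# Prints: file.ext A1 group:2147483648
sample_ls_V | find_unresolved_aces
```

Each reported line gives the file, the index to use in the chmod A<n>- form shown above, and the numeric ID to confirm with idmap show -cv before any entry is removed.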

To prevent the SYSTEM entry from being added to ACLs, it is generally sufficient to ensure that the system software is updated to at least 2010.08.17.4.0. This version added a feature that assumes that file and directory inheritance should be enabled for files and directories which exactly match a traditional UNIX permission set, such as 755.

If the SYSTEM entry was added while running with a previous version of the system software, manually remove the entry or rewrite the permissions from a Windows client.

 


References

<NOTE:1428753.1> - Sun Storage 7000 Unified Storage System: How to Troubleshoot Identity Mapping and cross-platform file sharing issues

  Copyright © 2012 Sun Microsystems, Inc.  All rights reserved.