Sun Microsystems, Inc.  Sun System Handbook - ISO 3.4 June 2011 Internal/Partner Edition
   Home | Current Systems | Former STK Products | EOL Systems | Components | General Info | Search | Feedback

Asset ID: 1-71-1011364.1
Update Date:2009-03-02
Keywords:
Solution Type  Technical Instruction Sure

Solution  1011364.1 :   Sun StorageTek[TM] 5000 Series NAS: Using the cacls CLI Command to Troubleshoot File and Directory Security  

Related Items 
    

  • Sun Storage 5210 NAS Appliance
    •  
  • Sun Storage 5220 NAS Appliance
    •  
  • Sun Storage 5310 NAS Appliance
    •  
  • Sun Storage 5320 NAS Gateway/Cluster System
    •  
  • Sun Storage 5320 NAS Appliance
    •  
  • Sun Storage 5310 NAS Gateway System
    •  
Related Categories 
    

  • GCS>Sun Microsystems>Storage - Disk>Network Attached Storage
    •  

PreviouslyPublishedAs
215590 


Description
This document describes: Using the cacls CLI(Command Line Interface) to Troubleshoot File and Directory Security.
The cacls command is a useful tool for troubleshooting security issues. This command is available at the NAS (Network-attached Storage) CLI. It reports NFS (Network File System) and CIFS (Common Internet File System) owner and security data, and any extended file attributes.


Steps to Follow
For issues with access to a file or directory, collect the output of the cacls

command.
 This command is available from the CLI by typing the following:


 cacls <full pathname>


The full pathname should begin with the volume name, as in this example:


 cacls /vol1/directory/testfile.txt


Cacls output contains the following information:


Mode security information and UID/GID of the owner. Here is an example:


 drwxr-x--- 34 22 /vol1/data


In this case, we can see that the item is a directory with 750 permissions:

read/write/execute (7) for the owner (UID 34), read/execute (5) for members of the owner's group (GID 22), and no permissions (0) for everyone else.


Next is the Windows security descriptor. In its simplest form, it reads "No security descriptor." This means that no Windows security is present, and that Windows simulates security based on the above NFS permissions. Here is a sample Security Descriptor:


NT Security Descriptor: (0x800F)
Owner: Administrators
Primary Group: S-1-5-21-1638885083-2197052636-4232115574-513
Discretionary Access Control List (DACL):
Domain Users:(IA) 1200A9
Administrators:(IA) 1F01FF


2 ACE(s)


Time stamps:
CIFS Created: (1173099181.686257) Mon Mar  5 07:53:01 2007
FS Modified : (1173099181) Mon Mar  5 07:53:01 2007


The content of the Security Descriptor is as follows:


    

  • Security Descriptor - The type of security descriptor. This is not useful for troubleshooting.
    • 

  • Owner - The user name or SID of the owner.
    • 

  • Primary Group - The group name or SID of the group owner.
    • 

  • Discretionary Access Control List (DACL) - A list of users and groups who have access to the file, by user name, group name, or SID, and the access they have to this object. The access is represented as a hexidecimal number, and there are many thousands of possible combinations of permissions. In the example above, the permissions for the "Administrators" group is Full Control, and the "Domain Users" group has standard Read/Execute permission. For more complex permissions, check security from a Windows client connected as a Domain Administrator.
    • 

  • Timestamps - Listed next are CIFS Creation time, and Filesystem Modification time. The timestamps are generally not useful in troubleshooting security issues.
    • 



NOTE: A SID is a number that uniquely identifies a user or group. The data to the right of the final dash identifies the user within the domain. This user information is known as the RID (relative ID). The RID is the number used for user or group mapping. It can be cross referenced with the NAS user or group mapping data to determine the user/group name and NFS UID/GID.


To troubleshoot problems connecting to a file or directory or share (check directory permissions for the share), compare the NFS or CIFS user ID to the permissions for the file, and determine whether the operation being attempted should be allowed.


Product
Sun StorageTek 5320 NAS Gateway/Cluster System

Sun StorageTek 5320 NAS Appliance

Sun StorageTek 5320

Sun StorageTek 5310 NAS Gateway/Cluster System

Sun StorageTek 5310 NAS Gateway System

Sun StorageTek 5310 NAS Appliance

Sun StorageTek 5220 NAS Appliance

Sun StorageTek 5220

Sun StorageTek 5210 NAS Appliance


 Internal Comments

 This document contains normalized content and is managed by the the Domain Lead(s) of the respective domains. To notify content owners of a knowledge gap contained in this document, and/or prior to updating this document, please contact the domain engineers that are managing this document via the “Document Feedback” alias(es) listed below:



 [email protected]





 NAS, normalized, CIFS, security, cacls

 Previously Published As

 90701



 Change History

 Date: 2007-10-03

 User Name: 31620

 Action: Approved

 Comment: Verified Metadata - ok

 Verified Keywords - ok (normalized)

 Although content is normalized, there were no dependent articles identified

 Verified still correct for audience - currently set to contract

 Audience left at contract as per FvF at

 Checked review date - currently set to 2008-09-21

 Checked for TM - added appropriate for STK product 

 Publishing under the current pu

 Date: 2007-10-01

 User Name: 31620

 Action: Accept

 Comment: 

 Version: 0

 Date: 2007-10-01

 User Name: 102104

 Action: Approved

 Comment: Good document explaining the security descriptors.

 Version: 0





Attachments

This solution has no attachment


















       

Copyright © 2011 Sun Microsystems, Inc.  All rights reserved.

 Feedback