How NFS access works over NTFS permissions
Recently we faced a scenario where a NFS share is created on a windows machine and UNIX client are trying to access it. (The behavior may be different based on the NTFS permission.)
Though UNIX showed full permission for the user; we were getting access denied while deleting the file in the NFS share! The investigation revealed a complex scenario.
Let’s discuss it.
This is based on our testing on our Lab machines:
On the Windows box; we created user user1 and a group grp1. Now, user1 was made a member of grp1 and set as primary group for user1. On the UNIX end; we created a user called user1 and a group grp1.
We configured User Name Mapping and Group Mapping.
A NFS share was created in windows box.
The NTFS permission for the share looks like this
C:\NTFS-NFS <machine_name>\grp1:(OI)(CI)(special access:)
The effective permission for the grp1 is as below. It has all permission except the one highlighted.
+ So user1 will inherit the permission based on the permission given to grp1.
From UNIX side:
Mounted the NFS share as root.
The logged in as user1 (this user is mapped to user1 on Windows box).
Created a folder under the share "user1_unix".
For “user1_unix” observed the following
NTFS "inherit" permission is not set (though if we create a folder from Windows box in the same location; it gets NTFS "inherit" permission set).
The user1 is the owner of "user1_unix".
Permission for user1 on the "user1_unix" is RWX.
grp1 has the permission that was given to parent directory.
From UNIX though user1 has full rights on the folder which he created and is also the owner but still would not be able to delete it. Take a Netmon trace and you will see that rmdir call is being send over the wire with correct UID and GID. The consecutive reply shows the ‘err_access’ (permission denied).
Below is the input from the access calls
Below is the input from the access reply call
Below is the inputs from the delete call (RMDIR)
Now from the windows box if you create a folder under the NFS share logged in as User1 then you would see that user1 is the owner and has full NTFS permission and is also able to delete the folder.
When can we delete files /folder from UNIX client?
1. If we grant "delete subfolder and files" permission to the parent folder (nfstest) for grp1
2. If we grant "delete" permission to the parent folder (nfstest) for user1
And the above two conditions are true whether or not we are inheriting the properties from parent folder.
· If we remove the "delete subfolder" permission on NFS share for a user / group ; even if that user / group has explicit permission in some child folder in that NFS share; from UNIX side (even if we see RWX permission for that user) as that user we will not be able to delete the folder.
· From windows side when the users create a folder under the NFS share; he would be the owner and have full control in NTFS permission. Hence he would be able to delete the same.
BTW, NFS will ignore NTFS inheritance to comply with standard UNIX behavior.
Enabling KeepInheritance is recommended when files on NFS shares are meant to be accessed by both UNIX and Windows users and should be done on all the nodes in the cluster.
Ø HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Server for NFS\CurrentVersion\Mapping\KeepInheritance
By default, the value of the KeepInheritance entry is 0, which means that newly created files and directories on NFS shares will not inherit ACEs from their parent directory. However, if an administrator wants to be able to read and write every file and directory created in a hierarchy, the administrator should set this value to 1 and set an inheritable read/write ACE at the root of the hierarchy.
You can refer to the TechNet article for the details on KeepInheritance.