Unsolved

1 Rookie

93 Posts

September 30th, 2021 11:00

Deny share permissions - trying to make AD group members read only

We have a home directory share using the homedir feature.

We have thousands of users and want to migrate certain groups to another system but have them retain read only permissions to their Isilon homedir. I need to have this apply right away without logging off.

In Windows I would create an AD group with these users in advance so that logged on users would already be in the group. Then I would apply this group to the share permissions and deny "change" and allow "read" and the deny should apply right away. 

How can I do this in Isilon? WebUI doesn't allow it, so it's a CLI command. Current setup is "domain users" Change.

Can I re-order permissions with the CLI? Would I need 2 entries? One for the deny on change and a 2nd for allow read?

1 Rookie

93 Posts

September 30th, 2021 12:00

I tried adding the group via cli with deny change followed by allow read but it didn't work

xxnas-1# isi smb shares permission create HOME --group 'domain\hdrive-denytest1' --zone=fstest-zone --permission-type deny --permission change
xxnas-1# isi smb shares permission create HOME --group 'domain\hdrive-denytest1' --zone=fstest-zone --permission-type allow --permission read
GROUP:domain\hdrive-denytest1 already in permission list.

I was able to go to the webui and re-order the permission to put the deny first in the list, and as soon as I applied it, the user in the test group was unable to access the share. I assume I could create 2 groups for each migration and have a read permission, deny permission and last domain users with change, but it seems clunky to have to do so much work.

1 Rookie

93 Posts

September 30th, 2021 14:00

Adding 2 groups for each migration seems to work, but it's kind of a pain. I added them via cli and then re-ordered them in the webui. allow read, deny change, original group. As soon as I apply they are read only.

isi smb shares permission create HOME --group 'domain\hdrive-readtest1' --zone=fstest-zone --permission-type allow --permission read
isi smb shares permission create HOME --group 'domain\hdrive-denytest1' --zone=fstest-zone --permission-type deny --permission change


Permissions:
Account                  Account Type  Run as Root  Permission Type  Permission
-------------------------------------------------------------------------------
domain\hdrive-readtest1  group         0            allow            read
domain\hdrive-denytest1  group         0            deny             change
domain\domain users      group         0            allow            full
-------------------------------------------------------------------------------

Total: 3

Works after logoff/logon also.
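Added example, not part of the original posts and not OneFS code: a small Python model of Windows-style ordered share-ACL evaluation, showing why the entry order in the listing above yields read-only access while other orders lock the user out or leave the deny ineffective. It assumes the share permission list is evaluated in list order the way Windows access checks are, which is consistent with what the posts report; the masks are the standard Windows share read/change/full masks, the group names come from the posts, and the user memberships and the two alternative orders are constructed.

```python
# Added example: a model of ordered share-ACE evaluation, not OneFS code.
# Standard Windows share-permission masks; READ is a subset of CHANGE.
READ, CHANGE, FULL = 0x1200A9, 0x1301BF, 0x1F01FF

def access_check(acl, groups, desired):
    """Walk ACEs in list order. Allow ACEs grant bits; a deny ACE fails the
    request if it covers any requested bit that is not yet granted."""
    remaining = desired
    for group, ace_type, mask in acl:
        if group not in groups:
            continue
        if ace_type == "deny":
            if remaining & mask:
                return False
        else:
            remaining &= ~mask
        if remaining == 0:
            return True
    return False  # bits no ACE granted are implicitly denied

def effective(acl, groups):
    """Highest share permission level the ordered ACL grants."""
    for name, mask in (("full", FULL), ("change", CHANGE), ("read", READ)):
        if access_check(acl, groups, mask):
            return name
    return "none"

READ_GRP = r"domain\hdrive-readtest1"
DENY_GRP = r"domain\hdrive-denytest1"
USERS = r"domain\domain users"
MIGRATED = {READ_GRP, DENY_GRP, USERS}  # constructed: user in both test groups

# Order from the final listing in the thread.
WORKING = [(READ_GRP, "allow", READ), (DENY_GRP, "deny", CHANGE), (USERS, "allow", FULL)]
# Constructed: deny listed ahead of every allow.
DENY_FIRST = [(DENY_GRP, "deny", CHANGE), (READ_GRP, "allow", READ), (USERS, "allow", FULL)]
# Constructed: broad allow listed ahead of the deny.
ALLOW_FIRST = [(USERS, "allow", FULL), (READ_GRP, "allow", READ), (DENY_GRP, "deny", CHANGE)]

if __name__ == "__main__":
    for label, acl in (("working", WORKING), ("deny first", DENY_FIRST), ("allow first", ALLOW_FIRST)):
        print(f"{label:12} migrated={effective(acl, MIGRATED)} other={effective(acl, {USERS})}")
```

Because the read mask is a subset of the change mask, a deny on change placed ahead of the read allow also blocks read, and a deny placed after a broad allow is never reached.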
