By default in OS X, each folder you create on the FC client gets permissions that correspond to the umask 022 when you create a directory [777 – 22 = 755].
[Creating folder on the A-Class with Squash_All]:
iPhilBendeck:iPhilClass philbendeck$ mkdir Test_Phil
iPhilBendeck:iPhilClass philbendeck$ ls -la | grep Test_Phil
drwxr-xr-x 2 philbendeck staff 4096 Apr 28 17:02 Test_Phil
In the first column, you will see the file permissions. A “d” in front denotes that the name on that line is a directory (folder) and a dash (-) in front denotes that it’s a file. There are 9 other characters after that. Break up those 9 characters into 3 groups, and you'll get the permissions for each user group (user, group, and world).
An “r” denotes read permission, a “w” denotes write permission, and an “x” denotes execute permission. A dash where a character should be denotes that the particular permission doesn’t exist.
Let’s take this for example:
1. Created a folder on the A-Class = Test_Phil and re-shared the folder via SMB (NASGW)
- Permissions from FC Directory Creation
drwxr-xr-x 2 philbendeck staff 4096 Apr 28 17:02 Test_Phil
2. Since the NASGW doesn’t support extended ACLs, the NASGW can only inherit and respect POSIX permissions. When you apply permissions via Folder Share on the NASGW, it parses the users allowed to access the SMB share and writes them to the smb.conf file stored on the NASGW. These permissions in smb.conf only grant access to the SMB share(s). Once you have established a connection to the SMB share, there is no permission or ACL that defines the LDAP user you used to authenticate; hence, that user's permission rights are established by the World user group permissions [R/W], which allow the user to read and write data.
Therefore, when you create a folder on the SAN via FC, it's automatically going to write folders/files with the umask that the machine is configured with.
I created two folders, one on the FC client and one from the SMB client.
[FC = FC_DIR]
[SMB = SMB_DIR]
drwxr-xr-x 2 philbendeck 1000 4096 Apr 28 18:36 FC_DIR
drwxrwxrwx 2 2002 3000 4096 Apr 28 18:35 SMB_DIR
Notice that when I created the folder on the SAN volume, it gave the folder drwxr-xr-x, meaning that when the SMB user wants to write to that folder, they will not be able to, since the POSIX UID/GID are completely different and the NAS user will rely on the R/W properties of the World user group. Notice that only the character x for the World user group is enabled for the FC_DIR directory.
When I created the folder on the SMB share, it created the folder [SMB_DIR] with drwxrwxrwx, allowing everyone to R/W when they access the SAN volume via FC. The NASGW is designed to always write files to the FS with 777 permissions. Keep in mind that the NASGW is also an FC Linux client.
What’s the solution?
- Changing the umask of the OS X FC clients to 000
Apple published a well-written document that illustrates how to change this for each specific OS X build.
https://support.apple.com/en-us/HT201684
https://en.wikipedia.org/wiki/Umask
Several customers have found this to be a feasible workaround. Once you change the umask on the OS X client, you will be able to R/W simultaneously across SMB and FC.
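The effect of the two umask values can be checked on any POSIX client before touching the SAN. The script below is an added example, not Promise's or Apple's code: it creates a directory in a temporary location under each umask and reports whether the World user group, which the article says the SMB user falls back to, gets the w bit. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: show the mode a new directory receives under a given
# umask, and whether the World class (third rwx group) may write to it.

# Print the 10-character mode string, as shown by ls -l, of a directory
# created under the umask given in $1. Runs in a subshell so the caller's
# umask is left unchanged.
mode_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1   # scratch area, removed below
        umask "$1"
        mkdir "$tmp/dir"
        ls -ld "$tmp/dir" | cut -c1-10
        rm -rf "$tmp"
    )
}

# Succeed if a mode string such as drwxr-xr-x grants write to World.
# Character 9 is the w position of the third permission group.
world_can_write() {
    [ "$(printf '%s' "$1" | cut -c9)" = "w" ]
}

# Compare the OS X default (022) with the workaround value (000).
for u in 022 000; do
    m=$(mode_under_umask "$u")
    if world_can_write "$m"; then
        verdict="World can write"
    else
        verdict="World cannot write"
    fi
    printf 'umask %s -> %s (%s)\n' "$u" "$m" "$verdict"
done
```

The umask applies to everything a process creates, not only to folders on the SAN volume, so with 000 new local files and folders on that client are world-writable as well.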
If you have any questions or concerns, please open a support request via https://support.promise.com