File permissions

Newly created filesets are initially assigned a special dedicated user ID and group ID that lock out access for all clients. These are:

UNIX® platforms
    File permissions 000, userID/groupID 1000000/1000000
Windows® platforms
    Owner S-1-0-0

Note: For heterogeneous file sharing, the UNIX group ID is a fictitious number.

For clients to be able to access a fileset, a client must first take ownership of the fileset by changing the fileset's owner to a valid user that can provide the required access. The take-ownership operation is performed only once for each fileset, and can be done only by a privileged client. A privileged client is a client on which root users in UNIX or users with Administrator privileges in Windows are given those same privileges for the SAN File System global namespace. A root user logged in to a privileged client is granted full control over directories, files, and other file system objects created by clients in the SAN File System global namespace.

Root squashing means that, by default, when a root or Administrator user logs in to a client that is not a privileged client, the user's privileges for the global namespace are reduced to those of "Other" in UNIX or "Everyone" in Windows. Therefore, in order to change the ownership and permissions on a fileset, one or more privileged clients must be created. You need at least one privileged Windows client if there are any Windows clients creating files, and at least one privileged UNIX client if there are any UNIX clients creating files.

In the current release of SAN File System, client files should be separated in filesets for each operating system — that is, a Windows client should create files only within filesets dedicated to Windows files, and a UNIX client should create files only within filesets dedicated to UNIX. This is referred to as the primary allegiance of a fileset — that is, either Windows or UNIX. There are several reasons for keeping the files separate:

The different client platforms can, however, share files in a common fileset if the permissions allow. Therefore, it is important to set up your access control lists (ACLs) on the clients and user maps in SAN File System to accomplish this goal.

To be able to take ownership and change permission on a new fileset, turn off root squashing for the client — that is, enable it as a privileged client to SAN File System.
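
The UNIX-side rules described above, as a simplified Python model added here for illustration (it is not IBM code and not a SAN File System interface). The class and function names are hypothetical, and the model assumes that root on a privileged client is the user who performs the take-ownership operation.

```python
from dataclasses import dataclass

LOCKED_ID = 1000000    # userID/groupID attached to a new fileset (from the page)
LOCKED_MODE = 0o000    # file permissions on a new fileset (from the page)

@dataclass
class Fileset:                      # hypothetical model of a fileset root
    uid: int = LOCKED_ID
    gid: int = LOCKED_ID
    mode: int = LOCKED_MODE

@dataclass
class Caller:                       # hypothetical model of a user on a client
    uid: int
    gids: frozenset
    privileged_client: bool         # True when root squashing is off for the client

def permission_bits(fs, who):
    """Return the rwx bits (0-7) the caller gets on the fileset root."""
    if who.uid == 0:
        if who.privileged_client:
            return 0o7              # root on a privileged client: full control
        return fs.mode & 0o7        # root squashed: treated as "Other"
    if who.uid == fs.uid:
        return (fs.mode >> 6) & 0o7
    if fs.gid in who.gids:
        return (fs.mode >> 3) & 0o7
    return fs.mode & 0o7

def take_ownership(fs, who, new_uid, new_gid, new_mode):
    """One-time ownership change; refused unless the caller is unsquashed root."""
    if not (who.uid == 0 and who.privileged_client):
        raise PermissionError("take ownership requires a privileged client")
    fs.uid, fs.gid, fs.mode = new_uid, new_gid, new_mode

def demo():
    """Access for three constructed callers before and after take-ownership."""
    fs = Fileset()
    squashed_root = Caller(0, frozenset({0}), privileged_client=False)
    unsquashed_root = Caller(0, frozenset({0}), privileged_client=True)
    alice = Caller(1001, frozenset({100}), privileged_client=False)
    callers = (squashed_root, unsquashed_root, alice)
    before = [permission_bits(fs, c) for c in callers]
    take_ownership(fs, unsquashed_root, 1001, 100, 0o750)
    after = [permission_bits(fs, c) for c in callers]
    return before, after

if __name__ == "__main__":
    print(demo())
```

In this model a squashed root user still has no access after the ownership change, because the mode chosen for the example grants nothing to "Other".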

(C) Copyright IBM Corporation 2003, 2004. All Rights Reserved.
IBM TotalStorage SAN File System v2.2