SMB ACL changes in Linux are raising more FPolicy events than in Windows
2020-04-29
03:51 AM
Hi:
SMB ACL changes in Linux are creating more FPolicy events than in Windows.
- Steps to reproduce:
An SMB share is mounted in Linux and Windows.
If a permission is changed in Linux (CentOS 7.x), FPolicy sends 4 messages on giving permission to a new user in a folder.
If a permission is changed in Windows Server 2016, FPolicy sends 1 message on giving permission to a new user in a folder.
A video link has been pasted below.
- Ontap details below:
- Video of a similar operation that was tried out:
Below events were not captured while this video was being recorded.
But similar operation was done and events were captured in an external Fpolicy server.
- See the video on the ACL change done in Linux; we get the following events:
The ones below are from a few minutes before (whatever Kai tried via the Linux client):
<?xml version="1.0" encoding="UTF-8"?>
<FscreenReq>
<ReqId>124359556</ReqId>
<ReqType>SMB_SET_ATTR</ReqType>
<NotfInfo>
<SmbSetAttrReq>
<CommonInfo>
<ProtCommonInfo>
<ClientIp>10.197.144.115</ClientIp>
<GenerationTime>1587633146015785</GenerationTime>
<UsrIdType>MAPPED_ID</UsrIdType>
<UsrContext>
<MappedId>
<Uid>65534</Uid>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</MappedId>
</UsrContext>
<FileOwner>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</FileOwner>
<AccessPath>
<Path>
<PathNameType>WIN_NAME</PathNameType>
<PathName>\HR\Zayyan_Maxwell.xlsx</PathName>
</Path>
<Path>
<PathNameType>UNIX_NAME</PathNameType>
<PathName>/HR/Zayyan_Maxwell.xlsx</PathName>
</Path>
</AccessPath>
<VolMsid>2147554766</VolMsid>
<FileSize>0</FileSize>
<NumHardLnk>1</NumHardLnk>
<IsOfflineAttr>0</IsOfflineAttr>
<FileType>FILE</FileType>
<IsSparse>0</IsSparse>
<IsDense>0</IsDense>
</ProtCommonInfo>
<DisplayPath>\\DMOGRPSHR02\ENG\HR\Zayyan_Maxwell.xlsx</DisplayPath>
<ProtVer>
<MajorNum>3</MajorNum>
<MinorNum>1</MinorNum>
</ProtVer>
</CommonInfo>
<SetAttrChangeAttr>11</SetAttrChangeAttr>
<SetAttrNewOwner>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</SetAttrNewOwner>
<SetAttrNewGroup>
<WinSid>S-1-5-21-3647202927-612482006-490203858-513</WinSid>
</SetAttrNewGroup>
<SetAttrMode>0</SetAttrMode>
</SmbSetAttrReq>
</NotfInfo>
</FscreenReq>
<?xml version="1.0" encoding="UTF-8"?>
<FscreenReq>
<ReqId>84748357</ReqId>
<ReqType>SMB_SET_ATTR</ReqType>
<NotfInfo>
<SmbSetAttrReq>
<CommonInfo>
<ProtCommonInfo>
<ClientIp>10.197.144.115</ClientIp>
<GenerationTime>1587633120980839</GenerationTime>
<UsrIdType>MAPPED_ID</UsrIdType>
<UsrContext>
<MappedId>
<Uid>65534</Uid>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</MappedId>
</UsrContext>
<FileOwner>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1615</WinSid>
</FileOwner>
<AccessPath>
<Path>
<PathNameType>WIN_NAME</PathNameType>
<PathName>\HR\Zayyan_Maxwell.xlsx</PathName>
</Path>
<Path>
<PathNameType>UNIX_NAME</PathNameType>
<PathName>/HR/Zayyan_Maxwell.xlsx</PathName>
</Path>
</AccessPath>
<VolMsid>2147554766</VolMsid>
<FileSize>0</FileSize>
<NumHardLnk>1</NumHardLnk>
<IsOfflineAttr>0</IsOfflineAttr>
<FileType>FILE</FileType>
<IsSparse>0</IsSparse>
<IsDense>0</IsDense>
</ProtCommonInfo>
<DisplayPath>\\DMOGRPSHR02\ENG\HR\Zayyan_Maxwell.xlsx</DisplayPath>
<ProtVer>
<MajorNum>3</MajorNum>
<MinorNum>1</MinorNum>
</ProtVer>
</CommonInfo>
<SetAttrChangeAttr>1</SetAttrChangeAttr>
<SetAttrNewOwner>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</SetAttrNewOwner>
<SetAttrMode>0</SetAttrMode>
</SmbSetAttrReq>
</NotfInfo>
</FscreenReq>
- See the video for the ACL change done in Windows; we get the following events:
<?xml version="1.0" encoding="UTF-8"?>
<FscreenReq>
<ReqId>124468100</ReqId>
<ReqType>SMB_SET_ATTR</ReqType>
<NotfInfo>
<SmbSetAttrReq>
<CommonInfo>
<ProtCommonInfo>
<ClientIp>10.197.144.154</ClientIp>
<GenerationTime>1587633548694627</GenerationTime>
<UsrIdType>MAPPED_ID</UsrIdType>
<UsrContext>
<MappedId>
<Uid>0</Uid>
<WinSid>S-1-5-21-3647202927-612482006-490203858-500</WinSid>
</MappedId>
</UsrContext>
<FileOwner>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</FileOwner>
<AccessPath>
<Path>
<PathNameType>WIN_NAME</PathNameType>
<PathName>\HR\Zayyan_Maxwell.xlsx</PathName>
</Path>
<Path>
<PathNameType>UNIX_NAME</PathNameType>
<PathName>/HR/Zayyan_Maxwell.xlsx</PathName>
</Path>
</AccessPath>
<VolMsid>2147554766</VolMsid>
<FileSize>0</FileSize>
<NumHardLnk>1</NumHardLnk>
<IsOfflineAttr>0</IsOfflineAttr>
<FileType>FILE</FileType>
<IsSparse>0</IsSparse>
<IsDense>0</IsDense>
</ProtCommonInfo>
<DisplayPath>\\DMOGRPSHR02\ENG\HR\Zayyan_Maxwell.xlsx</DisplayPath>
<ProtVer>
<MajorNum>3</MajorNum>
<MinorNum>1</MinorNum>
</ProtVer>
</CommonInfo>
<SetAttrChangeAttr>8</SetAttrChangeAttr>
<SetAttrMode>0</SetAttrMode>
</SmbSetAttrReq>
</NotfInfo>
</FscreenReq>
Regards,
Abhi
+91-9845515269
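An added example, not part of the original post and not NetApp code: one way to tally SMB_SET_ATTR notifications per client and path from a capture like the one above, so the Linux and Windows counts can be compared directly. The function names are hypothetical, the sample is constructed from values in the post, GenerationTime is assumed to be microseconds since the epoch, and SetAttrChangeAttr is reported as the raw number because the post does not give its bit meanings.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

def make_notification(req_id, client, gen_time, change_attr):
    """Constructed, trimmed notification; element names and values are from the post."""
    return ('<?xml version="1.0" encoding="UTF-8"?><FscreenReq>'
            f'<ReqId>{req_id}</ReqId><ReqType>SMB_SET_ATTR</ReqType><NotfInfo><SmbSetAttrReq>'
            f'<CommonInfo><ProtCommonInfo><ClientIp>{client}</ClientIp>'
            f'<GenerationTime>{gen_time}</GenerationTime><AccessPath><Path>'
            '<PathNameType>UNIX_NAME</PathNameType><PathName>/HR/Zayyan_Maxwell.xlsx</PathName>'
            '</Path></AccessPath></ProtCommonInfo></CommonInfo>'
            f'<SetAttrChangeAttr>{change_attr}</SetAttrChangeAttr>'
            '</SmbSetAttrReq></NotfInfo></FscreenReq>\n')

# Constructed capture: the three notifications from the post, concatenated as posted.
SAMPLE = (make_notification(124359556, "10.197.144.115", 1587633146015785, 11)
          + make_notification(84748357, "10.197.144.115", 1587633120980839, 1)
          + make_notification(124468100, "10.197.144.154", 1587633548694627, 8))

def parse_stream(text):
    """Split a capture holding several XML documents and parse each SMB_SET_ATTR one."""
    events = []
    for doc in re.split(r"<\?xml[^>]*\?>", text):
        if not doc.strip():
            continue
        if "<!DOCTYPE" in doc:  # notifications carry no DTD; refuse entity tricks
            raise ValueError("unexpected DOCTYPE in notification")
        root = ET.fromstring(doc.strip())
        if root.findtext("ReqType") != "SMB_SET_ATTR":
            continue
        req = root.find("NotfInfo/SmbSetAttrReq")
        info = req.find("CommonInfo/ProtCommonInfo")
        paths = {p.findtext("PathNameType"): p.findtext("PathName") for p in info.iter("Path")}
        events.append({"client": info.findtext("ClientIp"),
                       "path": paths.get("UNIX_NAME"),
                       "time": int(info.findtext("GenerationTime")),
                       "change_attr": int(req.findtext("SetAttrChangeAttr"))})
    return events

def summarize(events):
    """Per (client, path): notification count, raw SetAttrChangeAttr values, time spread."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        groups[(ev["client"], ev["path"])].append(ev)
    return {key: {"count": len(evs),
                  "change_attrs": [e["change_attr"] for e in evs],
                  # GenerationTime is assumed to be microseconds since the epoch
                  "span_us": evs[-1]["time"] - evs[0]["time"]}
            for key, evs in groups.items()}

if __name__ == "__main__":
    for key, stats in summarize(parse_stream(SAMPLE)).items():
        print(key, stats)
```

Grouping on ClientIp and the UNIX_NAME path keeps the two clients apart even though both touch the same file, and the time spread shows whether several notifications belong to one user action or to separate ones.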
2 REPLIES 2
I don't know enough about the Linux SMB client, but ONTAP will just forward each client OP to the FPolicy server. If Linux is generating 4 calls where Windows generates only one (can be confirmed with a packet trace), then that would be why. Then it would take investigation to see why Linux is generating those calls.
Have you tried a packet trace from Windows and from Linux (can be taken from filer with tcpdump command) to see if it indeed is generating 4 vs 1 calls?
No. Have not taken a packet trace.
We can take a packet trace and see what is happening.
-Abhi
