SMB ACL changes in Linux is raising more Fpolicy events than in Windows

abhit · ‎2020-04-29

Hi:

SMB ACL changes in Linux is creating more Fpolicy events than in Windows.

Steps to reproduce:

A SMB share is mounted in Linux and Windows.

If a permission is changed in Linux Centos 7.x version, fpolicy sends 4 message on giving permission to a new user in a folder.

If a permission is changed in Windows 2016 server, fpolicy sends 1 message on giving permission to a new user in a folder.

A video link has been pasted below.

Ontap details below:

Video of a similar operation that was tried out:

https://netapp-my.sharepoint.com/:v:/p/knieberg/Ed1C85bMTTFEs8q-MNwiGR4B-JYX459jxSCFcPkdmMCBiA?e=2TSu8V

Below events were not captured while this video was being recorded.

But similar operation was done and events were captured in an external Fpolicy server.

See the video on the ACL change done in Linux, we get following events:

Below ones few minutes before (whatever Kai tried via linux client)

<?xml version="1.0" encoding="UTF-8"?>

<UsrIdType>MAPPED_ID</UsrIdType>

</MappedId>

</UsrContext>

</FileOwner>

<Path>

<PathName>\HR\Zayyan_Maxwell.xlsx</PathName>

</Path>

<Path>

<PathName>/HR/Zayyan_Maxwell.xlsx</PathName>

</Path>

</AccessPath>

</ProtCommonInfo>

<DisplayPath>\\DMOGRPSHR02\ENG\HR\Zayyan_Maxwell.xlsx</DisplayPath>

</ProtVer>

</CommonInfo>

</SetAttrNewOwner>

</SetAttrNewGroup>

</SmbSetAttrReq>

</NotfInfo>

</FscreenReq>

<?xml version="1.0" encoding="UTF-8"?>

<UsrIdType>MAPPED_ID</UsrIdType>

</MappedId>

</UsrContext>

</FileOwner>

<Path>

<PathName>\HR\Zayyan_Maxwell.xlsx</PathName>

</Path>

<Path>

<PathName>/HR/Zayyan_Maxwell.xlsx</PathName>

</Path>

</AccessPath>

</ProtCommonInfo>

<DisplayPath>\\DMOGRPSHR02\ENG\HR\Zayyan_Maxwell.xlsx</DisplayPath>

</ProtVer>

</CommonInfo>

</SetAttrNewOwner>

</SmbSetAttrReq>

</NotfInfo>

</FscreenReq>

See the video for the ACL change done in Windows and we get following events:

<?xml version="1.0" encoding="UTF-8"?><FscreenReq> <ReqId>124468100</ReqId> <ReqType>SMB_SET_ATTR</ReqType> <NotfInfo> <SmbSetAttrReq> <CommonInfo> <ProtCommonInfo> <ClientIp>10.197.144.154</ClientIp> <GenerationTime>1587633548694627</GenerationTime> <UsrIdType>MAPPED_ID</UsrIdType> <UsrContext> <MappedId> <Uid>0</Uid> <WinSid>S-1-5-21-3647202927-612482006-490203858-500</WinSid> </MappedId> </UsrContext> <FileOwner> <WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid> </FileOwner> <AccessPath> <Path> <PathNameType>WIN_NAME</PathNameType> <PathName>\HR\Zayyan_Maxwell.xlsx</PathName> </Path> <Path> <PathNameType>UNIX_NAME</PathNameType> <PathName>/HR/Zayyan_Maxwell.xlsx</PathName> </Path> </AccessPath> <VolMsid>2147554766</VolMsid> <FileSize>0</FileSize> <NumHardLnk>1</NumHardLnk> <IsOfflineAttr>0</IsOfflineAttr> <FileType>FILE</FileType> <IsSparse>0</IsSparse> <IsDense>0</IsDense> </ProtCommonInfo> <DisplayPath>\\DMOGRPSHR02\ENG\HR\Zayyan_Maxwell.xlsx</DisplayPath> <ProtVer> <MajorNum>3</MajorNum> <MinorNum>1</MinorNum> </ProtVer> </CommonInfo> <SetAttrChangeAttr>8</SetAttrChangeAttr> <SetAttrMode>0</SetAttrMode> </SmbSetAttrReq> </NotfInfo></FscreenReq>

Regards,

Abhi

+91-9845515269

paul_stejskal · ‎2020-04-29

I don't know enough about the Linux SMB client, but ONTAP will just forward each client OP to the fpolicy server. If LInux is generating 4 calls where Windows generates only one (can be confirmed with packet trace), then that would be why. Then it would take investigation to see why Linux is generating those calls.

Have you tried a packet trace from Windows and from Linux (can be taken from filer with tcpdump command) to see if it indeed is generating 4 vs 1 calls?

abhit · ‎2020-05-08

No. Have not taken a packet trace.

We can take a packet trace and see what is happening.

-Abhi

SMB ACL changes in Linux is raising more Fpolicy events than in Windows

Get ready to power on