HP CIFS Server 3.0g Administrator's Guide version A.02.03.01: HP-UX 11i v1, v2 and v3 > Chapter 3 Managing HP-UX File Access Permissions from Windows NT/XP/2000

HP CIFS Server Directory ACLs and Windows 2000/XP Clients

Directory ACL Types

Under POSIX, a directory ACL contains both access and default ACEs. Access ACEs control access to the directory itself. Default ACEs define the permissions that are set on new files and subdirectories created under the directory.

Viewing ACLs from Windows 2000 Clients

Windows 2000 or XP can show ACLs on a file or a directory in Basic and Advanced views.

Viewing Basic ACLs from Windows 2000 Clients

  1. Right-click on a file or a directory and select Properties

  2. Click on the Security tab

Figure 3-7 Basic ACL View


Viewing Advanced ACLs from Windows 2000 Clients

  1. Right-click on a file or a directory and select Properties

  2. Click on the Security tab

  3. Click on the Advanced button

Figure 3-8 Advanced ACL View


Mapping Windows 2000/XP Directory Inheritance Values to POSIX

Under POSIX, default ACEs can apply to both files and subdirectories. In a Windows 2000 or XP environment, directory ACE entries differ from POSIX and use the following Windows Inheritance Values (Apply To values in the Windows Advanced ACE screen) to distinguish access and default behavior:

  • This folder only

  • This folder, subfolders and files

  • This folder and subfolders

  • This folder and files

  • Subfolders and files only

  • Subfolders only

  • Files only

When a user attempts to change or add a directory ACE from the Windows Advanced ACE screen, the HP CIFS Server maps the Windows Inheritance Values to the corresponding POSIX ACE type.

The following table shows how Windows Inheritance Values are mapped to POSIX:

Table 3-6 Mapping Table for Inheritance Values to POSIX

| Inheritance Value | POSIX Mapping by HP CIFS Server |
|---|---|
| This Folder only | Maps to access ACE. |
| This Folder, Subfolders and Files | An ACE of this type is mapped to both access and default ACE. |
| This Folder and Subfolders | Maps only to access ACE for this directory. |
| This Folder and Files | Maps only to access ACE for this directory. |
| Subfolders and Files only | Maps to default ACE for this directory. |
| Subfolders only | This type is not supported and any ACE with this type is ignored by the HP CIFS Server. |
| Files only | This type is not supported and any ACE with this type is ignored by the HP CIFS Server. |

Modifying Directory ACLs From Windows 2000/XP Clients

NOTE: HP-UX directory ACLs are set inconsistently using the ACL Basic permission screen from the Windows 2000 or XP client.

You must use the Windows Advanced permission screen (Directory -> Properties -> Security tab -> Advanced button) to view or change POSIX directory ACLs.

This section describes how to modify a directory ACE from the Windows 2000 or XP client:

  1. Right-click on a directory and select Properties

  2. Click on the Security tab

  3. Click on the Advanced button

  4. Select an ACE, click on the View/Edit tab

    Figure 3-9 Modifying ACE Permissions

  5. Check or uncheck the box next to each permission that you want to add or remove. Refer to "Mapping Table for Windows 2000/XP Permissions to UNIX Permissions" for detailed information on how each permission in this window is mapped to UNIX permissions

  6. Select the appropriate ACE type from the Apply to dropdown list in the dialog box. Choose the selection according to how it will be mapped to POSIX ACEs. Refer to "Mapping Table for Inheritance Values to POSIX" for detailed information

  7. Click on OK; you will be taken back to the Advanced ACE screen. Repeat steps 4 through 6 to modify other ACEs

  8. Click on OK or Apply button on the Advanced ACE screen

Figure 3-10 Modifying an ACE Type With Apply To value

IMPORTANT: If you want different permissions on default and access ACEs for the same user or group, you must select two different ACE entries in the advanced ACE view dialog box before you click on the OK button.

If you modify an ACE entry and clear both Allow and Deny check boxes, the Windows 2000 or XP client removes that ACE and does not send it to the HP CIFS Server.

To prevent a directory owner from losing access, both access and default ACEs for the owner should be set to Full Control permissions.

Removing an ACE entry from Windows 2000/XP clients

For mandatory ACLs (user, owning group, everyone), removing an ACE entry from the Advanced Windows permission screen does not remove that ACE entry on the UNIX system. The HP CIFS Server generates the missing ACEs from the existing access ACEs on the file.

For any other user or group ACEs, removing an ACE entry from the Advanced Windows screen will remove that ACE entry on the HP CIFS Server.

Examples

The following three examples show how the directory ACEs on the HP CIFS Server change when an ACE entry is removed from the Windows 2000/XP client.

Example 1:

In example 1, assume that the existing directory ACEs for testdir on the HP CIFS Server are:

    # file:testdir
    # owner:testuser
    # owning group:users
    access:owner:rwx
    access:owning group:rwx
    access:other:rwx
    default:owner:rwx
    default:owning group:r-x
    default:other:r-x

In example 1, if the default owning group ACE entry, r-x, is removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing default owning group ACE entry based on the existing access owning group ACE, rwx. The following shows the resulting directory ACEs on the HP CIFS Server:

    # file:testdir
    # owner:testuser
    # owning group:users
    access:owner:rwx
    access:owning group:rwx
    access:other:rwx
    default:owner:rwx
    default:owning group:rwx
    default:other:r-x

Example 2:

In example 2, assume that the existing directory ACEs for testdir on the HP CIFS Server are:

    # file:testdir
    # owner:testuser
    # owning group:users
    access:owner:rwx
    access:owning group:r-x
    access:other:rwx
    default:owner:rwx
    default:owning group:r--
    default:other:r--

In example 2, if both the access owning group ACE entry, r-x, and the default owning group ACE entry, r--, are removed from the Advanced Windows ACE screen, the HP CIFS Server generates the missing owning group ACE entries based on the existing access owning group ACE. The following shows the resulting directory ACEs on the HP CIFS Server:

    # file:testdir
    # owner:testuser
    # owning group:users
    access:owner:rwx
    access:owning group:r-x
    access:other:rwx
    default:owner:rwx
    default:owning group:r-x
    default:other:r--

Example 3:

In example 3, assume that the existing directory ACEs for testdir on the HP CIFS Server are:

    # file:testdir
    # owner:testuser
    # owning group:users
    # other group:testgroup
    access:owner:rwx
    access:owning group:r-x
    access:other group:rw-
    default:owner:rwx
    default:owning group:r--
    default:other group:r-w

In example 3, if both the access other group ACE entry, rw-, and the default other group ACE entry, r--x, are removed from the Advanced Windows ACE screen, the HP CIFS Server removes both the access other group and the default other group ACE entries. The following shows the resulting directory ACEs on the HP CIFS Server:

    # file:testdir
    # owner:testuser
    # owning group:users
    # other group:testgroup
    access:owner:rwx
    access:owning group:r-x
    default:owner:rwx
    default:owning group:r--
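
The removal rule and Example 1 above, modelled as an added Python example (this is not HP CIFS Server code): mandatory ACEs removed from the Windows screen are regenerated from the access ACE, any other ACE is deleted, and widened() reports entries that gained permissions as a side effect. The function names and the kind:principal:perms parsing are assumptions made for this illustration.

```python
# Added illustration: a model of the behaviour this page describes,
# not the server's implementation. All names here are hypothetical.
MANDATORY = {"owner", "owning group", "other"}  # user, owning group, everyone


def parse_acl(text):
    """Parse 'kind:principal:perms' lines into {(kind, principal): perms}."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and the '# file:' style header lines
        kind, principal, perms = line.split(":")
        acl[(kind, principal)] = perms
    return acl


def remove_from_windows(acl, removed):
    """Return the ACL after the client drops the ACEs listed in `removed`."""
    result = dict(acl)
    for kind, principal in removed:
        if principal in MANDATORY:
            # Mandatory ACEs are regenerated from the existing access ACE.
            result[(kind, principal)] = acl[("access", principal)]
        else:
            # Any other user or group ACE is really removed.
            result.pop((kind, principal), None)
    return result


def widened(before, after):
    """List (entry, old, new) for entries that gained permission bits."""
    gained = []
    for key, new in after.items():
        old = before.get(key, "---")
        if any(n != "-" and o == "-" for o, n in zip(old, new)):
            gained.append((key, old, new))
    return gained


EXAMPLE_1 = """
# file:testdir
access:owner:rwx
access:owning group:rwx
access:other:rwx
default:owner:rwx
default:owning group:r-x
default:other:r-x
"""

if __name__ == "__main__":
    before = parse_acl(EXAMPLE_1)
    after = remove_from_windows(before, [("default", "owning group")])
    print(widened(before, after))
```

Running the same check before removing a restrictive default ACE shows whether new files and subdirectories would end up with broader permissions than the entry being removed.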

Adding Directory ACLs From Windows 2000/XP Clients

This section describes how to add a directory ACE from the Windows 2000 or XP client:

  1. Right-click on a directory and select Properties

  2. Click on the Security tab

  3. Click on the Advanced button

  4. Click on the Add button; a select user or group window is displayed

  5. Select any user or group from those available

  6. Click on OK, you will be prompted to enter ACE permissions and the type of ACE

  7. Enter the desired permissions, click on OK

  8. You will be taken to the ACE Advanced view screen, click on OK or Apply button to add the new ACE

Figure 3-11 Selecting a new ACE user or group

IMPORTANT: POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface.

POSIX Default Owner and Owning Group ACLs

With HP CIFS Server version A.01.10, the POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group.

With HP CIFS Server versions A.01.09 and below, only one ACE each for owner, owning group and everyone is shown if the permissions are the same on the corresponding access and default ACEs.

With HP CIFS Server version A.01.10, the POSIX default owner and default owning group ACEs are shown in the Windows interface as Creator Owner and Creator Group even if the permissions on the access and default ACEs are the same. However, everyone is shown as only one ACE if the access and default permissions are the same.

Changing permissions on Windows Creator Owner and Creator Group ACEs will only modify POSIX default owner and owning group ACEs on the HP CIFS Server.

POSIX ACEs with zero permissions

POSIX owning group and everyone ACEs with zero permissions are not displayed in the Windows interface. For example, if a directory owning group has zero permissions on the HP CIFS Server, an ACE for that owning group will not be shown on the Windows interface. ACEs for any other user or group with zero permissions are shown with no permissions in the Windows interface.

POSIX ACEs with zero permission can be modified by adding an ACE and setting the desired permissions for that user or group. A new ACE can be added by using the Add button on the Windows ACL interface.

© 2007 Hewlett-Packard Development Company, L.P.