Authorization limitations

Authorization limitations are specific to the protocols that are used to access data.

NFS ACL limitations

ACLs are stored as NFSv4 ACLs in the file system.

For more information about the limitations of NFSv4 ACLs, see Exceptions and limitations to NFS V4 ACLs support.

SMB ACL limitations

The following are the SMB ACL limitations:
  • The ACL of a new child file or directory depends on the ACL type, the file system settings, and the ACL of the parent directory. Depending on these variables, the result on the IBM Storage Scale system might differ slightly from Microsoft Windows. For example, if the parent directory has two ACEs, such as full access for the owner and full access for everyone, the Windows default is to create two ACEs for the child: one that allows full access for the owner and one that allows full access for everyone. The IBM Storage Scale system by default creates six ACEs, an allow and a deny ACE each for the owner, the group, and everyone.
  • If a domain server manages the UID and GID mapping, the UID and GID mappings must be configured in the domain server before an ACE for that user or group can be created.
  • Users and groups that belonged to another domain and were migrated to a new domain by using the SID-History mechanism cannot be stored in an ACL.
  • Most well-known SIDs and built-in SIDs cannot be stored in an ACL. Only the "Everyone" SID can be stored and used in an IBM Storage Scale system.
  • The SMB ACLs cannot be modified when LDAP-based authentication is used for file access.
  • In Microsoft Windows, you can limit the scope of inheritance for an ACE to one level by selecting the Apply these permissions to objects and/or containers within this container only checkbox in Windows Explorer. The IBM Storage Scale system does not support configuring this option to limit the scope of inheritance for an ACL.
  • ACL inheritance stops at fileset junction points. New filesets always have the default ACL (770 root root).
  • The root path of every SMB share needs read permission (read data, read attribute, read extended attribute) for everyone to prevent the unexpected behavior of, for example, Windows Explorer.
  • To prevent Access Denied errors, a user who has access to a file or directory must also have the read attribute permission on all of its parent directories.
  • The value of the dacl_protected bit related to the Include Inheritable permissions from this object's parent checkbox can be changed only through SMB. The ACL commands cannot access this field. Setting a new ACL resets this field.
  • The commands that are used to work on the ACLs do not support recursive updates of inherited ACEs in the file tree.
  • Access privileges that are defined in Windows are not honored. Those privileges are tied to administrator groups and allow access, where the ACL alone does not grant it.
  • Audit and alarm ACEs are not supported inside an ACL.
  • The Bypass Traverse Check is implemented in GPFS for SMB clients only. Clients that use other protocols might still be locked out because the parent tree of an export has more restrictive ACLs than the export itself.
  • POSIX-style ACLs are not supported.
  • As in the POSIX standard, reading the content of a subdirectory requires, in addition to the read permission in the ACL of that subdirectory, traversal permission (SEARCH in Windows, EXECUTE in POSIX) on all of its parent directories. You can set the traverse permission in the “Everyone” group ACE at the share root and inherit this privilege to all subdirectories. For the SMB protocol, this permission is checked only if the bypassTraversalCheck configuration option is disabled.
  • Even though the underlying file system does not enforce the permissions for extended attributes (READ_NAMED and WRITE_NAMED), these permissions are enforced for SMB clients.
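The share-root, parent-directory and traverse requirements in the list above can be checked from ACL listings before a share is published. The following audit script is an added example, not part of the IBM documentation or of the product; it assumes the text layout that `mmgetacl -k nfs4` prints (an entry header such as `special:everyone@:r-x-:allow:FileInherit:DirInherit` followed by lines of `(X)`/`(-)` permission masks), and the listings embedded in it are constructed for the example rather than captured from a system. It applies NFSv4 first-match evaluation to the `everyone@` entries, requires READ/LIST, READ_ATTR and READ_NAMED on the share root, and EXEC/SEARCH plus READ_ATTR on every directory between the share root and the target, and skips the traverse requirement when the `bypass_traversal_check` argument models an enabled bypassTraversalCheck option.

```python
"""Audit NFSv4 ACL listings (mmgetacl -k nfs4 style text, assumed format)
for the share-root read and parent-directory traverse permissions that
SMB clients need. Example code; the sample listings are constructed."""
import posixpath
import re

# Share root must grant everyone@: read data, read attribute, read EA.
SHARE_ROOT_REQUIRED = {"READ/LIST", "READ_ATTR", "READ_NAMED"}
# Every parent directory must grant everyone@ traverse and read attribute.
PARENT_REQUIRED = {"EXEC/SEARCH", "READ_ATTR"}

# Entry header: kind:who:rwxc:allow|deny[:InheritFlag:...]
ENTRY_RE = re.compile(r"^(special|user|group):([^:]+):([rwxc-]{4}):(allow|deny)(?::(.*))?$")
# Mask fragments such as (X)READ/LIST or (-)WRITE_ACL
MASK_RE = re.compile(r"\(([X-])\)([A-Z_/]+)")


def parse_nfs4_acl(text):
    """Return ordered entries: dicts with who, type, flags and perms (set)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = ENTRY_RE.match(line)
        if header:
            _, who, _, acetype, flags = header.groups()
            entries.append({"who": who, "type": acetype,
                            "flags": {f for f in (flags or "").split(":") if f},
                            "perms": set()})
        elif entries:  # mask line: record every bit marked (X) on the last entry
            entries[-1]["perms"].update(name for on, name in MASK_RE.findall(line) if on == "X")
    return entries


def everyone_effective(entries):
    """First-match evaluation for everyone@: the first entry naming a bit
    decides it, so an earlier deny beats a later allow."""
    granted, decided = set(), set()
    for entry in entries:
        if entry["who"] != "everyone@":
            continue
        for perm in entry["perms"] - decided:
            decided.add(perm)
            if entry["type"] == "allow":
                granted.add(perm)
    return granted


def directories_between(share_root, target):
    """Share root down to the directory that contains target."""
    dirs, current = [], posixpath.dirname(target)
    while True:
        dirs.append(current)
        if current == share_root:
            return list(reversed(dirs))
        parent = posixpath.dirname(current)
        if parent == current:
            raise ValueError(f"{target} is not below {share_root}")
        current = parent


def audit(acl_texts, share_root, target, bypass_traversal_check=False):
    """Return findings (empty when every directory on the path is fine).
    acl_texts maps directory path -> ACL listing text."""
    findings = []
    for directory in directories_between(share_root, target):
        if directory not in acl_texts:
            findings.append(f"{directory}: no ACL listing available")
            continue
        granted = everyone_effective(parse_nfs4_acl(acl_texts[directory]))
        required = set(PARENT_REQUIRED)
        if bypass_traversal_check:  # SMB skips the traverse check in that mode
            required.discard("EXEC/SEARCH")
        if directory == share_root:
            required |= SHARE_ROOT_REQUIRED
        missing = sorted(required - granted)
        if missing:
            findings.append(f"{directory}: everyone@ lacks {', '.join(missing)}")
    return findings


# Constructed sample: the share root is fine, but the projects directory
# carries a deny entry that removes traverse for everyone@.
SAMPLE_ACLS = {
    "/gpfs/fs1/share": """#NFSv4 ACL
#owner:root
#group:root
special:owner@:rwxc:allow:FileInherit:DirInherit
 (X)READ/LIST (X)WRITE/CREATE (X)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (X)DELETE    (X)DELETE_CHILD (X)CHOWN        (X)EXEC/SEARCH (X)WRITE_ACL (X)WRITE_ATTR (X)WRITE_NAMED

special:everyone@:r-x-:allow:FileInherit:DirInherit
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
""",
    "/gpfs/fs1/share/projects": """#NFSv4 ACL
#owner:root
#group:root
special:everyone@:--x-:deny
 (-)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (-)SYNCHRONIZE (-)READ_ACL  (-)READ_ATTR  (-)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED

special:everyone@:r-x-:allow
 (X)READ/LIST (-)WRITE/CREATE (-)APPEND/MKDIR (X)SYNCHRONIZE (X)READ_ACL  (X)READ_ATTR  (X)READ_NAMED
 (-)DELETE    (-)DELETE_CHILD (-)CHOWN        (X)EXEC/SEARCH (-)WRITE_ACL (-)WRITE_ATTR (-)WRITE_NAMED
""",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACLS, "/gpfs/fs1/share", "/gpfs/fs1/share/projects/report.txt"):
        print(finding)
```

On a live system the `acl_texts` dictionary would be filled by running `mmgetacl -k nfs4` against each directory on the path; the evaluation only looks at `everyone@` entries, so a deny aimed at a single user or group is out of scope for this check and still needs review on its own.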

ACL limitations that are applicable to all protocols

The following limitations are applicable to all protocols:
  • When you create a file system, you need to specify -k nfs4 to use NFSv4 ACLs exclusively; otherwise, the default -k all allows both POSIX ACLs and NFSv4 ACLs.
  • IBM Storage Scale Object Storage does not share files with NFS and SMB.