Usermapper and Unix Everyone else

Let's try this again.  I have a directory structure shared out via a NFS export and a SMB share.   I have two different authentication providers on the zone (Unix LDAP and Windows Active Directory). The providers are independent of the other, only the user ids match, so I have a mapping rule setup that matches ID from each to create the local mapping token.    

My issues:  When a unix admin changes the permissions of a file from the unix side (chmod 775 or 777),  from the windows side the Domain Users group is added and now has either change or full access depending on the "everyone else" permission set from the unix side.    I am trying to determine how to squash the mapping. between "everyone else" and Domain users.   

Hi,

Thank you for your question. What are you looking for help with in the situation? This might help. https://dell.to/3BvHqIj

Let us know if you have any additional questions.

There might be something in here that is helpful. https://dell.to/3o49Upo It goes through all of the options for mapping.

> Thus opening the data up to pretty much everyone in the environment.

That's what chmod 777 is supposed to accomplish... 

I assume your situation is that there are much less Unix users than Windows users? So you wish that 777 affects exactly those few Unix users, but not the "Windows only"users.

Let's keep in mind that the mapping rule is symmetric and has no "idea" wether both sides fully match across the board, or wether one side is only a smaller subset of the other. So "everyone" can implicitly mean very different sets of users. Which means you can't simply, with a single chmod 777, achieve what you have in mind.

A solution might include creating a special group for the Unix users and a corresponding mapped group in AD, and then: chgrp unixers file; chmod 770 file. Probably wrapped together in a tiny script...

Peter, I am not trying to chmod mod anything, I am trying to prevent it from being a security risk.

You are correct the 775/777 is doing exactly what is supposed to do.... but in a Unix host everyone else is only everyone else that can access that host.   With the syntactic ACLS from Powerscale, when the chmod 775 is run on a directory\file I am seeing everyone allow XXXX being added to the ACL.  No big deal, but since this is shared out between NFS and SMB shares and the multi authentication providers everyone is mapped to the AD group Domain users.  

That mapping is what I am trying to remove.  I have attempted to educate our admins not to run chmod and to request permissions changes from our security group to correct access issues, but it doesn't work, they do it anyway.   So, I am looking for a way to at least keep the data from being made to available to every member of our Active directory. 

I can't see an obvious way to change how the synthetic ACLs are generated (on the fly). Things are convoluted -- have you seen this whitepaper on OneFS ACLs ? Maybe some clever combination of settings will do it, or give rise to some acceptable alternate solution, but frankly I doubt it.