Sun Microsystems 5310 NAS Server User Manual


 
Chapter 1 Troubleshooting Overview 1-13
Cacls
For issues with access to a file or directory, collect the output of the cacls command.
This command is available from the CLI. At the CLI, enter “cacls <full pathname>”.
The full pathname should begin with the volume name, as in this example: “cacls
/vol1/testfile.txt”.
Cacls output contains the following information:
First, the basic mode information and the UID/GID of the owner are displayed. Here is
an example:
drwxrw---- 34 22 /vol1/data
In this case, we can see that the item is a directory, with 750 permissions:
Read/write/execute (7) for the owner (UID 34), Read/write for members of the
owner’s group (GID 22), and no permissions (0) for everyone else.
Listed next are Creation time, FS Creation time, and FS mtime. These are timestamps
associated with the file and the filesystem, generally only useful for troubleshooting
timestamp issues.
Next is the Windows security descriptor. In its simplest form, it will read “No
security descriptor”. This means that no Windows security is present, and that
Windows will simulate security based on the above NFS permissions.
If a Windows security descriptor is present, the following information is displayed:
Security Descriptor: The type of security descriptor. This can be disregarded.
Owner: The user name or SID of the owner.
Primary Group: The group name or SID of the group owner.
Discretionary Access Control List (DACL): A list of users who have access to the
file, by SID.
A SID is a number that uniquely identifies a user or group. The data to the right of
the final dash identifies the user within the domain; the rest of the number indicates
domain and type of account information. This user information is known as the RID
(relative ID). The RID is the number used for user mapping. It can be
cross-referenced with the StorEdge user or group mapping data to determine the
user/group name and NFS UID/GID.
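The RID lookup described above, as an added example that is not part of the manual: it splits a SID from the DACL at the final dash and cross-references the RID against a mapping table. The SID values, the table contents and the function names are constructed for illustration, and the S-1-5-21 check reflects the standard Windows SID layout rather than anything stated in the manual.

```python
import re

# Constructed sample data (not from the manual): RID -> (name, NFS UID),
# as it might be transcribed by hand from the StorEdge user mapping data.
SAMPLE_USER_MAP = {1105: ("jsmith", 34), 1130: ("backup", 501)}

# S-1-<identifier authority>-<one or more sub-authorities>
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$", re.IGNORECASE)


def split_sid(sid):
    """Split a SID string into (authority, domain_part, rid).

    domain_part is everything left of the final dash; rid is the number
    to the right of it.
    """
    sid = sid.strip()
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    domain_part, _, rid = sid.rpartition("-")
    return int(m.group(1)), domain_part, int(rid)


def is_domain_account(sid):
    """True for S-1-5-21-<three domain sub-authorities>-<RID> SIDs.

    Well-known SIDs such as S-1-1-0 (Everyone) or S-1-5-32-544 (BUILTIN
    Administrators) also end in a number, but that number is not a
    per-domain RID and must not be looked up in the user map.
    """
    parts = sid.strip().upper().split("-")
    return len(parts) == 8 and parts[:4] == ["S", "1", "5", "21"]


def resolve(sid, user_map):
    """Return (rid, name, uid) for a domain account SID.

    name and uid are None when the RID has no mapping entry; the whole
    result is None for well-known (non-domain) SIDs.
    """
    _, _, rid = split_sid(sid)
    if not is_domain_account(sid):
        return None
    name, uid = user_map.get(rid, (None, None))
    return rid, name, uid
```

A DACL entry that resolves to `(rid, None, None)` points to a user with no mapping entry, which is worth checking first when an SMB user is denied access that the NFS permissions would allow.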
User access token
For issues with the access of a particular user, it may be useful to capture the access
token. The access token identifies an SMB user along with other details such as
domain and group memberships. See the instructions under /proc filesystem. This
item is particularly useful when the issue involves group membership. Note that this
data is only useful for SMB issues.