Hi:
SMB ACL changes in Linux are creating more Fpolicy events than in Windows.
- Steps to reproduce:
An SMB share is mounted in Linux and Windows.
If a permission is changed in Linux CentOS 7.x version, fpolicy sends 4 messages on giving permission to a new user in a folder.
If a permission is changed in Windows 2016 server, fpolicy sends 1 message on giving permission to a new user in a folder.
A video link has been pasted below.
- Ontap details below:
- Video of a similar operation that was tried out:
The events below were not captured while this video was being recorded.
But a similar operation was done and the events were captured in an external Fpolicy server.
- See the video on the ACL change done in Linux; we get the following events:
The ones below are from a few minutes before (whatever Kai tried via the Linux client)
<?xml version="1.0" encoding="UTF-8"?>
<FscreenReq>
<ReqId>124359556</ReqId>
<ReqType>SMB_SET_ATTR</ReqType>
<NotfInfo>
<SmbSetAttrReq>
<CommonInfo>
<ProtCommonInfo>
<ClientIp>10.197.144.115</ClientIp>
<GenerationTime>1587633146015785</GenerationTime>
<UsrIdType>MAPPED_ID</UsrIdType>
<UsrContext>
<MappedId>
<Uid>65534</Uid>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</MappedId>
</UsrContext>
<FileOwner>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</FileOwner>
<AccessPath>
<Path>
<PathNameType>WIN_NAME</PathNameType>
<PathName>\HR\Zayyan_Maxwell.xlsx</PathName>
</Path>
<Path>
<PathNameType>UNIX_NAME</PathNameType>
<PathName>/HR/Zayyan_Maxwell.xlsx</PathName>
</Path>
</AccessPath>
<VolMsid>2147554766</VolMsid>
<FileSize>0</FileSize>
<NumHardLnk>1</NumHardLnk>
<IsOfflineAttr>0</IsOfflineAttr>
<FileType>FILE</FileType>
<IsSparse>0</IsSparse>
<IsDense>0</IsDense>
</ProtCommonInfo>
<DisplayPath>\\DMOGRPSHR02\ENG\HR\Zayyan_Maxwell.xlsx</DisplayPath>
<ProtVer>
<MajorNum>3</MajorNum>
<MinorNum>1</MinorNum>
</ProtVer>
</CommonInfo>
<SetAttrChangeAttr>11</SetAttrChangeAttr>
<SetAttrNewOwner>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</SetAttrNewOwner>
<SetAttrNewGroup>
<WinSid>S-1-5-21-3647202927-612482006-490203858-513</WinSid>
</SetAttrNewGroup>
<SetAttrMode>0</SetAttrMode>
</SmbSetAttrReq>
</NotfInfo>
</FscreenReq>
<?xml version="1.0" encoding="UTF-8"?>
<FscreenReq>
<ReqId>84748357</ReqId>
<ReqType>SMB_SET_ATTR</ReqType>
<NotfInfo>
<SmbSetAttrReq>
<CommonInfo>
<ProtCommonInfo>
<ClientIp>10.197.144.115</ClientIp>
<GenerationTime>1587633120980839</GenerationTime>
<UsrIdType>MAPPED_ID</UsrIdType>
<UsrContext>
<MappedId>
<Uid>65534</Uid>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</MappedId>
</UsrContext>
<FileOwner>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1615</WinSid>
</FileOwner>
<AccessPath>
<Path>
<PathNameType>WIN_NAME</PathNameType>
<PathName>\HR\Zayyan_Maxwell.xlsx</PathName>
</Path>
<Path>
<PathNameType>UNIX_NAME</PathNameType>
<PathName>/HR/Zayyan_Maxwell.xlsx</PathName>
</Path>
</AccessPath>
<VolMsid>2147554766</VolMsid>
<FileSize>0</FileSize>
<NumHardLnk>1</NumHardLnk>
<IsOfflineAttr>0</IsOfflineAttr>
<FileType>FILE</FileType>
<IsSparse>0</IsSparse>
<IsDense>0</IsDense>
</ProtCommonInfo>
<DisplayPath>\\DMOGRPSHR02\ENG\HR\Zayyan_Maxwell.xlsx</DisplayPath>
<ProtVer>
<MajorNum>3</MajorNum>
<MinorNum>1</MinorNum>
</ProtVer>
</CommonInfo>
<SetAttrChangeAttr>1</SetAttrChangeAttr>
<SetAttrNewOwner>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</SetAttrNewOwner>
<SetAttrMode>0</SetAttrMode>
</SmbSetAttrReq>
</NotfInfo>
</FscreenReq>
- See the video for the ACL change done in Windows; we get the following events:
<?xml version="1.0" encoding="UTF-8"?>
<FscreenReq>
<ReqId>124468100</ReqId>
<ReqType>SMB_SET_ATTR</ReqType>
<NotfInfo>
<SmbSetAttrReq>
<CommonInfo>
<ProtCommonInfo>
<ClientIp>10.197.144.154</ClientIp>
<GenerationTime>1587633548694627</GenerationTime>
<UsrIdType>MAPPED_ID</UsrIdType>
<UsrContext>
<MappedId>
<Uid>0</Uid>
<WinSid>S-1-5-21-3647202927-612482006-490203858-500</WinSid>
</MappedId>
</UsrContext>
<FileOwner>
<WinSid>S-1-5-21-3647202927-612482006-490203858-1616</WinSid>
</FileOwner>
<AccessPath>
<Path>
<PathNameType>WIN_NAME</PathNameType>
<PathName>\HR\Zayyan_Maxwell.xlsx</PathName>
</Path>
<Path>
<PathNameType>UNIX_NAME</PathNameType>
<PathName>/HR/Zayyan_Maxwell.xlsx</PathName>
</Path>
</AccessPath>
<VolMsid>2147554766</VolMsid>
<FileSize>0</FileSize>
<NumHardLnk>1</NumHardLnk>
<IsOfflineAttr>0</IsOfflineAttr>
<FileType>FILE</FileType>
<IsSparse>0</IsSparse>
<IsDense>0</IsDense>
</ProtCommonInfo>
<DisplayPath>\\DMOGRPSHR02\ENG\HR\Zayyan_Maxwell.xlsx</DisplayPath>
<ProtVer>
<MajorNum>3</MajorNum>
<MinorNum>1</MinorNum>
</ProtVer>
</CommonInfo>
<SetAttrChangeAttr>8</SetAttrChangeAttr>
<SetAttrMode>0</SetAttrMode>
</SmbSetAttrReq>
</NotfInfo>
</FscreenReq>
Regards,
Abhi
+91-9845515269
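Added example, not part of the original post and not NetApp code: one way an external FPolicy server could collapse a burst of SMB_SET_ATTR notifications for the same client and path into one logical permission change, so that audit counts match between Linux and Windows clients. It assumes GenerationTime is in microseconds and uses an arbitrary 60-second window; `parse_stream` and `coalesce` are hypothetical names, and the sample is constructed from values in the post, trimmed to the fields used.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: trimmed to the fields used below; values copied from the post.
_T = ('<?xml version="1.0" encoding="UTF-8"?><FscreenReq><ReqId>{}</ReqId>'
      '<ReqType>SMB_SET_ATTR</ReqType><NotfInfo><SmbSetAttrReq><CommonInfo>'
      '<ProtCommonInfo><ClientIp>{}</ClientIp><GenerationTime>{}</GenerationTime>'
      '<AccessPath><Path><PathNameType>UNIX_NAME</PathNameType>'
      '<PathName>/HR/Zayyan_Maxwell.xlsx</PathName></Path></AccessPath>'
      '</ProtCommonInfo></CommonInfo><SetAttrChangeAttr>{}</SetAttrChangeAttr>'
      '</SmbSetAttrReq></NotfInfo></FscreenReq>')
SAMPLE = "".join(_T.format(*row) for row in [
    (124359556, "10.197.144.115", 1587633146015785, 11),
    (84748357, "10.197.144.115", 1587633120980839, 1),
    (124468100, "10.197.144.154", 1587633548694627, 8)])

def parse_stream(stream):
    """Split back-to-back XML documents at each declaration and parse them."""
    events = []
    for doc in re.findall(r"<\?xml\b.*?(?=<\?xml\b|\Z)", stream, re.S):
        if "<!DOCTYPE" in doc or "<!ENTITY" in doc:
            raise ValueError("unexpected DTD in notification")
        root = ET.fromstring(doc.encode("utf-8"))
        path = next((p.findtext("PathName") for p in root.iter("Path")
                     if p.findtext("PathNameType") == "UNIX_NAME"), None)
        events.append({
            "req_type": root.findtext("ReqType"),
            "client_ip": root.findtext(".//ClientIp"),
            "ts": int(root.findtext(".//GenerationTime")),  # assumed microseconds
            "path": path,
            "change_attr": int(root.findtext(".//SetAttrChangeAttr")),
        })
    return events

def coalesce(events, window=60_000_000):
    """Group events sharing (client, path, type) whose gaps are <= window."""
    groups, last = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["client_ip"], ev["path"], ev["req_type"])
        grp = last.get(key)
        if grp and ev["ts"] - grp[-1]["ts"] <= window:
            grp.append(ev)
        else:
            last[key] = grp = [ev]
            groups.append(grp)
    return groups

if __name__ == "__main__":
    for g in coalesce(parse_stream(SAMPLE)):
        print(g[0]["client_ip"], g[0]["path"], [e["change_attr"] for e in g])
```

Each group keeps the raw SetAttrChangeAttr values of its members, so the individual notifications remain available for review after coalescing.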