5.6.x HP X9000 Series Network Storage System Installation Guide (TA768-96056, December 2011)

ACEs can be explicit or inherited. An explicit ACE is assigned directly to the object by the owner
or an administrator, while an inherited ACE is inherited from the parent directory. ACEs are
governed by the following precedence rules:
• An explicit deny ACE overrides an explicit allow ACE, and an inherited deny ACE overrides
  an inherited allow ACE. For example, if an explicit allow ACE grants a user read-write
  permission, but an explicit deny ACE denies the same user write permission, the effective
  permission for this user is read-only.
• An explicit ACE overrides an inherited ACE. For example, if an explicit allow ACE grants the
  user read-write permission and an inherited deny ACE denies this same user write permission,
  the resulting permission for this user is still read-write.
An ACL that is assigned to a file created by X9000 Software defines up to three special explicit
allow ACEs derived from the file mask, in addition to any other explicit and inherited ACEs the
file might have.

Linux mode mask and special ACEs mapping

The X9000 client maps the mode mask for a file to a set of up to three special explicit allow ACEs,
as shown in the following table. The first ACE is for the Windows user that corresponds to the file
UID, the second ACE is for the Windows group that corresponds to the file GID, and the third ACE
is for the built-in Windows group Everyone, which corresponds to the file's Other class of user.
Windows account         Linux class
Owner special ACE       Owner (owning user)
Group special ACE       Group (owning group)
Everyone special ACE    Other
The permissions for each special ACE are set according to the bits in each category. If all bits in
some categories are cleared, no corresponding special ACE is added to the file ACL, and no
explicit deny ACE is generated.

User mapping

Owner mapping. Each file and directory in Linux has a UID that defines its owner and should be
mapped to a corresponding Windows user. See “Configuring groups and users on the Active
Directory server” (page 53).
If the user mapping can be resolved, this user is designated as the owner in the Owner special
ACE, and is displayed as the owner of the file. If the user mapping cannot be resolved, an
unknown Windows user is used instead. The unknown user must be defined on the management
console.
Group mapping. Each file and directory in Linux has a GID that defines its owner group, with
access rights as specified by the mode mask. A Windows group can be mapped to a corresponding
Linux GID.
If the mapping can be resolved, this group is designated as the owning group in the Group special
ACE. If the mapping cannot be resolved, the Group special ACE is not added to the file ACL.
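
The mapping rules above (mode mask to special ACEs, plus the owner and group fallbacks) as a runnable sketch. This is an added example, not HP X9000 code; the function names, the UNKNOWN_USER placeholder, the sample accounts and the r/w/x permission letters are assumptions made for illustration.

```python
# Added illustration; not HP X9000 code. Names and sample mappings are constructed.
import stat

UNKNOWN_USER = "UNKNOWN_USER"  # placeholder for the "unknown Windows user"

def perms(mode, r, w, x):
    """Return the permission letters set for one class of the mode mask."""
    return "".join(c for c, bit in (("r", r), ("w", w), ("x", x)) if mode & bit)

def special_aces(mode, uid, gid, user_map, group_map):
    """Derive up to three special explicit allow ACEs from a Linux mode mask."""
    aces = []
    owner = perms(mode, stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR)
    if owner:
        # Unresolved UID: the unknown Windows user stands in as owner.
        aces.append(("Owner", user_map.get(uid, UNKNOWN_USER), owner))
    group = perms(mode, stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP)
    if group and gid in group_map:
        # Unresolved GID: no Group special ACE is added at all.
        aces.append(("Group", group_map[gid], group))
    other = perms(mode, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
    if other:
        # Other bits always map to the built-in Everyone group.
        aces.append(("Everyone", "Everyone", other))
    return aces

# Constructed sample mappings (Linux ID -> Windows account)
USERS = {1001: "EXAMPLE\\alice"}
GROUPS = {2001: "EXAMPLE\\storage-admins"}

if __name__ == "__main__":
    for mode, uid, gid in ((0o640, 1001, 2001), (0o664, 4242, 9999), (0o700, 1001, 2001)):
        print(oct(mode), special_aces(mode, uid, gid, USERS, GROUPS))
```

A mode with any Other bit set always yields an Everyone ACE, so reviewing mode masks on the Linux side is also a review of what the built-in Everyone group can do from Windows.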

Mapping ACLs to mode masks

If a special ACE is modified by the Windows client, the corresponding bits in the file mode mask
are updated. Likewise, if the mode mask is modified by the Linux client, the corresponding permission
in the special ACEs is updated.
Inherited ACEs do not affect the file mode mask; only special ACEs do. For example, if you
have a special ACE for Everyone with read permission, and an inherited ACE for Everyone with