Config (.cfg) File Options

The StorNext config file contains the following options that relate directly or indirectly to security or permissions:

Parameter Description
GlobalSuperUser

Defines whether or not the global super user (root) has privileges on the file system. It allows the administrator to decide if any user with super-user privileges may use those privileges on the file system. When this variable is set to “Yes”, any super-user has global access rights on the file system. This may be equated to the maproot=0 directive in NFS. When the GlobalSuperUser variable is set to “No”, a super-user may modify files only where he has access rights as a normal user. This value may be modified for existing file systems.

Quotas

Has an indirect relationship with security in that it requires a Windows Security Descriptor (SD) to track the owner of a file to correctly maintain their quota allotment. Currently quotas in StorNext File System-only systems work correctly in either all-Windows or all-non-Windows environments. This is because of the way quotas are tracked; when the meta-data server is deciding how an allocation should be charged, it uses either the SD, if one exists, or the UID/GID.

Files created on Windows with WindowsSecurity ON always have an SD. Files created on non-Windows never have an SD. If a file that was created and allocated on a non-Windows platform is simply viewed on Windows, it gets assigned an SD as described above. At that point the quota will be wrong. Subsequent allocations of that file will be charged to the SD and not the UID/GID.

To fix this problem, the UID/GID “space” and SD “space” must be consolidated into one “space”.

Note: Quotas can only be enabled or disabled by modifying the Quotas parameter of the file system configuration file. The CLI snquota -L -F file-system command informs you whether the file system has quotas enabled.

UnixDirectoryCreationModeOnWindows

Controls which initial permissions directories have. Typically this is set to 755, but might be set to 700 to prevent access by anyone other than the owner on Unix systems, and on Windows require the use of ACLs to allow the directory to be accessed by anyone other than the owner.

UnixFileCreationModeOnWindows

Controls which initial permissions files have. Typically this is set to 644, but might be set to 600 to prevent access by anyone other than the owner on Unix systems, and on Windows require the use of ACLs to allow the file to be accessed by anyone other than the owner.

UnixIdFabricationOnWindows

Prevents (when set to “no”) or allows (when set to “yes”) fabricating a UID/GID for a GUID returned from a Microsoft Active Directory Server. When set to “yes”, the client overrides any UID/GID for that user, and instead fabricates its own UID/GID. Typically this setting is only set to “yes” if you have a Mac OS MDC.

UnixNobodyGidOnWindows/UnixNobodyUidOnWindows

Instructs the client to use this ID on Windows if an ID can't be found using Microsoft Active Directory.

WindowsSecurity

Enables or disables using Windows ACLs on Windows clients. Once turned on (provided a Windows security descriptor is created), it is always on, even if the .cfg is changed to “off”. In a Unix/Windows environment, if there isn't a specific Windows-User-to-Unix-User mapping, files created on Windows will be owned by “nobody” on Unix clients.
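
The following review script is an added example, not part of the StorNext documentation or product. It reads the options described above from a configuration file and lists the settings that widen access or affect quota accounting. The one-pair-per-line "Name Value" layout with "#" comments, the accepted "yes/on/true" spellings, and the sample values are assumptions made for illustration.

```python
import re

# Constructed sample. Assumed layout: one "Name Value" pair per line, "#" comments.
SAMPLE_CFG = """\
# Globals section (constructed for illustration)
GlobalSuperUser Yes
Quotas Yes
WindowsSecurity Yes
UnixDirectoryCreationModeOnWindows 0755
UnixFileCreationModeOnWindows 0644
UnixIdFabricationOnWindows no
"""

def parse_cfg(text):
    """Collect simple 'Name Value' lines into a dict; other lines are skipped."""
    opts = {}
    for raw in text.splitlines():
        m = re.match(r"^(\w+)\s+(\S+)$", raw.split("#", 1)[0].strip())
        if m:
            opts[m.group(1)] = m.group(2)
    return opts

def enabled(opts, name):
    # Absent options are not judged: the page does not state defaults.
    return opts.get(name, "").lower() in ("yes", "on", "true")

def audit(opts):
    """Return (option, note) pairs for settings that deserve a review."""
    out = []
    if enabled(opts, "GlobalSuperUser"):
        out.append(("GlobalSuperUser", "any client super-user has global access (like NFS maproot=0)"))
    for name in ("UnixDirectoryCreationModeOnWindows", "UnixFileCreationModeOnWindows"):
        value = opts.get(name)
        if value is None:
            continue
        if not re.fullmatch(r"[0-7]{3,4}", value):
            out.append((name, f"unparsable mode {value!r}"))
        elif int(value, 8) & 0o077:
            out.append((name, f"mode {value} grants group/other access; 700/600 restricts to owner"))
    if enabled(opts, "Quotas") and enabled(opts, "WindowsSecurity"):
        out.append(("Quotas", "in mixed Windows/non-Windows use, charging can move from UID/GID to the SD"))
    if enabled(opts, "UnixIdFabricationOnWindows"):
        out.append(("UnixIdFabricationOnWindows", "clients override directory UID/GID with fabricated IDs"))
    return out

if __name__ == "__main__":
    for option, note in audit(parse_cfg(SAMPLE_CFG)):
        print(f"[review] {option}: {note}")
```

Each finding is a prompt for review rather than a verdict: 755/644 and GlobalSuperUser “Yes” are settings the descriptions above treat as typical or permitted.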