Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: Netapp: toasters

Need Advice for changing qtree from Unix to NTFS security style

 

 

Netapp toasters RSS feed   Index | Next | Previous | View Threaded


scl at sasha

Sep 15, 2006, 4:58 AM

Post #1 of 3 (2508 views)
Permalink
Need Advice for changing qtree from Unix to NTFS security style

We have a filer that serves files in a qtree with both NFS and CIFS.

The file security style is currently Unix.

The qtree has about 7000 files using about 150G.

CIFS authentication is done via a Windows DC and we have a Unix
passwd NIS map for converting the Windows users to Unix users.

There are over 100 folks using this share. Each one owns a directory
(not a home directory -- just storage) and each one wants to be able
to grant some of the 100 other users access to their folder. Plus
they have an admin who needs to be able to manipulate access rights
on everything.

Obviously Unix security style isn't going to cut it. So we want to
switch the qtree to NTFS security style.

We switched a test qtree from Unix to NTFS style and discovered that no
one (not even a Windows user with admin privs in the domain) has "modify"
or "full control" rights on any file or folder that already exists. So
it looks like we can't change the ACLs on anything that already exists.
If a Windows user creates a new folder or file, then he has the ability
to change the ACL.

Has anyone else switched a qtree from Unix to NTFS style? Is there
anything we can do either before or after we switch the security
style to make it possible to set ACLs on files that already exist?

I didn't try logging in to CIFS as a local filer user. Is that the
secret?

I suppose we could create a new empty qtree with NTFS style and
copy the files from the old qtree to the new one. But I would
really like to avoid that if possible.


Steve Losen scl [at] virginia phone: 434-924-0640

University of Virginia ITC Unix Support


tmacmd at gmail

Sep 15, 2006, 6:21 AM

Post #2 of 3 (2435 views)
Permalink
Re: Need Advice for changing qtree from Unix to NTFS security style [In reply to]

If I recall, you must be a domain user to set ACL's on a CIFS share so
any local account probably won't work.

Why not get a hold of something like setacl:
http://setacl.sourceforge.net/



On 9/15/06, Stephen C. Losen <scl [at] sasha> wrote:
>
>
> We have a filer that serves files in a qtree with both NFS and CIFS.
>
> The file security style is currently Unix.
>
> The qtree has about 7000 files using about 150G.
>
> CIFS authentication is done via a Windows DC and we have a Unix
> passwd NIS map for converting the Windows users to Unix users.
>
> There are over 100 folks using this share. Each one owns a directory
> (not a home directory -- just storage) and each one wants to be able
> to grant some of the 100 other users access to their folder. Plus
> they have an admin who needs to be able to manipulate access rights
> on everything.
>
> Obviously Unix security style isn't going to cut it. So we want to
> switch the qtree to NTFS security style.
>
> We switched a test qtree from Unix to NTFS style and discovered that no
> one (not even a Windows user with admin privs in the domain) has "modify"
> or "full control" rights on any file or folder that already exists. So
> it looks like we can't change the ACLs on anything that already exists.
> If a Windows user creates a new folder or file, then he has the ability
> to change the ACL.
>
> Has anyone else switched a qtree from Unix to NTFS style? Is there
> anything we can do either before or after we switch the security
> style to make it possible to set ACLs on files that already exist?
>
> I didn't try logging in to CIFS as a local filer user. Is that the
> secret?
>
> I suppose we could create a new empty qtree with NTFS style and
> copy the files from the old qtree to the new one. But I would
> really like to avoid that if possible.
>
>
> Steve Losen scl [at] virginia phone: 434-924-0640
>
> University of Virginia ITC Unix Support
>
>
>


--
--tmac


scl at sasha

Sep 15, 2006, 6:30 AM

Post #3 of 3 (2422 views)
Permalink
Re: Need Advice for changing qtree from Unix to NTFS security style [In reply to]

> If I recall, you must be a domain user to set ACL's on a CIFS share so
> any local account probably won't work.
>
> Why not get a hold of something like setacl:
> http://setacl.sourceforge.net/
>

After a little more playing, it looks like I can connect with CIFS
to the share using our filer's local "administrator" account and can
set ACLs to my heart's content.


Steve Losen scl [at] virginia phone: 434-924-0640

University of Virginia ITC Unix Support

Netapp toasters RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.