Mailing List Archive: Netapp: toasters

Change UNIX security to NTFS - ACLs?



mcmorran at mdibl

Aug 1, 2007, 1:32 PM

Post #1 of 7 (4880 views)
Change UNIX security to NTFS - ACLs?

Hello all,
I have a qtree that I wish to change from UNIX security style to NTFS.
Experimenting on a test volume I've found that when I make the change
the ownerships of all the objects are preserved*, and appropriate ACLs
show up for the owners. However, Unix "group" and "other" privileges do
not seem to get translated to ACLs.

Before I can proceed I really need to find a way to duplicate the
group-based permissions that existed on the Unix side. I've started
hacking together a script using smbcacls (the ACL utility in Samba).
The idea is to set appropriate ACLs for specific groups and "Everyone"
based on what the Unix mode bits used to be. Still I wonder if there's
an easier way. Has anyone had a similar "challenge"?

*In our environment all Unix and Windows user IDs are identical. We use
an LDAP back end for Unix authentication and for our Samba-based domain
controller.

This is 7.2.1.1 on a FAS3020 in case it matters.

Thanks for any input.
--

Roy McMorran
Systems Administrator
MDI Biological Laboratory
mcmorran [at] mdibl


mcmorran at mdibl

Aug 10, 2007, 6:57 AM

Post #2 of 7 (4776 views)
Re: Change UNIX security to NTFS - ACLs? [In reply to]

-bump-

Anyone?

I've opened a case with NetApp; I'll summarize if I get anything
interesting.

Thanks,

--

Roy McMorran
Systems Administrator
MDI Biological Laboratory
mcmorran [at] mdibl


scl at sasha

Aug 10, 2007, 9:28 AM

Post #3 of 7 (4780 views)
Re: Change UNIX security to NTFS - ACLs? [In reply to]


I think you are going to want to set ACLs everywhere. As I understand
it, WAFL maintains two sets of file permissions for each file and folder:
Unix owner, group, permissions and Windows owner, group, ACLs.
When you change a qtree from Unix style security to NTFS style, you don't
have any NTFS ACLs set anywhere, so the filer "makes do" with the Unix
permissions (and you see "fake" ACL data generated from the Unix
permissions). As soon as you set an ACL, however, WAFL ignores the
Unix permissions (they are still there) and uses the ACL.
If you are going to use NTFS security style, then you really want to
set ACLs on everything or things can get pretty confusing.

You may be able to set everything up very nicely using the Windows
GUI and ACL inheritance.

At the top of your qtree, you might set an ACL that allows
full control to an admin group (or to individual users who
are admins) and read only access for everyone else.
Have this propagate everywhere, i.e., force inheritance of this
top level ACL. (This is essentially a chmod -R.) This will
set an ACL on everything and hide all of the old Unix permissions.

Now you can drop down to a sub folder that requires, say read/write
access for a group. The folder's ACL consists of inherited entries
from above. You can add an entry that allows read/write access to
the group. If "everyone" should not have read access, then you can
add an entry to deny this. Once you get the folder set up properly,
force inheritance on everything below.

Inheritance is nice because new files and folders inherit from
above (but only if you set up inheritance). Unix is sadly deficient
in this area. Even if you create a new file with NFS, it
inherits the Windows ACL, probably exactly what you want. (You
cannot manage permissions via NFS when using NTFS security style.)

When you start from scratch with an empty qtree and set up top
level folders for different groups, you usually set the ACLs by
hand with the Windows GUI and you get inheritance by default.
Everything works great.

But your problem is that you have a ton of existing stuff and so
you need to start at the top, set an ACL and force it upon everything
below. Then work your way down.

I hope this makes sense. Chances are if folks have been setting
Unix permissions, they have them all screwed up anyway.

If the GUI will be too cumbersome, you can script this. I recommend
the "fileacl" utility, which runs in a DOS (CLI) window.

http://www.gbordier.com/gbtools/fileacl.htm

Unlike the Windows cacls program, fileacl understands inheritance
and you can do anything with fileacl that you can do with the GUI.
Plus you can put a bunch of fileacl commands in a batch file and run
it from a DOS window. You could use Unix to write the batch file.

Steve Losen scl [at] virginia phone: 434-924-0640

University of Virginia ITC Unix Support
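Roy's smbcacls idea and Steve's suggestion to write the batch file from the Unix side, as an added example that is not code from either poster: this Python script maps each object's mode bits to owner, group and Everyone ACEs (directories with inheritance flags), flags modes where NTFS's accumulating ALLOWED entries would grant more than the Unix bits did, and emits one `smbcacls -S` line per object. The domain name `EXAMPLEDOM`, the share `//filer/projects` and the sample tree are constructed assumptions; the `ACL:<name>:ALLOWED/<flags>/<mask>` syntax is smbcacls' own.

```python
from __future__ import annotations
import shlex
import stat
from dataclasses import dataclass

DOMAIN = "EXAMPLEDOM"     # assumed NetBIOS name of the Samba domain
EVERYONE_SID = "S-1-1-0"  # well-known SID for Everyone
INHERIT = "0x3"           # OBJECT_INHERIT (0x1) | CONTAINER_INHERIT (0x2)

@dataclass
class Entry:
    path: str   # path relative to the share root
    mode: int   # st_mode as os.stat() reports it (constructed below)
    owner: str  # Unix user == Windows user, as in Roy's LDAP-backed setup
    group: str  # Unix group == Windows group

def mask_for(bits: int) -> str:
    """Map an rwx triplet (0..7) to smbcacls' letter mask; '' if no bits set."""
    return "".join(c for shift, c in ((2, "R"), (1, "W"), (0, "X")) if bits >> shift & 1)

def aces_for(entry: Entry) -> list[str]:
    """Owner, group and Everyone ACEs; directories get inheritance flags so
    objects created below them pick the ACL up (the point Steve makes)."""
    flags = INHERIT if stat.S_ISDIR(entry.mode) else "0x0"
    classes = [(f"{DOMAIN}\\{entry.owner}", entry.mode >> 6 & 7),
               (f"{DOMAIN}\\{entry.group}", entry.mode >> 3 & 7),
               (EVERYONE_SID, entry.mode & 7)]
    return [f"ACL:{who}:ALLOWED/{flags}/{mask_for(bits)}"
            for who, bits in classes if mask_for(bits)]

def widens_access(entry: Entry) -> bool:
    """Unix applies only the most specific class; NTFS accumulates ALLOWED entries,
    so a bit 'other' (or group) has that a more specific class lacks widens access."""
    owner, group, other = entry.mode >> 6 & 7, entry.mode >> 3 & 7, entry.mode & 7
    return bool(other & ~group) or bool((group | other) & ~owner)

def smbcacls_command(share: str, entry: Entry, user: str) -> str | None:
    """One call that replaces the whole ACL (-S), so the filer's placeholder
    ACL derived from the mode bits is gone and only these entries remain."""
    aces = aces_for(entry)
    if not aces:
        return None  # mode 000 grants nothing; leave it for manual review
    args = [share, entry.path, "-U", user, "-S", ",".join(aces)]
    return "smbcacls " + " ".join(shlex.quote(a) for a in args)

# Constructed sample tree, as os.walk()/os.stat() on the NFS mount would report it.
SAMPLE = [Entry("projects", 0o040775, "roy", "staff"),
          Entry("projects/notes.txt", 0o100640, "roy", "staff"),
          Entry("projects/run.sh", 0o100755, "roy", "staff")]
```

Run `widens_access` over the whole tree before converting: any entry it flags is one where group members or the owner would gain rights they did not have under Unix, which is worth a look before the ACL is set.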


neil at mbari

Aug 10, 2007, 1:48 PM

Post #4 of 7 (4764 views)
RE: Change UNIX security to NTFS - ACLs? [In reply to]

Just a heads up that I recently ran into a significant problem when I used ndmpcopy to migrate 30GB of files from a Unix qtree to an NTFS qtree.

After the copy was complete, I used the AD management tool to set the NTFS permissions. Everything was fine for CIFS clients, but NFS clients lost the execute bit on existing files. New files were assigned the correct Unix ACLs, but there was no way to set the execute bit on the existing files.

I worked with NetApp and we tried changing to Mixed mode and fixing the Unix ACLs with chmod and chown but nothing worked. We ended up changing the security style of the new qtree to Unix where chmod and chown worked as expected. I'm still working with NetApp to try and figure out what happened.

Neil



mcmorran at mdibl

Aug 14, 2007, 7:45 AM

Post #5 of 7 (4748 views)
Re: Change UNIX security to NTFS - ACLs? [In reply to]

Stephen C. Losen wrote:
>> Roy McMorran wrote:
>>
>>> Before I can proceed I really need to find a way to duplicate the
>>> group-based permissions that existed on the Unix side. I've started
>>> hacking together a script using smbcacls (the ACL utility in Samba).
>>> The idea is to set appropriate ACLs for specific groups and "Everyone"
>>> based on what the Unix mode bits used to be.
>>> Still I wonder if there's an easier way. Has anyone had a similar
>>> "challenge"?
>>>
>
> At the top of your qtree, you might set an ACL that allows
> full control to an admin group (or to individual users who
> are admins) and read only access for everyone else.
> Have this propagate everywhere i.e., force inheritance of this
> top level ACL. (This is essentially a chmod -R.) This will
> set an ACL on everything and hide all of the old Unix permissions.
>
>
Thanks for the reply Steve.

> When you start from scratch with an empty qtree and set up top
> level folders for different groups, you usually set the ACLs by
> hand with the Windows GUI and you get inheritance by default.
> Everything works great.
>
...
> I hope this makes sense. Chances are if folks have been setting
> Unix permissions, they have them all screwed up anyway.
>
It does.

This qtree started life as a Samba share on a Unix filesystem, so Unix
permissions were all we had. When we migrated to the NetApp we kept the
UNIX security style for the sake of simplicity, and it's worked well.
However, the "user-group-other" model is showing signs of strain - I
have many users that belong to 16 groups (the limit, in general) and I
need more flexibility. ACLs are definitely the way to go.

> But your problem is that you have a ton of existing stuff
Exactly!
> and so
> you need to start at the top, set an ACL and force it upon everything
> below. Then work your way down.
>
> If the GUI will be too cumbersome, you can script this. I recommend
> the "fileacl" utility, which runs in a DOS (CLI) window.
>
> http://www.gbordier.com/gbtools/fileacl.htm
>
This sounds useful, and I hadn't heard of that utility. I've also
looked at setacl ( http://setacl.sourceforge.net/ ) and smbcacls (part
of Samba).

> Unlike the Windows cacls program, fileacl understands inheritance
> and you can do anything with fileacl that you can do with the GUI.
> Plus you can put a bunch of fileacl commands in a batch file and run
> it from a DOS window. You could use Unix to write the batch file.
>
Yes, that's the idea I had in mind. I like the idea of using
inheritance as opposed to setting an ACL on each and every object (which
my original script tried to do).

Thanks for the information. Best wishes,

-r
--

Roy McMorran
Systems Administrator
MDI Biological Laboratory
mcmorran [at] mdibl


mcmorran at mdibl

Aug 14, 2007, 7:51 AM

Post #6 of 7 (4745 views)
Re: Change UNIX security to NTFS - ACLs? [In reply to]

Conner, Neil wrote:
> Just a heads up that I recently ran into a significant problem when I used ndmpcopy to migrate 30GB of files from a Unix qtree to an NTFS qtree.
>
Hi Neil,

Thanks for the warning. I do have a handful of files that are accessed
via NFS and need to remain executable. Does this *only* happen if you
use ndmpcopy (I wasn't planning to), or is it a general CIFS vs. NFS issue?

Thanks and best wishes,
-r
--

Roy McMorran
Systems Administrator
MDI Biological Laboratory
mcmorran [at] mdibl


neil at mbari

Aug 14, 2007, 1:01 PM

Post #7 of 7 (4748 views)
RE: Change UNIX security to NTFS - ACLs? [In reply to]

I don't know. NetApp was surprised it happened at all, but the finger is pointed at ndmpcopy until I can find the time to either reproduce the condition or not.

The recommendation was to ndmpcopy to the same style qtree, then change the style.

Neil

