neil at mbari
Aug 10, 2007, 1:48 PM
Post #4 of 7
Just a heads up that I recently ran into a significant problem when I used ndmpcopy to migrate 30GB of files from a Unix qtree to an NTFS qtree.
After the copy was complete, I used the AD management tool to set the NTFS permissions. Everything was fine for CIFS clients, but NFS clients lost the execute bit on existing files. New files were assigned the correct Unix ACLs, but there was no way to set the execute bit on the exiting files.
I worked with NetApp and we tried changing to Mixed mode and fixing the Unix ACLs with chmod and chown but nothing worked. We ended up changing the security style of the new qtree to Unix where chmod and chown worked as expected. I'm still working with NetApp to try and figure out what happened.
From: owner-toasters [at] mathworks [mailto:owner-toasters [at] mathworks] On Behalf Of Stephen C. Losen
Sent: Friday, August 10, 2007 9:29 AM
To: Roy McMorran
Cc: toasters [at] mathworks
Subject: Re: Change UNIX security to NTFS - ACLs?
> Roy McMorran wrote:
> > Hello all,
> > I have a qtree that I wish to change from UNIX security style to
> > NTFS. Experimenting on a test volume I've found that when I make the
> > change the ownerships of all the objects are preserved*, and
> > appropriate ACLs show up for the owners. However, Unix "group" and
> > "other" privileges do not seem to get translated to ACLs.
> > Before I can proceed I really need to find a way to duplicate the
> > group-based permissions that existed on the Unix side. I've started
> > hacking together a script using smbcacls (the ACL utility in Samba).
> > The idea is to set appropriate ACLs for specific groups and "Everyone"
> > based on what the Unix mode bits used to be.
> > Still I wonder if there's an easier way. Has anyone had a similar
> > "challenge"?
> > *In our environment all Unix and Windows user IDs are identical. We
> > use an LDAP back end for Unix authentication and for our Samba-based
> > domain controller.
> > This is 18.104.22.168 on a FAS3020 in case it matters.
> > Thanks for any input.
> I've opened a case with NetApp; I'll summarize if I get anything
I think you are going to want to set ACLs everywhere. As I understand
it, WAFL maintains two sets of file permissions for each file and folder:
Unix owner, group, permissions and Windows owner, group, ACLs.
When you change a qtree from Unix style security to NTFS style, you don't
have any NTFS ACLs set anywhere, so the filer "makes do" with the Unix
permissions (and you see "fake" ACL data generated from the Unix
permissions). As soon as you set an ACL, however, WAFL ignores the
Unix permissions (they are still there) and uses the ACL.
If you are going to use NTFS security style, then you really want to
set ACLs on everything or things can get pretty confusing.
You may be able to set everything up very nicely using the Windows
GUI and ACL inheritance.
At the top of your qtree, you might set an ACL that allows
full control to an admin group (or to individual users who
are admins) and read only access for everyone else.
Have this propagate everywhere i.e., force inheritance of this
top level ACL. (This is essentially a chmod -R.) This will
set an ACL on everything and hide all of the old Unix permissions.
Now you can drop down to a sub folder that requires, say read/write
access for a group. The folder's ACL consists of inherited entries
from above. You can add an entry that allows read/write access to
the group. If "everyone" should not have read access, then you can
add an entry to deny this. Once you get the folder set up properly,
force inheritance on everything below.
Inheritance is nice because new files and folders inherit from
above (but only if you set up inheritance). Unix is sadly deficient
in this area. Even if you create a new file with NFS, it
inherits the Windows ACL, probably exactly what you want. (You
can not manage permissions via NFS when using NTFS security style.)
When you start from scratch with an empty qtree and set up top
level folders for different groups, you usually set the ACLs by
hand with the Windows GUI and you get inheritance by default.
Everything works great.
But your problem is that you have a ton of existing stuff and so
you need to start at the top, set an ACL and force it upon everything
below. Then work your way down.
I hope this makes sense. Chances are if folks have been setting
Unix permissions, they have them all screwed up anyway.
If the GUI will be too cumbersome, you can script this. I recommend
the "fileacl" utility, which runs in a DOS (CLI) window.
Unlike the Windows cacls program, fileacl understands inheritance
and you can do anything with fileacl that you can do with the GUI.
Plus you can put a bunch of fileacl commands in a batch file and run
it from a DOS window. You could use Unix to write the batch file.
Steve Losen scl [at] virginia phone: 434-924-0640
University of Virginia ITC Unix Support