
Mailing List Archive: Netapp: toasters

Unix <=> NTFS permissions question



opienkos at sfu

Dec 5, 2008, 2:36 PM

Post #1 of 4 (2305 views)
Unix <=> NTFS permissions question

Hello Toaster Experts!

We are currently mounting an NFS directory, e.g. /home/production, from a filer to a Solaris 10 box. Security is done by local passwd entries. We need to export this directory via CIFS with read and write access to a group of Windows developers (a group in Active Directory). Is there a way to do this without converting the filer security from UNIX to NTFS? The share is owned by a single Unix UID but will be accessed by multiple AD users. Is there a way to translate AD groups into Unix groups, since usermap.cfg seems to translate only user IDs?
We don't want to run mixed-mode security.

Thanks a lot.

Oskar


Adam.Fox at netapp

Dec 5, 2008, 6:52 PM

Post #2 of 4 (2211 views)
Re: Unix <=> NTFS permissions question [In reply to]

You can't map groups, but you can ensure that every Windows user belongs to a group that can read/write the files. Each CIFS user will map to a UNIX user with UNIX groups.

If, by some chance, the controller can't map to a UNIX user, you can set the option cifs.default_unix_user to the UNIX user who owns the files. But this only works if the controller can't map to a UNIX user.

-- Adam Fox
------------------------
Typed with my thumbs on a very small keyboard.



Andrey.Borzenkov at fujitsu-siemens

Dec 7, 2008, 10:21 PM

Post #3 of 4 (2211 views)
RE: Unix <=> NTFS permissions question [In reply to]

We are using a share with the forcegroup option:

Name Mount Point Description
---- ----------- -----------
pool /vol/vol1/share common pool
... forcegroup=s_group
DOMAIN\Special_users / Full Control

Where “s_group” is Unix group. /vol/vol1/share itself has Unix security style.

You still have to make sure that Unix group “group” has required access to files; but you would need to ensure this anyway. And you can limit access to a share using NT group membership.

This is less administration as long as you do not need to track file ownership.


With best regards

---
Andrey Borzenkov
Senior system engineer


scl at sasha

Dec 8, 2008, 5:16 AM

Post #4 of 4 (2212 views)
Re: Unix <=> NTFS permissions question [In reply to]

When an AD user logs in with CIFS and maps a Unix security style share,
the filer must create Unix style credentials for the AD user. Unix
credentials include 1) a Unix user id number (uid), 2) a Unix primary
group id number (gid), and 3) a supplementary group list (a list of group
gids of which the Unix user is a member).

Note that NFS (ironically) does not require a Unix user database
on the filer. This is because the Unix uid, gid, and group list
are included by the NFS client in each NFS request, so the filer
doesn't need to consult a user database. It just uses the credentials
supplied by the NFS client. CIFS, of course, does not provide
Unix credentials, so the filer must look them up.

To map an AD user to Unix, the filer uses the file /etc/usermap.cfg
to map each Windows user name to a Unix user name. If you are not
using NIS or LDAP for the filer's Unix user database, then the filer
uses its local /etc/passwd and /etc/group files just like a Unix system.

So all you need to do is edit the filer's /etc/passwd and /etc/group
files. No need for any passwords in /etc/passwd because the filer
is only interested in the uid and gid fields. Since you are using
a Unix group to control access, be sure that you use the same
numeric gid in the share and in /etc/group (or /etc/passwd).

You also need to edit /etc/usermap.cfg to map the Windows user names
to Unix user names in /etc/passwd. This does not need to be one to one.
You could map all of the Windows users to the same Unix user. The
usermap.cfg file also lets you use wild cards, so you can easily map
each Windows user name to an identical Unix user name.

Steve Losen scl [at] virginia phone: 434-924-0640

University of Virginia ITC Unix Support
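The credential chain Steve describes (usermap.cfg -> /etc/passwd -> /etc/group), plus the forcegroup share option from Andrey's reply, worked through as a small simulation. This is an added example, not code from the thread or from Data ONTAP; it assumes a simplified usermap.cfg syntax (`WINNAME => unixname`, `*` wildcard, first match wins) and models forcegroup as adding the forced group's gid to the user's credential. All file contents, names, uids and gids are constructed.

```python
import fnmatch

# Constructed sample filer files (not from the thread); names, uids and gids are illustrative.
USERMAP_CFG = """# Windows name => Unix name; a right-hand "*" keeps the Windows short name
DEV\\alice => production
DEV\\*     => *
"""
PASSWD = "production:x:1001:500::/home/production:/bin/sh\ncarol:x:1002:501::/home/carol:/bin/sh\n"
GROUP = "prod:x:500:carol\nusers:x:501:\ns_group:x:502:\n"

def parse_usermap(text):
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # strip comments
        if "=>" in line:
            win, unix = (s.strip() for s in line.split("=>", 1))
            rules.append((win.lower(), unix))  # Windows names are case-insensitive
    return rules

def parse_passwd(text):
    # Only the uid and gid fields matter to the filer; the password field is ignored.
    return {f[0]: (int(f[2]), int(f[3])) for f in (l.split(":") for l in text.splitlines() if l)}

def parse_group(text):
    # name -> (gid, set of member user names)
    return {f[0]: (int(f[2]), set(filter(None, f[3].split(",")))) for f in (l.split(":") for l in text.splitlines() if l)}

def unix_credentials(win_name, rules, users, groups, forcegroup=None):
    """Return (uid, gid, supplementary gids) for an AD user, or None if no rule maps
    to a user in /etc/passwd (the case cifs.default_unix_user would cover)."""
    unix = next((win_name.split("\\")[-1] if u == "*" else u
                 for pat, u in rules if fnmatch.fnmatchcase(win_name.lower(), pat)), None)
    if unix not in users:
        return None
    uid, gid = users[unix]
    supp = {g_gid for _, (g_gid, members) in groups.items() if unix in members}
    # Assumed forcegroup behaviour: the share's forced group becomes part of the credential.
    if forcegroup in groups:
        supp.add(groups[forcegroup][0])
    return uid, gid, supp

def may_write(cred, owner_uid, owner_gid, mode):
    """Classic Unix mode check: owner, then group (primary or supplementary), then other."""
    uid, gid, supp = cred
    if uid == owner_uid:
        return bool(mode & 0o200)
    if owner_gid == gid or owner_gid in supp:
        return bool(mode & 0o020)
    return bool(mode & 0o002)
```

Run `unix_credentials("DEV\\carol", ...)` with and without `forcegroup="s_group"` against a directory group-owned by gid 502 to see why Andrey notes the Unix group itself still needs access to the files.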
