Stephen C. Losen wrote:
> Roy McMorran wrote:
>> Before I can proceed I really need to find a way to duplicate the group-based permissions that existed on the Unix side. I've started hacking together a script using smbcacls (the ACL utility in Samba). The idea is to set appropriate ACLs for specific groups and "Everyone" based on what the Unix mode bits used to be. Still, I wonder if there's an easier way. Has anyone had a similar "challenge"?
> At the top of your qtree, you might set an ACL that allows full control to an admin group (or to individual users who are admins) and read-only access for everyone else. Have this propagate everywhere, i.e., force inheritance of this top-level ACL. (This is essentially a chmod -R.) This will set an ACL on everything and hide all of the old Unix permissions.

Thanks for the reply, Steve.

> When you start from scratch with an empty qtree and set up top-level folders for different groups, you usually set the ACLs by hand with the Windows GUI and you get inheritance by default. Everything works great.
> ...
> I hope this makes sense. Chances are if folks have been setting Unix permissions, they have them all screwed up anyway.

It does.

This qtree started life as a Samba share on a Unix filesystem, so Unix permissions were all we had. When we migrated to the NetApp we kept the UNIX security style for the sake of simplicity, and it's worked well. However, the "user-group-other" model is showing signs of strain: I have many users that belong to 16 groups (the limit, in general) and I need more flexibility. ACLs are definitely the way to go.

> But your problem is that you have a ton of existing stuff

Exactly!

> and so you need to start at the top, set an ACL and force it upon everything below. Then work your way down.
> If the GUI will be too cumbersome, you can script this. I recommend the "fileacl" utility, which runs in a DOS (CLI) window.

This sounds useful, and I hadn't heard of that utility. I've also looked at setacl ( http://setacl.sourceforge.net/ ) and smbcacls (part of Samba).

> Unlike the Windows cacls program, fileacl understands inheritance and you can do anything with fileacl that you can do with the GUI. Plus you can put a bunch of fileacl commands in a batch file and run it from a DOS window. You could use Unix to write the batch file.

Yes, that's the idea I had in mind. I like the idea of using inheritance as opposed to setting an ACL on each and every object (which my original script tried to do).
Thanks for the information. Best wishes,
-r
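The approach the thread converges on (derive the ACEs from the Unix mode bits, but set one inheritable ACL per top-level group folder rather than per object) as an added example; this is not Roy's script or any code from the thread. It assumes a Windows domain named CORP that carries the Unix user and group names, an admin group CORP\share-admins that always gets Full Control (Steve's suggestion), a share //filer/projects, and the Samba 4 smbcacls ACL syntax "ACL:<name>:ALLOWED/<flags>/<mask>" with the symbolic inheritance flags OI|CI. All of those names are placeholders, and older smbcacls builds expect the flags as hex (0x3 for OI plus CI), so check `man smbcacls` on the machine that will run this.

```python
#!/usr/bin/env python3
"""Emit smbcacls commands that replace the Unix mode bits on the top-level
folders of a share with one inheritable NT ACL per folder.

Example code added to this thread, not the poster's script.  Assumptions:
Unix owners/groups map to CORP\\name, CORP\\share-admins always gets Full
Control, and smbcacls takes the Samba 4 ACL syntax
(ACL:<name>:ALLOWED/<flags>/<mask>, flags OI|CI).  Older smbcacls builds
want the flags as hex (0x3 = OI|CI); check `man smbcacls` on your box.
"""
import grp
import os
import pwd
import shlex
import stat
import sys

DOMAIN = "CORP"                     # assumed Windows domain for Unix names
ADMIN_GROUP = r"CORP\share-admins"  # assumed admin group, always Full Control
EVERYONE = "Everyone"
INHERIT = "OI|CI"                   # object-inherit + container-inherit


def mask_for(r, w, x):
    """Map one Unix rwx triplet to an smbcacls mask name (None = no ACE).

    Write access becomes CHANGE (modify) rather than FULL so that only the
    admin group can alter ACLs or take ownership; read or execute alone
    becomes READ.
    """
    if w:
        return "CHANGE"
    if r or x:
        return "READ"
    return None


def aces_for_mode(mode, owner, group):
    """Translate a directory's mode bits into an ordered list of ACE strings.

    Every ACE carries the inheritance flags, so setting this ACL on a
    top-level folder covers everything created beneath it.
    """
    aces = [f"ACL:{ADMIN_GROUP}:ALLOWED/{INHERIT}/FULL"]
    triplets = (
        (f"{DOMAIN}\\{owner}", mode & stat.S_IRUSR, mode & stat.S_IWUSR, mode & stat.S_IXUSR),
        (f"{DOMAIN}\\{group}", mode & stat.S_IRGRP, mode & stat.S_IWGRP, mode & stat.S_IXGRP),
        (EVERYONE, mode & stat.S_IROTH, mode & stat.S_IWOTH, mode & stat.S_IXOTH),
    )
    for name, r, w, x in triplets:
        mask = mask_for(r, w, x)
        if mask:
            aces.append(f"ACL:{name}:ALLOWED/{INHERIT}/{mask}")
    return aces


def smbcacls_command(unc, relpath, aces, user):
    """Build the argv for one smbcacls call.  -S replaces the whole DACL
    (rather than -a, which would add to whatever is already there)."""
    return ["smbcacls", unc, relpath, "-U", user, "-S", ",".join(aces)]


def _name(lookup, ident):
    try:
        return lookup(ident)
    except KeyError:
        return str(ident)  # no passwd/group entry: keep the numeric id


def plan_commands(root, unc, user):
    """One smbcacls command per top-level directory under `root`."""
    commands = []
    for entry in sorted(os.listdir(root)):
        st = os.lstat(os.path.join(root, entry))
        if not stat.S_ISDIR(st.st_mode):
            continue
        owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
        group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
        aces = aces_for_mode(st.st_mode, owner, group)
        commands.append(smbcacls_command(unc, entry, aces, user))
    return commands


if __name__ == "__main__":
    # usage: mode2acl.py /mnt/projects //filer/projects 'CORP\admin'
    # Prints the commands; pipe them to sh only after reviewing them.
    root, unc, user = sys.argv[1:4]
    for argv in plan_commands(root, unc, user):
        print(shlex.join(argv))
```

Run it against the NFS mount of the qtree and it prints one smbcacls line per top-level folder, which is the batch file Steve describes, just with smbcacls in place of fileacl. Two caveats a practitioner should keep in mind: smbcacls sets the DACL only on the object named on the command line, and the inheritance flags govern what new objects get, so pre-existing files and subfolders keep whatever they had until something propagates the ACL down (the Windows ACL editor does that walk from the client when you tick "Replace permissions on all child objects"); and mapping owner write access to CHANGE rather than FULL is a deliberate choice so that only the admin group can change ACLs or take ownership.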