Make sure you are running 5.3 or greater. Once you are, determining access is pretty straightforward:
* If the file has an NT ACL, the ACL is used to check permissions. NFS requests use the mapped NT identity of the requesting user.
* If the file does not have an ACL, UNIX permissions are used. CIFS users use the mapped UNIX identity of the requesting user.
In-house at NetApp we use the mixed mode a lot, because it gives the most flexibility. There is a web site on NOW that explains all about how to use the multi-protocol security on the filer:
http://now.netapp.com/knowledge/docs/olio/guides/53_troubleshooting/index.shtml
About your suggestion about having the access check based on the client type: we considered that approach but we decided it results in even more confusing behavior as seen by non-native clients, as well as being less secure. The motivation for our approach is in the "Basic Concepts" section of the above document.
If you still have questions, or you can't make your environment work the way you want it to, please let us know. Multi-protocol security can be confusing, but we are very interested in making it work as well as possible in as many situations as possible.
Mark Muhlestein -- mmm@netapp.com
-----Original Message-----
From: Paul Lupa [mailto:Paul.Lupa@motorola.com]
Sent: Thursday, March 16, 2000 9:24 PM
To: toasters@mathworks.com
Subject: Problems integrating CIFS and NFS access control
Hi Folks,
I have a problem with the operation of a NetApp that serves up a share both via CIFS and NFS. The goal of a group that I support was to have a common directory for both the UNIX systems and the NT systems. A user would be able to see all of their files under either UNIX or NT. The problem manifests itself because whatever was last used by the user to set access rights is what sets the security mode for the file or directory. For example, if a user accesses a directory from NT and gives himself and an NT group access to a file, from UNIX only he would have access. If from UNIX he set a directory to rwxr-x---, someone in an NT group that he specifically wants to grant access to would not have access. Generally speaking whatever was last used (NT or UNIX) to set permissions works correctly, and the other one works, but not correctly.
My questions to the group:
1: Is anyone sharing the same directory under CIFS and NFS and found a workaround or an acceptable way to implement permissions?
2: Has anyone thought about what would be wrong with using UNIX permissions to determine access when using NFS and NT permissions when using CIFS?
Thanks, Paul Lupa
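
A small model of the mixed-mode access decision described in the reply at the top of this thread, applied to the two cases from the original question. It is an added illustration, not NetApp code and not part of either message; the user names, groups, mapping tables, the allow-only ACL and the choice to deny when no identity mapping exists are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample identities; the mappings and group names are assumptions.
NT_TO_UNIX = {"CORP\\alice": "alice", "CORP\\bob": "bob"}
UNIX_TO_NT = {unix: nt for nt, unix in NT_TO_UNIX.items()}
NT_GROUPS = {"CORP\\alice": {"CORP\\design"}, "CORP\\bob": {"CORP\\design"}}
UNIX_GROUPS = {"alice": {"eng"}, "bob": {"staff"}}

@dataclass
class File:
    owner: str                      # UNIX owner
    group: str                      # UNIX group
    mode: int                       # UNIX permission bits, e.g. 0o750
    nt_acl: Optional[dict] = None   # NT principal -> set of rights; None = no ACL

def unix_allows(f, unix_user, want):
    """Owner/group/other check; want is 'r', 'w' or 'x'."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if unix_user == f.owner:
        shift = 6
    elif f.group in UNIX_GROUPS.get(unix_user, set()):
        shift = 3
    else:
        shift = 0
    return bool((f.mode >> shift) & bit)

def acl_allows(f, nt_user, want):
    """Simplified allow-only ACL: any entry for the user or their groups grants."""
    principals = {nt_user} | NT_GROUPS.get(nt_user, set())
    return any(want in f.nt_acl.get(p, set()) for p in principals)

def check_access(f, protocol, user, want):
    """protocol is 'nfs' (user is a UNIX name) or 'cifs' (user is an NT name)."""
    if f.nt_acl is not None:
        # File has an NT ACL: NFS callers are judged as their mapped NT identity.
        nt_user = user if protocol == "cifs" else UNIX_TO_NT.get(user)
        return nt_user is not None and acl_allows(f, nt_user, want)
    # No ACL: CIFS callers are judged as their mapped UNIX identity.
    unix_user = user if protocol == "nfs" else NT_TO_UNIX.get(user)
    return unix_user is not None and unix_allows(f, unix_user, want)

# Permissions last set from NT: bob's NFS request is granted via CORP\design.
acl_file = File("alice", "eng", 0o700, {"CORP\\alice": {"r", "w"}, "CORP\\design": {"r"}})
# Permissions last set from UNIX (rwxr-x---): NT group membership plays no part.
mode_file = File("alice", "eng", 0o750)
```

In this model, giving bob access to `mode_file` means changing what his mapped UNIX identity can do (for example, membership in `eng`), since his NT group is never consulted for a file without an ACL.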