Just a heads up that I recently ran into a significant problem when I used ndmpcopy to migrate 30GB of files from a Unix qtree to an NTFS qtree.
After the copy was complete, I used the AD management tool to set the NTFS permissions. Everything was fine for CIFS clients, but NFS clients lost the execute bit on existing files. New files were assigned the correct Unix ACLs, but there was no way to set the execute bit on the exiting files.
I worked with NetApp and we tried changing to Mixed mode and fixing the Unix ACLs with chmod and chown but nothing worked. We ended up changing the security style of the new qtree to Unix where chmod and chown worked as expected. I'm still working with NetApp to try and figure out what happened.
Neil
-----Original Message----- From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Stephen C. Losen Sent: Friday, August 10, 2007 9:29 AM To: Roy McMorran Cc: toasters@mathworks.com Subject: Re: Change UNIX security to NTFS - ACLs?
Roy McMorran wrote:
Hello all, I have a qtree that I wish to change from UNIX security style to NTFS. Experimenting on a test volume I've found that when I make the change the ownerships of all the objects are preserved*, and appropriate ACLs show up for the owners. However, Unix "group" and "other" privileges do not seem to get translated to ACLs.
Before I can proceed I really need to find a way to duplicate the group-based permissions that existed on the Unix side. I've started hacking together a script using smbcacls (the ACL utility in Samba). The idea is to set appropriate ACLs for specific groups and "Everyone" based on what the Unix mode bits used to be. Still I wonder if there's an easier way. Has anyone had a similar "challenge"?
*In our environment all Unix and Windows user IDs are identical. We use an LDAP back end for Unix authentication and for our Samba-based domain controller.
This is 7.2.1.1 on a FAS3020 in case it matters.
Thanks for any input.
-bump-
Anyone?
I've opened a case with NetApp; I'll summarize if I get anything interesting.
Thanks,
I think you are going to want to set ACLs everywhere. As I understand it, WAFL maintains two sets of file permissions for each file and folder: Unix owner, group, permissions and Windows owner, group, ACLs. When you change a qtree from Unix style security to NTFS style, you don't have any NTFS ACLs set anywhere, so the filer "makes do" with the Unix permissions (and you see "fake" ACL data generated from the Unix permissions). As soon as you set an ACL, however, WAFL ignores the Unix permissions (they are still there) and uses the ACL. If you are going to use NTFS security style, then you really want to set ACLs on everything or things can get pretty confusing.
You may be able to set everything up very nicely using the Windows GUI and ACL inheritance.
At the top of your qtree, you might set an ACL that allows full control to an admin group (or to individual users who are admins) and read only access for everyone else. Have this propagate everywhere i.e., force inheritance of this top level ACL. (This is essentially a chmod -R.) This will set an ACL on everything and hide all of the old Unix permissions.
Now you can drop down to a sub folder that requires, say read/write access for a group. The folder's ACL consists of inherited entries from above. You can add an entry that allows read/write access to the group. If "everyone" should not have read access, then you can add an entry to deny this. Once you get the folder set up properly, force inheritance on everything below.
Inheritance is nice because new files and folders inherit from above (but only if you set up inheritance). Unix is sadly deficient in this area. Even if you create a new file with NFS, it inherits the Windows ACL, probably exactly what you want. (You can not manage permissions via NFS when using NTFS security style.)
When you start from scratch with an empty qtree and set up top level folders for different groups, you usually set the ACLs by hand with the Windows GUI and you get inheritance by default. Everything works great.
But your problem is that you have a ton of existing stuff and so you need to start at the top, set an ACL and force it upon everything below. Then work your way down.
I hope this makes sense. Chances are if folks have been setting Unix permissions, they have them all screwed up anyway.
If the GUI will be too cumbersome, you can script this. I recommend the "fileacl" utility, which runs in a DOS (CLI) window.
http://www.gbordier.com/gbtools/fileacl.htm
Unlike the Windows cacls program, fileacl understands inheritance and you can do anything with fileacl that you can do with the GUI. Plus you can put a bunch of fileacl commands in a batch file and run it from a DOS window. You could use Unix to write the batch file.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support