There are some points about ntfs/unix qtree styles that can be easily overlooked or misinterpreted:
* A mixed security style only means that there can be unix and ntfs files in that qtree
* It DOES NOT mean that the files are mixed mode; be sure to understand the difference.
* The files can switch security styles at any time, thus causing CIFS ACL's to get dropped when switching to unix, etc.
Since the CIFS ACL's are so much more detailed and harder to match in unix than unix ACL's are to match in CIFS, in a mixed environment, I usually recommend an NTFS security style and then use user mapping (usermap.cfg) to equate users.
Additional documentation of this same theme while you're at it:
Unix group permissions on directory not enforced on CIFS users: http://now.netapp.com/Knowledgebase/solutionarea.asp?id=kb16326
Unified Windows and UNIX Authorization Using Microsoft Active Directory LDAP as a Directory Store: http://www.netapp.com/us/library/technical-reports/tr-3458.html
Unified Windows and UNIX Authentication Using Microsoft Active Directory Kerberos: http://www.netapp.com/us/library/technical-reports/tr-3457.html
Good luck !
Cheers ...................
Stetson M. Webster
Onsite Professional Services Engineer
PS - North Amer. - East
NetApp
919.250.0052 Mobile
Stetson.Webster@netapp.com
www.netapp.com
-----Original Message-----
From: David Lee [mailto:t.d.lee@durham.ac.uk]
Sent: Wednesday, April 23, 2008 12:24 PM
To: toasters@mathworks.com
Subject: mount.cifs; NetApp; owner/mode appearance
If this is an FAQ, feel free to point me in the right direction...
Short-form:
 o UNIX-derived filesystem (qtree) on filer;
 o Linux client using "mount.cifs" to access qtree via CIFS;
 o File ownerships look wrong; mode always shows as 777.
Detail:
We run a central fileserver on behalf of many users. A particular new qtree is a fresh copy of a filesystem (on which many users each have their own, self-owned subdirectory). It was previously hosted on UNIX, and is still intended to be used solely in a UNIX context.
But we (service providers) don't own the Linux machines which will be connecting to this, therefore we are not exporting it as NFS (host-based security) as this would compromise security. (User-A on their Linux box could 'su' to root and then 'su' again to User-B and see User-B files... this would be bad.)
So we are trying to set things up so that the users can use CIFS (which is user-based security). So we have set the qtree mixed mode and made it a CIFS share on the filer. So far, so good.
Overall: UNIX users on UNIX clients to UNIX-filesystems on filer, but having to use CIFS rather than NFS as the protocol.
When a user on their Linux client does:
    /sbin/mount.cifs //filer/qtree /local/mountpoint
what they see is that all file ownerships are apparently their own (even though this level shows the directory of self-owned subdirectories) and that all permissions appear as 777 (rwxrwxrwx). The actual workings seem to be OK, but the appearance is less than desirable.
Presumably this is because the SMB/CIFS protocol cannot carry the UNIX permissions and ownerships.
1. Is the above reasoning towards understanding the problem more or less correct?
2. Is there any way around it? I understand that more recent definitions of CIFS have UNIX extensions. Is this implemented in ONTAP?
Our versions:
    filer: "NetApp Release 7.2.2"
    mount.cifs: 1.10
Apologies if the question is poorly expressed!
--
:  David Lee                                I.T. Service          :
:  Senior Systems Programmer                Computer Centre       :
:  UNIX Team Leader                         Durham University     :
:                                           South Road            :
:  http://www.dur.ac.uk/t.d.lee/            Durham DH1 3LE        :
:  Phone: +44 191 334 2752                  U.K.                  :
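
The mixed-style caveat in the reply at the top of this thread, as an added example that is not part of the original messages: a small audit that reads `qtree status` output and lists the qtrees still set to mixed, where per-file security style can change and CIFS ACLs can be dropped. The sample output is constructed, and the five-column layout (Volume, Tree, Style, Oplocks, Status) is assumed from 7-mode Data ONTAP.

```python
# Constructed sample in the layout assumed for `qtree status` on a 7-mode filer
# (columns: Volume, Tree, Style, Oplocks, Status). Not taken from a real system.
SAMPLE = """\
Volume   Tree     Style Oplocks  Status
-------- -------- ----- -------- ---------
vol0              unix  enabled  normal
vol1              ntfs  enabled  normal
vol1     home     mixed enabled  normal
vol2     projects ntfs  enabled  normal
vol2     scratch  mixed disabled normal
"""

STYLES = {"unix", "ntfs", "mixed"}


def parse_qtree_status(text):
    """Return one dict per qtree row; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            # Volume root: the Tree column is blank, so only four tokens appear.
            fields.insert(1, "")
        if len(fields) != 5 or fields[2] not in STYLES:
            continue  # header, separator, or a line this parser does not recognise
        volume, tree, style, oplocks, status = fields
        path = f"/vol/{volume}/{tree}" if tree else f"/vol/{volume}"
        rows.append({"path": path, "style": style,
                     "oplocks": oplocks, "status": status})
    return rows


def mixed_qtrees(text):
    """Paths whose security style is 'mixed' and so deserve a review."""
    return [r["path"] for r in parse_qtree_status(text) if r["style"] == "mixed"]


if __name__ == "__main__":
    for path in mixed_qtrees(SAMPLE):
        print(f"{path}: mixed style, per-file style can flip and drop CIFS ACLs")
```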