For the release you are running, it is possible to get the group permission checking you want by doing a "cifs terminate" then "cifs setup", and specifying that you want to "enforce UNIX semantics" when asked that setup question. However, there are a lot of good reasons to upgrade to 5.3x, and not just for CIFS-related issues.
The links we gave before describe the 5.3 and later security model, and answer your questions. Briefly, in the situation you described, the files would continue to use UNIX-style permissions, since you did not include a step of having the CIFS clients set an ACL (which sets NTFS-style permissions). See
http://now.netapp.com/NOW/knowledge/docs/olio/guides/53_troubleshooting/inde... tml
particularly the "Basic Concepts" section. See also
http://now.netapp.com/NOW/knowledge/docs/olio/guides/53_troubleshooting/glos... .shtml#anchor1670777
which describes inherited security.
Mark Muhlestein -- mmm@netapp.com
-----Original Message-----
From: Elizabeth Schwartz [mailto:eschwart@genuity.net]
Sent: Tuesday, June 13, 2000 9:59 AM
To: Hawley, Rob; mstjohn@genuity.net
Cc: eschwart@genuity.net; Muhlestein, Mark; toasters@mathworks.com
Subject: RE: Unix group permission and NT access on a filer
Thanks! We're running 5.2.3P1
I've been talking to the filer admin about upgrading. It sounds like the immediate short-term fix to our problem might be to create a small multiprotocol qtree while we evaluate whether to upgrade the OS and/or change the main qtrees.
We need to make sure that we understand all the security implications of changing a qtree from unix to multiprotocol.
Do you have anything that shows how the filer stores permission, whatever the filer equivalent of an inode is? (qnode? Wnode?) We were trying to whiteboard how the permissions work. Specifically:
- I start with a Unix qtree on the filer
- User directory is created with unix permissions set to 755
- We then change the qtree from unix to multiprotocol
- User accesses his directory as a CIFS share
- User creates a subdirectory and files under his home
What will the permissions be on those files? 755? Will they have anything in their NT ACLs?
I am under the impression that the filer stores permissions in some "neutral" format which it translates to Unix permission bits or NT ACLs, PLUS has some extra storage for NT ACLs - is that how it works?
Also, what happens if you create a multiprotocol file system and then change it later to unix? Is the additional ACL information a) translated, b) deleted, c) stored but not used (so that if you changed it back to multiprotocol again it might still be there?)
thanks for any pictures
Betsy
At 07:06 AM 6/13/00 -0700, rob.hawley@netapp.com wrote:
What version of the filer are you running? Is it 5.3 or later?
The filer has always supported multiprotocol access to files. With 5.3 we have completed our security model that is described in the following paper.
--
Elizabeth Schwartz 781-262-6565
Unix System Administrator eschwart@bbnplanet.com
Genuity, Inc