Hi Folks,
I have a problem with the operation of a NetApp that serves up a share both via CIFS and NFS. The goal of a group that I support was to have a common directory for both the UNIX systems and the NT systems. A user would be able to see all of their files under either UNIX or NT. The problem manifests itself because whatever was last used by the user to set access rights is what sets the security mode for the file or directory. For example, if a user accesses a directory from NT and gives himself and an NT group access to a file, from UNIX only he would have access. If from Unix he set a directory to rwxr-x---, someone in an NT group that he specifically wants to grant access to would not have access. Generally speaking whatever was last used (NT or Unix) to set permissions works correctly, and the other one works, but not correctly.
My questions to the group:
1: Is anyone sharing the same directory under CIFS and NFS and found a workaround or an acceptable way to implement permissions?
2: Has anyone thought about what would be wrong with using UNIX permissions to determine access when using NFS and NT permissions when using CIFS?
Thanks, Paul Lupa
Paul Lupa wrote:
My questions to the group:
1: Is anyone sharing the same directory under CIFS and NFS and found a workaround or an acceptable way to implement permissions?
Yes - but one thing that has to be assumed is that your NT and Unix usernames are the same. If that is the case you can create a Unix group for the people that need access to the file and give ownership of the file to that Unix group. Users coming in through NT will map into that Unix group and everything will work fine. This pretty much does an end-around the "mixed" security model. In fact, you'd probably be better off just using "unix" mode on a volume that you control in such a manner. We have implemented this on at least a dozen shares and it works fine. This is with 5.2.x OS's. In 5.3.x there are probably more elegant ways to solve the problem using NT groups and usermap.cfg.
2: Has anyone thought about what would be wrong with using UNIX permissions to determine access when using NFS and NT permissions when using CIFS?
We thought about it, tested it, it works fine - but your NT and Unix login ID's MUST be the same.
Graham
On Thu, 16 Mar 2000, Paul Lupa wrote:
I have a problem with the operation of a NetApp that serves up a share both via CIFS and NFS. The goal of a group that I support was to have a common directory for both the UNIX systems and the NT systems. A user
We use common directories for home directories for both UNIX and NT users here. That filer uses mixed qtree security:
file:/cdrom/534R3/html/sag/qtree2.htm#1164436
The behavior is exactly as you stated, and as the docs state:
==========
Both NTFS and UNIX style permissions are permitted. The security style of a file is the style most recently used to set permissions on that file. See the information in "NTFS."
Caution: Changing NTFS permissions on a file recomputes UNIX permissions on that file.
Changing UNIX permissions or ownership on a file deletes any NTFS permissions on that file.
==========
A slightly bizarre interpretation, I think. You might say there is loss of data here! ;)
My questions to the group:
1: Is anyone sharing the same directory under CIFS and NFS and found a workaround or an acceptable way to implement permissions?
We use the mixed style when we absolutely need data sharing *and* NT clients need to use the full ACL's (one filer). Otherwise, we use UNIX style security (four filers), which is a bit more straightforward for the admins and our users.
2: Has anyone thought about what would be wrong with using UNIX permissions to determine access when using NFS and NT permissions when using CIFS?
I don't have an answer for you on this one. I don't know what is involved in having NFS/CIFS permissions behave as they do with UNIX style security for the owner and primary group owner of the file/directory, and only have the additional NT ACL's be applicable only to CIFS clients. Why *wipe* them out on the NFS/CIFS side if they are changed on the CIFS/NFS side?
But, as someone else said, all this sharing only works when the usernames are *identical* via NFS and CIFS.
Feel free to continue the thread or email me personally about how we implement/workaround stuff here.
Until next time...
The Mathworks, Inc. 508-647-7000 x7792
3 Apple Hill Drive, Natick, MA 01760-2098 508-647-7001 FAX
tmerrill@mathworks.com http://www.mathworks.com
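The group-ownership workaround described earlier in the thread only holds while every file in the shared tree keeps the shared Unix group and its group permission bits. The following is an added example, not code from any poster in this thread: a Python audit, run from an NFS client, that flags entries that break that arrangement. The function names, finding labels and the set of checks are assumptions of this example.

```python
import grp
import os
import stat
import sys

def entry_problems(st, shared_gid):
    """Return labels for one lstat() result that break group-based sharing."""
    problems = []
    if st.st_gid != shared_gid:
        problems.append("wrong-group")       # group members lose access
    if not st.st_mode & stat.S_IRGRP:
        problems.append("no-group-read")     # e.g. rw------- private file
    if stat.S_ISDIR(st.st_mode) and not st.st_mode & stat.S_IXGRP:
        problems.append("no-group-search")   # group cannot traverse directory
    if st.st_mode & stat.S_IWOTH:
        problems.append("world-writable")    # wider than the group intended
    return problems

def audit_shared_tree(root, shared_gid):
    """Walk root and return {path: [problem labels]} for offending entries."""
    findings = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                     # a symlink's own mode is not meaningful
            problems = entry_problems(st, shared_gid)
            if problems:
                findings[path] = problems
    return findings

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit.py <nfs-mounted-dir> <unix-group>")
    gid = grp.getgrnam(sys.argv[2]).gr_gid
    for path, problems in sorted(audit_shared_tree(sys.argv[1], gid).items()):
        print(f"{path}: {', '.join(problems)}")
```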