In message 7F608EC0BDE6D111B53A00805FA7F7DA03A83938@TAHOE.netapp.com, "Muhlestein, Mark" writes:
A mixed qtree already works exactly as you want it to. In a mixed qtree the security of a file is based on the last security-setting operation. If an A CL is set which denies you access, but you still need to do something with a file, then as root you can change the security on any files/dirs in that qtree (using chmod, chown, or chgrp), which changes the security-style to UNIX. After that,
Ok, so far I've read this a lot. Now maybe I'm missing something, 'cause I get the following errors trying to put it into practice.
Here's a test on a directory w/ NTFS permissions allowing only full control to the owner:
root@jagular: fs0/home/kelleher [130] # ls -ald test_dir
drwx------   2 kelleher users   4096 May  5 14:47 test_dir
root@jagular: fs0/home/kelleher [131] # ls -al test_dir
test_dir: Permission denied
total 8
root@jagular: fs0/home/kelleher [132] # chown 755 test_dir
chown: test_dir: Not owner
root@jagular: fs0/home/kelleher [133] # chown root test_dir
chown: test_dir: Not owner
root@jagular: fs0/home/kelleher [134] #
I can however su to the UNIX user, chmod it, and then get access to the file:
root@jagular: fs0/home/kelleher [134] # su kelleher
jagular% chmod 755 test_dir
jagular% exit
root@jagular: fs0/home/kelleher [135] # ls -al test_dir
total 72
drwxr-xr-x   2 kelleher users   4096 May  5 14:47 .
drwxr-xr-x  25 kelleher users  32768 May  5 15:25 ..
-rwx------   1 kelleher users      0 May  5 14:47 test_file
root@jagular: fs0/home/kelleher [136] #
Is this what you mean?
those files follow regular UNIX rules, which allows root full access. If the user wants to put an ACL back on afterwards, no problem.
We have found that using ACLs in a mixed qtree can be helpful in a number of situations. That's because ACLs are enforced even for NT Admins and root. For example, we found that some files were being accidentally deleted by root/Admin users, so we put an ACL on those files which allows only READ access to all users. That prevents deleting, even by root or NT Admins. Of course, if we actually want to delete the files we just change the permissions to allow that, since in a mixed qtree both root and NT Admins have a special dispensation to change the permissions.
Sounds like the problem is too many people with root/Admin access. Your solution only requires these people to take an extra step (give themselves the permissions) before they accidentally mess something up. If I were you I'd work on getting rid of their access. (Not that it's an easy thing to do.)
jason
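As an added illustration, not part of the thread and not NetApp code, the following Python model encodes the mixed-qtree rule as Mark describes it above: the last security-setting operation picks the file's style, UNIX-style files follow plain UNIX rules where root bypasses the mode bits, NTFS-style files enforce their ACL even on root/Admin, and root/Admin or the owner may always rewrite the security. It follows the description rather than the posted transcript, in which root's chown was refused with "Not owner". The class, the principal names, the "Everyone" ACL entry and the read/write/execute right set (with write standing in for delete) are all assumptions made for the model.

```python
"""Toy model of the mixed-qtree rule discussed in the thread: a file's
security style is whatever the LAST security-setting operation left it
in; UNIX-style files follow UNIX rules (root bypasses mode bits) and
NTFS-style files are governed by their ACL even for root/Admin.
Written for this page as an illustration; it is not NetApp code."""
from dataclasses import dataclass, field
from enum import Enum


class Style(Enum):
    UNIX = "unix"
    NTFS = "ntfs"


class Denied(PermissionError):
    pass


ROOT = "root"            # stands in for both Unix root and NT Administrator (assumption)
EVERYONE = "Everyone"    # ACL entry that applies to any principal (assumption)
UNIX_BIT = {"read": 4, "write": 2, "execute": 1}   # write also covers delete here


@dataclass
class MixedFile:
    owner: str
    mode: int                                   # UNIX bits, e.g. 0o700
    style: Style = Style.UNIX
    acl: dict = field(default_factory=dict)     # principal -> set of rights

    # Security-setting operations. Each one decides the style that follows.
    def chmod(self, actor, mode):
        self._require_security_change(actor)
        self.mode, self.style = mode, Style.UNIX

    def chown(self, actor, new_owner):
        self._require_security_change(actor)
        self.owner, self.style = new_owner, Style.UNIX

    def set_acl(self, actor, acl):
        self._require_security_change(actor)
        self.acl = {p: set(r) for p, r in acl.items()}
        self.style = Style.NTFS

    def _require_security_change(self, actor):
        # Per the description in the thread, root/Admin and the owner may
        # always rewrite security on the file (the "special dispensation");
        # everyone else is refused regardless of the current style.
        if actor not in (ROOT, self.owner):
            raise Denied(f"{actor} may not change security on this file")

    def allowed(self, actor, right):
        if self.style is Style.UNIX:
            if actor == ROOT:
                return True                    # plain UNIX rules: root wins
            bits = (self.mode >> 6) & 7 if actor == self.owner else self.mode & 7
            return bool(bits & UNIX_BIT[right])
        # NTFS style: the ACL is authoritative, there is no root bypass
        rights = self.acl.get(actor, self.acl.get(EVERYONE, set()))
        return right in rights


def thread_scenario():
    """Walk through the read-only ACL trick from the thread and return
    what each step allowed, so the rule is visible step by step."""
    f = MixedFile(owner="kelleher", mode=0o700)
    out = {}
    out["unix_root_write"] = f.allowed(ROOT, "write")

    # Protect the file from accidental deletion: read-only ACL for all.
    f.set_acl(ROOT, {EVERYONE: {"read"}})
    out["ntfs_root_write"] = f.allowed(ROOT, "write")
    out["ntfs_owner_write"] = f.allowed("kelleher", "write")
    out["ntfs_root_read"] = f.allowed(ROOT, "read")

    # A non-owner, non-root user cannot lift the ACL.
    try:
        f.chmod("bob", 0o777)
        out["bob_chmod"] = "allowed"
    except Denied:
        out["bob_chmod"] = "denied"

    # Root takes the extra step: chmod flips the file back to UNIX style.
    f.chmod(ROOT, 0o755)
    out["style_after_chmod"] = f.style.value
    out["unix_root_write_again"] = f.allowed(ROOT, "write")
    out["unix_other_read"] = f.allowed("bob", "read")
    out["unix_other_write"] = f.allowed("bob", "write")

    # The owner can put an ACL back afterwards; style follows the last op.
    f.set_acl("kelleher", {"kelleher": {"read", "write"}})
    out["style_after_acl"] = f.style.value
    out["ntfs_root_write_after"] = f.allowed(ROOT, "write")
    return out


if __name__ == "__main__":
    for step, result in thread_scenario().items():
        print(f"{step:24} {result}")
```

The point Jason raises survives the model unchanged: the ACL only blocks root until root runs one chmod, so it is a guard against accidents, not against a root user who decides to act.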