You have to set the qtree security to mixed or ntfs to use ACLs.
Yes, the local user approach is limited. I was just trying to clarify the statement that "no real security is available".
Mark
-----Original Message-----
From: Alan McLachlan [mailto:amclachlan@asi.com.au]
Sent: Wednesday, April 16, 2003 4:18 PM
To: Muhlestein, Mark; Alan McLachlan; Robert Borowicz; toasters@mathworks.com
Cc: Dane Knudson
Subject: RE: CIFS in Workgroup mode
Mark Muhlestein wrote:
Alan wrote:
One problem is that in workgroup mode NTFS security isn't available. In fact, no real security is available...
This isn't quite right. If you are running with ONTAP 6.1.1 or later you can create up to 96 local users in workgroup mode and use NTFS security with NTLM authentication. Even without local users you can use UNIX-style security if you are willing to use /etc/passwd accounts (which unfortunately implies the use of plaintext passwords over the wire during CIFS login).
However, it is true that for the very best available CIFS security (which uses Kerberos authentication) you do have to have the filer installed in a Win2k domain.
Hi Mark,
I just tried this on a lab filer here running 6.4.1R1 and in workgroup mode on an NT4.0 Workstation client (as still used by many of our government Novell customers - some are even still using Win98...) the mapped drive still shows up as FAT - no ACLs. I'll look into this further but I don't see how you're going to get ACLs on basic Windows peer-to-peer networking.
Win2K local user account ACLs may work with WinXP workstations, but most customers using NetApp for home directories have hundreds or thousands of users. For only 96 or fewer users you're not going to buy a NetApp primarily for home dirs... (unless you have too much money to play with and believe in overkill, or they are VERY I/O intensive users, i.e. graphic artists, CAD etc :o) )
In any case, the issue here isn't whether you can use fun workarounds to implement some security - you could use hidden shares to obscure users' home dirs from each other, but that's not the same as real permissions. And yes, you can map to Unix accounts on the filer and use Unix security. But the real issue is how this can be administered from Novell eDirectory as a resource with managed security. Local accounts (whether Unix or post-ONTAP 6.1.1 Win2K local accounts) on the filer don't help; the Novell eDirectory server somehow needs to be the primary account management server before most Novell admins will accept the solution.
Personally, I wish we didn't have to deal with Novell environments but there are still too many around to ignore it. *sigh*
Do you know what the status is WRT LDAP authentication in OnTap?
Regards,
Alan.