Toasters: Client wants ability to quota by Active Directory group. I see some products out there, but none seem to be able to set a quota on a volume/qtree/directory with the quota pertaining to an A.D. group.
Only way I've implemented these in the past is to control access via NTFS ACL such that the A.D. group has write access (everyone else read or none), then set qtree quota. Client has political reasons not to restrict access via NTFS. This is NAS/CIFS only environment.
Has anyone else out there found another way, or using any other 3rd party *ware?
Best regards, Kevin M. Parker
[cid:image001.gif@01C87EC2.A5BBE990]http://www.nwnit.com/ [cid:image002.png@01C87EC2.A5BBE990]
Sr. Storage Solutions Engineer l 919.830.5819 mobile l 919.653.4489 office l 860 Aviation Pkwy., Ste. 1000, Morrisville, NC 27560
________________________________ Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
Unfortunately, group quotas won't work in native ONTAP as AD groups do not map to UNIX groups properly. User and qtree quotas work fine. You could create qtrees that belong to the specific AD groups and place quotas on those. ----- Original Message ----- From: Kevin Parker To: toasters@mathworks.com Sent: Wednesday, March 05, 2008 1:19 PM Subject: Quotas for A.D. groups
Toasters:
Client wants ability to quota by Active Directory group. I see some products out there, but none seem to be able to set a quota on a volume/qtree/directory with the quota pertaining to an A.D. group.
Only way I've implemented these in the past is to control access via NTFS ACL such that the A.D. group has write access (everyone else read or none), then set qtree quota. Client has political reasons not to restrict access via NTFS. This is NAS/CIFS only environment.
Has anyone else out there found another way, or using any other 3rd party *ware?
Best regards,
Kevin M. Parker
Sr. Storage Solutions Engineer l 919.830.5819 mobile l 919.653.4489 office l 860 Aviation Pkwy., Ste. 1000, Morrisville, NC 27560
------------------------------------------------------------------------------ Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
Unfortunately, group quotas won't work in native ONTAP as AD groups do not map to UNIX groups properly. User and qtree quotas work fine. You could create qtrees that belong to the specific AD groups and place quotas on those.
Also, netapp "group quotas" may not work like you want. In the Unix/NFS world, each file has a group id. A group quota limits the total disk space consumed by all files that have a particular group id. It does not matter who owns the files. Group quotas are easy to circumvent because the owner of a file can change its group id to any group that the owner belongs to.
Some folks mistakenly think that a "group quota" restricts the total disk space consumed by all the members of the group. In other words, if a group has members A, B, and C and the group quota is 10 Gbyte then disk space consumed by files owned by A, B, or C cannot exceed 10 Gbyte. This is NOT how group quotas work.
As others have stated, you probably need a qtree. Has anyone ever found netapp group quotas to be useful at all?
----- Original Message ----- From: Kevin Parker To: toasters@mathworks.com Sent: Wednesday, March 05, 2008 1:19 PM Subject: Quotas for A.D. groups
Toasters:
Client wants ability to quota by Active Directory group. I see some products out there, but none seem to be able to set a quota on a volume/qtree/directory with the quota pertaining to an A.D. group.
Only way I've implemented these in the past is to control access via NTFS ACL such that the A.D. group has write access (everyone else read or none), then set qtree quota. Client has political reasons not to restrict access via NTFS. This is NAS/CIFS only environment.
Has anyone else out there found another way, or using any other 3rd party *ware?
Best regards,
Kevin M. Parker
Sr. Storage Solutions Engineer l 919.830.5819 mobile l 919.653.4489 office l 860 Aviation Pkwy., Ste. 1000, Morrisville, NC 27560
Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
Very useful for controlling growth and impact from individual groups/users. However, nearly impossible to effectively manage without being extremely time consuming.
We've looked at NTP Software's QFS product and like it - just a matter of funding.
Glenn
-----Original Message----- From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Stephen C. Losen Sent: Wednesday, March 05, 2008 4:23 PM To: Bill Holland Cc: Kevin Parker; toasters@mathworks.com Subject: Re: Quotas for A.D. groups
Unfortunately, group quotas won't work in native ONTAP as AD groups do
not map to UNIX groups properly. User and qtree quotas work fine. You could create qtrees that belong to the specific AD groups and place quotas on those.
Also, netapp "group quotas" may not work like you want. In the Unix/NFS world, each file has a group id. A group quota limits the total disk space consumed by all files that have a particular group id. It does not matter who owns the files. Group quotas are easy to circumvent because the owner of a file can change its group id to any group that the owner belongs to.
Some folks mistakenly think that a "group quota" restricts the total disk space consumed by all the members of the group. In other words, if a group has members A, B, and C and the group quota is 10 Gbyte then disk space consumed by files owned by A, B, or C cannot exceed 10 Gbyte. This is NOT how group quotas work.
As others have stated, you probably need a qtree. Has anyone ever found netapp group quotas to be useful at all?
----- Original Message ----- From: Kevin Parker To: toasters@mathworks.com Sent: Wednesday, March 05, 2008 1:19 PM Subject: Quotas for A.D. groups
Toasters:
Client wants ability to quota by Active Directory group. I see some
products out there, but none seem to be able to set a quota on a volume/qtree/directory with the quota pertaining to an A.D. group.
Only way I've implemented these in the past is to control access via
NTFS ACL such that the A.D. group has write access (everyone else read or none), then set qtree quota. Client has political reasons not to restrict access via NTFS. This is NAS/CIFS only environment.
Has anyone else out there found another way, or using any other 3rd
party *ware?
Best regards,
Kevin M. Parker
Sr. Storage Solutions Engineer l 919.830.5819 mobile l 919.653.4489
office l 860 Aviation Pkwy., Ste. 1000, Morrisville, NC 27560
------------------------------------------------------------------------ ------
Note: This message and any attachments is intended solely for the
use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
How about NetApp 'Operations Manager with FSRM' and 'ccstor'? Both are offering quota management with file screening functionalities as well.
Thanks! |Suresh|
-----Original Message----- From: Glenn Walker [mailto:ggwalker@mindspring.com] Sent: Thursday, March 06, 2008 5:18 AM To: Stephen C. Losen; Bill Holland Cc: Kevin Parker; toasters@mathworks.com Subject: RE: Quotas for A.D. groups
Very useful for controlling growth and impact from individual groups/users. However, nearly impossible to effectively manage without being extremely time consuming.
We've looked at NTP Software's QFS product and like it - just a matter of funding.
Glenn
-----Original Message----- From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Stephen C. Losen Sent: Wednesday, March 05, 2008 4:23 PM To: Bill Holland Cc: Kevin Parker; toasters@mathworks.com Subject: Re: Quotas for A.D. groups
Unfortunately, group quotas won't work in native ONTAP as AD groups do
not map to UNIX groups properly. User and qtree quotas work fine. You could create qtrees that belong to the specific AD groups and place quotas on those.
Also, netapp "group quotas" may not work like you want. In the Unix/NFS world, each file has a group id. A group quota limits the total disk space consumed by all files that have a particular group id. It does not matter who owns the files. Group quotas are easy to circumvent because the owner of a file can change its group id to any group that the owner belongs to.
Some folks mistakenly think that a "group quota" restricts the total disk space consumed by all the members of the group. In other words, if a group has members A, B, and C and the group quota is 10 Gbyte then disk space consumed by files owned by A, B, or C cannot exceed 10 Gbyte. This is NOT how group quotas work.
As others have stated, you probably need a qtree. Has anyone ever found netapp group quotas to be useful at all?
----- Original Message ----- From: Kevin Parker To: toasters@mathworks.com Sent: Wednesday, March 05, 2008 1:19 PM Subject: Quotas for A.D. groups
Toasters:
Client wants ability to quota by Active Directory group. I see some
products out there, but none seem to be able to set a quota on a volume/qtree/directory with the quota pertaining to an A.D. group.
Only way I've implemented these in the past is to control access via
NTFS ACL such that the A.D. group has write access (everyone else read or none), then set qtree quota. Client has political reasons not to restrict access via NTFS. This is NAS/CIFS only environment.
Has anyone else out there found another way, or using any other 3rd
party *ware?
Best regards,
Kevin M. Parker
Sr. Storage Solutions Engineer l 919.830.5819 mobile l 919.653.4489
office l 860 Aviation Pkwy., Ste. 1000, Morrisville, NC 27560
------------------------------------------------------------------------ ------
Note: This message and any attachments is intended solely for the
use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
The FSRM piece of DFM\Ops Manager has always been a bit difficult for us to kick-start, but to be fair we really haven't had the time to dedicate to it. The real issue is that we have to manually build the mailmap file for notifications because the usernames don't match the email addresses (this can be done, we've built a script to do it by pulling the AD attributes for each account).
CCSTOR I'm not familiar with, but it seems to be another vendor's product (Veritas Command Central) - if I'm right, what's the difference between buying one product or buying another?
-----Original Message----- From: N,SureshKumar [mailto:Sureshkumar.N@netapp.com] Sent: Thursday, March 06, 2008 8:08 AM To: Glenn Walker; Stephen C. Losen; Bill Holland Cc: Kevin Parker; toasters@mathworks.com Subject: RE: Quotas for A.D. groups
How about NetApp 'Operations Manager with FSRM' and 'ccstor'? Both are offering quota management with file screening functionalities as well.
Thanks! |Suresh|
-----Original Message----- From: Glenn Walker [mailto:ggwalker@mindspring.com] Sent: Thursday, March 06, 2008 5:18 AM To: Stephen C. Losen; Bill Holland Cc: Kevin Parker; toasters@mathworks.com Subject: RE: Quotas for A.D. groups
Very useful for controlling growth and impact from individual groups/users. However, nearly impossible to effectively manage without being extremely time consuming.
We've looked at NTP Software's QFS product and like it - just a matter of funding.
Glenn
-----Original Message----- From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Stephen C. Losen Sent: Wednesday, March 05, 2008 4:23 PM To: Bill Holland Cc: Kevin Parker; toasters@mathworks.com Subject: Re: Quotas for A.D. groups
Unfortunately, group quotas won't work in native ONTAP as AD groups do
not map to UNIX groups properly. User and qtree quotas work fine. You could create qtrees that belong to the specific AD groups and place quotas on those.
Also, netapp "group quotas" may not work like you want. In the Unix/NFS world, each file has a group id. A group quota limits the total disk space consumed by all files that have a particular group id. It does not matter who owns the files. Group quotas are easy to circumvent because the owner of a file can change its group id to any group that the owner belongs to.
Some folks mistakenly think that a "group quota" restricts the total disk space consumed by all the members of the group. In other words, if a group has members A, B, and C and the group quota is 10 Gbyte then disk space consumed by files owned by A, B, or C cannot exceed 10 Gbyte. This is NOT how group quotas work.
As others have stated, you probably need a qtree. Has anyone ever found netapp group quotas to be useful at all?
----- Original Message ----- From: Kevin Parker To: toasters@mathworks.com Sent: Wednesday, March 05, 2008 1:19 PM Subject: Quotas for A.D. groups
Toasters:
Client wants ability to quota by Active Directory group. I see some
products out there, but none seem to be able to set a quota on a volume/qtree/directory with the quota pertaining to an A.D. group.
Only way I've implemented these in the past is to control access via
NTFS ACL such that the A.D. group has write access (everyone else read or none), then set qtree quota. Client has political reasons not to restrict access via NTFS. This is NAS/CIFS only environment.
Has anyone else out there found another way, or using any other 3rd
party *ware?
Best regards,
Kevin M. Parker
Sr. Storage Solutions Engineer l 919.830.5819 mobile l 919.653.4489
office l 860 Aviation Pkwy., Ste. 1000, Morrisville, NC 27560
------------------------------------------------------------------------ ------
Note: This message and any attachments is intended solely for the
use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
NetApp also sells NetApp branded CCStor (OEM from Veritas). NetApp CCStor should be used when you have Multivendor SAN environment, Whereas NetApp Operations Manager best caters to NetApp-only environment.
Regards mrpr
-----Original Message----- From: Glenn Walker [mailto:ggwalker@mindspring.com] Sent: Thursday, March 06, 2008 8:01 PM To: N,SureshKumar; Stephen C. Losen; Bill Holland Cc: Kevin Parker; toasters@mathworks.com Subject: RE: Quotas for A.D. groups
The FSRM piece of DFM\Ops Manager has always been a bit difficult for us to kick-start, but to be fair we really haven't had the time to dedicate to it. The real issue is that we have to manually build the mailmap file for notifications because the usernames don't match the email addresses (this can be done, we've built a script to do it by pulling the AD attributes for each account).
CCSTOR I'm not familiar with, but it seems to be another vendor's product (Veritas Command Central) - if I'm right, what's the difference between buying one product or buying another?
-----Original Message----- From: N,SureshKumar [mailto:Sureshkumar.N@netapp.com] Sent: Thursday, March 06, 2008 8:08 AM To: Glenn Walker; Stephen C. Losen; Bill Holland Cc: Kevin Parker; toasters@mathworks.com Subject: RE: Quotas for A.D. groups
How about NetApp 'Operations Manager with FSRM' and 'ccstor'? Both are offering quota management with file screening functionalities as well.
Thanks! |Suresh|
-----Original Message----- From: Glenn Walker [mailto:ggwalker@mindspring.com] Sent: Thursday, March 06, 2008 5:18 AM To: Stephen C. Losen; Bill Holland Cc: Kevin Parker; toasters@mathworks.com Subject: RE: Quotas for A.D. groups
Very useful for controlling growth and impact from individual groups/users. However, nearly impossible to effectively manage without being extremely time consuming.
We've looked at NTP Software's QFS product and like it - just a matter of funding.
Glenn
-----Original Message----- From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Stephen C. Losen Sent: Wednesday, March 05, 2008 4:23 PM To: Bill Holland Cc: Kevin Parker; toasters@mathworks.com Subject: Re: Quotas for A.D. groups
Unfortunately, group quotas won't work in native ONTAP as AD groups do
not map to UNIX groups properly. User and qtree quotas work fine. You could create qtrees that belong to the specific AD groups and place quotas on those.
Also, netapp "group quotas" may not work like you want. In the Unix/NFS world, each file has a group id. A group quota limits the total disk space consumed by all files that have a particular group id. It does not matter who owns the files. Group quotas are easy to circumvent because the owner of a file can change its group id to any group that the owner belongs to.
Some folks mistakenly think that a "group quota" restricts the total disk space consumed by all the members of the group. In other words, if a group has members A, B, and C and the group quota is 10 Gbyte then disk space consumed by files owned by A, B, or C cannot exceed 10 Gbyte. This is NOT how group quotas work.
As others have stated, you probably need a qtree. Has anyone ever found netapp group quotas to be useful at all?
----- Original Message ----- From: Kevin Parker To: toasters@mathworks.com Sent: Wednesday, March 05, 2008 1:19 PM Subject: Quotas for A.D. groups
Toasters:
Client wants ability to quota by Active Directory group. I see some
products out there, but none seem to be able to set a quota on a volume/qtree/directory with the quota pertaining to an A.D. group.
Only way I've implemented these in the past is to control access via
NTFS ACL such that the A.D. group has write access (everyone else read or none), then set qtree quota. Client has political reasons not to restrict access via NTFS. This is NAS/CIFS only environment.
Has anyone else out there found another way, or using any other 3rd
party *ware?
Best regards,
Kevin M. Parker
Sr. Storage Solutions Engineer l 919.830.5819 mobile l 919.653.4489
office l 860 Aviation Pkwy., Ste. 1000, Morrisville, NC 27560
------------------------------------------------------------------------ ------
Note: This message and any attachments is intended solely for the
use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
We use quotas to restrict by department amount of space.
UNC PATH: \server\share\deptname Filer Path: /vol/Groupdir/deptname where deptname is a qtree and set quota on qtree.
Stephen C. Losen wrote:
Unfortunately, group quotas won't work in native ONTAP as AD groups do not map to UNIX groups properly. User and qtree quotas work fine. You could create qtrees that belong to the specific AD groups and place quotas on those.
Also, netapp "group quotas" may not work like you want. In the Unix/NFS world, each file has a group id. A group quota limits the total disk space consumed by all files that have a particular group id. It does not matter who owns the files. Group quotas are easy to circumvent because the owner of a file can change its group id to any group that the owner belongs to.
Some folks mistakenly think that a "group quota" restricts the total disk space consumed by all the members of the group. In other words, if a group has members A, B, and C and the group quota is 10 Gbyte then disk space consumed by files owned by A, B, or C cannot exceed 10 Gbyte. This is NOT how group quotas work.
As others have stated, you probably need a qtree. Has anyone ever found netapp group quotas to be useful at all?
----- Original Message ----- From: Kevin Parker To: toasters@mathworks.com Sent: Wednesday, March 05, 2008 1:19 PM Subject: Quotas for A.D. groups
Toasters:
Client wants ability to quota by Active Directory group. I see some products out there, but none seem to be able to set a quota on a volume/qtree/directory with the quota pertaining to an A.D. group.
Only way I've implemented these in the past is to control access via NTFS ACL such that the A.D. group has write access (everyone else read or none), then set qtree quota. Client has political reasons not to restrict access via NTFS. This is NAS/CIFS only environment.
Has anyone else out there found another way, or using any other 3rd party *ware?
Best regards,
Kevin M. Parker
Sr. Storage Solutions Engineer l 919.830.5819 mobile l 919.653.4489 office l 860 Aviation Pkwy., Ste. 1000, Morrisville, NC 27560
Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
-
Bill Holland -
Glenn Walker -
Jack Lyons -
Kevin Parker -
N,SureshKumar -
Reddy,Ravi -
Stephen C. Losen