Hello all, I have a qtree that I wish to change from UNIX security style to NTFS. Experimenting on a test volume I've found that when I make the change the ownerships of all the objects are preserved*, and appropriate ACLs show up for the owners. However, Unix "group" and "other" privileges do not seem to get translated to ACLs.
Before I can proceed I really need to find a way to duplicate the group-based permissions that existed on the Unix side. I've started hacking together a script using smbcacls (the ACL utility in Samba). The idea is to set appropriate ACLs for specific groups and "Everyone" based on what the Unix mode bits used to be. Still I wonder if there's an easier way. Has anyone had a similar "challenge"?
*In our environment all Unix and Windows user IDs are identical. We use an LDAP back end for Unix authentication and for our Samba-based domain controller.
This is 7.2.1.1 on a FAS3020 in case it matters.
Thanks for any input.
-bump-
Anyone?
I've opened a case with NetApp; I'll summarize if I get anything interesting.
Thanks,
I think you are going to want to set ACLs everywhere. As I understand it, WAFL maintains two sets of file permissions for each file and folder: Unix owner, group, permissions and Windows owner, group, ACLs. When you change a qtree from Unix style security to NTFS style, you don't have any NTFS ACLs set anywhere, so the filer "makes do" with the Unix permissions (and you see "fake" ACL data generated from the Unix permissions). As soon as you set an ACL, however, WAFL ignores the Unix permissions (they are still there) and uses the ACL. If you are going to use NTFS security style, then you really want to set ACLs on everything or things can get pretty confusing.
You may be able to set everything up very nicely using the Windows GUI and ACL inheritance.
At the top of your qtree, you might set an ACL that allows full control to an admin group (or to individual users who are admins) and read only access for everyone else. Have this propagate everywhere i.e., force inheritance of this top level ACL. (This is essentially a chmod -R.) This will set an ACL on everything and hide all of the old Unix permissions.
Now you can drop down to a sub folder that requires, say read/write access for a group. The folder's ACL consists of inherited entries from above. You can add an entry that allows read/write access to the group. If "everyone" should not have read access, then you can add an entry to deny this. Once you get the folder set up properly, force inheritance on everything below.
Inheritance is nice because new files and folders inherit from above (but only if you set up inheritance). Unix is sadly deficient in this area. Even if you create a new file with NFS, it inherits the Windows ACL, probably exactly what you want. (You cannot manage permissions via NFS when using NTFS security style.)
When you start from scratch with an empty qtree and set up top level folders for different groups, you usually set the ACLs by hand with the Windows GUI and you get inheritance by default. Everything works great.
But your problem is that you have a ton of existing stuff and so you need to start at the top, set an ACL and force it upon everything below. Then work your way down.
I hope this makes sense. Chances are if folks have been setting Unix permissions, they have them all screwed up anyway.
If the GUI will be too cumbersome, you can script this. I recommend the "fileacl" utility, which runs in a DOS (CLI) window.
http://www.gbordier.com/gbtools/fileacl.htm
Unlike the Windows cacls program, fileacl understands inheritance and you can do anything with fileacl that you can do with the GUI. Plus you can put a bunch of fileacl commands in a batch file and run it from a DOS window. You could use Unix to write the batch file.
Steve Losen scl@virginia.edu phone: 434-924-0640
University of Virginia ITC Unix Support
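The mode-bit translation Roy sketches in the original post, combined with the inheritance flags Steve recommends, as an added example (not code from either poster). It emits smbcacls ACE strings in the form ACL:name:type/flags/mask; the share path and the assumption that Unix names resolve as Windows names (per Roy's LDAP setup) are assumptions, and setuid/sticky bits are ignored.

```python
import stat

# Inheritance flags in the smbcacls ACE syntax (ACL:name:type/flags/mask):
# 0x1 = OBJECT_INHERIT, 0x2 = CONTAINER_INHERIT. Both on a directory is
# what makes children pick the entry up, as Steve describes.
OI_CI = "0x3"
NO_INHERIT = "0x0"
EVERYONE_SID = "S-1-1-0"  # well-known SID for "Everyone"; avoids name lookup

def mask_from_triplet(triplet):
    """Map one rwx triplet (0-7) to the smbcacls mask letters R/W/X."""
    letters = ""
    if triplet & 4:
        letters += "R"
    if triplet & 2:
        letters += "W"
    if triplet & 1:
        letters += "X"
    return letters

def parse_symbolic(mode_str):
    """Turn an ls -l style string such as 'drwxr-x---' into a stat mode."""
    bits = 0
    for i, ch in enumerate(mode_str[1:10]):
        if ch != "-":
            bits |= 1 << (8 - i)
    return bits | (stat.S_IFDIR if mode_str[0] == "d" else stat.S_IFREG)

def aces_from_mode(mode, owner, group):
    """Return the smbcacls ACE strings equivalent to the Unix mode bits.
    Owner, group and 'other' each become one ALLOWED entry; a triplet with
    no bits set produces no entry, since NTFS denies by default."""
    flags = OI_CI if stat.S_ISDIR(mode) else NO_INHERIT
    perm = stat.S_IMODE(mode)
    subjects = ((owner, (perm >> 6) & 7),
                (group, (perm >> 3) & 7),
                (EVERYONE_SID, perm & 7))
    aces = []
    for name, triplet in subjects:
        mask = mask_from_triplet(triplet)
        if mask:
            aces.append(f"ACL:{name}:ALLOWED/{flags}/{mask}")
    return aces

def smbcacls_add_command(path, mode, owner, group, share="//filer/share"):
    """Build an 'smbcacls -a' line; the share name is a placeholder."""
    acl = ",".join(aces_from_mode(mode, owner, group))
    return f'smbcacls {share} "{path}" -a "{acl}"'
```

Feed it the output of a find/stat walk to generate one command per object, or run it only on top-level directories and let inheritance do the rest.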
Just a heads up that I recently ran into a significant problem when I used ndmpcopy to migrate 30GB of files from a Unix qtree to an NTFS qtree.
After the copy was complete, I used the AD management tool to set the NTFS permissions. Everything was fine for CIFS clients, but NFS clients lost the execute bit on existing files. New files were assigned the correct Unix ACLs, but there was no way to set the execute bit on the existing files.
I worked with NetApp and we tried changing to Mixed mode and fixing the Unix ACLs with chmod and chown but nothing worked. We ended up changing the security style of the new qtree to Unix where chmod and chown worked as expected. I'm still working with NetApp to try and figure out what happened.
Neil
-----Original Message----- From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Stephen C. Losen Sent: Friday, August 10, 2007 9:29 AM To: Roy McMorran Cc: toasters@mathworks.com Subject: Re: Change UNIX security to NTFS - ACLs?
Conner, Neil wrote:
Just a heads up that I recently ran into a significant problem when I used ndmpcopy to migrate 30GB of files from a Unix qtree to an NTFS qtree.
Hi Neil,
Thanks for the warning. I do have a handful of files that are accessed via NFS and need to remain executable. Does this *only* happen if you use ndmpcopy (I wasn't planning to), or is it a general CIFS vs. NFS issue?
Thanks and best wishes, -r
I don't know. NetApp was surprised it happened at all, but the finger is pointed at ndmpcopy until I can find the time to either reproduce the condition or not.
The recommendation was to ndmpcopy to the same style qtree, then change the style.
Neil
-----Original Message----- From: owner-toasters@mathworks.com [mailto:owner-toasters@mathworks.com] On Behalf Of Roy McMorran Sent: Tuesday, August 14, 2007 7:52 AM Cc: toasters@mathworks.com Subject: Re: Change UNIX security to NTFS - ACLs?
Stephen C. Losen wrote:
Roy McMorran wrote:
Before I can proceed I really need to find a way to duplicate the group-based permissions that existed on the Unix side. I've started hacking together a script using smbcacls (the ACL utility in Samba). The idea is to set appropriate ACLs for specific groups and "Everyone" based on what the Unix mode bits used to be. Still I wonder if there's an easier way. Has anyone had a similar "challenge"?
At the top of your qtree, you might set an ACL that allows full control to an admin group (or to individual users who are admins) and read only access for everyone else. Have this propagate everywhere i.e., force inheritance of this top level ACL. (This is essentially a chmod -R.) This will set an ACL on everything and hide all of the old Unix permissions.
Thanks for the reply Steve.
When you start from scratch with an empty qtree and set up top level folders for different groups, you usually set the ACLs by hand with the Windows GUI and you get inheritance by default. Everything works great.
...
I hope this makes sense. Chances are if folks have been setting Unix permissions, they have them all screwed up anyway.
It does.
This qtree started life as a Samba share on a Unix filesystem, so Unix permissions were all we had. When we migrated to the NetApp we kept the UNIX security style for the sake of simplicity, and it's worked well. However, the "user-group-other" model is showing signs of strain - I have many users that belong to 16 groups (the limit, in general) and I need more flexibility. ACLs are definitely the way to go.
But your problem is that you have a ton of existing stuff
Exactly!
and so you need to start at the top, set an ACL and force it upon everything below. Then work your way down.
If the GUI will be too cumbersome, you can script this. I recommend the "fileacl" utility, which runs in a DOS (CLI) window.
This sounds useful, and I hadn't heard of that utility. I've also looked at setacl (http://setacl.sourceforge.net/) and smbcacls (part of Samba).
Unlike the Windows cacls program, fileacl understands inheritance and you can do anything with fileacl that you can do with the GUI. Plus you can put a bunch of fileacl commands in a batch file and run it from a DOS window. You could use Unix to write the batch file.
Yes, that's the idea I had in mind. I like the idea of using inheritance as opposed to setting an ACL on each and every object (which my original script tried to do).
Thanks for the information. Best wishes,
-r