When an NTFS qtree is set up, the qtree directory gets an ACL which grants the Everyone group Full Control. If the qtree had previously been Unix or mixed, it might not have ACLs on every file/dir in it. Any files that don't have ACLs will still use the Unix security when checking access. This is explained fully in the security troubleshooter guide on NOW:
http://now.netapp.com/NOW/knowledge/docs/olio/guides/53_troubleshooting/
Mark Muhlestein -- mmm@netapp.com
-----Original Message-----
From: neil lehrer [mailto:nlehrer@ibb.gov]
Sent: Monday, February 12, 2001 9:07 AM
To: toasters
Subject: ntfs qtrees
hi,
we are migrating our files from sun/NFS to filer/cifs. i have clustered f760's running ontap 5.36r2. for testing the data is copied over using cpio and the unix perms are maintained.
i found the note shown below on page 421 of the Ontap SAG. i find it confusing and a little contradictory -- every windows user is given full access, but if you don't set ntfs file sec then unix perms are enforced?
"Note When you create an NTFS qtree or change a qtree to NTFS, by default, every Windows user is given full access. You must change the permissions if you want to restrict access to the qtree for some users. If you do not set NTFS file security on a file, UNIX permissions are enforced."
could someone please clear this up? what if the unix perms say no?? is this just written poorly?
thanks.
regards
well, i have read every white paper and still have a couple of questions.
i copied the user hierarchy from our sun box to the filer maintaining the unix perms. the target on the filer was a qtree with unix sec style.
i just changed the sec style from unix to ntfs. when i look at the ntfs perms on the ntfs qtree they look okay. i used both nt explorer and some cmd line utils i have.
my question at this point is are these permissions "fake." is there any way to tell? just the "has acl" box in secureshare tool? are they still unix perms and synthesized until i actually create acls? does it matter?? should i run thru the structure and create acl's? or can it wait...
also, i noted that user's sub directories have r-x for everyone. that is being picked up from the unix perms for other. which did not matter in nfs because access could not get past the home dir perms which only gave rights to the owner. however, if i am in nt explorer as a normal [non-privileged] user i can see all the users directories, but cannot enter them by clicking in [which is the way we want it]. however, i can cd into the lower level directories from a cmd line. do i correct this by correcting the acls, or is there a traverse restriction i remember from somewhere?
i'm sure there is something i'm forgetting to ask.
thanks.