I have a test volume with a CIFS share and default permissions. If I want to modify the NTFS permissions using either vserver security file-directory ntfs modify... or something like Ansible, how do I find the security descriptor to modify (ntfs-sd):
    vserver security file-directory show -vserver svm1 -path /test4 -instance
    Vserver: svm1
    File Path: /test4
    File Inode Number: 64
    Security Style: ntfs
    Effective Style: ntfs
    DOS Attributes: 10
    DOS Attributes in Text: ----D---
    Expanded Dos Attributes: -
    UNIX User Id: 0
    UNIX Group Id: 0
    UNIX Mode Bits: 777
    UNIX Mode Bits in Text: rwxrwxrwx
    ACLs: NTFS Security Descriptor
          Control:0x8004
          Owner:BUILTIN\Administrators
          Group:BUILTIN\Administrators
          DACL - ACEs
            ALLOW-Everyone-0x1f01ff
            ALLOW-Everyone-0x10000000-OI|CI|IO
Feel like I'm missing something obvious here. . .
Thanks,
--Carl
I believe you can't do that, and to modify the perms using the file-directory commands you'll need to create an ntfs-sd, add the right ACEs you want (and you can't just tell the ntfs-sd to populate itself based on an existing file's ACL), then create a policy and policy tasks to apply the SD to a path.
If you want to modify only one ACE, you still need to set up the ntfs-sd to have all the ACEs in it, as running the policy will blow away the existing DACL and replace it with what the ntfs-sd has, not just modify the individual ACE you mentioned.
Cheers
Graham
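The workflow described in the reply above (create an ntfs-sd, add every ACE, create a policy and task, apply), as an added example that is not part of the original thread: a Python sketch that reads the DACL from the `show -instance` output and emits the ONTAP commands needed to carry all existing ACEs into a new descriptor. The names `test4_sd` and `test4_policy` are hypothetical, and the mapping from standard Windows access masks to ONTAP `-rights` values is an assumption to verify on your system.

```python
import re
# Constructed sample: excerpt of the ACLs section of the output quoted in the thread.
SHOW_OUTPUT = r"""
ACLs: NTFS Security Descriptor
      Owner:BUILTIN\Administrators
      Group:BUILTIN\Administrators
      DACL - ACEs
        ALLOW-Everyone-0x1f01ff
        ALLOW-Everyone-0x10000000-OI|CI|IO
"""
# Assumed mapping: standard Windows masks (FILE_ALL_ACCESS, GENERIC_ALL, ...) to -rights values.
RIGHTS = {0x1F01FF: "full-control", 0x10000000: "full-control", 0x1301BF: "modify",
          0x1200A9: "read-and-execute", 0x120089: "read", 0x120116: "write"}
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?$")
BASE = "vserver security file-directory"

def parse_aces(text):
    """Return (access_type, account, rights, apply_to) for every DACL ACE line."""
    aces = []
    for line in map(str.strip, text.splitlines()):
        m = ACE_RE.match(line)
        if not m:
            continue
        kind, account, mask, flags = m.groups()
        flags = set(flags.split("|")) if flags else set()
        if int(mask, 16) not in RIGHTS or flags - {"OI", "CI", "IO"}:
            # Refuse to guess: a dropped or altered ACE silently changes access.
            raise ValueError(f"translate by hand: {line}")
        apply_to = [name for name, on in (("this-folder", "IO" not in flags),
                    ("sub-folders", "CI" in flags), ("files", "OI" in flags)) if on]
        aces.append((kind.lower(), account, RIGHTS[int(mask, 16)], ",".join(apply_to)))
    return aces

def build_commands(text, vserver, path, sd, policy):
    """Emit the create-SD, add-ACEs, policy, task, apply sequence for one path."""
    owner = re.search(r"Owner:(.+)", text).group(1).strip()
    cmds = [f'{BASE} ntfs create -vserver {vserver} -ntfs-sd {sd} -owner "{owner}"']
    for kind, account, rights, apply_to in parse_aces(text):
        cmds.append(f'{BASE} ntfs dacl add -vserver {vserver} -ntfs-sd {sd} -access-type {kind} '
                    f'-account "{account}" -rights {rights} -apply-to {apply_to}')
    cmds += [f"{BASE} policy create -vserver {vserver} -policy-name {policy}",
             f"{BASE} policy task add -vserver {vserver} -policy-name {policy} "
             f"-path {path} -ntfs-sd {sd}",
             f"{BASE} apply -vserver {vserver} -policy-name {policy}"]
    return cmds

if __name__ == "__main__":
    print("\n".join(build_commands(SHOW_OUTPUT, "svm1", "/test4", "test4_sd", "test4_policy")))
```

A newly created ntfs-sd comes with default DACL ACEs of its own, so compare `vserver security file-directory ntfs dacl show` against the intended list before running the apply step.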
Carl,
First I would see if you have created any security descriptors yet: vserver security file-directory ntfs show
If not, then create one: vserver security file-directory ntfs create
And then you can modify it.
Here is a link that might be helpful as well: https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmp...
Thank you, Tim
Thanks Graham!
So, if you're trying to set NTFS ACLs via Ansible, is there a benefit to doing it through the ONTAP Ansible Collection > ONTAP Policy > ntfs-sd, or would it be simpler, and perhaps more portable, to do it via an Ansible/Windows/NTFS Collection (if such a thing exists)?
Thanks
--Carl
Carl,
What is your use case, what are you trying to achieve? Is it a big once-off permissions change you want to implement or an ongoing requirement to be regularly changing permissions back to some standard? The ONTAP Ansible modules seem to have everything you'd need, i.e. create the SD, add the DACLs, create policy and tasks. I'm not sure what a Windows/NTFS-centric Ansible collection would offer (assuming it exists), but I expect executing file permission changes directly on the filer would be faster than via a CIFS client, so there's that benefit.
One thing I guess is that any "idempotence" of using ONTAP Ansible modules for something like this is a bit of an illusion, because it's the ONTAP config of 'ntfs-sd's, DACLs and policy tasks that you're actually keeping consistent, not directly the permissions themselves. Looking at the Ansible module for file-directory policy, it would execute the policy if a change was made to it, like a new task being added, but not if you just need it to run because you know the actual NTFS permissions need a tune-up. It's using that ONTAP policy configuration to manage idempotence, which is the right thing to do, but isn't really what you would be expecting in practice.
Cheers Graham
The use case is a volume with folders that have very specific permissions set on them. I agree with you. I think the ONTAP ansible modules are a good fit here.
Thanks for the great feedback.
--Carl
Toasters mailing list Toasters@teaparty.net https://www.teaparty.net/mailman/listinfo/toasters