The reason we change the security style in mixed qtrees is to guarantee correct semantics. A conservative security rule implies the permission you get should be _exactly_ what was set. Because it is not possible to map the settings exactly, we chose to replace the permissions entirely and change the security style in mixed qtrees.
Going forward, that will continue to be the default behavior. However, we understand that not all sites require such strict security rules, so we have plans to relax this behavior under control of an option. As always, feedback on how you would like things to work is very welcome.
On the names being identical: as I mentioned before, it is *not* necessary to have them identical. You can map them in the /etc/usermap.cfg file. But it makes administration easier if they are the same, because it's one less thing to manage.
Mark Muhlestein -- mmm@netapp.com
-----Original Message-----
From: Todd C. Merrill [mailto:tmerrill@mathworks.com]
Sent: Friday, March 17, 2000 10:01 AM
To: Paul Lupa
Cc: toasters@mathworks.com
Subject: Re: Problems integrating CIFS and NFS access control
On Thu, 16 Mar 2000, Paul Lupa wrote:
> I have a problem with the operation of a NetApp that serves up a share both via CIFS and NFS. The goal of a group that I support was to have a common directory for both the UNIX systems and the NT systems. A user
We use common directories for home directories for both UNIX and NT users here. That filer uses mixed qtree security:
file:/cdrom/534R3/html/sag/qtree2.htm#1164436
The behavior is exactly as you stated, and as the docs state:
==========
Both NTFS and UNIX style permissions are permitted. The security style of a file is the style most recently used to set permissions on that file. See the information in "NTFS."
Caution: Changing NTFS permissions on a file recomputes UNIX permissions on that file.
Changing UNIX permissions or ownership on a file deletes any NTFS permissions on that file.
==========
A slightly bizarre interpretation, I think. You might say there is loss of data here! ;)
> My questions to the group:
> 1: Is anyone sharing the same directory under CIFS and NFS and found a workaround or an acceptable way to implement permissions?
We use the mixed style when we absolutely need data sharing *and* NT clients need to use the full ACL's (one filer). Otherwise, we use UNIX style security (four filers), which is a bit more straightforward for the admins and our users.
> 2: Has anyone thought about what would be wrong with using UNIX permissions to determine access when using NFS and NT permissions when using CIFS?
I don't have an answer for you on this one. I don't know what is involved in having NFS/CIFS permissions behave as they do with UNIX style security for the owner and primary group owner of the file/directory, and only have the additional NT ACL's be applicable only to CIFS clients. Why *wipe* them out on the NFS/CIFS side if they are changed on the CIFS/NFS side?
But, as someone else said, all this sharing only works when the usernames are *identical* via NFS and CIFS.
Feel free to continue the thread or email me personally about how we implement/workaround stuff here.
Until next time...
The Mathworks, Inc.  508-647-7000 x7792
3 Apple Hill Drive, Natick, MA 01760-2098  508-647-7001 FAX
tmerrill@mathworks.com  http://www.mathworks.com
---