A mixed qtree already works exactly as you want it to. In a mixed qtree the security of a file is based on the last security-setting operation. If an ACL is set which denies you access, but you still need to do something with a file, then as root you can change the security on any files/dirs in that qtree (using chmod, chown, or chgrp), which changes the security-style to UNIX. After that, those files follow regular UNIX rules, which allows root full access. If the user wants to put an ACL back on afterwards, no problem.
We have found that using ACLs in a mixed qtree can be helpful in a number of situations. That's because ACLs are enforced even for NT Admins and root. For example, we found that some files were being accidentally deleted by root/Admin users, so we put an ACL on those files which allows only READ access to all users. That prevents deleting, even by root or NT Admins. Of course, if we actually want to delete the files we just change the permissions to allow that, since in a mixed qtree both root and NT Admins have a special dispensation to change the permissions.
Mark Muhlestein -- mmm@netapp.com
-----Original Message-----
From: Jason D. Kelleher [mailto:kelleher@susq.com]
Sent: Wednesday, May 05, 1999 11:13 AM
To: Muhlestein, Mark
Cc: 'Mark D Fowle'; 'toasters@mathworks.com'
Subject: Re: Running CIFS

In message 7F608EC0BDE6D111B53A00805FA7F7DA03A83931@TAHOE.netapp.com, "Muhlestein, Mark" writes:
There is a document on the NOW site that should help:
http://now.netapp.com/knowledge/docs/olio/guides/53_troubleshooting/
This is primarily for 5.3, but it is also useful for earlier releases. It has a lot of explanations of our approach, a security FAQ, and a bunch of other (hopefully useful) security-related stuff.
Mark Muhlestein -- mmm@netapp.com
This is nice. Especially since the System Administrator's Guide doesn't talk about the usermap.cfg file. (Even though the sample file refers you to it. Just 'cause the filer is _usually_ simple to set up and maintain is no excuse for poor/missing documentation.)
I've been trying to set up access to a "mixed" quota tree such that no NT admin has access to it, but a UNIX root user can override NTFS permissions. I know this sounds weird, but there are _way_ too many NT admin accounts floating around. That's why I don't want NT admins to have access to (read: be able to screw up) the filer. But because I'm one of those "pesky UNIX admins" I can't get an admin account, so I need root to be able to override NTFS permissions. Is this even possible? I'm not having much luck.
jason
-----Original Message-----
From: Mark D Fowle [mailto:Fowle_Mark_D@CAT.com]
Sent: Wednesday, May 05, 1999 6:58 AM
To: toasters
Subject: Running CIFS
I am trying to set up a mixed environment on 2 720's. I have created a test share and a usermap.cfg file that has domain\user unix-user mapped out. My problem is that only 2 of our 7 people can get access to the share. What else might I be missing?
Mark Fowle Caterpillar - BCP fowelmd@cat.net