Hello all:
I have a large number of windows/unix home directories on my NetApps all under unix qtrees. I'm a unix admin so this works great for me but the NT admins have complained that they can access their users' data. I would like any war stories, opinions, etc. from people who have tried and/or use the mixed qtrees for this purpose. Any suggestions and whatnot are totally welcomed!
Thank you sooo much for your time 8)
Kelly McQuarrie Unix System Administrator Ericsson CDMA Systems
Don't ever implement "mixed". It becomes a nightmare for the user community, since changes to a file from Windoze automatically change (and sometimes screw up) the Unix perms.
Educating the user community on this is basically impossible, so avoid it. You can't expect users to know that if they change a file in Windoze, they need to re-verify the perms in Unix.
From the Ontap 6.1 manual regarding mixed-mode security:
----------
If NTFS permissions on a file are changed, the Unix permissions are "recomputed" (quotes mine). If Unix permissions on a file are changed, the NTFS permissions are DELETED.
-----------
/Brian/
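The failure mode Brian describes (a Windows-side ACL edit makes the filer recompute the Unix mode bits, and nobody on the Unix side notices) is easy to catch after the fact with a baseline-and-diff audit of the NFS-mounted tree. The script below is an added example written for this thread, not code from Brian, from NetApp, or from the Ontap manual. It assumes GNU find (for -printf and -perm /), that the home-directory qtree is mounted read-only somewhere like /mnt/home, and that the baseline file path is your own choice.

```shell
#!/bin/sh
# Added example (not from the thread or from NetApp): audit UNIX permission
# drift on a home-directory tree, e.g. a mixed-security qtree mounted over NFS
# where a Windows-side ACL edit caused the filer to recompute the UNIX mode.
# Assumes GNU find. Mount point and baseline path are assumptions.

# perm_snapshot DIR OUT
#   Record "mode<TAB>owner<TAB>group<TAB>path" for every entry under DIR,
#   sorted, into OUT. Paths are relative to DIR so snapshots of the same
#   tree taken at different mount points still compare.
perm_snapshot() {
    ( cd "$1" && find . -printf '%m\t%u\t%g\t%p\n' | LC_ALL=C sort ) > "$2"
}

# perm_drift BASELINE CURRENT
#   Print one line per path whose mode/owner/group differs from the baseline
#   ("path: old -> new"); new and removed entries are reported as well.
#   Exit status 1 if anything drifted, 0 if the tree still matches.
perm_drift() {
    awk -F'\t' '
        # first file: remember baseline mode/owner/group keyed by path
        NR == FNR { base[$4] = $1 " " $2 " " $3; next }
        # second file: compare against the baseline
        {
            cur = $1 " " $2 " " $3
            if (!($4 in base))        { printf "%s: (new) -> %s\n", $4, cur; drift = 1 }
            else if (base[$4] != cur) { printf "%s: %s -> %s\n", $4, base[$4], cur; drift = 1 }
            delete base[$4]
        }
        END {
            for (p in base) { printf "%s: %s -> (removed)\n", p, base[p]; drift = 1 }
            exit (drift ? 1 : 0)
        }' "$1" "$2"
}

# perm_writable DIR
#   List entries that are group- or world-writable, the usual symptom when a
#   recomputed UNIX mode ends up looser than the owner intended.
perm_writable() {
    ( cd "$1" && find . -perm /022 -printf '%m %p\n' | LC_ALL=C sort )
}

# Usage: perm-audit.sh /mnt/home /var/tmp/home-perms.baseline
#   First run stores the baseline; later runs report drift against it.
if [ $# -ge 2 ]; then
    if [ ! -f "$2" ]; then
        perm_snapshot "$1" "$2" && echo "baseline written to $2"
    else
        tmp=$(mktemp)
        perm_snapshot "$1" "$tmp"
        perm_drift "$2" "$tmp" || echo "permission drift detected under $1"
        rm -f "$tmp"
    fi
fi
```

Run it from cron against a read-only NFS mount of the qtree right after cutting a test qtree over to mixed, and the drift report tells you which users are "re-verifying" their Unix perms the hard way. Refresh the baseline deliberately (delete it and rerun) rather than on every run, or intended changes will mask the accidental ones.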
Folks,
I'm a Unix-centric sysadmin from way back, but I have to say that we've had very few problems running with "mixed" qtrees in our environment.
It is true that folks will sometimes shoot themselves in the foot by setting permissions in Windows and breaking Unix applications, or the other way around. But for the most part, users and groups of users here work primarily in one platform or the other, and seldom collide with themselves or with users of the other platform.
I think that back when we had only Unix qtrees, we probably got more questions about why NTFS permissions weren't available to our Windows users, as compared to the number of problem reports we get now related to our current mixed qtree environment.
I recommend that you do what we did: make the change on one qtree, or create a test qtree, and let people try it out for a while.
Oh, a couple of notes: I'm not familiar with the "inheritance vs gzip" issue someone else mentioned.
Also, at our site I recommend making Windows homedirs be subdirectories of Unix homedirs, but that's mostly a personal preference. We support that configuration as well as having the Windows & Unix homedirs be identical, on a per-user basis. The cifs.home_dir option helps (the latter is blank, as in ""):
cifs.home_dir /vol/vol0/home/users/%u%/nt,/vol/vol0/home/users
cifs.home_dir_namestyle
Some care should be given to deciding if your Windows admin users will be fully equivalent to the Unix root user, permissions-wise. This is handled in the etc/usermap.cfg file. These options might also be relevant, if you're a Unix-centric person like me:
cifs.nfs_root_ignore_acl on
wafl.nt_admin_priv_map_to_root off
wafl.root_only_chown on
Regards,