There are a number of important bug fixes and improvements in the security model in 5.3. I would encourage you to upgrade as soon as practical.
When you say multiprotocol, I believe what you mean is what would happen if you started using a more NT style of security. That is another good reason to upgrade. The UNIX portion of the mixed security model was not fully implemented in 5.2. 5.2 fully implemented pure UNIX security as you are currently using. It also implements ACLs from the NT side. It did not fully implement UNIX access to files with ACLs. The NOW articles I cited describe the full implementation that is contained in 5.3.
The reference I cited earlier is also a more detailed discussion of the security model than what I could present in an email. I would encourage you to have a look at that document.
-----Original Message-----
From: Elizabeth Schwartz [mailto:eschwart@genuity.net]
Sent: Tuesday, June 13, 2000 9:59 AM
To: Hawley, Rob; mstjohn@genuity.net
Cc: eschwart@genuity.net; Muhlestein, Mark; toasters@mathworks.com
Subject: RE: Unix group permission and NT access on a filer
Thanks! We're running 5.2.3P1
I've been talking to the filer admin about upgrading. It sounds like the immediate short-term fix to our problem might be to create a small multiprotocol qtree while we evaluate whether to upgrade the OS and/or change the main qtrees.
We need to make sure that we understand all the security implications of changing a qtree from unix to multiprotocol.
Do you have anything that shows how the filer stores permission, whatever the filer equivalent of an inode is? (qnode? Wnode?) We were trying to whiteboard how the permissions work. Specifically:
1) I start with a Unix qtree on the filer
2) User directory is created with unix permissions set to 755
3) We then change the qtree from unix to multiprotocol
4) User accesses his directory as a CIFS share
5) User creates a subdirectory and files under his home
What will the permissions be on those files? 755? Will they have anything in their NT ACL's?
I am under the impression that the filer stores permissions in some "neutral" format which it translates to Unix permission bits or NT ACL's, PLUS has some extra storage for NT ACL's - is that how it works?
Also, what happens if you create a multiprotocol file system and then change it later to unix? Is the additional ACL information a) translated, b) deleted, c) stored but not used (so that if you changed it back to multiprotocol again it might still be there?)
thanks for any pictures
Betsy
At 07:06 AM 6/13/00 -0700, rob.hawley@netapp.com wrote:
What version of the filer are you running? Is it 5.3 or later?
The filer has always supported multiprotocol access to files. With 5.3 we have completed our security model that is described in the following paper.
-- Elizabeth Schwartz 781-262-6565 Unix System Administrator eschwart@bbnplanet.com Genuity, Inc