Subscribe
Accepted Solution

From Windows client unable to view security tab on file/directory of CIFS share

Hello All,

Let me start off by saying this is a testing environment so making changes to the security style of volumes/qtrees is ok and preserving past data is not important.

I have a Netapp filer which is running:

fas3020> version

NetApp Release 7.2.5.1P6: Mon Oct  6 11:21:33 PDT 2008

I have a volume on this filer which is set to security style unix:

fas3020> fsecurity show /vol/QA_test/

[/vol/QA_test - Directory (inum 64)]

  Security style: Unix

  Effective style: Unix

  DOS attributes: 0x0010 (----D---)

  Unix security:

    uid: 0 (root)

    gid: 0 (daemon)

    mode: 0755 (rwxr-xr-x)

  No security descriptor available.

And underneath this volume i have created a q-tree and set it's security style to NTFS:

fas3020> fsecurity show /vol/QA_test/NTFS-qtree/

[/vol/QA_test/NTFS-qtree - Directory (inum 102)]

  Security style: NTFS

  Effective style: NTFS

  DOS attributes: 0x0030 (---AD---)

  Unix security:

    uid: 0 (root)

    gid: 0 (daemon)

    mode: 0777 (rwxrwxrwx)

  NTFS security descriptor:

    Owner: BUILTIN\Administrators

    Group: BUILTIN\Administrators

    DACL:

      Allow - Everyone - 0x001f01ff (Full Control)

      Allow - Everyone - 0x10000000 - OI|CI|IO

I have exported the volume using a CIFS share:

fas3020> cifs shares

Name         Mount Point                       Description

----         -----------                       -----------

ETC$         /etc                              Remote Administration

                        BUILTIN\Administrators / Full Control

HOME         /vol/vol0/home                    Default Share

                        everyone / Full Control

C$           /                                 Remote Administration

                        BUILTIN\Administrators / Full Control

install      /vol/vol0

                        everyone / Full Control

QA_test      /vol/QA_test

                        everyone / Full Control

QA_small     /vol/QA_small

                        everyone / Full Control

On several of the Windows clients (2008/7/xp) which has the volume added as a share, the properties tab on the file/folders undreneath /vol/QA_test/NTFS-qtree/ does not show a 'security' tab to view Windows ACLs which I am accustomed to on my other Netapp filers. This tab is missing for some reason on this filer, what other settings do I need to enable on the filer so that my windows clients can recognize this as a NTFS file system?

Here is how I expect it to look on a working NTFS CIFS share with security tab available:

Re: From Windows client unable to view security tab on file/directory of CIFS share

Try changing the security style of the parent volume to NTFS and re-connect. Does the security tab show then?

Re: From Windows client unable to view security tab on file/directory of CIFS share

Yup that did it! The security tab now shows up on the qtree below the parent volume. Thanks!

Re: From Windows client unable to view security tab on file/directory of CIFS share

Ok, let me address a few of my concerns here.

You create a qtree and set the security style of the qtree to NTFS, but you created a share at the root of the volume.    You would need to create a share at the qtree level in order for this to work smoothly as discussed.   

All of these volumes

QA_test      /vol/QA_test

                        everyone / Full Control

QA_small     /vol/QA_small

                        everyone / Full Control

were defaulted to unix based b/c you have a wafl option set to unix

If you want to change your default you need to do the following

options wafl.default_security_style  ntfs

Also, based on the thread, it concerns me that you don't have a good grasp on the situation so you might want to do a little bit of reading regarding qtrees etc...

Like I said before, it doesn't make a difference if your root vol is unix, if you created a qtree and shared at the qtree level you would have been fine.

Also, you are running a VERY old version of ontap, so you might want to check HWU to see what you can upgrade too. 

Re: From Windows client unable to view security tab on file/directory of CIFS share

Thank you for your input. I did it this way because at the root of the volume I had files which were created and managed by unix clients at /vol/QA_test. Those files needed to be read by the windows clients so thats why i shared it at the root of the volume. I then put a qtree inside of that volume that the windows clients could create and edit files i.e. /vol/QA_test/NTFS-qtree/. I tried to minimize the number of shares the windows clients have to mount in order to accomplish both of these tasks.

Re: From Windows client unable to view security tab on file/directory of CIFS share

Ok, again, you are confusing me, and not to be difficult.    

If you are creating a mixed mount that's one thing, but then you decided to create a qtree and not share out the qtree.  So, remind me again, what was the point of creating a qtree?  That doesn't make sense to me.

Also, IMHO, all mixed mount security should be controlled by NTFS with password file and usermap if necassary.