Network and Storage Protocols

How to set default file permissions on a CIFS share?

EGDEMATTIA
38,226 Views

Hello all!  I'm new here and new to NetApp administration.

We recently purchased a NetApp FAS3240 with ONTAP 8 and have been configuring several CIFS share volumes.  I configured the share to use NTFS security permissions and set the ACLs to allow Everyone read access, Administrators full control and Domain Users read/write access. When I map the drive in Windows and check the permissions on the mapping, it shows Everyone has full control and nothing else.  When new files are coppied to the share, those files also only show Everyone with full control.

How do I configure the share to force all new files to inherit the defined permissions that I listed above?

Sorry if my nomenclature is incorrect.  I'm still new to NetApp!

Thanks!!

1 ACCEPTED SOLUTION

scottgelb
38,141 Views

NTFS ACLS on files are all managed from a host not on the netapp side.. just the share level permission on the netapp, then all file/dir ACLs are all modified from the host.  It should look the same as if it were a windows server just not modified on the server itself in this case.  You should be able to set the ACL the way you want it to inherit down.

View solution in original post

10 REPLIES 10

scottgelb
38,026 Views

When you create a share the default is everyone full control but sounds like you are modifying at the share level there...but the question sounds like permissions on the folders/files... those are the same as any windows server.. check if inherited permissions at the top level if that is what you want.

EGDEMATTIA
38,026 Views

The top level would be the share itself in this situation.  So as Administrator are you saying I have to define the ACL's on each host mapping the share?

In other words I created a volume and setup a CIFS share, defined the desired permissions then mapped the share on a Windows 7 workstation.  As Administrator I know I can change the permissions for that share at the host level, but in a traditional situation where the OS for a Windows file server is Windows, I can set the default permissions on the folder that's being shared.  When a user maps the share, the default permissions that were set are inherited for all hosts that map the share and propagated to all new files that are placed in the share.

How do I achieve this with a NetApp filer?

scottgelb
38,026 Views

Should be able to set from the top level. File acls are managed on windows not the NetApp so from the top modify the permissions.

Sent from my iPhone 4S

EGDEMATTIA
38,026 Views

So file ACL's have to be set at each host that maps the share?  I don't mean to sound ignorant but I find that to be a major limitation.

On the NetApp filer, I create a volume on an aggregate and assign it NTFS security settings.  I then create the CIFS share on the volume and assign Windows ACL's to meet our security schema.  I then map the share from a Windows host but don't see the ACL's I configured on the share at the filer, only full control for "Everyone".  I can, however modify the ACL's from the Windows host where the share was mapped, as the Domain Admin.  Is this the procedure for setting default ACL's?  Define the security settings at each and every host that maps the shares?

I would consider the "top level" to be the share point on the NetApp filer, not the mapped share on the host.  Is this not correct?

Once again, I'm new to NetApp filers.  Please be patient.

scottgelb
38,142 Views

NTFS ACLS on files are all managed from a host not on the netapp side.. just the share level permission on the netapp, then all file/dir ACLs are all modified from the host.  It should look the same as if it were a windows server just not modified on the server itself in this case.  You should be able to set the ACL the way you want it to inherit down.

EGDEMATTIA
38,026 Views

I follow you now.  What I did was create a new share with no files or directories, assuming the new files placed in the share would inherit the NTFS ACL's I configured on the filer.  So I need to place the ACL's on existing directories on the share for permissions to propagate.

So this raised another question.  How do I restrict what can be coppied to the root of the share by the users?  I thought I was did this on the filer by restricting "Everyone" to read only.  But this doesn't seem to be the case.

scottgelb
38,027 Views

If read only they shouldn't be able to write... you can look at sectrace and fsecurity commands to see what is happening with permissions. 

TRANDOTCOM
38,027 Views

Hello,  We have a similar question.  The share created on the filer has default share permision of "everyone" having "full control".  We can change the share permissions but the filer is unable to list Windows domain groups, only domain users.  This seems like it may be a bug in our software version 7.3.4.  So there appears to be no way, for example, to replace the share permission "everyone" with "Domain Users"?

scottgelb
38,027 Views

You should be able to add the permission and remove everyone.. everyone is added by default but from the command line to add domain users then delete everyone... then confirm with "cifs shares".

cifs access sharename :domain\Domain Users" "Full Control"

cifs access sharename -delete everyone


If you can't see domain users and groups then there is an issue with cifs and check "cifs domaininfo" and "cifs testdc".. unless a bug like you mentioned list the burt here so we can see it.

TRANDOTCOM
12,532 Views

Thank you, from the command line that works.  In the System Manager console app under Windows we then have to move away from "shares" in the left hand menu then return to it, edit the share, in order to see the change - but it worked.

Our issue is that through the graphical System Manager, when editing the share, on the share permissions tab, if we click "edit" then change "locations" to my domain, then click "advanced", change the "Object Types" to "groups" and click "Find Now", no results are returned.  If we change the location to our domain and enter the group name, it is not found.  But through the CLI we can assign domain group permissions as you suggested.

I think this has to do with our legacy named and flaky 2003 domain that called both "domain" and "domain.com".  Through the GUI the FAS2040 refers to the domain as "domain.com" (probably by using the Windows dialog boxes for selecting domain objects) but through the CLI I refer to "domain\group" and that works.

I do have another default CIFS share permissions question, this time about ownership.

When we create a share the default 'owner' of the share and subfolders, under Windows, is listed as "Administrators (<filer name>\Administrators)"

Do we care about this?  We can change it to our domain administrators group but should we bother?  Is there some future implication for assigning permissions and auditing entries?  What's the best practice here?

Thank you!

Public