2011-10-22 12:50 PM
Hello all! I'm new here and new to NetApp administration.
We recently purchased a NetApp FAS3240 with ONTAP 8 and have been configuring several CIFS share volumes. I configured the share to use NTFS security permissions and set the ACLs to allow Everyone read access, Administrators full control and Domain Users read/write access. When I map the drive in Windows and check the permissions on the mapping, it shows Everyone has full control and nothing else. When new files are copied to the share, those files also only show Everyone with full control.
How do I configure the share to force all new files to inherit the defined permissions that I listed above?
Sorry if my nomenclature is incorrect. I'm still new to NetApp!
2011-10-22 01:54 PM
When you create a share the default is Everyone full control, but it sounds like you are modifying at the share level there... but the question sounds like permissions on the folders/files... those are the same as any Windows server. Check if inherited permissions at the top level if that is what you want.
2011-10-22 02:48 PM
The top level would be the share itself in this situation. So as Administrator are you saying I have to define the ACL's on each host mapping the share?
In other words I created a volume and set up a CIFS share, defined the desired permissions then mapped the share on a Windows 7 workstation. As Administrator I know I can change the permissions for that share at the host level, but in a traditional situation where the OS for a Windows file server is Windows, I can set the default permissions on the folder that's being shared. When a user maps the share, the default permissions that were set are inherited for all hosts that map the share and propagated to all new files that are placed in the share.
How do I achieve this with a NetApp filer?
2011-10-22 06:53 PM
So file ACL's have to be set at each host that maps the share? I don't mean to sound ignorant but I find that to be a major limitation.
On the NetApp filer, I create a volume on an aggregate and assign it NTFS security settings. I then create the CIFS share on the volume and assign Windows ACL's to meet our security schema. I then map the share from a Windows host but don't see the ACL's I configured on the share at the filer, only full control for "Everyone". I can, however modify the ACL's from the Windows host where the share was mapped, as the Domain Admin. Is this the procedure for setting default ACL's? Define the security settings at each and every host that maps the shares?
I would consider the "top level" to be the share point on the NetApp filer, not the mapped share on the host. Is this not correct?
Once again, I'm new to NetApp filers. Please be patient.
2011-10-23 12:45 AM
NTFS ACLs on files are all managed from a host, not on the NetApp side. Just the share-level permission is on the NetApp, then all file/dir ACLs are modified from the host. It should look the same as if it were a Windows server, just not modified on the server itself in this case. You should be able to set the ACL the way you want it to inherit down.
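What the reply above describes, setting the NTFS ACL on the share root from a Windows host so that new files inherit it, as an added example that is not part of the original thread. The share path `\\filer01\projects` and the `CORP` domain are placeholders; it assumes an NTFS security-style volume and a domain administrator session.

```powershell
# Added example: placeholder share path and domain, not values from the thread.
$root = '\\filer01\projects'

# 1. Inspect the ACL currently on the share root
#    (the thread reports Everyone: Full Control on a new share).
icacls $root

# 2. Drop any inherited ACEs, then set explicit ACEs on the root.
#    (OI)(CI) marks each ACE as inheritable by files and subfolders.
#    /grant:r replaces any earlier explicit grant for that principal,
#    so the Everyone: Full Control entry becomes Read & Execute.
icacls $root /inheritance:r
icacls $root /grant:r 'BUILTIN\Administrators:(OI)(CI)F'
icacls $root /grant:r 'CORP\Domain Users:(OI)(CI)M'
icacls $root /grant:r 'Everyone:(OI)(CI)RX'

# 3. Verify inheritance: a newly created file should carry the three
#    ACEs above with IsInherited = True and no Everyone: FullControl.
$probe = Join-Path $root 'inherit-test.txt'
New-Item -ItemType File -Path $probe | Out-Null
(Get-Acl $probe).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
Remove-Item $probe
```

The share-level permission on the filer is evaluated in addition to these NTFS ACEs, so a user's effective access is the more restrictive of the two.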
2011-10-23 05:22 AM
I follow you now. What I did was create a new share with no files or directories, assuming the new files placed in the share would inherit the NTFS ACL's I configured on the filer. So I need to place the ACL's on existing directories on the share for permissions to propagate.
So this raised another question. How do I restrict what can be copied to the root of the share by the users? I thought I did this on the filer by restricting "Everyone" to read only. But this doesn't seem to be the case.
2011-10-25 08:01 AM
Hello, we have a similar question. The share created on the filer has default share permission of "everyone" having "full control". We can change the share permissions but the filer is unable to list Windows domain groups, only domain users. This seems like it may be a bug in our software version 7.3.4. So there appears to be no way, for example, to replace the share permission "everyone" with "Domain Users"?
2011-10-25 08:07 AM
You should be able to add the permission and remove everyone.. everyone is added by default but from the command line to add domain users then delete everyone... then confirm with "cifs shares".
cifs access sharename "domain\Domain Users" "Full Control"
cifs access -delete sharename everyone
If you can't see domain users and groups then there is an issue with cifs and check "cifs domaininfo" and "cifs testdc".. unless a bug like you mentioned list the burt here so we can see it.