2013-04-22 11:52 AM
My organization is getting ready to migrate from a Samba server to NetApp, and along the way, we would like to make the permission scheme NTFS instead of Unix. Obviously, there's a lot of work that needs to be done behind the scenes, including a reconciliation of user and group accounts. My question is: does anyone have or know of any reference scripts for reconciling Unix-style passwd and group files with Active Directory? We can put something together, but this seems like it must be a common enough task that such scripts must already exist.
2013-05-08 04:29 AM
Somehow, this one slipped through the cracks. Sorry for the delay. Here is my take. Since you are migrating from a UNIx box to NetApp, I assume that you will use some tool like rsync. I would typically not suggest using mixed mode security style but this is a good use case. If you set the volume security style (technically it is qtree security /vol/<volume> <style>) to mixed then you can natively copy over the UNIX permissions. Using mixed mode allows for you to go in and convert the permissions from UNIX to NTFS very easily. Next, you can use something like NTFS Security 2.1 PoSH toolkit (see this thread) to read the current interpreted NTFS permissions (ONTAP does this natively) and then set whatever default ACLs or permissions that you would like. Alternately, the option would be to simply mount the CIFS share and manually adjust the permissions.
Mixed mode security applies the 'type' of security that was last used to edit the security of a file. Newly created files should be NTFS if they are made by a host accessing over NTFS. Older files retain UNIX permissions until they are changed with a host accessing via CIFS. Does that make sense?
Jeremy Goodrum, NetApp
2013-05-08 04:05 PM
Thanks for the information. Looking back at my original post, I think I was not clear. Basically, what we're trying to do is enumerate the users in the passwd file and their group memberships and then create the users and groups in AD. Creating the ACEs is less of an issue than ensuring that the user and group memberships from the Unix side are translated correctly on the Windows side. We need to make sure that any user which exists in Unix has a Windows counterpart and that the group memberships in Windows are correct so that the users will still have access when we flip to NTFS permissions. We think we have a workable solution, but I was interested to see how anyone else might have cracked this nut.