Re: NetApp Share ACL vs. DACL

JV-CA · ‎2017-02-03

Is there a way to sync the ACL on the NetApp shares to sync back to windows? The permissions are set correctly on the ACL and only those on the ACL have access to them but of course the DACL shows everyone on the windows side. This is obviously more asthetic than anything but if an audit happened it's just one more thing I would have to explain/prove.

JGPSHNTAP · ‎2017-02-03

I'm not sure what you are saying here. Are you talking Netapp share permission?

Can you give us a deeper example

JV-CA · ‎2017-02-03

Sure thing, if you look at the output below, the vserver cifs share command shows the share level permission on NetApp, so only Domain Admins have access. When you look at the vserver security output, it shows the Windows DACL which still has Everyone listed, so if I go into the properties in Windows it will look like Everyone has access. Like I said though this is really asthetic or so I wouldn't have to explain this for an audit or anything as the permissions work the way they should on the NetApp. Is there a way to have the permissions on NetApp propogate so they are in sync on the Windows DACL as well?

SAN::> vserver cifs share access-control show -share Test
Share User/Group User/Group Access
Vserver Name Name Type Permission
-------------- ----------- --------------------------- ----------- -----------
svm01 Test Domain Admins windows Full_Control

SAN::> vserver security file-directory show -vserver svm01 -path /Test

Vserver: svm01
File Path: /Test
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
DACL - ACEs
ALLOW-Everyone-0x1f01ff
ALLOW-Everyone-0x10000000-OI|CI|IO

JGPSHNTAP · ‎2017-02-03

You are displaying two different things.

You are displaying share level permissions vs ntfs file level permissions.

JV-CA · ‎2017-02-03

Yes I understand that, the NTFS permissions don't really matter as the share permissions on the netapp are working correctly. I know I could go into the NTFS permission on windows and change them manually I was just wondering if there's a way to push the permissions from the share to match in NTFS since they are both windows groups. Everything I have seen online has pointed to manually changing them in windows.

JGPSHNTAP · ‎2017-02-03

Those are two separate entire entities. It's basic windows, two constructs, Share ACLs' and File System ACLs.

When you create a file system, the default permissions are everyone/full control. I don't think that's modifiable. Same with shares, you need to go edit them and create access lists.

But the standard practice in the industry is either

share level - everyone / full control or authenticated users - full control

ntfs - this is where you lock the files down with security groups etc.

There is no concept of pushing down permissions from a share to a file system.

This is a good read - https://blog.varonis.com/the-difference-between-share-and-ntfs-permissions/

JV-CA · ‎2017-02-03

Wow that was dumb of me. Sorry I was way trying to overcomplicate this and didn't think about what these actually were. Sorry about that. Thanks for head check, I need it every now and then. I'm new to netapp so I just straight up tried to be overcomplex.

Suryaprathap · ‎2017-02-17

If you want to set NTFS permissions on files or folders from storage you can use fsecurity,