ONTAP Discussions

From Windows client unable to view security tab on file/directory of CIFS share

avamaruser
16,741 Views

Hello All,

Let me start off by saying this is a testing environment so making changes to the security style of volumes/qtrees is ok and preserving past data is not important.

I have a Netapp filer which is running:

fas3020> version

NetApp Release 7.2.5.1P6: Mon Oct  6 11:21:33 PDT 2008

I have a volume on this filer which is set to security style unix:

fas3020> fsecurity show /vol/QA_test/

[/vol/QA_test - Directory (inum 64)]

  Security style: Unix

  Effective style: Unix

  DOS attributes: 0x0010 (----D---)

  Unix security:

    uid: 0 (root)

    gid: 0 (daemon)

    mode: 0755 (rwxr-xr-x)

  No security descriptor available.

And underneath this volume i have created a q-tree and set it's security style to NTFS:

fas3020> fsecurity show /vol/QA_test/NTFS-qtree/

[/vol/QA_test/NTFS-qtree - Directory (inum 102)]

  Security style: NTFS

  Effective style: NTFS

  DOS attributes: 0x0030 (---AD---)

  Unix security:

    uid: 0 (root)

    gid: 0 (daemon)

    mode: 0777 (rwxrwxrwx)

  NTFS security descriptor:

    Owner: BUILTIN\Administrators

    Group: BUILTIN\Administrators

    DACL:

      Allow - Everyone - 0x001f01ff (Full Control)

      Allow - Everyone - 0x10000000 - OI|CI|IO

I have exported the volume using a CIFS share:

fas3020> cifs shares

Name         Mount Point                       Description

----         -----------                       -----------

ETC$         /etc                              Remote Administration

                        BUILTIN\Administrators / Full Control

HOME         /vol/vol0/home                    Default Share

                        everyone / Full Control

C$           /                                 Remote Administration

                        BUILTIN\Administrators / Full Control

install      /vol/vol0

                        everyone / Full Control

QA_test      /vol/QA_test

                        everyone / Full Control

QA_small     /vol/QA_small

                        everyone / Full Control

On several of the Windows clients (2008/7/xp) which has the volume added as a share, the properties tab on the file/folders undreneath /vol/QA_test/NTFS-qtree/ does not show a 'security' tab to view Windows ACLs which I am accustomed to on my other Netapp filers. This tab is missing for some reason on this filer, what other settings do I need to enable on the filer so that my windows clients can recognize this as a NTFS file system?

Here is how I expect it to look on a working NTFS CIFS share with security tab available:

1 ACCEPTED SOLUTION

parisi
16,741 Views

Try changing the security style of the parent volume to NTFS and re-connect. Does the security tab show then?

View solution in original post

5 REPLIES 5

parisi
16,742 Views

Try changing the security style of the parent volume to NTFS and re-connect. Does the security tab show then?

avamaruser
16,741 Views

Yup that did it! The security tab now shows up on the qtree below the parent volume. Thanks!

JGPSHNTAP
16,741 Views

Ok, let me address a few of my concerns here.

You create a qtree and set the security style of the qtree to NTFS, but you created a share at the root of the volume.    You would need to create a share at the qtree level in order for this to work smoothly as discussed.   

All of these volumes

QA_test      /vol/QA_test

                        everyone / Full Control

QA_small     /vol/QA_small

                        everyone / Full Control

were defaulted to unix based b/c you have a wafl option set to unix

If you want to change your default you need to do the following

options wafl.default_security_style  ntfs

Also, based on the thread, it concerns me that you don't have a good grasp on the situation so you might want to do a little bit of reading regarding qtrees etc...

Like I said before, it doesn't make a difference if your root vol is unix, if you created a qtree and shared at the qtree level you would have been fine.

Also, you are running a VERY old version of ontap, so you might want to check HWU to see what you can upgrade too. 

avamaruser
16,741 Views

Thank you for your input. I did it this way because at the root of the volume I had files which were created and managed by unix clients at /vol/QA_test. Those files needed to be read by the windows clients so thats why i shared it at the root of the volume. I then put a qtree inside of that volume that the windows clients could create and edit files i.e. /vol/QA_test/NTFS-qtree/. I tried to minimize the number of shares the windows clients have to mount in order to accomplish both of these tasks.

JGPSHNTAP
16,741 Views

Ok, again, you are confusing me, and not to be difficult.    

If you are creating a mixed mount that's one thing, but then you decided to create a qtree and not share out the qtree.  So, remind me again, what was the point of creating a qtree?  That doesn't make sense to me.

Also, IMHO, all mixed mount security should be controlled by NTFS with password file and usermap if necassary.  

Public