Hi Reena,
Thank you very much for the descriptive explanation. It cleared a few of my doubts. I am still left with a few more questions.
For your first two questions on the permissions for the CIFS shares, you don't need to use the UNIX style RW or RO permissions; those are generally used for the UNIX groups. You can very well use the full control, change, read type of the CIFS share level permissions for the Windows AD groups. After that you can restrict further with more granular permissions at the folder level using the NTFS ACLs.
1. Well, sorry for the confusion; when I mentioned RW/RO, I actually meant setting some permissions (not exactly Unix style perms). Back to my questions on CIFS share level permissions:
How can we set "CIFS share level permissions based on Windows AD groups" on the NetApp filer? I tried a test command, but it looks like it was expecting a local Unix group. Please fill me in if I am missing something.
filer> cifs access testvol2$ -g AD-group "full control"
Unknown Unix group AD-group
2. I created a test volume and test qtree (Mixed mode security style). Created a couple of test home directories. Exported this volume using NFS and mounted using NFSv3 on an administrative host and set the ownership and permissions for the test home directories.
a. From an NFS client (Linux machine), permissions and ownership look good.
b. But from a CIFS client (Mac machine), permissions and ownership look strange. They look as mentioned below. This is a bit confusing.
From NFS client (Linux machine)
ls -ld /mnt/filer/testuser (Home directory root folder)
drwx--x--x 8 testuser staff 4096 2009-11-06 18:43 /mnt/filer/testuser
ls -l /mnt/filer/testuser/file1 (A file present under the root folder)
---------- 1 testuser staff 600 2009-08-31 10:54 /mnt/filer/testuser/file1 (Edits to this file from NFS client are denied as expected from perms)
From CIFS client (Mac machine)
ls -ld /mnt/filer/testuser
drwxrwxrwx+ 1 testuser DOMAIN\domain users 16384 Nov 6 18:43 /mnt/filer/testuser
ls -l /mnt/filer/testuser/file1
-rwxrwxrwx+ 1 testuser DOMAIN\domain users 600 Aug 31 10:54 /mnt/bang/file1 (Edits to this file from CIFS client are also denied but the perms look very confusing)
3. In the example scenario mentioned in the above point, if we were to set NTFS ACLs (owner - full control) on a Home directory by logging in as a "Domain Admin" in a Windows server (which is in the domain), I would assume in this case that the filer computes the Unix permissions as well (based on the NTFS ACLs). But, I tested for a few directories. The Unix permissions were just shown as "root:daemon" (for owner:group) and 700, though the individual owners have "Full control" on their respective home directories.
Am I doing something wrong? If yes, what is the proper way to set the ownership and perms on a Home directory?
Based on my testing:
a. If we set the Unix permissions, they weren't looking consistent when accessed via CIFS.
b. If we set the NTFS ACLs, they weren't looking consistent when accessed via NFS.
Thanks,
Satish