Network and Storage Protocols

Setting NTFS permissions on OnTap shares

darraghos
10,942 Views

I have a NetApp CIFS volume serving out many shares. The NTFS formatted volume root has a folder in it called ShareRoot e.g. /vol/shareroot/. In NetApp world,as this is a CIFS volume and not a LUN, you share out this root initially then create all your share root folders under this root e.g. to create more folders you access \\netappfiler\admin\ share and create the folders then create the shares with the NetApp mgmt. tools:

 

  • Admin   - /vol/shareroot
  • Share1 - /vol/shareroot/folder1
  • Share2 - /vol/shareroot/folder1

 

Naturally, for granularity we break inheritance on each subfolder under /vol/shareroot/ and add our DACLs as we see fit. For various reasons (3rd part monitoring apps etc.) I need to leave the root admin share open for admins. That means these admins can see the share root folders for all shares. because of this I wanted to add the following to each share root folder to protect it from someone doing anything silly:

 

  • Add Everyone - Deny Delete - This folder only

 

I'm setting this by access the share path (e.g. \\mynetappfiler\share1\ and it works fine but when I click apply the explorer UI then seems to spin through every single subfolder and file in that share. It only add the permission to the root folder as required so why does it go through every file when the scoping s 'This Folder Only'? The reasons I ask is I have hundreds of these to do and it's time consuming. I was expecting it to return immediately as I'm only adding an entry that applies to a single folder. 

 

Using icacls.exe yeilds saem result. The permissions get set correctly but it takes so long for such a simple change. I looked a fsecurity but it doesn't appear to have the ability to add a permission rather overwrite the entire thing.

 

For same on technet see: https://social.technet.microsoft.com/Forums/windowsserver/en-US/44ab3cf8-e061-4990-bbe1-572781c83df0/ntfs-permission-scoped-to-this-folder-only?forum=...

 

1 ACCEPTED SOLUTION

darraghos
10,752 Views

It does not appear to replace the DACL but simply add new ACEs therin form my testing.

View solution in original post

5 REPLIES 5

bobshouseofcards
10,917 Views

Hi Darraghos -

 

Short answer - this is the way NTFS file permission semantics work, so NetApp implements the same semantics that Windows would in a native NTFS setup.

 

Longer answer - I don't claim this to be canon, rather this is based on my experience with NTFS semantics.  I will gladly take correction by anyone more knowledgeable in low level NTFS semantics and operation.  

 

You mention that you are adding a security that only applies to the folder in question.  But, the "sum" of the ACLs for that folder sounds like they include at least one permission that does apply to sub-folders and files.  My experience is that there is no real add or delete of individual ACLs.  Rather, when the set of ACLs is changed the entire set is reapplied to the object in question as a whole.  Thus since one element of the entire ACL set applies to sub-folders, the entire file tree has to be processed.

 

It is hugely time consuming I agree, especially where you have so many individual trees to work through.  Unfortunately it's just the way it works.

 

 

I hope this helps you.

 

Bob Greenwald

Lead Storage Engineer

Huron Legal | Huron Consulting Group

NCDA, NCIE SAN Clustered, Data Protection

 

Kudos and accepted solutions are always appreciated.

 

 

darraghos
10,906 Views

Hmm, after testing using a unicode file with this content supplied to fsecurity:

 

cb56f6f4
1,0,"/vol/vol_2/PermissionsTest/",0,"D:(D;NP;0x10000;;;Everyone)"

 

It seems to add this ACE and leave all others intact. It completes in less than 1 second as opposed to 5 mins when using a windows server and a UNC path to add the permission. I can't find the exact details of how fsecurity deals with existing DACLS thoug

darraghos
10,905 Views

Ps: the fact that this forum HTML engine has replace my colon semi-colon in the SDDL above with a frowny makes me smile! 🙂

aborzenkov
10,898 Views

I can't find the exact details of how fsecurity deals with existing DACLS thoug

All information I have seen suggests fsecurity completely replaces existing DACL.

darraghos
10,753 Views

It does not appear to replace the DACL but simply add new ACEs therin form my testing.

Public