We use a FAS3220 MDL filer with Data ONTAP 8.1.4P6 7-MODE as a combined CIFS and NFS server with mostly mixed-type qtrees, where files and folders occur with both NFSv3 and NTFS access permissions. Users are authenticated via Active Directory Kerberos and Unix passwd/group information is provided via an LDAP server.
We are planning to migrate our old Active Directory domain to a new domain. As part of such a domain migration, all SIDs of CIFS users will change. Microsoft's domain migration tool ADMT includes a "Security Translation Wizard" that (among other things) offers to walk over every file tree in every CIFS/NTFS server in the domain to replace in every NTFS security descriptor every old-domain SID with the equivalent new-domain SID.
Likewise, we sometimes find it necessary to change the UID/GID of some Unix users, and then we could use a chown shell script on an NFS client to replace on the filer in every inode the old UID/GID with the equivalent new one.
All of this is easy in pure Unix- or NTFS-mode qtrees, because there are tools available for each to do this.
But what about our many mixed-mode qtrees, where our users keep a wild mix of files and folders with either Unix- or NTFS-style security intermingled?
If we use chmod via NFSv3 on a mixed-mode qtree, we would destroy all NTFS security data, and if we used a Windows equivalent, like Microsoft's "Security Translation Wizard", we would surely destroy all security information in Unix-style files.
How can we safely translate UIDs/GIDs/SIDs in a mixed-mode qtree, without changing the security type of any file or folder?
Is it even possible to do this from either an NFS or CIFS client?
How can an NFS or CIFS client even see what security style a file or folder uses, to avoid changing ownership and ACLs via the wrong protocol?
Is there any tool built into, or available for, Data ONTAP 7-mode that can safely translate UIDs/GIDs/SIDs in mixed-mode qtrees?