We use a FAS3220 MDL filer with Data ONTAP 8.1.4P6 7-MODE as a
combined CIFS and NFS server with mostly mixed-type qtrees, where
files and folders occur with both NFSv3 and NTFS access permissions.
Users are authenticated via Active Directory Kerberos and Unix
passwd/group information is provided via an LDAP server.
We are planning to migrate our old Active Directory domain to a new
domain. As part of such a domain migration, all SIDs of CIFS users
will change. Microsoft's domain migration tool ADMT includes a
"Security Translation Wizard" that (among other things) offers to walk
over every file tree in every CIFS/NTFS server in the domain to
replace in every NTFS security descriptor every old-domain SID with
the equivalent new-domain SID.
Likewise, we sometimes find it necessary to change the UID/GID of some
Unix users, and then we could use a chown shell script on an NFS
client to replace, in every inode on the filer, the old UID/GID with
the equivalent new one.
All of this is easy in pure Unix- or NTFS-mode qtrees, because there
are tools available for each to do this.
But what about our many mixed-mode qtrees, where our users keep a wild
mix of files and folders with either Unix- or NTFS-style security
intermingled?
If we use chmod via NFSv3 on a mixed-mode qtree, we would destroy all
NTFS security data, and if we used a Windows equivalent, like
Microsoft's "Security Translation Wizard", we would surely destroy all
security information in Unix-style files.
How can we safely translate UIDs/GIDs/SIDs in a mixed-mode qtree,
without changing the security type of any file or folder?
Is it even possible to do this from either an NFS or CIFS client?
How can an NFS or CIFS client even see what security-style a file or
folder uses, to avoid changing ownership and ACLs via the wrong protocol?
Is there any tool built into, or available for, Data ONTAP 7-mode
that can safely translate UIDs/GIDs/SIDs in mixed-mode qtrees?
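Added example (not part of the question above, and not a Data ONTAP tool): the "chown shell script on an NFS client" that the question mentions for the pure Unix case, written out as a hypothetical `remap_ids.sh`. Its one non-obvious point is ordering: a naive loop over an "old new" mapping gets chains (1000 to 1001, 1001 to 1002) and swaps wrong, so the script moves every ID through an assumed-unused temporary range first. It assumes a GNU or BSD `find` with `-uid`/`-gid`/`-xdev` and a `chown -h` on the client, and that `OFFSET` lies below the filer's maximum ID. Every chown it issues goes through NFS, which sets UNIX-style security on the inode, so it belongs to the same category as the chmod the question warns about: use it only on UNIX-style qtrees. It does nothing to tell UNIX-style from NTFS-style files in a mixed qtree, which remains the open question.

```shell
#!/bin/sh
# remap_ids.sh - two-phase UID/GID translation over an NFS-mounted tree
# (hypothetical script written for this example, not a Data ONTAP tool).
#
# Usage: remap_ids.sh {uid|gid} MAPFILE ROOT
#   MAPFILE: lines of "OLD NEW"; blank lines and '#' comments are ignored.
#   ROOT:    the NFS mount (or a UNIX-style qtree under it) to rewrite.
#
# Every chown here is issued through NFS, so each inode touched ends up
# with UNIX-style security. Run it only against UNIX-style qtrees.
set -eu

# Temporary ID range used between the two phases. Assumed unused by any
# inode under ROOT and below the filer's maximum ID (assumption).
OFFSET="${OFFSET:-1000000}"
DRY_RUN="${DRY_RUN:-0}"     # DRY_RUN=1 prints the chown commands instead

# check_map MAPFILE: reject maps the two-phase scheme cannot handle.
check_map() {
    cm_status=0
    while read -r cm_old cm_new cm_rest; do
        case $cm_old in ''|'#'*) continue ;; esac
        case "$cm_old:$cm_new" in
            *[!0-9:]*|*:) echo "check_map: bad entry '$cm_old $cm_new'" >&2
                          cm_status=1; continue ;;
        esac
        if [ "$cm_old" -ge "$OFFSET" ]; then
            echo "check_map: old id $cm_old lies in the temporary range" >&2
            cm_status=1
        fi
    done < "$1"
    # an OLD id mapped twice would make the result depend on line order
    cm_dups=$(awk 'NF && $1 !~ /^#/ { print $1 }' "$1" | sort | uniq -d)
    if [ -n "$cm_dups" ]; then
        echo "check_map: old id(s) listed more than once: $cm_dups" >&2
        cm_status=1
    fi
    return "$cm_status"
}

# chown_matching ROOT KIND OLD NEW: change every inode under ROOT whose
# uid (or gid) is OLD to NEW. -h changes symlinks themselves rather than
# their targets, -xdev stays on this mount, and the read-only .snapshot
# directories the filer exposes are pruned.
chown_matching() {
    ch_root=$1 ch_kind=$2 ch_old=$3 ch_new=$4
    case $ch_kind in
        uid) ch_spec=$ch_new ;;
        gid) ch_spec=":$ch_new" ;;
        *)   echo "chown_matching: kind must be uid or gid" >&2; return 1 ;;
    esac
    if [ "$DRY_RUN" = 1 ]; then
        find "$ch_root" -xdev -name .snapshot -prune -o "-$ch_kind" "$ch_old" \
            -exec echo chown -h "$ch_spec" {} \;
    else
        find "$ch_root" -xdev -name .snapshot -prune -o "-$ch_kind" "$ch_old" \
            -exec chown -h "$ch_spec" {} +
    fi
}

# remap_tree ROOT KIND MAPFILE: phase 1 moves every OLD to NEW+OFFSET,
# phase 2 moves NEW+OFFSET to NEW. No phase-1 target can equal a still
# unprocessed OLD, so chains (1000->1001, 1001->1002) and swaps
# (1000<->2000) come out right regardless of line order in MAPFILE.
remap_tree() {
    rt_root=$1 rt_kind=$2 rt_map=$3
    while read -r rt_old rt_new rt_rest; do
        case $rt_old in ''|'#'*) continue ;; esac
        chown_matching "$rt_root" "$rt_kind" "$rt_old" "$((rt_new + OFFSET))"
    done < "$rt_map"
    while read -r rt_old rt_new rt_rest; do
        case $rt_old in ''|'#'*) continue ;; esac
        chown_matching "$rt_root" "$rt_kind" "$((rt_new + OFFSET))" "$rt_new"
    done < "$rt_map"
}

if [ "$#" -gt 0 ]; then
    [ "$#" -eq 3 ] || { echo "usage: $0 {uid|gid} MAPFILE ROOT" >&2; exit 2; }
    check_map "$2"
    remap_tree "$3" "$1" "$2"
fi
```

Run it once with `DRY_RUN=1` and diff the printed commands against the mapping before doing it for real; because of `set -e`, a single failed chown (for instance on a file whose ownership NFS will not let the client change) stops the run between phases, leaving some inodes in the temporary range, which is exactly what the dry run is meant to catch first.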