Network and Storage Protocols

Changing SIDs/UIDs/GIDs safely in mixed qtrees


We use a FAS3220 MDL filer with Data ONTAP 8.1.4P6 7-MODE as a
combined CIFS and NFS server with mostly mixed-type qtrees, where
files and folders occur with both NFSv3 and NTFS access permissions.
Users are authenticated via Active Directory Kerberos and Unix
passwd/group information is provided via an LDAP server.


We are planning to migrate our old Active Directory domain to a new
domain. As part of such a domain migration, all SIDs of CIFS users
will change. Microsoft's domain migration tool ADMT includes a
"Security Translation Wizard" that (among other things) offers to walk
over every file tree in every CIFS/NTFS server in the domain to
replace in every NTFS security descriptor every old-domain SID with
the equivalent new-domain SID.


Likewise, we sometimes find it necessary to change the UID/GID of some
Unix users, and then we could use a chown shell script on an NFS
client to replace on the filer in every inode the old UID/GID with the
equivalent new one.


All of this is easy in pure Unix- or NTFS-mode qtrees, because there
are tools available for each to do this.


But what about our many mixed-mode qtrees, where our users keep a wild
mix of files and folders with either Unix- or NTFS-style security?


If we use chmod via NFSv3 on a mixed-mode qtree, we would destroy all
NTFS security data, and if we used a Windows equivalent, like
Microsoft's "Security Translation Wizard", we would surely destroy all
security information in Unix-style files.


How can we safely translate UIDs/GIDs/SIDs in a mixed-mode qtree,
without changing the security type of any file or folder?


Is it even possible to do this from either an NFS or CIFS client?


How can an NFS or CIFS client even see what security-style a file or
folder uses, to avoid changing ownership and ACLs via the wrong protocol?


Is there any tool built into, or available for, Data ONTAP 7-mode
that can safely translate UIDs/GIDs/SIDs in mixed-mode qtrees?




One trick we have found so far is applicable when renumbering the UID or GID of a Unix user:


- First assign to the Unix user a new UID/GID in the LDAP server


- Then run nfs nsdb flush on the filer to flush its naming cache


- Wait another 60 seconds on your NFSv3 client until its attribute cache has timed out


Now all files in NTFS mode in the mixed qtree owned by that user will already show the new UID/GID.


Therefore, you can now safely chown -R from an NFSv3 client all the other files that still show
the old UID/GID, as all these will be Unix-mode files.


(NFSv4 is slightly more complicated, as the client doesn't see the actual UID/GID numbers.
For NFSv4 you have to keep names in LDAP for both the old and the new UID/GID numbers,
otherwise they will be mangled into nobody:nogroup. It is probably safer to do this via NFSv3.
We haven't been using NFSv4 ACLs yet, so no idea what to do about these.)
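As an added illustration of the UID/GID renumbering trick described in the post above (this script is mine, not part of the original post and not a Data ONTAP tool), here is a POSIX shell script to be run on the NFSv3 client after steps 1 to 3 (new number in LDAP, nfs nsdb flush on the filer, attribute cache expired). It assumes the mixed qtree is mounted at the path given as MOUNT, that the client has GNU or BSD find and chown (both accept numeric IDs for -user/-group and for chown), and the script and function names are my own. It refuses to run until the client itself resolves the user name to the new UID, then chowns only entries that still carry the old number, which by the post's reasoning are the Unix-style ones.

```shell
#!/bin/sh
# Added example, not from the original post: renumber a Unix user's UID (and
# optionally GID) on a mixed-security-style qtree from an NFSv3 client, i.e.
# the post's final step (chown only what still shows the old number).
#
# Assumptions (mine, not the post's): the qtree is mounted at MOUNT over NFSv3;
# the new UID/GID is already in LDAP, "nfs nsdb flush" has been run on the
# filer and the client's attribute cache has expired; the client has GNU or
# BSD find/chown, which accept numeric IDs for -user/-group and for chown.
#
# Usage: sh renumber_user.sh MOUNT USER OLD_UID NEW_UID [OLD_GID NEW_GID]

# Entries still owned by the old numeric UID. Once the filer's name cache is
# flushed, NTFS-style files already report NEW_UID, so (per the post's trick)
# whatever is left is Unix-style and safe to chown over NFSv3.
# -xdev keeps find on this one mount.
stale_owned_by_uid() {   # $1 mount, $2 old uid
    find "$1" -xdev -user "$2" -print
}

stale_owned_by_gid() {   # $1 mount, $2 old gid
    find "$1" -xdev -group "$2" -print
}

# Guard: the client must already resolve USER to NEW_UID. If it still maps to
# the old number, NTFS-style files would still show OLD_UID and be hit as well.
check_mapping() {        # $1 user name, $2 expected uid; returns 0 if they agree
    actual=$(getent passwd "$1" 2>/dev/null | cut -d: -f3)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# -h changes a symlink itself instead of following it; "{} +" batches the calls.
renumber_uid() {         # $1 mount, $2 old uid, $3 new uid
    find "$1" -xdev -user "$2" -exec chown -h "$3" {} +
}

renumber_gid() {         # $1 mount, $2 old gid, $3 new gid
    find "$1" -xdev -group "$2" -exec chown -h ":$3" {} +
}

main() {
    mnt=$1 user=$2 old_uid=$3 new_uid=$4
    if ! check_mapping "$user" "$new_uid"; then
        echo "client does not yet map $user to UID $new_uid; flush the filer cache and wait for the attribute cache to expire first" >&2
        exit 1
    fi
    echo "entries still on UID $old_uid: $(( $(stale_owned_by_uid "$mnt" "$old_uid" | wc -l) ))"
    renumber_uid "$mnt" "$old_uid" "$new_uid"
    if [ $# -ge 6 ]; then
        echo "entries still on GID $5: $(( $(stale_owned_by_gid "$mnt" "$5" | wc -l) ))"
        renumber_gid "$mnt" "$5" "$6"
    fi
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 4 ]; then
    main "$@"
fi
```

Run stale_owned_by_uid on its own first to eyeball the list; if it still contains files you know are NTFS-style, the 60 second wait has not elapsed (or the filer cache was not flushed) and chown would hit them.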