Network and Storage Protocols

Multi-protocol ACL's

BOB_KOCHANSKI
5,488 Views

Hello,

       We have implemented a FAS3240AE into a pure Unix/Linux environment (No Windows whatsoever)  They are using "Open LDAP" with about 1400 employees who will be accessing files/folders on the NetApp with a mixed environment of Windows and MAC client machines.  We have run CIFS setup choosing option 4 for LDAP integration as well as run the getXXbyYY command and the NetApp pulls in the correct information from LDAP.  We have created a volume with NTFS security style and created a share off of it.  Now we can mount the share from either Windows or MAC but it is read only and there is no security tab to change permissions.  We are mounting the share as a user stored in LDAP.  If I try and mount the drive as the local NetApp Administrator I get an error stating that the account does not have access to log on.  If we terminate CIFS and run setup again choosing 3 WORKGROUP authentication we have no issues seeing the security tab and can set the permissions but Is there a way that I can mount the drive as a user from LDAP and have the security tab show to change permissions from a UNIX world without having to change the CIFS option.

Any help would be appreciated.

Bob Kochanski

6 REPLIES 6

BOB_KOCHANSKI
5,489 Views

Sorry about that, probably just fluff, wanted to make sure you had a very detailed description, the real issue is the security.

aborzenkov
5,489 Views

Sorry, slipped finger. So - I am a bit confused. First you say "No Windows whatsoever" and then you say "mixed environment of Windows and MAC". So are there existing Windows clients (irrespectively of NetApp)? If yes - how they are organized? Is there existing Windows domain and Active Directory infrastructure?

aborzenkov
5,489 Views

Is there a way that I can mount the drive as a user from LDAP and have the security tab show to change permissions from a UNIX world

No. That's how NetApp works. If you use cifs setup option 4, NetApp presents shares as FAT filesystems which do not support ACLs. It is documented in File Access and Protocols Management Guide.

I am surprised you can access NetApp in the first place. Option 4 means plain text passwords, which are disabled by default in Windows for years.

BOB_KOCHANSKI
5,489 Views

No AD in the environment, the Windows clients are using Local Users on their machines that match the user in LDAP.  We did change the option in the Windows GPO for the clear text passwords in order to gain access.  So if I was to create a volume with the UNIX security style and created a share off of it, where would the UNIX admins change permissions going forward?  I am by far not a UNIX/LINUX guru so I am not sure where the permissions would be applied to the files/folders.

aborzenkov
5,489 Views

In the past there was GUI utility to edit Unix file mode. It seems to have disappeared from toolchest. There are command line tools that I myself never tried: http://support.netapp.com/NOW/download/tools/na_chstuff/

You may use something like SFTP client to control permissions and even ownership (I briefly tested WinSCP and it allows changing file owner/group and mode bits). But it also means you have to ensure unique UID for every user and setup LDAP for Unix user database as well.

You still need valid CIFS-to-Unix user mapping. It is independent from CIFS authentication mechanism.

BOB_KOCHANSKI
5,489 Views

The rwx issue has been resolved between MAC and Windows clients, however it seems we have an authentication problem.  I have broken down the steps we took in this process below:

1.) Created volume with UNIX security style

2.) Created qtree with UNIX security style

3.) Created share off of qtree with (Everyone-Full Control)

4.) Mounted NFS from the MAC side

5.) Mapped CIFS from the Windows side

6.) Had user create a folder and copy files into the folder from the NFS mount on the MAC client, the Windows client could see and access the files/folders created.

7.) Had user create a folder and copy files into the folder from the CIFS map on the Windows client, the MAC client could see and access the files/folders created.

The issue I have with this is if the MAC client creates a new directory anyone from the Windows client can delete it and vice versa.  I also noticed that regardless of whether we are mounting NFS or mapping CIFS, we are not being prompted for credentials to connect.  FYI....  The NetApp does query the user information from "Open LDAP".

Public