issue assigning security permissions with ntfs qtree and cifs

infinitiguy

Hi,

I'm running data ontap 7.3.2 on a 2050 filer.  I have a volume (volMain) that has unix security.  Under it, I have a qtree (ntfsQtree) created with NTFS security.

The cifs share is set for everyone Full access on the volume /vol/volMain. Inside of that I see my qtree folder, and can write to it from a windows server just fine... but what I really expected to see was a security tab on the files I'm writing to the qtree so I would be able to assign granular NTFS permissions... however, in right clicking/going to properties on a folder, all I see are "General", "Previous versions" and "Customize", so I'm unclear as to how I can set granular ACLs on this qtree (and folders beneath it).

This seems like it shouldn't be hard to figure out, so I assume I'm missing something stupid.

It's been a very long time since I've worked on netapps so I'm trying to quickly come back up to speed on all of this stuff that I have forgotten, so forgive me if my question is dumb.

Cheers,

-Derek

rmharwood

You may well need to create the share at the qtree level and access it that way. Did you try that?

Richard

infinitiguy

I hadn't tried that yet. I'll look into that, although it will not really do what I want to achieve.

In my above case what I did find worked was changing the main volume qtree type to multi. I then saw the security tab and unix qtrees had everyone with a special permission (unix permission) while ntfs qtrees had everyone with full permissions, which was grand.

I was confused as to why all my subfolders continued to have everyone "full" permissions, but I just realized that it was being inherited from the NTFS qtree.

I want to keep the top level shares pretty generic, and minimal (apps/users/groups/secure/public).. and below each get granular with security/permissions.

groups/secure would be the only ones I can see needing NTFS permissions.. for the rest unix is fine.  I'm wondering if it would be better to just create separate volumes for each one and have them either ntfs or unix.

The issue I think is most of the people accessing groups will do so from unix accounts, and I'm not sure if NTFS will really work out well in terms of the broad security requirements they may need... or how that really even translates.

For example...

unix uid = joe

unix gid = eng

If there is no AD group similar to eng (and from what I've read) netapp can't do unix group to windows group mapping... I'm not sure how he would be able to get access to shares using his gid, which in that case the groups share could not be NTFS permission... it would have to be unix or mixed.

My concern with mixed is from the sounds of it, if ntfs permissions get applied to a folder containing unix permissions, the unix permissions essentially get tossed away?  That could leave a huge hole open for mistakes.

rmharwood

Personally I really really dislike using mixed security on a qtree precisely for these reasons. If you can use a CIFS/SMB client on your Unix side you will probably find it easier all round.

Richard

infinitiguy

Fair enough re: use of mixed mode.. it does seem to be a little troublesome.

I think I'm slowly coming to a visualization of what everything will look like.

Off topic a little... do you know if there is a way with netapp to implement quotas and have an end user notified automatically when the quota has been exceeded?  I'm not sure how netapp would go about doing that.  They'd need to query active directory, pull the email address and fire off an email.

I haven't done research into it yet, just popped into my mind as something that would be nice to do.

rmharwood

Netapp Operations Manager has this functionality although it may or may not fit your environment. Among other things, it assumes that all your users are in a single email domain. It works for us but may not for you. Plus you have to pay for Operations Manager of course. Your alternative is possibly to trap SNMP notices about quota usage and I thought at one point there was a sample script on the NOW site for doing some kind of quota notification.

Richard

infinitiguy

"it assumes that all your users are in a single email domain" I see that now... got my first alert and noticed it was sent to my short username with no domain...

So my next question is... if any of you guys know..

The alert that is emailed to me (as end user) is kind of.... ugly.  Do you know where this template could be modified?

Cheers,

-Derek

You (as user "dmurphy") have used up 93.37% (1.87 GB out of 2.00 GB) of
available disk space quota on 2050b:/users_derek_2050b/home.

Please delete files that you no longer need.

Event (For IT Use only): https://dfmserver:8443/dfm/report/view/event-details/556225

-- IT Administrator
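The alert quoted above has a fixed shape, so a notification hook (the kind of script rmharwood is said to have written in Perl, of which this Python is an added example and not his code) can parse it, resolve the short username to a full address, and send something friendlier. The directory table and the default domain are constructed stand-ins for an AD/LDAP lookup; the sample text is a copy of the alert above.

```python
import re

# Constructed copy of the Operations Manager alert quoted in the thread (sample input).
SAMPLE_ALERT = """You (as user "dmurphy") have used up 93.37% (1.87 GB out of 2.00 GB) of
available disk space quota on 2050b:/users_derek_2050b/home.

Please delete files that you no longer need.

Event (For IT Use only): https://dfmserver:8443/dfm/report/view/event-details/556225

-- IT Administrator
"""

# First sentence of the alert; the line break before "available" is matched by \s+.
ALERT_RE = re.compile(
    r'You \(as user "(?P<user>[^"]+)"\) have used up (?P<pct>[\d.]+)% '
    r'\((?P<used>[\d.]+) (?P<unit>[KMGT]B) out of (?P<limit>[\d.]+) (?P=unit)\)'
    r' of\s+available disk space quota on (?P<filer>[^:\s]+):(?P<path>\S+)\.(?=\s|$)'
)
EVENT_RE = re.compile(r'Event \(For IT Use only\): (?P<url>\S+)')

# Hypothetical directory: a real hook would query AD/LDAP for the mail attribute.
DIRECTORY = {"dmurphy": "derek.murphy@corp.example"}


def parse_quota_alert(text):
    """Return the fields of a DFM quota alert, or None if the format is not recognised."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    d = m.groupdict()
    for key in ("pct", "used", "limit"):
        d[key] = float(d[key])
    ev = EVENT_RE.search(text)
    d["event_url"] = ev.group("url") if ev else None
    return d


def resolve_email(user, default_domain):
    """Directory lookup with a single-domain fallback (the limitation noted in the thread)."""
    return DIRECTORY.get(user, f"{user}@{default_domain}")


def build_notice(text, default_domain="corp.example"):
    """Turn the raw alert into a user-facing message; the IT-only event URL is kept separate."""
    a = parse_quota_alert(text)
    if a is None:
        raise ValueError("unrecognised quota alert format")
    free = round(a["limit"] - a["used"], 2)
    state = "exceeded" if a["pct"] >= 100 else f"at {a['pct']:.0f}%"
    subject = f"Home directory quota {state}: {a['filer']}:{a['path']}"
    body = (f"Hi {a['user']},\n\nYour quota on {a['filer']}:{a['path']} is {state} "
            f"({a['used']:.2f} {a['unit']} used, {free:.2f} {a['unit']} free of "
            f"{a['limit']:.2f} {a['unit']}). Please remove files you no longer need.\n")
    return {"to": resolve_email(a["user"], default_domain), "subject": subject,
            "body": body, "event_url": a["event_url"]}
```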

ryanstather

rmharwood above wrote a PERL script which gets called when the "qtree full" or "qtree almost full" events are triggered and generates a user-friendly message.  You can find his example script and a more detailed explanation of how it's utilized in the following thread:

http://communities.netapp.com/message/10458#10458

They also reference another 3rd party tool called "Northern Storage Suite" which I believe is similar to the NTP Software I mentioned below.

Cheers,

Ryan

rmharwood

Yes, the DFM/Ops Manager admin guide contains details about how to customize the email that is sent.

Richard

ryanstather

You may want to investigate the usermap.cfg file:

http://now.netapp.com/NOW/knowledge/docs/ontap/rel80/html/ontap/filesag/GUID-964E23D4-86C2-49AA-A859-D97D990D306A.html

or consider Samba for sharing between UNIX and Windows.

In regards to your question about quota exceeded notifications there's a NetApp product called DFM/Operations Manager which can provide such functionality although it can be tricky and time-consuming to configure.  I'd suggest reading through the following thread:

http://communities.netapp.com/message/29543#29543

My organization is currently investigating a reporting tool that integrates with NetApp made by NTP Software which can be utilized for a variety of different purposes including user notifications:

http://www.ntpsoftware.com/products/Storage_Management.aspx

Hope these help a bit.

Regards,

Ryan

infinitiguy

I'll check out the products you listed. We have DFM, so I'll look through that to see about configuring email alerts for users.

I'm not sure if usermap.cfg needs any work done.  All of our user accounts have the same name between auth (ad/ldap), so the default mappings are working ok.

Thanks for the info!