Network and Storage Protocols
I'd like to prevent Windows access to my vFiler root volume. But when I set up the vFiler for AD access, the domain administrator can set up a share to access the rootvol.
One way around this is, before presenting the vFiler rootvol, to NFS mount it and chmod 500 the directory.
Is there a way to do this from the OnTap command line?
(OnTap 8.1RC2)
Thanks
The fsecurity command may help here (not to perform a chmod on NetApp, but to set an extra ACL that overrides the standard NTFS ACL).
Administrator must have a mapping to root somehow if Windows is accessing the UNIX-style vFiler root (the default is that Administrator on Windows maps to root, so you could change that)... or you could remove the CIFS share for admin. The "\" share default via C$ on a vFiler directs to a special mount point that sees all volumes. You can remove it with vfiler run vfilername cifs shares delete c$ to remove Windows access. This is different from vfiler0, where C$ points to the root volume of the system; the vFiler default is the root of all volumes, but it can be changed to the path of the root volume if you want to match vfiler0, or just deleted for no Windows access.
You can also use the diag account to mount back to the vFiler from the BSD prompt in the systemshell, outside of ONTAP but via the same login. I wouldn't do that if you have host access to do it, though...
I'm not concerned about the vFiler root. But I am concerned about other vFilers binding to other ADs (I don't want those domain admins monkeying with the child vFiler's rootvol). I will be using ipspaces to quarantine the child vFiler to this other AD and VLAN environment. In that environment, I may not have access to a Linux box to change the perms.
Removing the CIFS share might be the easiest and most effective route.
Sort of... the Domain Admins can just create the share over again. Whereas by setting the directories to 500 on the UNIX side, the domain admins could create the share but can't see/alter the directory structure/files.
Good point... you could unlock the diag user account, then mount from BSD on the command line to do the chmod. Not officially supported, but it works to get a local NFS mount on the same system; then unmount and lock the account when done.
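The lock-down step the thread arrives at (mount the rootvol via NFS, chmod 500 the directory, verify, unmount), written out as an added example that is not part of the original thread. It assumes the vFiler root volume has already been NFS-mounted at the path passed in (for instance from the systemshell, as described above); the ONTAP-side steps (unlocking the diag user, the systemshell mount and unmount, re-locking the account) are not performed here and are only referenced in comments. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes $1 is a directory on
# an already-mounted NFS export of the vFiler root volume. The surrounding
# ONTAP steps (unlock diag user, systemshell, mount, later umount and
# re-lock) are not run by this script.
set -eu

# Print the 10-character permission field for a path ("dr-x------").
# `ls -ld` is used because GNU and BSD `stat` take different flags;
# any trailing ACL/xattr marker (+, ., @) is cut off.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Owner of the path. Mode 500 only blocks a Windows user whose UNIX
# mapping is NOT root, so the admin should confirm who owns the root.
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# Restrict a directory to owner read+execute only and confirm the
# result. Returns 0 only when the bits are exactly dr-x------,
# 2 when the path is not a directory, 1 when the chmod did not stick.
lock_down_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "lock_down_dir: not a directory: $dir" >&2
        return 2
    fi
    chmod 500 "$dir"
    actual=$(mode_string "$dir")
    if [ "$actual" != "dr-x------" ]; then
        echo "lock_down_dir: expected dr-x------ on $dir, got $actual" >&2
        return 1
    fi
    echo "$dir is now $actual (owner $(owner_of "$dir"))"
}

# Usage on a real system after the NFS mount, e.g.:
#   lock_down_dir /mnt/vfiler_rootvol
# then unmount and re-lock the diag account from ONTAP.
```

The script changes nothing it cannot verify: if the mode after chmod is not exactly 500 (for example because the export is read-only or the filesystem ignores UNIX mode bits), it reports the actual bits and exits non-zero instead of silently leaving the rootvol open.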