ONTAP Discussions

Group Policy Objects and ONTAP 9.6 (or newer)




I'm trying to find out how things will behave in the following scenario.


3 SVMs and machine objects, all stored in the same OU in Active Directory

1 SVM is pure SMB/CIFS, 1 SVM is pure NFS, and 1 SVM is mixed with both CIFS & NFS access to the same data.


1) GPO Policy is applied to the OU that contains all 3 machine objects mentioned above. What happens / how does each of those 3 SVMs behave?


- For the first one I assume everything works like it should (assuming GPOs are enabled and the GPO contains supported GPO settings)

- For the second one I assume the GPO is just ignored (GPO-support might not be possible to enable on an NFS SVM, and it might not be added to AD as a machine object anyway)

- For the third, how is this handled? Assuming GPO-support is turned on, will it only use the GPOs for access coming from CIFS/SMB clients, or will GPOs also have any effect on access from the NFS side of things?




Need a bit more:

1) Security style of volumes/qtrees of 2 and 3.

2) How are you handling NFS authentication?


I don't think NFS directly will be affected, unless you're mapping from Windows security style and using AD for that.


Since this is a solution that is not implemented yet, nothing is 100% set in stone, and things could change.


1) Volumes and qtrees will probably have mostly either "Unix" or "Mixed" security style.

2) With regards to NFS authentication, early on it will probably only be IP-filtering, but later on it will probably be Kerberos based.


I'm mostly trying to figure out how it works, more than figuring out "how to make it work", if that makes sense. Someone could argue: what is the point of trying to log something like file-change or file-access if you only log it from CIFS and not from NFS, when both NFS and CIFS are using/changing the files anyway?


After doing a little bit more talking, we'll probably go straight for Kerberos for NFS authentication.