ONTAP Discussions

Unix to Mixed security style change

Pkumawat
961 Views

Hi All,

 

I created new SVM with root volume and data volumes with UNIX security style. While creating the volumes, the requirement was limited to NFS access only. Now the new requirement requires CIFS access too. I have a volume lets say volume_nfs, under that there is a qtree lets say volume_nfs_qtree. Security style for both volume and qtree is UNIX. There are no other file or folder under volume volume_nfs except volume_nfs_qtree. Currently only NFS export is configured on this volume.

 

Now I am thinking to change security style of qtree volume_nfs_qtree to mixed from UNIX and I will keep security style of volume volume_nfs unchanged. 

 

Is that a right approach? I am worried what if it changes file permissions and application starts seeing issues with the file access. Please advice on this.

 

Thanks,

PK

3 REPLIES 3

TMACMD
910 Views

Don’t do it. Nothing ever good comes out of using mixed mode. I call it “last one to set security wins”. And by this I mean: ONTAP only supports a single set of permissions in files/directories. Either Unix permissions or nt ACLs. Not both. I can set Unix permissions then someone can come in ABBA set an acl and restrict. Then troubleshooting security becomes a nightmare. 

set up an ldap client for the svm. Make sure your Active Directory schema includes uid, number and gidnumber. 

review the Netapp multi protocol tr 

Ashun
413 Views

hi

 

I think you are wrong to set security to mixed, you should set it to unix or ntfs

You can follow the links below to determine the security you want to set

Decide which security style to use on SVMs (netapp.com)

Security styles and their effects (netapp.com)

 

chris_hurley
385 Views

As all mentioned, MIXED is not needed for multiprotocol access.   Multiprotocol access is available on any security style.  That the security style represents is the management of the permissions.  For UNIX style, NFSv3 perms (mode bits) or NFSv4 ACLs are used to secure the files.  Windows users will need to map to a unix user via AD & LDAP.   For NTFS style, NTFS ACLs are used to secure the files and NFS users will need to map to a Windows user via AD & LDAP.

Public