How does ONTAP generate permissions for NFS and CIFS clients, when the volume security style is not native to the protocol?
Applies to
ONTAP 9
Answer
NFS clients accessing NTFS security files/folders
NTFS ACLs are translated into the least permissive equivalent of Unix modebits, applied to the Owner, Owner Group, and Other fields as they would apply to a user making a request. Ownership of a file is determined by the UID and GID of the mapped user that wrote the ownership information. The "other" field is populated only if an equivalent SID (such as Everyone) has explicit permissions. This can cause confusion when an Administrator assigns an arbitrary owner to an object: the resulting Unix ownership, and therefore the permissions an NFS client sees, reflects the Administrator's mapping rather than the new owner's.
The following Access Masks will translate into modebits directly:
- Read & Execute (r-x)
- Read (r--)
- Write (-w-)
- Modify (rwx)
- Full Control (rwx)
- Traverse Folder / Execute File (--x)
- Create Files / Write Data (-w-)
- List Folders / Read Data (r--)
Other special permissions (for example Delete or Take Ownership) have no direct translation into Unix modebits. In those cases a client's ability to perform such an action cannot be expressed with modebits alone, so the modebits an NFS client sees understate what the ACL actually grants.
CIFS clients accessing UNIX security files/folders
Unix permissions are translated into NTFS ACLs when the CIFS server option -is-unix-nt-acl-enabled is set to true (the default).
Each of the owner, group and other fields is represented by a placeholder ("fake") SID, so a CIFS client sees entries for:
- UNIXPermUid\User
- UNIXPermGid\Group
- other
- the current accessing user
The entry for the current accessing user is a representation of the effective permissions for the user and is not an applied permission on the file/folder.
The resulting NTFS ACL appears more permissive than the modebits, because some NTFS rights have no modebit equivalent and are granted alongside the ones that do. ONTAP preserves the client's expectation with this translation: a Windows user whose mapped Unix user would get rwx effectively has a Full Control ACL, even though Full Control includes special permissions that a Unix user could never be explicitly given via modebits.
Both translations are performed when permissions are written.
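The following is an added worked example, not ONTAP code, that models both translations described above (the NTFS ACL to modebits direction and the modebits to placeholder-SID ACL direction). The rights-to-modebit table and the placeholder SID prefixes are taken from this page; the ACE data shape, the clearing of bits for Deny ACEs, the composition of rw- and -wx from the listed masks, the omission of an entry for a field with no bits, and the sample DACL are assumptions made for illustration.

```python
"""Model of the two ONTAP permission translations (added example, not ONTAP code).

The rights-to-modebit table and the placeholder SID prefixes come from the page.
Everything else is an assumption for illustration: the ACE data shape, clearing
bits for Deny ACEs, composing rw- and -wx from the listed masks, and omitting an
entry for a field whose bits are all zero.
"""
from collections import namedtuple

R, W, X = 4, 2, 1

# NTFS access masks that the page says translate directly into modebits.
MASK_TO_BITS = {
    "Read & Execute": R | X,
    "Read": R,
    "Write": W,
    "Modify": R | W | X,
    "Full Control": R | W | X,
    "Traverse Folder / Execute File": X,
    "Create Files / Write Data": W,
    "List Folders / Read Data": R,
}

# Well-known SID for Everyone, the page's example of a principal mapped to 'other'.
EVERYONE_SID = "S-1-1-0"

ACE = namedtuple("ACE", "sid type mask")  # type is "Allow" or "Deny"


def mode_to_string(mode):
    """0o744 -> 'rwxr--r--'."""
    out = []
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        out.append("".join(ch if bits & b else "-" for ch, b in (("r", R), ("w", W), ("x", X))))
    return "".join(out)


def ntfs_to_modebits(aces, owner_sid, group_sid):
    """Fold an NTFS DACL into the modebits an NFS client would be shown.

    Only the three principals that have a modebit field (owner, owning group,
    Everyone) are considered.  Allow ACEs contribute the bits their mask
    translates to; a mask with no translation (e.g. "Delete") contributes
    nothing, so the result is never more permissive than the ACL.  Deny ACEs
    clear bits after all Allow ACEs are applied (assumption: the page does not
    describe Deny handling).
    """
    fields = {owner_sid: 0, group_sid: 0, EVERYONE_SID: 0}
    for ace in aces:
        if ace.sid in fields and ace.type == "Allow":
            fields[ace.sid] |= MASK_TO_BITS.get(ace.mask, 0)
    for ace in aces:
        if ace.sid in fields and ace.type == "Deny":
            fields[ace.sid] &= ~MASK_TO_BITS.get(ace.mask, 0)
    return (fields[owner_sid] << 6) | (fields[group_sid] << 3) | fields[EVERYONE_SID]


PREFIX = "S-1-5-21-2038298172-1297133386"  # placeholder SID prefix from the page
UID_RID, GID_RID, OTHER_RID = 11111, 22222, 33333

# Reverse direction: rwx becomes Full Control (from the page); single bits map
# back to the listed masks; rw- and -wx are composed from them (assumption).
BITS_TO_RIGHTS = {
    R | W | X: ["Full Control"],
    R | X: ["Read & Execute"],
    R | W: ["Read", "Write"],
    W | X: ["Write", "Traverse Folder / Execute File"],
    R: ["Read"],
    W: ["Write"],
    X: ["Traverse Folder / Execute File"],
}


def modebits_to_ntfs(mode, uid, gid):
    """Render UNIX modebits as the placeholder-SID ACL a CIFS client is shown.

    Returns (placeholder name, SID, rights) tuples.  The per-request entry for
    the accessing user is not modelled: the page says it is an effective-
    permissions display, not an ACE stored on the object.
    """
    entries = []
    for name, sid, shift in (
        ("UNIXPermUid\\User", f"{PREFIX}-{UID_RID}-{uid}", 6),
        ("UNIXPermGid\\Group", f"{PREFIX}-{GID_RID}-{gid}", 3),
        ("UNIXPerm\\other", f"{PREFIX}-{OTHER_RID}", 0),
    ):
        bits = (mode >> shift) & 7
        if bits:
            entries.append((name, sid, BITS_TO_RIGHTS[bits]))
    return entries


# Constructed sample DACL (not captured from a real system).
OWNER_SID = "S-1-5-21-1000-2000-3000-1105"
GROUP_SID = "S-1-5-21-1000-2000-3000-513"
SAMPLE_DACL = [
    ACE(OWNER_SID, "Allow", "Full Control"),
    ACE(GROUP_SID, "Allow", "Read & Execute"),
    ACE(GROUP_SID, "Deny", "Traverse Folder / Execute File"),
    ACE(EVERYONE_SID, "Allow", "Read"),
    ACE(EVERYONE_SID, "Allow", "Delete"),          # no modebit equivalent
    ACE("S-1-5-32-544", "Allow", "Full Control"),  # BUILTIN\Administrators: no modebit field
]

if __name__ == "__main__":
    mode = ntfs_to_modebits(SAMPLE_DACL, OWNER_SID, GROUP_SID)
    print(f"NTFS -> UNIX: {mode:o} ({mode_to_string(mode)})")  # 744 (rwxr--r--)
    for name, sid, rights in modebits_to_ntfs(0o750, 1001, 100):
        print(f"UNIX -> NTFS: {name:<20} {sid:<45} {', '.join(rights)}")
```

Note how the Delete ACE for Everyone and the Full Control ACE for BUILTIN\Administrators are both dropped from the modebits: neither has a field or a translation, which is exactly why an NFS client can be unable to see rights that an SMB client holds on the same NTFS-style object, and why the reverse translation has to hand out Full Control for rwx even though that grants more than the modebits say.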
Additional Information
SID/Prefix                                        | Placeholder Name
--------------------------------------------------|-----------------
S-1-5-21-2038298172-1297133386-11111-<uidNumber>  | UNIXPermUid
S-1-5-21-2038298172-1297133386-22222-<gidNumber>  | UNIXPermGid
S-1-5-21-2038298172-1297133386-33333              | UNIXPerm\other