How to change security style of volume from UNIX to NTFS in ONTAP 9

Last updated
Save as PDF
Share
1. Share
2. Tweet
3. Share

Views:: 10,615

Visibility:: Public

Votes:: 2

Category:: ontap-9

Specialty:: nas

Last Updated:

Applies to

ONTAP 9

Description

This article includes instructions on modifying security style of existing volume/qtree and propagating NTFS permissions to sub-folders and files in ONTAP 9

Procedure

Modify security style of volume or qtree to NTFS:

::> volume modify -vserver vserver_name -volume -security-style ntfs

After the security style has been change, the root of the volume will be updated

Example

Cluster::> vserver security file-directory show -vserver Vs1 -path /vol1

Vserver: Vs1 File Path: /vol1 File Inode Number: 96 Security Style: ntfs Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 0 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor Control:0x8004 Owner:BUILTIN\Administrators Group:BUILTIN\Administrators DACL - ACEs ALLOW-Everyone-0x1f01ff-(Inherited) ALLOW-Everyone-0x10000000-OI|CI|IO (Inherited)
The only change made to any child object is the security style

Example

Cluster::> vserver security file-directory show -vserver Vs1 -path /vol1/new.txt

Vserver: Vs1 File Path: /vol1/new.txt File Inode Number: 102 Security Style: ntfs Effective Style: unix DOS Attributes: 20 DOS Attributes in Text: ---A---- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 1 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: -

Perform below steps on windows end to propagate DACL information to sub-folders and files.

Access share from windows and navigate to Advanced option in security tab under properties
Click on "Change" next to Owner, select an appropriate user
Click on "Replace all child object permission entries with inheritable permission entries from this object" option and click Apply

Note: You can add/remove DACL on parent folder based on your requirement before clicking on above option.

After this process finishes, all child objects will now show NTFS as the effective security style and will have the NTFS ACL applied
Until this process finishes, ONTAP will enforce UNIX permissions

Additional Information

If in case the propagation of permissions doesn't work from windows, we can enforce the permissions from Ontap CLI.
It is not recommended to change/set NTFS permissions from ONTAP CLI, this should only be attempted if other methods are unavailable.
Propagation of permissions is always from top to bottom, so first permissions are applied on parent folder and then sub-folders.
In case of rollback plan, that is to change the security style from NTFS to UNIX, modify the security style of volume or qtree to UNIX, permissions can be changed from LINUX end post changing the security style.
Output from file-directory on the qtree and files/folders present under it when security style of qtree is UNIX

Example

::> file-directory show -vserver svm01 -path /vol1/tree3 (vserver security file-directory show)

Vserver: svm01 File Path: /vol1/tree3 File Inode Number: 1346562 Security Style: unix Effective Style: unix DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 0 UNIX Mode Bits: 755 UNIX Mode Bits in Text: rwxr-xr-x ACLs: -

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1 (vserver security file-directory show)

Vserver: svm01 File Path: /vol1/tree3/folder1 File Inode Number: 1346564 Security Style: unix Effective Style: unix DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 1 UNIX Mode Bits: 755 UNIX Mode Bits in Text: rwxr-xr-x ACLs: -

::>file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt (vserver security file-directory show)

Vserver: svm01 File Path: /vol1/tree3/folder1/file2.txt File Inode Number: 1346565 Security Style: unix Effective Style: unix DOS Attributes: 20 DOS Attributes in Text: ---A---- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 1 UNIX Mode Bits: 755 UNIX Mode Bits in Text: rwxr-xr-x ACLs: -

Output from file-directory show on qtree and files/folders present under it when security style of qtree is modified to NTFS and without inheriting permission to child objects on a Microsoft Windows client

Example

::> file-directory show -vserver svm01 -path /vol1/tree3 (vserver security file-directory show)

Vserver: svm01 File Path: /vol1/tree3 File Inode Number: 1346562 Security Style: ntfs Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 0 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor Control:0x8004 Owner:BUILTIN\Administrators Group:BUILTIN\Administrators DACL - ACEs ALLOW-Everyone-0x1f01ff ALLOW-Everyone-0x10000000-OI|CI|IO

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1 (vserver security file-directory show)

Vserver: svm01 File Path: /vol1/tree3/folder1 File Inode Number: 1346564 Security Style: ntfs Effective Style: unix DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 1 UNIX Mode Bits: 755 UNIX Mode Bits in Text: rwxr-xr-x ACLs: - ::> file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt (vserver security file-directory show)

Vserver: svm01 File Path: /vol1/tree3/folder1/file2.txt File Inode Number: 1346565 Security Style: ntfs Effective Style: unix DOS Attributes: 20 DOS Attributes in Text: ---A---- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 1 UNIX Mode Bits: 755 UNIX Mode Bits in Text: rwxr-xr-x ACLs: -

Output from file-directory show on theqtree and files/folders present under it when security style of qtree is modified to NTFS and with inheriting permission to child objects on a Microsoft Windows client

Example

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1 (vserver security file-directory show)

Vserver: svm01 File Path: /vol1/tree3/folder1 File Inode Number: 1346564 Security Style: ntfs Effective Style: ntfs DOS Attributes: 10 DOS Attributes in Text: ----D--- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 1 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor Control:0x8504 Owner:BUILTIN\Administrators Group:NASLAB\Domain Users DACL - ACEs ALLOW-Everyone-0x1f01ff-OI|CI (Inherited)

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt (vserver security file-directory show)

Vserver: svm01 File Path: /vol1/tree3/folder1/file2.txt File Inode Number: 1346565 Security Style: ntfs Effective Style: ntfs DOS Attributes: 20 DOS Attributes in Text: ---A---- Expanded Dos Attributes: - UNIX User Id: 0 UNIX Group Id: 1 UNIX Mode Bits: 777 UNIX Mode Bits in Text: rwxrwxrwx ACLs: NTFS Security Descriptor Control:0x8504 Owner:BUILTIN\Administrators Group:NASLAB\Domain Users DACL - ACEs ALLOW-Everyone-0x1f01ff-(Inherited)