How to change security style of volume from UNIX to NTFS in ONTAP 9
Applies to
ONTAP 9
Description
This article describes how to modify the security style of an existing volume or qtree and how to propagate NTFS permissions to sub-folders and files in ONTAP 9.
Procedure
- Modify security style of volume or qtree to NTFS:
::> volume modify -vserver vserver_name -volume volume_name -security-style ntfs
- After the security style has been changed, the root of the volume will be updated
- Example:
Cluster::> vserver security file-directory show -vserver Vs1 -path /vol1
Vserver: Vs1
File Path: /vol1
File Inode Number: 96
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
DACL - ACEs
ALLOW-Everyone-0x1f01ff-(Inherited)
ALLOW-Everyone-0x10000000-OI|CI|IO (Inherited)
- The only change made to any child object is the security style
- Example:
Cluster::> vserver security file-directory show -vserver Vs1 -path /vol1/new.txt
Vserver: Vs1
File Path: /vol1/new.txt
File Inode Number: 102
Security Style: ntfs
Effective Style: unix
DOS Attributes: 20
DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 1
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: -
- Perform the steps below on the Windows side to propagate DACL information to sub-folders and files:
- Access the share from Windows and navigate to the Advanced option on the Security tab under Properties
- Click "Change" next to Owner and select an appropriate user
- Select the "Replace all child object permission entries with inheritable permission entries from this object" option and click Apply
Note: You can add or remove DACL entries on the parent folder as required before selecting the above option.
- After this process finishes, all child objects will now show NTFS as the effective security style and will have the NTFS ACL applied
- Until this process finishes, ONTAP will enforce UNIX permissions
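A way to check for objects still in the intermediate state described above (Security Style ntfs, Effective Style unix), given as an added example that is not NetApp's code. It assumes the output of `vserver security file-directory show` has been captured to text; the function names are hypothetical, the sample is constructed from the two examples above, and the world-writable flag is an extra check on the UNIX mode bits that ONTAP is still enforcing.

```python
import re

# Constructed sample: abbreviated records for a parent and a child object,
# in the format of `vserver security file-directory show` shown above.
SAMPLE = """\
Vserver: Vs1
File Path: /vol1
Security Style: ntfs
Effective Style: ntfs
UNIX Mode Bits: 777
ACLs: NTFS Security Descriptor
Control:0x8004
DACL - ACEs
ALLOW-Everyone-0x1f01ff-(Inherited)
Vserver: Vs1
File Path: /vol1/new.txt
Security Style: ntfs
Effective Style: unix
UNIX Mode Bits: 777
ACLs: -
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_records(text):
    """Split captured output into one dict per object; 'Vserver:' starts a record."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # ACE lines, "DACL - ACEs" and blank lines carry no field
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Vserver":
            records.append({})
        if records:
            records[-1].setdefault(key, value)  # first occurrence wins
    return records

def pending_propagation(records):
    """Return (path, mode bits, world_writable) where UNIX permissions still apply."""
    findings = []
    for r in records:
        if r.get("Security Style") == "ntfs" and r.get("Effective Style") != "ntfs":
            mode = r.get("UNIX Mode Bits", "")
            world_writable = mode.isdigit() and (int(mode[-1]) & 2) != 0
            findings.append((r.get("File Path"), mode, world_writable))
    return findings

if __name__ == "__main__":
    print(pending_propagation(parse_records(SAMPLE)))
```

An empty result after the Windows-side propagation finishes means every checked object reports NTFS as its effective style.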