How to change security style of volume from UNIX to NTFS in ONTAP 9

Applies to

ONTAP 9

Description

This article includes instructions on modifying security style of existing volume/qtree and propagating NTFS permissions to sub-folders and files in  ONTAP 9

Procedure

1. Modify security style of volume or qtree to NTFS:

::> volume modify -vserver vserver_name -volume -security-style ntfs

•     After the security style has been change, the root of the volume will be updated

  Example

  Cluster::> vserver security file-directory show -vserver Vs1 -path  /vol1

  Copied

                  Vserver: Vs1
              File Path: /vol1
      File Inode Number: 96
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:BUILTIN\Administrators
                         Group:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff-(Inherited)
                           ALLOW-Everyone-0x10000000-OI|CI|IO (Inherited)

• The only change made to any child object is the security style

  Example

  Cluster::> vserver security file-directory show -vserver Vs1 -path  /vol1/new.txt

  Copied

                  Vserver: Vs1
              File Path: /vol1/new.txt
      File Inode Number: 102
         Security Style: ntfs
        Effective Style: unix
         DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: -

2. Perform below steps on windows end to propagate DACL information to sub-folders and files.

• Access share from windows and navigate to Advanced option in security tab under properties
• Click on "Change" next to Owner, select an appropriate user
• Click on "Replace all child object permission entries with inheritable permission entries from this object" option and click Apply

Note: You can add/remove DACL on parent folder based on your requirement before clicking on above option.

• After this process finishes, all child objects will now show NTFS as the effective security style and will have the NTFS ACL applied
• Until this process finishes, ONTAP will enforce UNIX permissions​​​​​​

Additional Information

• Output from file-directory on the qtree and files/folders present under it when security style of qtree is UNIX

Example

::> file-directory show -vserver svm01 -path /vol1/tree3
  (vserver security file-directory show)

Copied

                Vserver: svm01
              File Path: /vol1/tree3
      File Inode Number: 1346562
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: -

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1
  (vserver security file-directory show)

Copied

                Vserver: svm01
              File Path: /vol1/tree3/folder1
      File Inode Number: 1346564
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: -
 

::>file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt
  (vserver security file-directory show)

                Vserver: svm01
              File Path: /vol1/tree3/folder1/file2.txt
      File Inode Number: 1346565
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: -

• Output from file-directory show on qtree and files/folders present under it when security style of qtree is modified to NTFS and without inheriting permission to child objects on a Microsoft Windows client

Example

::> file-directory show -vserver svm01 -path /vol1/tree3
  (vserver security file-directory show)

Copied

                Vserver: svm01
              File Path: /vol1/tree3
      File Inode Number: 1346562
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:BUILTIN\Administrators
                         Group:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff
                           ALLOW-Everyone-0x10000000-OI|CI|IO

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1
  (vserver security file-directory show)

Copied

                Vserver: svm01
              File Path: /vol1/tree3/folder1
      File Inode Number: 1346564
         Security Style: ntfs
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: -

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt
  (vserver security file-directory show)

                Vserver: svm01
              File Path: /vol1/tree3/folder1/file2.txt
      File Inode Number: 1346565
         Security Style: ntfs
        Effective Style: unix
         DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: -

• Output from file-directory show on  theqtree and files/folders present under it when security style of qtree is modified to NTFS and with inheriting permission to child objects on a Microsoft Windows client

Example

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1
  (vserver security file-directory show)

Copied

                Vserver: svm01
              File Path: /vol1/tree3/folder1
      File Inode Number: 1346564
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8504
                         Owner:BUILTIN\Administrators
                         Group:NASLAB\Domain Users
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff-OI|CI (Inherited)

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt
  (vserver security file-directory show)

Copied

                Vserver: svm01
              File Path: /vol1/tree3/folder1/file2.txt
      File Inode Number: 1346565
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8504
                         Owner:BUILTIN\Administrators
                         Group:NASLAB\Domain Users
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff-(Inherited)