NetApp Knowledge Base

How to change security style of volume from UNIX to NTFS in ONTAP 9

Category:
ontap-9
Specialty:
nas
Last Updated:
4/25/2025, 9:03:25 AM

Applies to

ONTAP 9

Description

This article describes how to modify the security style of an existing volume or qtree and how to propagate NTFS permissions to its sub-folders and files in ONTAP 9.

Procedure

  1. Modify the security style of the volume or qtree to NTFS:

::> volume modify -vserver vserver_name -volume volume_name -security-style ntfs

  • After the security style has been changed, the root of the volume will be updated
    Example

    Cluster::> vserver security file-directory show -vserver Vs1 -path  /vol1

                    Vserver: Vs1
                  File Path: /vol1
          File Inode Number: 96
             Security Style: ntfs
            Effective Style: ntfs
             DOS Attributes: 10
     DOS Attributes in Text: ----D---
    Expanded Dos Attributes: -
               UNIX User Id: 0
              UNIX Group Id: 0
             UNIX Mode Bits: 777
     UNIX Mode Bits in Text: rwxrwxrwx
                       ACLs: NTFS Security Descriptor
                             Control:0x8004
                             Owner:BUILTIN\Administrators
                             Group:BUILTIN\Administrators
                             DACL - ACEs
                               ALLOW-Everyone-0x1f01ff-(Inherited)
                               ALLOW-Everyone-0x10000000-OI|CI|IO (Inherited)

  • The only change made to any child object is the security style
    Example

    Cluster::> vserver security file-directory show -vserver Vs1 -path  /vol1/new.txt

                    Vserver: Vs1
                  File Path: /vol1/new.txt
          File Inode Number: 102
             Security Style: ntfs
            Effective Style: unix
             DOS Attributes: 20
     DOS Attributes in Text: ---A----
    Expanded Dos Attributes: -
               UNIX User Id: 0
              UNIX Group Id: 1
             UNIX Mode Bits: 777
     UNIX Mode Bits in Text: rwxrwxrwx
                       ACLs: -

  2. Perform the steps below on the Windows client to propagate DACL information to sub-folders and files.
  • Access the share from Windows and navigate to the Advanced option in the Security tab under Properties
  • Click "Change" next to Owner and select an appropriate user
  • Select the "Replace all child object permission entries with inheritable permission entries from this object" option and click Apply

Note: You can add or remove DACL entries on the parent folder based on your requirements before selecting the above option.


  • After this process finishes, all child objects will now show NTFS as the effective security style and will have the NTFS ACL applied
  • Until this process finishes, ONTAP will enforce UNIX permissions
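
One way to verify that propagation has completed, as an added example that is not part of the original article: the Python sketch below parses saved output of vserver security file-directory show and lists every object whose Security Style is ntfs while its Effective Style is still unix, meaning UNIX mode bits are still what ONTAP enforces there. The sample text is constructed from the output format shown in this article, and the function names are assumptions of this example.

```python
import re

# Constructed sample in the layout of "vserver security file-directory show"
# (fields trimmed, values modelled on this article's output).
SAMPLE = r"""
                Vserver: svm01
              File Path: /vol1/tree3
         Security Style: ntfs
        Effective Style: ntfs
         UNIX Mode Bits: 777
                   ACLs: NTFS Security Descriptor
                         Owner:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff
                           ALLOW-Everyone-0x10000000-OI|CI|IO

                Vserver: svm01
              File Path: /vol1/tree3/folder1/file2.txt
         Security Style: ntfs
        Effective Style: unix
         UNIX Mode Bits: 755
                   ACLs: -
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s?(.*)$")

def parse_records(text):
    """Split the output into one dict per object; ACE lines go to rec['aces']."""
    records, rec = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("ALLOW-", "DENY-")):
            if rec is not None:
                rec["aces"].append(stripped)
            continue
        m = FIELD.match(line)
        if not m:
            continue  # prompts, echoed command names, "DACL - ACEs", blanks
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Vserver":  # every record in the output starts with Vserver
            rec = {"aces": []}
            records.append(rec)
        if rec is not None:
            rec[key] = value
    return records

def pending_propagation(records):
    """(path, mode bits) for objects labelled ntfs but still enforced as unix."""
    return [(r["File Path"], r.get("UNIX Mode Bits")) for r in records
            if r.get("Security Style") == "ntfs" and r.get("Effective Style") == "unix"]
```

An empty result from pending_propagation over the output for every child path indicates the inherited NTFS ACL is now the one being enforced.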

Additional Information

  • Output from file-directory show on the qtree and the files/folders under it when the security style of the qtree is UNIX
Example

::> file-directory show -vserver svm01 -path /vol1/tree3
  (vserver security file-directory show)

                Vserver: svm01
              File Path: /vol1/tree3
      File Inode Number: 1346562
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: -

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1
  (vserver security file-directory show)

                Vserver: svm01
              File Path: /vol1/tree3/folder1
      File Inode Number: 1346564
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: -

 

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt
  (vserver security file-directory show)

                Vserver: svm01
              File Path: /vol1/tree3/folder1/file2.txt
      File Inode Number: 1346565
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: -

  • Output from file-directory show on the qtree and the files/folders under it when the security style of the qtree has been modified to NTFS but permissions have not been inherited by child objects from a Microsoft Windows client
Example

::> file-directory show -vserver svm01 -path /vol1/tree3
  (vserver security file-directory show)

                Vserver: svm01
              File Path: /vol1/tree3
      File Inode Number: 1346562
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:BUILTIN\Administrators
                         Group:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff
                           ALLOW-Everyone-0x10000000-OI|CI|IO

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1
  (vserver security file-directory show)

                Vserver: svm01
              File Path: /vol1/tree3/folder1
      File Inode Number: 1346564
         Security Style: ntfs
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: -

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt
  (vserver security file-directory show)

                Vserver: svm01
              File Path: /vol1/tree3/folder1/file2.txt
      File Inode Number: 1346565
         Security Style: ntfs
        Effective Style: unix
         DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 755
 UNIX Mode Bits in Text: rwxr-xr-x
                   ACLs: -

  • Output from file-directory show on the qtree and the files/folders under it when the security style of the qtree has been modified to NTFS and permissions have been inherited by child objects from a Microsoft Windows client
Example

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1
  (vserver security file-directory show)

                Vserver: svm01
              File Path: /vol1/tree3/folder1
      File Inode Number: 1346564
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8504
                         Owner:BUILTIN\Administrators
                         Group:NASLAB\Domain Users
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff-OI|CI (Inherited)

::> file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt
  (vserver security file-directory show)

                Vserver: svm01
              File Path: /vol1/tree3/folder1/file2.txt
      File Inode Number: 1346565
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 20
 DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 1
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8504
                         Owner:BUILTIN\Administrators
                         Group:NASLAB\Domain Users
                         DACL - ACEs
                           ALLOW-Everyone-0x1f01ff-(Inherited)

 
