How to change security style of volume from UNIX to NTFS in ONTAP 9
Applies to
ONTAP 9
Description
This article explains how to modify the security style of an existing volume or qtree and how to propagate NTFS permissions to sub-folders and files in ONTAP 9.
Procedure
- Modify security style of volume or qtree to NTFS:
::> volume modify -vserver vserver_name -volume volume_name -security-style ntfs
- After the security style has been changed, the root of the volume will be updated
- Example
Cluster::> vserver security file-directory show -vserver Vs1 -path /vol1
Vserver: Vs1
File Path: /vol1
File Inode Number: 96
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
DACL - ACEs
ALLOW-Everyone-0x1f01ff-(Inherited)
ALLOW-Everyone-0x10000000-OI|CI|IO (Inherited)
- The only change made to any child object is the security style
- Example
Cluster::> vserver security file-directory show -vserver Vs1 -path /vol1/new.txt
Vserver: Vs1
File Path: /vol1/new.txt
File Inode Number: 102
Security Style: ntfs
Effective Style: unix
DOS Attributes: 20
DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 1
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: -
- Perform the following steps on a Windows client to propagate DACL information to sub-folders and files:
- Access the share from Windows, open Properties, and navigate to the Advanced option in the Security tab
- Click on "Change" next to Owner and select an appropriate user
- Select the "Replace all child object permission entries with inheritable permission entries from this object" option and click Apply
Note: You can add or remove DACL entries on the parent folder, based on your requirements, before selecting the above option.
- After this process finishes, all child objects will now show NTFS as the effective security style and will have the NTFS ACL applied
- Until this process finishes, ONTAP will enforce UNIX permissions
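The check below is an added example, not NetApp code: it parses saved `vserver security file-directory show` output and lists the objects that are set to NTFS but still enforce UNIX mode bits, plus any object whose DACL grants Everyone full control, so the parent DACL can be reviewed before it is propagated. The function names and the sample text are assumptions; the sample is constructed from values shown in this article.

```python
import re

# Constructed sample in the `vserver security file-directory show` format (some fields omitted).
SAMPLE = """\
(vserver security file-directory show)
Vserver: svm01
File Path: /vol1/tree3
Security Style: ntfs
Effective Style: ntfs
UNIX Mode Bits: 777
ACLs: NTFS Security Descriptor
DACL - ACEs
ALLOW-Everyone-0x1f01ff
ALLOW-Everyone-0x10000000-OI|CI|IO
Vserver: svm01
File Path: /vol1/tree3/folder1/file2.txt
Security Style: ntfs
Effective Style: unix
UNIX Mode Bits: 755
ACLs: -
"""

FIELD = re.compile(r"^\s*(Vserver|File Path|Security Style|Effective Style|UNIX Mode Bits):\s*(.*)$")
ACE = re.compile(r"^\s*(ALLOW|DENY)-(.+?)-(0x[0-9a-fA-F]+)")
FULL_CONTROL = 0x1F01FF  # NTFS "Full Control" access mask

def parse_records(text):
    """One dict per object; each 'Vserver:' line starts a new record."""
    records = []
    for line in text.splitlines():
        field, ace = FIELD.match(line), ACE.match(line)
        if field and field.group(1) == "Vserver":
            records.append({"aces": []})
        if field and records:
            records[-1][field.group(1)] = field.group(2).strip()
        elif ace and records:
            records[-1]["aces"].append((ace.group(1), ace.group(2), int(ace.group(3), 16)))
    return records

def pending_propagation(records):
    """Objects set to NTFS where ONTAP still enforces UNIX mode bits."""
    return [(r["File Path"], r.get("UNIX Mode Bits")) for r in records
            if r.get("Security Style") == "ntfs" and r.get("Effective Style") == "unix"]

def everyone_full_control(records):
    """Objects whose DACL allows Everyone full control."""
    return [r["File Path"] for r in records
            if any(kind == "ALLOW" and who == "Everyone" and mask & FULL_CONTROL == FULL_CONTROL
                   for kind, who, mask in r["aces"])]
```

An empty `pending_propagation` result for every path under the volume means the inheritance step has completed for those objects.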
Additional Information
- Output from file-directory show on the qtree and files/folders present under it when security style of qtree is UNIX
- Example
::> file-directory show -vserver svm01 -path /vol1/tree3
(vserver security file-directory show)
Vserver: svm01
File Path: /vol1/tree3
File Inode Number: 1346562
Security Style: unix
Effective Style: unix
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 755
UNIX Mode Bits in Text: rwxr-xr-x
ACLs: -
::> file-directory show -vserver svm01 -path /vol1/tree3/folder1
(vserver security file-directory show)
Vserver: svm01
File Path: /vol1/tree3/folder1
File Inode Number: 1346564
Security Style: unix
Effective Style: unix
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 1
UNIX Mode Bits: 755
UNIX Mode Bits in Text: rwxr-xr-x
ACLs: -
::> file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt
(vserver security file-directory show)
Vserver: svm01
File Path: /vol1/tree3/folder1/file2.txt
File Inode Number: 1346565
Security Style: unix
Effective Style: unix
DOS Attributes: 20
DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 1
UNIX Mode Bits: 755
UNIX Mode Bits in Text: rwxr-xr-x
ACLs: -
- Output from file-directory show on qtree and files/folders present under it when security style of qtree is modified to NTFS and without inheriting permission to child objects on a Microsoft Windows client
- Example
::> file-directory show -vserver svm01 -path /vol1/tree3
(vserver security file-directory show)
Vserver: svm01
File Path: /vol1/tree3
File Inode Number: 1346562
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
DACL - ACEs
ALLOW-Everyone-0x1f01ff
ALLOW-Everyone-0x10000000-OI|CI|IO
::> file-directory show -vserver svm01 -path /vol1/tree3/folder1
(vserver security file-directory show)
Vserver: svm01
File Path: /vol1/tree3/folder1
File Inode Number: 1346564
Security Style: ntfs
Effective Style: unix
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 1
UNIX Mode Bits: 755
UNIX Mode Bits in Text: rwxr-xr-x
ACLs: -
::> file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt
(vserver security file-directory show)
Vserver: svm01
File Path: /vol1/tree3/folder1/file2.txt
File Inode Number: 1346565
Security Style: ntfs
Effective Style: unix
DOS Attributes: 20
DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 1
UNIX Mode Bits: 755
UNIX Mode Bits in Text: rwxr-xr-x
ACLs: -
- Output from file-directory show on the qtree and files/folders present under it when security style of qtree is modified to NTFS and with inheriting permission to child objects on a Microsoft Windows client
- Example
::> file-directory show -vserver svm01 -path /vol1/tree3/folder1
(vserver security file-directory show)
Vserver: svm01
File Path: /vol1/tree3/folder1
File Inode Number: 1346564
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 1
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x8504
Owner:BUILTIN\Administrators
Group:NASLAB\Domain Users
DACL - ACEs
ALLOW-Everyone-0x1f01ff-OI|CI (Inherited)
::> file-directory show -vserver svm01 -path /vol1/tree3/folder1/file2.txt
(vserver security file-directory show)
Vserver: svm01
File Path: /vol1/tree3/folder1/file2.txt
File Inode Number: 1346565
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 20
DOS Attributes in Text: ---A----
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 1
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x8504
Owner:BUILTIN\Administrators
Group:NASLAB\Domain Users
DACL - ACEs
ALLOW-Everyone-0x1f01ff-(Inherited)