Skip to main content
NetApp Knowledge Base

How does ONTAP generate permissions for NFS and CIFS clients, when the volume security style is not native to the protocol?

Views:
2,413
Visibility:
Public
Votes:
1
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

ONTAP 9

Answer

NFS clients accessing NTFS security files/folders

NTFS ACLs are translated into the least permissive variant of Unix modebits, and are applied to the Owner, Owner Group, and Other fields as they would apply to a user making a request. Ownership of a file is determined by the UID & GID of the mapped user that wrote the ownership information. The "other" field may be present, depending on if an equivalent SID has explicit permissions (such as Everyone).  This can lead to some confusion if an Administrator assigns an arbitrary owner of an object, as the resulting Unix permissions will reflect their mapping, rather than the new owner's.

The following Access Masks will translate into modebits directly:

  • Read & Execute (r-x),
  • Read (r--),
  • Write (-w-),
  • Modify (rwx),
  • Full Control (rwx),
  • Traverse Folder / Execute File (--x),
  • Create Files / Write Data(-w-),
  • List Folders / Read Data (r--)

Other special permissions don't have a direct translation into Unix modebits. In those cases, it is not possible to express a client's ability to perform such an action with modebits alone.

CIFS clients accessing UNIX security files/folders

Unix permissions are translated into NTFS ACLs, when the option -is-unix-nt-acl-enabled is set to true (default).

These fields are translated into a fake SID by default, showing

  • UNIXPermUid\User
  • UNIXPermGid\Group
  • other
  • the current accessing user

The entry for the current accessing user is a representation of the effective permissions for the user and is not an applied permission on the file/folder.

The resulting NTFS ACL will appear more permissive, compared to the modebits, as there are permissions that do not have a translation. ONTAP tries to preserve the client's expectation with this translation - a Windows user whose mapped user would get rwx would effectively have a Full Control ACL, even though this provides special permissions that a Unix user could not be explicitly given via modebits.

Both translations are performed when permissions are written.

Additional Information

SID/Prefix

 

 

Placeholder Name

 

 

S-1-5-21-2038298172-1297133386-11111-<uidNumber>

 

 

UNIXPermUid

 

 

S-1-5-21-2038298172-1297133386-22222-<gidNumber>

 

 

UNIXPermGid

 

 

S-1-5-21-2038298172-1297133386-33333

 

 

UNIXPerm\other

 

 

 

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.
  • Was this article helpful?