Ski> Thanks for your reply.

You're welcome, always glad to help out when I can.

Ski> On 06/27/2011 01:19 PM, John Stoffel wrote:
>>>>>>> "Ski" == Ski Kacoroski<kacoro...@gmail.com> writes:

>> I think what you're trying to do isn't going to work well, if only
>> because NFS and NTFS have such different permissions models. The
>> closest you might get is to use NFSv4, but I'm sure there are still
>> problems there.

Ski> Agreed

>> In my experience, mixed mode qtrees lead to all kinds of hell,
>> because a user applies NTFS ACLs, then a unix user tries to access the
>> file and can't, even though the Unix permissions look fine, because
>> the NTFS ACLs deny the access.
>>
>> And it's hell to debug. In this case, it might be smarter to use your
>> Unix web server to access the Netapp purely through CIFS, and to give
>> the web server process access.

Ski> I agree with you on Mixed mode. I played with it over 10 years
Ski> ago and it was a mess back then.

I don't know anyone who's gotten mixed mode to work well.

Ski> 2. What settings do I need so a process can write via NFS and
Ski> folks can read the files from CIFS.
>>
>> Do you want to allow the users to re-set permissions from the CIFS
>> side? And do your usernames/password match between NFS/CIFS land?

Ski> I already keep the passwords in sync between unix and AD. The users do
Ski> not make any permission changes. I have a unix database that writes out
Ski> reports to our current NAS via NFS. Users can then see the reports via
Ski> CIFS. Users can also put spreadsheets into an upload directory via CIFS
Ski> and the unix database will read them in.

Ok, so it sounds like you've got a very locked down process here, so
it should be possible to do what you want. The only gotcha might be
in setting permissions on new files when written on the Unix side, to
match the NTFS ACLs you want them to have. And that's the kicker I
think.

>> Again, I'd probably just NOT share the volume via NFS that's running
>> CIFS and instead use smbfs on linux (or some other Unixy OS) to mount
>> the CIFS filesystem.

Ski> I could do this I suppose. Just lots more work on the cut over.

Yes, it would be more work. What is your existing setup using for a
NAS?

>> Another reason I suggest all this is that you're in a school
>> environment, and students tend to have lots of time to spend looking
>> for holes in your security. So making your setup as *simple* as
>> possible is key. Because through simplicity comes better management
>> and it's easier to verify you got things locked down properly.

Ski> I agree with KISS. I was just trying to get as close to what we have
Ski> now because other than the NAS system not being supported any more, it
Ski> works pretty well.

What NAS system are you using?

John
_______________________________________________
Tech mailing list
Tech@lists.lopsa.org
https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/