Saturday, 25 July 2015

PowerShell Script Scheduler / Automator

This little script is designed for those occasions where you want to schedule / automate the running of a PowerShell script, but are stymied by Enterprise restrictions preventing you from setting up standard Windows scheduled tasks. This PowerShell script will schedule on a daily basis: at a specific minute (but not exactly on the minute) of a specific hour, on specific days of the week. It’s simple and solves a problem. It does require the user running the script (and whatever script the script needs to run) to remain logged in (and I’d recommend logged into the console session); after a reboot, the user will need to log back in and restart the scheduler (perhaps with a simple batch file to kick it off).

The code (formatted for blogger) is below. As always, copy and paste into a text editor and save as say “PS-Script-Scheduler.ps1”.

###########################################
# PowerShell Script Scheduler / Automator #
############################################################
# + Include PS script to be scheduled and all switches.    #
# + Mandatory switches: -Script, -Minute, -Hour, -Days     #
# + Do not abbreviate days of the week!                    #
# + If you don't specify -Runs or set it to 0,             #
#   the program runs infinitely until terminated.          #
# + Usage example:                                         #
# .\PS-Script-Scheduler.ps1 -Script ".\script.ps1 -Sw1"    #
#     -Minute 0 -Hour 6 -Days Tuesday,Friday               #
############################################################

Param(
    [Parameter(Mandatory=$true)][String]$Script,
    [Parameter(Mandatory=$true)][String]$Minute,
    [Parameter(Mandatory=$true)][String]$Hour,
    [Parameter(Mandatory=$true)][System.Array]$Days,
    [Int]$Runs
)

[Int]$RunsCount = 0
[Boolean]$Triggered = $FALSE
while($TRUE){
    # The Script Scheduler checks time every 60 seconds
    Start-Sleep 60
    $Date = Get-Date
    If(!$Triggered){
        # Fire on the first check at or after -Minute within -Hour
        If($Date.Minute -ge [Int]$Minute){
            If($Date.Hour -eq [Int]$Hour){
                Foreach($Day in $Days){
                    If($Date.DayOfWeek -eq $Day){
                        # Invoke-Expression runs the whole -Script string as PowerShell code
                        # (script path plus switches), so the string must come from a trusted source
                        Invoke-Expression $Script
                        $Triggered = $TRUE
                        $RunsCount++
                        "TRIGGERED at $Date"
                        "Invoked expression:"
                        "$Script"
                    }
                }
            }
        }
    }
    If($Triggered){
        If($Date.Hour -ne [Int]$Hour){
            # Reset the trigger once the scheduled hour has passed
            $Triggered = $FALSE
        }
    }
    # -Runs not specified (or 0) means run until terminated
    If($Runs){
        If($RunsCount -ge $Runs){ EXIT }
    }
}

Thursday, 23 July 2015

Initialize-NcObjectProperty, -Template and Get-NcVol

When you’re building PowerShell tools for your Enterprise using the Data ONTAP PowerShell Toolkit, it’s important to understand the use of Initialize-NcObjectProperty and -Template. Together, these allow you to limit the amount of data pulled from your Cluster, and this can massively speed up your scripts, as well as save processing load on the Cluster Nodes. Without using -Template you pull all the information that the Get-Nc* command can grab. And the best example is Get-NcVol.

It’s always easiest to demonstrate things with an example, so here’s an example using -Template to gather minimal attributes, and query for just "rw" volumes.

$Attributes = Get-NcVol -Template
$Query = Get-NcVol -Template
Initialize-NcObjectProperty -object $Query -name VolumeIdAttributes
$Query.VolumeIdAttributes.Type = "rw"
$RWvolumes = Get-NcVol -Attributes $Attributes -Query $Query

To understand where to use Initialize-NcObjectProperty, a very useful script is Display-All.ps1. Basically, for anything shown with two dots "..", if you want to obtain that information as an attribute or use it in a query, you must first initialize the single-dot "." property above it. Below is an example of using Display-All for a Get-NcVol request (as you see, a simple Get-NcVol for just one volume brings back a lot of info):

PS C:\> display-all (get-ncvol -Name cvol001) -all
.Name                          = cvol001
.Volume64bitUpgradeAttributes  =
.VolumeAntivirusAttributes
..OnAccessPolicy               = default
.VolumeAutobalanceAttributes   =
.VolumeAutosizeAttributes
..GrowThresholdPercent         = 85
..IncrementPercent             =
..IncrementSize                = 107372544
..IsEnabled                    = False
..MaximumSize                  = 2576977920
..MinimumSize                  = 2147483648
..Mode                         = off
..Reset                        =
..ShrinkThresholdPercent       = 50
.VolumeCloneAttributes         =
.VolumeDirectoryAttributes
..I2pEnabled                   = True
..IndexDirEnabled              =
..MaxDirSize                   = 16723968
..RootDirGen                   = 7802560
.VolumeExportAttributes
..Policy                       = TEST
.VolumeFlexcacheAttributes     =
.VolumeHybridCacheAttributes
..CachingPolicy                =
..Eligibility                  = read_write
..WriteCacheIneligibilityReaso =
.VolumeIdAttributes
..Comment                      =
..ConstituentRole              =
..ContainingAggregateName      = aggr1
..ContainingAggregateUuid      = aff39dba-eef6-4e8e-b3e3-86657a55b8d6
..CreationTime                 = 1428069446
..CreationTimeDT               = 04/03/2015 14:57:26
..Dsid                         = 1026
..Fsid                         = 1026
..InstanceUuid                 = 8256b65f-ce2e-4665-847c-72cbee62895a
..JunctionParentName           =
..JunctionPath                 =
..Msid                         = 2147484674
..Name                         = cvol001
..NameOrdinal                  = base
..Node                         =
..ProvenanceUuid               = 8256b65f-ce2e-4665-847c-72cbee62895a
..Style                        = flex
..Type                         = rw
..Uuid                         = 5c2628eb-da09-11e4-b88a-123478563412
.VolumeInfinitevolAttributes   =
.VolumeInodeAttributes
..BlockType                    = 64_bit
..FilesPrivateUsed             = 509
..FilesTotal                   = 62244
..FilesUsed                    = 116
..InodefilePrivateCapacity     = 31142
..InodefilePublicCapacity      = 31142
.VolumeLanguageAttributes
..IsConvertUcodeEnabled        = True
..IsCreateUcodeEnabled         = True
..Language                     = en (English)
..LanguageCode                 = en
..NfsCharacterSet              = iso-8859-1|iso-8859-1|Thu Oct  1 22:00:53 GMT 1998
..OemCharacterSet              = cp850|cp850|Thu Oct  1 22:00:53 GMT 1998
.VolumeMirrorAttributes
..IsDataProtectionMirror       = False
..IsLoadSharingMirror          = False
..IsMoveMirror                 = False
..IsReplicaVolume              = False
..MirrorTransferInProgress     = False
..RedirectSnapshotId           = 0
.VolumePerformanceAttributes
..ExtentEnabled                = off
..FcDelegsEnabled              = True
..IsAtimeUpdateEnabled         = True
..MaxWriteAllocBlocks          = 0
..MinimalReadAhead             = False
..ReadRealloc                  = off
.VolumeQosAttributes           =
.VolumeSecurityAttributes
..Style                        = ntfs
..VolumeSecurityUnixAttributes
...GroupId                     =
...Permissions                 = 0
...UserId                      =
.VolumeSisAttributes
..CompressionSpaceSaved        = 0
..DeduplicationSpaceSaved      = 0
..DeduplicationSpaceShared     = 0
..IsSisLoggingEnabled          = False
..IsSisVolume                  = False
..PercentageCompressionSpaceSa = 0
..PercentageDeduplicationSpace = 0
..PercentageTotalSpaceSaved    = 0
..TotalSpaceSaved              = 0
.VolumeSnapshotAttributes
..AutoSnapshotsEnabled         = True
..SnapdirAccessEnabled         = True
..SnapshotCloneDependencyEnabl = False
..SnapshotCount                = 18
..SnapshotPolicy               = 1M_2W_13N_23H
.VolumeSnapshotAutodeleteAttributes
..Commitment                   = try
..DeferDelete                  = user_created
..DeleteOrder                  = oldest_first
..DestroyList                  = none
..IsAutodeleteEnabled          = False
..Prefix                       = (not specified)
..TargetFreeSpace              = 20
..Trigger                      = volume
.VolumeSpaceAttributes
..FilesystemSize               = 2147483648
..IsFilesysSizeFixed           = False
..IsSpaceGuaranteeEnabled      = True
..OverwriteReserve             = 0
..OverwriteReserveRequired     = 0
..OverwriteReserveUsed         = 0
..OverwriteReserveUsedActual   = 0
..PercentageFractionalReserve  = 0
..PercentageSizeUsed           = 5
..PercentageSnapshotReserve    = 5
..PercentageSnapshotReserveUse = 2
..PhysicalUsed                 =
..PhysicalUsedPercent          =
..Size                         = 2147483648
..SizeAvailable                = 2039791616
..SizeAvailableForSnapshots    = 2145214464
..SizeTotal                    = 2040111104
..SizeUsed                     = 319488
..SizeUsedBySnapshots          = 1949696
..SnapshotReserveSize          = 107372544
..SpaceFullThresholdPercent    = 98
..SpaceGuarantee               = none
..SpaceMgmtOptionTryFirst      = volume_grow
..SpaceNearlyFullThresholdPerc = 95
.VolumeStateAttributes
..BecomeNodeRootAfterReboot    = False
..ForceNvfailOnDr              =
..IgnoreInconsistent           = False
..InNvfailedState              = False
..IsClusterVolume              = True
..IsConstituent                = False
..IsInconsistent               = False
..IsInvalid                    = False
..IsJunctionActive             =
..IsMoving                     = False
..IsNodeRoot                   = False
..IsNvfailEnabled              = False
..IsQuiescedInMemory           = False
..IsQuiescedOnDisk             = False
..IsUnrecoverable              = False
..IsVolumeInCutover            = False
..State                        = online
.VolumeStripingAttributes      =
.VolumeTransitionAttributes
..IsCopiedForTransition        = False
..IsTransitioned               = False
..TransitionBehavior           = none
.VolumeVmAlignAttributes       =
.Aggregate                     = aggr1
.Available                     = 2039791616
.Dedupe                        = False
.FilesTotal                    = 62244
.FilesUsed                     = 116
.IsInfiniteVolume              = False
.JunctionPath                  =
.State                         = online
.TotalSize                     = 2147483648
.Used                          = 5

Monday, 20 July 2015

UNIX/Linux Files/Folders where 777 Permissions is a No No

Running “chmod -R 777 /” on a UNIX/Linux system is destructive (see Why is “chmod -R 777 /” destructive? for a very good write up). The following post is an attempt to list all the Files/Folders where having 777 permissions on them will stop certain things working.

Note: I don’t say break since by design certain UNIX/Linux applications will simply not work if they see the 777 - maximum permissive - permission on certain files/folders, to keep the user safe.

Please feel free to add comments with other Files/Folders, and I will endeavour to update the list.

Files/Folders [Sources]

/usr/bin/sudo [2][3]
/etc/mail (SendMail) [3]
/.ssh [3][4][5][7]
/tmp [3]
/var/tmp [3]
/dev [3]
/proc [3]
~ [4][6]
/home/{your_user} [4]
authorized_keys [4][5][13]
authorized_keys2 [7]
sssd.conf [8]
/authorizedkeys [9]
authorized-keys [9]
$HOME/.ssh [10]
id_dsa [10]
id_rsa [10]
id_dsa.pub [10]
id_rsa.pub [10]
known_hosts [10]
/var/www/RESTRICTED_DIR [11]
/root [12]

+ sockets [3]
+ pipes [3]

References

[8] JP

Sunday, 19 July 2015

Investigating the Effect of NTACL Display Permissive Permissions

I needed to investigate the effect of the NTACL Display Permissive Permissions option, that’s by default turned off in 7-Mode, but tuneable; effectively on in cDOT until 8.3.1, and not tuneable; and then by default off in cDOT 8.3.1 and tuneable again.

The notes below are fairly raw lab re-creation steps, and they test 5 things.

What permissions does a UNIX client see when it accesses a file in an NTFS qtree on which the UNIX-to-NT mapped user has only NT Modify permissions?

1) On 7-Mode 8.1.2P4 with the option off
2) On 7-Mode 8.1.2P4 with the option on
3) On cDOT 8.2.3 (the option does not exist but is effectively on)
4) On cDOT 8.3.1 with the option off (default)
5) On cDOT 8.3.1 with the option on

And the conclusion we reach is that cDOT 8.3.1 behaves exactly like 7-Mode did with this option.

######################
######################
## Setting up in AD ##
######################
######################

See screenshot for New User MRSFTP.

######################
######################
## Set up on CENTOS ##
######################
######################

[root@localhost ~]# groupadd SFTPGROUP -g 12345
[root@localhost ~]# useradd SFTPUSER -u 12345 -g 12345 -p

###################################
###################################
## Re-creating on 7-Mode 8.1.2P4 ##
###################################
###################################

# N.B. We already have NFS and CIFS running on our 7-Mode system. To check:
#
# > nfs status
# NFS server is running.
#
# > cifs restart
# CIFS is already running.
#
# Also, we're using the default options nfs.ntacl_display_permissive_perms off. To check:
#
# > priv set diag
# *> options nfs.ntacl_display_permissive_perms
# nfs.ntacl_display_permissive_perms off

vol create TEST777 -s none aggr1 2g
qtree security /vol/TEST777 # Verify that the volume is NTFS security style
cifs shares -add TEST777 /vol/TEST777
cifs shares TEST777 # By default it gets everyone / Full Control
cifs access -delete TEST777 everyone
cifs access TEST777 "BUILTIN\Administrators" Full Control
cifs access TEST777 "NT AUTHORITY\Authenticated Users" Change
qtree create /vol/TEST777/FTPSHARE
qtree security /vol/TEST777/FTPSHARE # Verify that the qtree is NTFS security style
cifs shares -add FTPSHARE /vol/TEST777/FTPSHARE
cifs shares FTPSHARE # By default it gets everyone / Full Control
cifs access -delete FTPSHARE everyone
cifs access FTPSHARE "BUILTIN\Administrators" Full Control
cifs access FTPSHARE "NT AUTHORITY\Authenticated Users" Change
exportfs -p rw=10.10.10.64,root=10.10.10.64 /vol/TEST777/FTPSHARE
wrfile -a /etc/passwd SFTPUSER::12345:12345::/:
wrfile -a /etc/usermap.cfg LAB\MRSFTP == SFTPUSER

##################################
# Setting QTREE NTFS PERMISSIONS #
##################################

See screenshot

#####################
# Testing on CENTOS #
#####################

[root@localhost ~]# mkdir /mnt/7M812_FTPSHARE
[root@localhost ~]# mount 10.10.10.204:/vol/TEST777/FTPSHARE /mnt/7M812_FTPSHARE
[root@localhost ~]# cd /mnt/7M812_FTPSHARE
bash: cd: /mnt/7M812_FTPSHARE: Permission denied
[root@localhost ~]# su SFTPUSER
[SFTPUSER@localhost root]$ cd /mnt/7M812_FTPSHARE
[SFTPUSER@localhost 7M812_FTPSHARE]$ mkdir .ssh
[SFTPUSER@localhost 7M812_FTPSHARE]$ cd .ssh
[SFTPUSER@localhost .ssh]$ touch authorized_keys
[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 07:36 .
drwx------. 4 root     root      4.0K Jul 19 07:35 ..
-rwx------. 1 SFTPUSER SFTPGROUP    0 Jul 19 07:36 authorized_keys

###################################
# And if we switch the option on? #
###################################

priv set diag
options nfs.ntacl_display_permissive_perms on

#####################
# Testing on CENTOS #
#####################

[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 07:36 .
drwxrwxrwx. 4 root     root      4.0K Jul 19 07:35 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP    0 Jul 19 07:36 authorized_keys

#########################################
# And if we switch the option back off? #
#########################################

priv set diag
options nfs.ntacl_display_permissive_perms off

#####################
# Testing on CENTOS #
#####################

[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 07:36 .
drwx------. 4 root     root      4.0K Jul 19 07:35 ..
-rwx------. 1 SFTPUSER SFTPGROUP    0 Jul 19 07:36 authorized_keys

###############################
###############################
## Re-creating on cDOT 8.2.3 ##
###############################
###############################

# We already have a Vserver set up and running NFS and CIFS, with an NTFS security style rootvol which uses the default export-policy. To check:
#
# ::> nfs show -vserver CIFSV1 -fields access
# vserver access
# ------- ------
# CIFSV1  true
#
# ::> cifs show -vserver CIFSV1 -fields status-admin
# vserver status-admin
# ------- ------------
# CIFSV1  up
#
# ::> volume show -vserver CIFSV1 -volume rootvol -fields security-style,policy
# vserver volume  policy  security-style
# ------- ------- ------- --------------
# CIFSV1  rootvol default ntfs

volume create  -vserver CIFSV1 -volume TEST777 -aggregate N1_aggr1 -size 2g -security-style NTFS
volume mount -vserver CIFSV1 -volume TEST777 -junction-path /TEST777
cifs share create -vserver CIFSV1 -share-name TEST777 -path /TEST777 -share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs share access-control delete -vserver CIFSV1 -share TEST777 -user-or-group Everyone
cifs share access-control create -vserver CIFSV1 -share TEST777 -user-or-group "BUILTIN\Administrators" -permission Full_Control
cifs share access-control create -vserver CIFSV1 -share TEST777 -user-or-group "NT AUTHORITY\Authenticated Users" -permission change
qtree create -vserver CIFSV1 -volume TEST777 -qtree FTPSHARE -security-style NTFS
cifs share create -vserver CIFSV1 -share-name FTPSHARE -path /TEST777/FTPSHARE -share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs share access-control delete -vserver CIFSV1 -share FTPSHARE -user-or-group Everyone
cifs share access-control create -vserver CIFSV1 -share FTPSHARE -user-or-group "BUILTIN\Administrators" -permission Full_Control
cifs share access-control create -vserver CIFSV1 -share FTPSHARE -user-or-group "NT AUTHORITY\Authenticated Users" -permission change
export-policy create -vserver CIFSV1 -policyname READONLY
export-policy rule create -vserver CIFSV1 -policyname READONLY -ruleindex 1 -protocol nfs -clientmatch 0.0.0.0/0 -rorule any -rwrule never -anon 65534 -superuser none -allow-suid true -allow-dev true
export-policy rule create -vserver CIFSV1 -policyname READONLY -ruleindex 2 -protocol cifs -clientmatch 0.0.0.0/0 -rorule any -rwrule any -anon 65534 -superuser none -allow-suid true -allow-dev true
volume modify -vserver CIFSV1 -volume TEST777 -policy READONLY
export-policy create -vserver CIFSV1 -policyname TEST777_FTPSHARE
export-policy rule create -vserver CIFSV1 -policyname TEST777_FTPSHARE -ruleindex 1 -protocol any -clientmatch 10.10.10.64 -rorule sys -rwrule sys -anon 65534 -superuser sys -allow-suid true -allow-dev true
qtree modify -vserver CIFSV1 -volume TEST777 -qtree FTPSHARE -export-policy TEST777_FTPSHARE
unix-group create -vserver CIFSV1 -name SFTPGROUP -id 12345
unix-user create -vserver CIFSV1 -user SFTPUSER -id 12345 -primary-gid 12345
name-mapping create -vserver CIFSV1 -direction unix-win -position 10 -pattern SFTPUSER -replacement LAB\\MRSFTP
name-mapping create -vserver CIFSV1 -direction win-unix -position 10 -pattern LAB\\MRSFTP -replacement SFTPUSER

##################################
# Setting QTREE NTFS PERMISSIONS #
##################################

See screenshot

#####################
# Testing on CENTOS #
#####################

[root@localhost ~]# mkdir /mnt/CM823_FTPSHARE
[root@localhost ~]# mount 10.10.10.246:TEST777/FTPSHARE /mnt/CM823_FTPSHARE
[root@localhost ~]# cd /mnt/CM823_FTPSHARE
bash: cd: /mnt/CM823_FTPSHARE: Permission denied
[root@localhost ~]# su SFTPUSER
[SFTPUSER@localhost root]$ cd /mnt/CM823_FTPSHARE
[SFTPUSER@localhost CM823_FTPSHARE]$ mkdir .ssh
[SFTPUSER@localhost CM823_FTPSHARE]$ cd .ssh
[SFTPUSER@localhost .ssh]$ touch authorized_keys
[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 05:22 .
drwxrwxrwx. 3 root     root      4.0K Jul 19 05:21 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP    0 Jul 19 05:22 authorized_keys

#######################################################
# What if we'd set Domain Admins to Modify only also? #
#######################################################

See screenshot

#####################
# Testing on CENTOS #
#####################

[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 05:22 .
drwxrwxrwx. 3 root     root      4.0K Jul 19 05:21 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP    0 Jul 19 05:22 authorized_keys

###############################
###############################
## Re-creating on cDOT 8.3.1 ##
###############################
###############################

# N.B. We already have a Vserver set up and running NFS and CIFS, with an NTFS security style rootvol which uses the default export-policy
# To check:
#
# ::> nfs show -vserver SVM01 -fields access
# vserver access
# ------- ------
# SVM01   true
#
# ::> cifs show -vserver SVM01 -fields status-admin
# vserver status-admin
# ------- ------------
# SVM01   up
#
# ::> volume show -vserver SVM01 -volume SVM01_root -fields security-style,policy
# vserver volume     policy  security-style
# ------- ---------- ------- --------------
# SVM01   SVM01_root default ntfs
#
# And what is the current setting for "Display maximum NT ACL Permissions to NFS Client"
#
# ::> set adv
# ::*> nfs server show -vserver SVM01 -fields ntacl-display-permissive-perms
# vserver ntacl-display-permissive-perms
# ------- ------------------------------
# SVM01   disabled

volume create  -vserver SVM01 -volume TEST777 -aggregate NACLU6N1_aggr1 -size 2g -security-style NTFS
volume mount -vserver SVM01 -volume TEST777 -junction-path /TEST777
cifs share create -vserver SVM01 -share-name TEST777 -path /TEST777 -share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs share access-control delete -vserver SVM01 -share TEST777 -user-or-group Everyone
cifs share access-control create -vserver SVM01 -share TEST777 -user-or-group "BUILTIN\Administrators" -permission Full_Control
cifs share access-control create -vserver SVM01 -share TEST777 -user-or-group "NT AUTHORITY\Authenticated Users" -permission change
qtree create -vserver SVM01 -volume TEST777 -qtree FTPSHARE -security-style NTFS
cifs share create -vserver SVM01 -share-name FTPSHARE -path /TEST777/FTPSHARE -share-properties oplocks,browsable,changenotify -symlink-properties hide
cifs share access-control delete -vserver SVM01 -share FTPSHARE -user-or-group Everyone
cifs share access-control create -vserver SVM01 -share FTPSHARE -user-or-group "BUILTIN\Administrators" -permission Full_Control
cifs share access-control create -vserver SVM01 -share FTPSHARE -user-or-group "NT AUTHORITY\Authenticated Users" -permission change
export-policy create -vserver SVM01 -policyname READONLY
export-policy rule create -vserver SVM01 -policyname READONLY -ruleindex 1 -protocol nfs -clientmatch 0.0.0.0/0 -rorule any -rwrule never -anon 65534 -superuser none -allow-suid true -allow-dev true
export-policy rule create -vserver SVM01 -policyname READONLY -ruleindex 2 -protocol cifs -clientmatch 0.0.0.0/0 -rorule any -rwrule any -anon 65534 -superuser none -allow-suid true -allow-dev true
volume modify -vserver SVM01 -volume TEST777 -policy READONLY
export-policy create -vserver SVM01 -policyname TEST777_FTPSHARE
export-policy rule create -vserver SVM01 -policyname TEST777_FTPSHARE -ruleindex 1 -protocol any -clientmatch 10.10.10.64 -rorule sys -rwrule sys -anon 65534 -superuser sys -allow-suid true -allow-dev true
qtree modify -vserver SVM01 -volume TEST777 -qtree FTPSHARE -export-policy TEST777_FTPSHARE
unix-group create -vserver SVM01 -name SFTPGROUP -id 12345
unix-user create -vserver SVM01 -user SFTPUSER -id 12345 -primary-gid 12345
name-mapping create -vserver SVM01 -direction unix-win -position 10 -pattern SFTPUSER -replacement LAB\\MRSFTP
name-mapping create -vserver SVM01 -direction win-unix -position 10 -pattern LAB\\MRSFTP -replacement SFTPUSER

# N.B.: The default export-policy in 8.3.X has no rules, hence we create them:

export-policy rule create -vserver SVM01 -policyname default -ruleindex 1 -protocol any -clientmatch 0.0.0.0/0 -rorule any -rwrule any -anon 65534 -superuser none -allow-suid true -allow-dev true

##################################
# Setting QTREE NTFS PERMISSIONS #
##################################

See screenshot

#####################
# Testing on CENTOS #
#####################

[root@localhost ~]# mkdir /mnt/CM831_FTPSHARE_NTACL_DISABLED
[root@localhost ~]# mount 10.10.10.101:TEST777/FTPSHARE /mnt/CM831_FTPSHARE_NTACL_DISABLED
[root@localhost ~]# cd /mnt/CM831_FTPSHARE_NTACL_DISABLED
bash: cd: /mnt/CM831_FTPSHARE_NTACL_DISABLED: Permission denied
[root@localhost ~]# su SFTPUSER
[SFTPUSER@localhost root]$ cd /mnt/CM831_FTPSHARE_NTACL_DISABLED
[SFTPUSER@localhost CM831_FTPSHARE_NTACL_DISABLED]$ mkdir .ssh
[SFTPUSER@localhost CM831_FTPSHARE_NTACL_DISABLED]$ cd .ssh
[SFTPUSER@localhost .ssh]$ touch authorized_keys
[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 06:03 .
drwx------. 3 root     root      4.0K Jul 19 06:03 ..
-rwx------. 1 SFTPUSER SFTPGROUP    0 Jul 19 06:03 authorized_keys

#################################################################
# Changing the NTACL-DISPLAY-PERMISSIVE-PERMS Switch to ENABLED #
#################################################################

set adv
nfs server modify -vserver SVM01 -ntacl-display-permissive-perms enabled

#####################
# Testing on CENTOS #
#####################

[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwxrwxrwx. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 06:03 .
drwxrwxrwx. 3 root     root      4.0K Jul 19 06:03 ..
-rwxrwxrwx. 1 SFTPUSER SFTPGROUP    0 Jul 19 06:03 authorized_keys

#######################################################################
# Changing the NTACL-DISPLAY-PERMISSIVE-PERMS Switch back to DISABLED #
#######################################################################

set adv
nfs server modify -vserver SVM01 -ntacl-display-permissive-perms disabled

#####################
# Testing on CENTOS #
#####################

[SFTPUSER@localhost .ssh]$ ls -alh
total 8.0K
drwx------. 2 SFTPUSER SFTPGROUP 4.0K Jul 19 06:03 .
drwx------. 3 root     root      4.0K Jul 19 06:03 ..
-rwx------. 1 SFTPUSER SFTPGROUP    0 Jul 19 06:03 authorized_keys
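
The listings above differ only in the group and other write bits shown to the NFS client, and those are the bits that matter for the .ssh and authorized_keys entries in the 777 list earlier on this page. The shell functions below are an added example, not part of the original posts: they flag group- or world-writable modes either in a captured `ls -al` listing or on a live directory tree. The function names and the set of paths checked under the base directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not from the original posts.
# Flags entries whose mode shows group or other write access, which is the
# difference between the "option off" and "option on" listings above.

# has_loose_write MODESTRING
# MODESTRING is the first column of `ls -l`, e.g. "drwxrwxrwx." or "-rwx------."
# Position 6 is group write, position 9 is other write.
has_loose_write() {
    case $1 in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_listing
# Reads `ls -al` output on stdin and prints the name of every entry that is
# group- or world-writable. The "total" line and blank lines are skipped.
scan_listing() {
    while read -r mode _links _owner _group _size _mon _day _time name; do
        case $mode in
            total|'') continue ;;
        esac
        if has_loose_write "$mode"; then
            printf '%s\n' "$name"
        fi
    done
}

# mode_string PATH
# Prints the mode column for PATH itself (not for its contents).
mode_string() {
    ls -ld -- "$1" | awk '{print $1}'
}

# audit_ssh_tree BASE
# Checks BASE, BASE/.ssh and the key files named in the 777 list (assumed to
# live under BASE/.ssh). Prints one line per existing path and returns the
# number of loose paths, so 0 means nothing was flagged.
audit_ssh_tree() {
    base=$1
    loose=0
    for p in "$base" "$base/.ssh" \
             "$base/.ssh/authorized_keys" "$base/.ssh/authorized_keys2" \
             "$base/.ssh/id_rsa" "$base/.ssh/id_dsa" \
             "$base/.ssh/known_hosts"; do
        [ -e "$p" ] || continue
        m=$(mode_string "$p")
        if has_loose_write "$m"; then
            printf 'LOOSE %s %s\n' "$m" "$p"
            loose=$((loose + 1))
        else
            printf 'ok    %s %s\n' "$m" "$p"
        fi
    done
    return "$loose"
}

# Stand-alone use: pass the base directory to audit, e.g. the NFS mount point.
if [ "$#" -gt 0 ]; then
    audit_ssh_tree "$1"
fi
```

Run it against the mount point (for example `/mnt/CM831_FTPSHARE_NTACL_DISABLED`) before and after changing the option, or pipe a saved `ls -al` capture into `scan_listing`.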