Copying ACLs from SMB shares

Contributors netapp-bcammett

Cloud Sync can copy access control lists (ACLs) between a source SMB share and a target SMB share, or from a source SMB share to object storage (except for ONTAP S3). If needed, you also have the option to manually preserve ACLs between SMB shares by using robocopy.

Note Cloud Sync doesn’t support copying ACLs back from object storage to SMB shares.

Setting up Cloud Sync to copy ACLs from an SMB server

Copy ACLs from an SMB server by enabling a setting when you create a relationship or after you create a relationship.

What you’ll need

This feature works with any type of data broker: the AWS, Azure, Google Cloud Platform, or on-prem data broker. The on-prem data broker can run any supported operating system.

Steps for a new relationship
  1. From Cloud Sync, click Create New Sync.

  2. Drag and drop SMB Server to the source, choose an SMB server or object storage as the target, and click Continue.

  3. On the SMB Server page:

    1. Enter a new SMB server or select an existing server and click Continue.

    2. Enter credentials for the SMB server.

    3. Select Copy Access Control Lists to the target and click Continue.

      A screenshot that shows the option to enable Copy Access Control Lists to the target.

  4. Follow the remaining prompts to create the sync relationship.

    When you copy ACLs from SMB to object storage, you can choose to copy the ACLs to the object’s tags or on the object’s metadata, depending on the target. For Azure and Google Cloud Storage, only the metadata option is available.

    The following screenshot shows an example of the step where you can make this choice.

    A screenshot of the sixth step in the sync relationship wizard when copying to object storage. You can choose to save the ACLs to the object’s tags or metadata.

Steps for an existing relationship
  1. Hover over the sync relationship and click the action menu.

  2. Click Settings.

  3. Select Copy Access Control Lists to the target.

  4. Click Save Settings.

Result

When syncing data, Cloud Sync preserves the ACLs between the source and target SMB shares, or from a source SMB share to object storage.

Manually copying ACLs between SMB shares

You can manually preserve ACLs between SMB shares by using the Windows robocopy command.

Steps
  1. Identify a Windows host that has full access to both SMB shares.

  2. If either of the endpoints require authentication, use the net use command to connect to the endpoints from the Windows host.

    You must perform this step before you use robocopy.

  3. From Cloud Sync, create a new relationship between the source and target SMB shares or sync an existing relationship.

  4. After the data sync is complete, run the following command from the Windows host to sync the ACLs and ownership:

    robocopy /E /COPY:SOU /secfix [source] [target] /w:0 /r:0 /XD ~snapshots /UNILOG:”[logfilepath]

    Both source and target should be specified using the UNC format. For example: \\<server>\<share>\<path>