Subscribe
Accepted Solution

CIFS local group issue with 9.1

[ Edited ]

Hi,

 

i upgraded a 2240 from 7mode to cdot, with 8.3.2p11 i made a complete init and after a minimal config i upgraded to 9.1p3. Here i have a strange issue with CIFS.

 

At the SystemManager i created a new CIFS SVM, on the first screen i entered all infos, the second screen with the AD join i skipped and on the third screen i enterd a password for the vsadmin and then i completed the wizard.

 

On the shell i entered:

 

vserver cifs create -vserver cifs-test  -cifs-server cifs-test -workgroup test

So i created a minimal CIFS configuration. Now i entered this command to see the rights of the local Administrator user:

 

diag secd authentication show-creds -node san-cl01-02 -vserver cifs-test  -win-name administrator

UNIX UID: pcuser <> Windows User: CIFS-TEST\Administrator (Windows Local User)

GID: pcuser
Supplementary GIDs:
  pcuser

Windows Membership:
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x2000):
  SeChangeNotifyPrivilege

My problems:

 

- Why is the mapping to "pcuser", not "root"?

- Why isn't there listed the "BUILTIN\Administrators" group at Windows membership?

 

 

On a other 2240 with 9.1p3 i got with a new SVM with a workgroup this result:

 

diag secd authentication show-creds -node na-cl01-01 -vserver test-cifs -win-name administrator

UNIX UID: root <> Windows User: TEST-CIFS\Administrator (Windows Local User)

GID: daemon
Supplementary GIDs:
  daemon

Windows Membership:
  BUILTIN\Administrators (Windows Alias)
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x2237):
  SeBackupPrivilege
  SeRestorePrivilege
  SeTakeOwnershipPrivilege
  SeSecurityPrivilege
  SeChangeNotifyPrivilege

This happens on every CIFS SVM i create. Even when i add a different SVM to the AD, the local groups don't work.

 

This is the local Administrators group:

 

group.jpg

 

My user, the Administrator of the CIFS SVM and the Domain Administrators are member.

 

Enter i the command again, i got this result:

 

diag secd authentication show-creds -node san-cl01-02 -vserver svm-cifs1 -win-name xx\basys_raudonis

UNIX UID: pcuser <> Windows User: XX\basys_raudonis (Windows Domain User)

GID: pcuser
Supplementary GIDs:
  pcuser

Windows Membership:
  XX\User-Standard (Windows Domain group)
  XX\Domänen-Benutzer (Windows Domain group)
  XX\Domänen-Admins (Windows Domain group)
  XX\User-WorkerOffice (Windows Domain group)
  XX\Abgelehnte RODC-Kennwortreplikationsgruppe (Windows Alias)
  Vom Dienst bestätigte ID (Windows Well known group)
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x2000):
  SeChangeNotifyPrivilege

So i got all AD Groups, but no local Groups. But there must be "BUILTIN\Users" and "BUILTIN\Administrators".

 

The main problem with this is, i can't access directory's that only grant access to the local Administrators group.

 

What goes wrong here? Have i missed something?

 

Kind regards

 

Stefan

 

Re: CIFS local group issue with 9.1

I took a very log telephone call with the support. There i a known issue whan upgrading from 7Mode to ONTAP 9, finaly after we made a configuration reload and a restart of the CIFS SVM all is working fine.