
NetApp CIFS share not accessible by domain users whereas accessible by domain admins

Hi guys,

I have NetApp cluster mode in the environment and I have an issue with CIFS shares. Most of the users who are domain admins are able to access the CIFS share folders, but the domain users are not able to access the folder. Can anyone help me out if I need to do any settings to fix the issue?

Regards

VK

Re: NetApp CIFS share not accessible by domain users whereas accessible by domain admins

There are two important factors for CIFS shares: the share ACL and the NTFS permissions.

So let's start with both.

What is the share ACL?

And what are the NTFS permissions?

Also, why are people domain administrators?

Re: NetApp CIFS share not accessible by domain users whereas accessible by domain admins

Hi,

You haven't provided enough information to help identify the cause of the issue for troubleshooting. Can you please share the results of the following commands?

cluster1::> vserver cifs share show -vserver vserver1 -share-name volume1$ -fields acl
vserver  share-name  acl
-------- ----------- -----------------------------------------------------------
vserver1 volume1$ "BUILTIN\Administrators / Full Control","Everyone / Change"

cluster1::> qtree show -vserver vserver1
Vserver    Volume        Qtree        Style        Oplocks   Status
---------- ------------- ------------ ------------ --------- --------
vserver1   volume1       ""           ntfs         enable    normal
vserver1   volume1       qtree1       ntfs         enable    normal

cluster1::> local-group show-members -vserver vserver1 -group-name "BUILTIN\Administrators"

Vserver        Group Name                   Members
-------------- ---------------------------- ------------------------
vserver1       BUILTIN\Administrators       VSERVER1\Administrator
                                            CONTOSO\Vserver Admins

C:\>icacls \\vserver1\volume1$
\\vserver1\volume1$ BUILTIN\Administrators:(OI)(CI)(F)
\\vserver1\volume1$ CONTOSO\Data Admins:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files

Note: The default AD group "Domain Admins" should not be used to manage access to data on your CIFS vservers. See the following:

https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/appendix-f--securing-domain-admins-groups-in-activ...

"Domain Admins are, by default, members of the local Administrators groups on all member servers and workstations in their respective domains"

When you perform a CIFS setup on a vserver, it becomes a "member server" within the domain you join it to, and by default the Domain Admins group is automatically added as a member of the local Administrators group on the vserver. Just because this is the default setting, it does NOT mean you should leave it that way. For example, the default permissions when you create an NTFS volume are "Everyone\Full Control". This is to ensure you have access to connect to the volume in order to secure the NTFS permissions and delegate administrative access to your data (during that process you should remove "Everyone\Full Control" and delegate administrative access to your data to an AD group).

So once you have joined the domain, I recommend you delegate administrative access to your vservers, e.g. create a "Vserver Admins" AD group explicitly for the purpose of delegating administrative control of your vservers, add that group to the local Administrators group on your vservers, then remove the "Domain Admins" group. E.g.:


cluster1::> local-group add-members -vserver vserver1 -group-name "BUILTIN\Administrators" -member-names "CONTOSO\Vserver Admins"

cluster1::> local-group remove-members -vserver vserver1 -group-name "BUILTIN\Administrators" -member-names "CONTOSO\Domain Admins"

The "Domain Admins" group is for Active Directory administration; it should NOT be used for data administration.

/Matt
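To make the two-layer evaluation in this answer concrete, here is an added example (not NetApp code, and not from this thread's author) that models how a CIFS client's effective access is the intersection of the share ACL and the NTFS ACL, using ACLs constructed to mirror the sample output above; it assumes a simplified allow-only model with no explicit deny ACEs, and the user and group names are made up.

```python
"""Model of effective CIFS access = min(share ACL right, NTFS ACL right).

Added example. The ACLs mirror the sample `cifs share show` and `icacls`
output in the thread; principals and users are constructed for illustration.
Explicit deny ACEs are ignored, which is a simplification of real NTFS.
"""

# Ordered rights: a higher level implies the lower ones. 0 means no access.
RIGHTS = {"Read": 1, "Change": 2, "Full Control": 3}

# Share ACL, as shown by `vserver cifs share show ... -fields acl` (constructed).
SHARE_ACL = {"BUILTIN\\Administrators": "Full Control", "Everyone": "Change"}

# NTFS ACL on the volume root, as shown by `icacls` where (F) = Full Control (constructed).
NTFS_ACL = {"BUILTIN\\Administrators": "Full Control", "CONTOSO\\Data Admins": "Full Control"}

# SVM local Administrators group after CIFS setup: Domain Admins is added by default.
DEFAULT_LOCAL_ADMINS = frozenset({"VSERVER1\\Administrator", "CONTOSO\\Domain Admins"})


def build_token(user, ad_groups, local_admins=DEFAULT_LOCAL_ADMINS):
    """Expand a user's access token: the user, their AD groups, Everyone, and
    BUILTIN\\Administrators if any of those is a member of the SVM local group."""
    token = {user, "Everyone", *ad_groups}
    if token & set(local_admins):
        token.add("BUILTIN\\Administrators")
    return token


def highest_right(acl, token):
    """Highest right any principal in the token is granted by this ACL (0 if none)."""
    return max((RIGHTS[right] for principal, right in acl.items() if principal in token), default=0)


def effective_access(user, ad_groups, local_admins=DEFAULT_LOCAL_ADMINS,
                     share_acl=SHARE_ACL, ntfs_acl=NTFS_ACL):
    """The more restrictive of the share and NTFS rights wins; 'Denied' if either grants nothing."""
    token = build_token(user, ad_groups, local_admins)
    level = min(highest_right(share_acl, token), highest_right(ntfs_acl, token))
    for name, value in RIGHTS.items():
        if value == level:
            return name
    return "Denied"


def remove_local_admin(local_admins, member):
    """Model `local-group remove-members -group-name "BUILTIN\\Administrators" -member-names member`."""
    return frozenset(local_admins) - {member}


if __name__ == "__main__":
    print(effective_access("CONTOSO\\alice", {"CONTOSO\\Domain Users"}))  # Denied: not in the NTFS ACL
    print(effective_access("CONTOSO\\bob", {"CONTOSO\\Domain Users", "CONTOSO\\Domain Admins"}))
```

Running it shows why a plain domain user is denied (the share grants Everyone Change, but nothing in the NTFS ACL matches their token) while a domain admin gets Full Control only because Domain Admins sits in the SVM's BUILTIN\Administrators group; removing that membership, as recommended above, turns the admin's access into Denied unless they are explicitly delegated through a data-access group.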
