CIFS Share Level Permissions Issue

metuckness
I just got a clustered NetApp with 8.3.2SP2 on it and it is functioning, except when I apply Windows AD security groups to a CIFS share and remove (uncheck) the Everyone access. So I go into the share and edit the permissions and set the security groups I use to restrict access (in this case it is a security group entitled LCCA-IT-NAS - RW and LCCA-IT-NAS - RO). The RW gets Full Control and the RO gets Read.

Once I set those groups and remove the Everyone, I cannot access the shares.

Any idea what is missing? I have had a heck of a time with this since I got it, and being new to NetApp, the commands are not like anything I have encountered in Windows and Linux.

Appreciate the help. Any commands I need to run to display information to help, let me know.

Thanks

1 ACCEPTED SOLUTION

metuckness

I figured it out. Apparently once a VSERVER is created and volumes are set, then the rest of the permissions set are done at the Windows level. So I just went into the properties of the shares and removed the Everyone and then added the security groups there with the proper security settings (Read, Read/Write).

3 REPLIES 3

metuckness

Also, I cannot access the share even if I type the credentials of a user that is in the security group.

bobshouseofcards

Metuckness -

You've hit on one of the key features of CIFS on NetApp. Once you create an SVM (vServer) you can treat it very much as a Windows file server from a management point of view. CIFS shares have the same "dual" security as does Windows - share-level access and NTFS filesystem-level access semantics, which you can mix and match in the same ways as you would on a Windows server.

At current levels of cDot (which you have) you can also establish members of the "Local Administrators" group on the SVM, so in case someone does something really bad with file permissions, you have a user that can re-take ownership and re-establish the security you want - just as you would on a Windows server.

To the greatest extent possible, including honoring relevant GPO settings, an SVM can be considered a "Windows" file server when using CIFS. Once you're good with that, then the fun can really start.

Bob Greenwald

Senior Systems Engineer | cStor

NCIE SAN ONTAP, Data Protection

Kudos and accepted solutions are always appreciated.
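
An added illustration, not part of the thread and not NetApp tooling, of the "dual" share-level plus NTFS check described in the reply above: a user gets the more restrictive of what the two layers grant. The users, the ACL contents and the single READ/CHANGE/FULL scale are constructed assumptions, and the model is allow-only (no deny entries, no inheritance); only the two group names come from the thread.

```python
from enum import IntEnum

class Level(IntEnum):
    NONE = 0
    READ = 1
    CHANGE = 2   # "Change" on a share; treated as NTFS "Modify" in this model
    FULL = 3

def granted(acl, principals):
    """Highest level one ACL layer gives to any of the caller's principals."""
    return max((lvl for who, lvl in acl.items() if who in principals),
               default=Level.NONE)

def audit(share_acl, ntfs_acl, memberships):
    """Map each user to (effective level, layer that limits it)."""
    report = {}
    for user, groups in memberships.items():
        principals = {user, "Everyone", *groups}
        s = granted(share_acl, principals)
        n = granted(ntfs_acl, principals)
        limit = "share" if s < n else "ntfs" if n < s else "both"
        report[user] = (min(s, n), limit)   # both layers must allow the access
    return report

RW, RO = "LCCA-IT-NAS - RW", "LCCA-IT-NAS - RO"            # groups from the thread
MEMBERS = {"alice": {RW}, "bob": {RO}, "carol": set()}     # constructed users

# Share left open to Everyone; NTFS ACL does the restricting.
OPEN_SHARE = audit({"Everyone": Level.FULL},
                   {RW: Level.FULL, RO: Level.READ}, MEMBERS)

# Share restricted to the groups, but the NTFS ACL never lists them:
# the share layer says yes, the filesystem layer says no.
MISMATCH = audit({RW: Level.FULL, RO: Level.READ},
                 {"BUILTIN\\Administrators": Level.FULL}, MEMBERS)

# Groups present in both layers; NTFS caps the RW group at CHANGE.
BOTH = audit({RW: Level.FULL, RO: Level.READ},
             {RW: Level.CHANGE, RO: Level.READ}, MEMBERS)

if __name__ == "__main__":
    for name, rep in [("open share", OPEN_SHARE), ("mismatch", MISMATCH),
                      ("both layers", BOTH)]:
        for user, (lvl, limit) in rep.items():
            print(f"{name:12} {user:6} {lvl.name:7} limited by {limit}")
```
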

 

 
