2017-05-27 04:46 AM
i upgraded a 2240 from 7mode to cdot, with 8.3.2p11 i made a complete init and after a minimal config i upgraded to 9.1p3. Here i have a strange issue with CIFS.
At the SystemManager i created a new CIFS SVM, on the first screen i entered all infos, the second screen with the AD join i skipped and on the third screen i enterd a password for the vsadmin and then i completed the wizard.
On the shell i entered:
vserver cifs create -vserver cifs-test -cifs-server cifs-test -workgroup test
So i created a minimal CIFS configuration. Now i entered this command to see the rights of the local Administrator user:
diag secd authentication show-creds -node san-cl01-02 -vserver cifs-test -win-name administrator UNIX UID: pcuser <> Windows User: CIFS-TEST\Administrator (Windows Local User) GID: pcuser Supplementary GIDs: pcuser Windows Membership: User is also a member of Everyone, Authenticated Users, and Network Users Privileges (0x2000): SeChangeNotifyPrivilege
- Why is the mapping to "pcuser", not "root"?
- Why isn't there listed the "BUILTIN\Administrators" group at Windows membership?
On a other 2240 with 9.1p3 i got with a new SVM with a workgroup this result:
diag secd authentication show-creds -node na-cl01-01 -vserver test-cifs -win-name administrator UNIX UID: root <> Windows User: TEST-CIFS\Administrator (Windows Local User) GID: daemon Supplementary GIDs: daemon Windows Membership: BUILTIN\Administrators (Windows Alias) User is also a member of Everyone, Authenticated Users, and Network Users Privileges (0x2237): SeBackupPrivilege SeRestorePrivilege SeTakeOwnershipPrivilege SeSecurityPrivilege SeChangeNotifyPrivilege
This happens on every CIFS SVM i create. Even when i add a different SVM to the AD, the local groups don't work.
This is the local Administrators group:
My user, the Administrator of the CIFS SVM and the Domain Administrators are member.
Enter i the command again, i got this result:
diag secd authentication show-creds -node san-cl01-02 -vserver svm-cifs1 -win-name xx\basys_raudonis UNIX UID: pcuser <> Windows User: XX\basys_raudonis (Windows Domain User) GID: pcuser Supplementary GIDs: pcuser Windows Membership: XX\User-Standard (Windows Domain group) XX\Domänen-Benutzer (Windows Domain group) XX\Domänen-Admins (Windows Domain group) XX\User-WorkerOffice (Windows Domain group) XX\Abgelehnte RODC-Kennwortreplikationsgruppe (Windows Alias) Vom Dienst bestätigte ID (Windows Well known group) User is also a member of Everyone, Authenticated Users, and Network Users Privileges (0x2000): SeChangeNotifyPrivilege
So i got all AD Groups, but no local Groups. But there must be "BUILTIN\Users" and "BUILTIN\Administrators".
The main problem with this is, i can't access directory's that only grant access to the local Administrators group.
What goes wrong here? Have i missed something?
Solved! See The Solution
2017-05-27 11:57 AM
I took a very log telephone call with the support. There i a known issue whan upgrading from 7Mode to ONTAP 9, finaly after we made a configuration reload and a restart of the CIFS SVM all is working fine.