What are the security checks that CIFS superuser privileges allow Data ONTAP to bypass?

Hi,

As I understand, this property was DEPRECATED, but I am still trying to find any information about which security checks this CIFS superuser option allows one to bypass.

Thanks.

Re: What are the security checks that CIFS superuser privileges allow Data ONTAP to bypass?

Hi there,

In order to answer your question most accurately, can you provide a reference in our documentation to the exact functionality you are asking about?

Re: What are the security checks that CIFS superuser privileges allow Data ONTAP to bypass?

Hi,

I'm not sure about the exact functionality. In this link, there is a description of how to give a user CIFS superuser privileges.

I'm trying to find out what these privileges are all about.

Thanks.

Re: What are the security checks that CIFS superuser privileges allow Data ONTAP to bypass?

Any reply to this? It would be good to know what security is bypassed by adding a super user.

Re: What are the security checks that CIFS superuser privileges allow Data ONTAP to bypass?

Hi there,

As of ONTAP 9.4 the "vserver cifs superuser" commands are deprecated - the preferred method is to add a user to the AD Domain Admins group.

Per http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cifs-nfs-audit%2FGUID-8658509D-AE99-44A6-8CFB-F47D673A7127.html 


  • Avoid permission checks

    The user avoids checks on files and directory access.

  • Special locking privileges

    Data ONTAP allows read, write, or modify access to any file regardless of existing locks. If the FPolicy server takes byte range locks on the file, it results in immediate removal of existing locks on the file.

  • Bypass any FPolicy checks

    Access does not generate any FPolicy notifications.

Re: What are the security checks that CIFS superuser privileges allow Data ONTAP to bypass?

Great, thanks,

By any chance, do you know of, and can you refer me to, the documentation that states from which version this CIFS superuser property is no longer supported?

Re: What are the security checks that CIFS superuser privileges allow Data ONTAP to bypass?

Hi there,

We have marked it as deprecated in our current release of ONTAP - to ensure ongoing compatibility, new functionality should not be based around it.

Re: What are the security checks that CIFS superuser privileges allow Data ONTAP to bypass?

Hi,

Thank you a lot for your help and time. :-)

Ok, but by any chance, do you remember since which cmod version it was deprecated?

(Is it 8.3 or starting from 9.0? I do remember it was available in 8.2, probably 8.3, but I may be wrong.)

And another question, which I hope you will be able to answer or direct me to the relevant article for...

In case I am comparing the local Administrators group on the CIFS server defined on the vserver and the superuser privileges, what is the difference between the two? (If you have a comparison table, that will be good; if not, see the example.)
I'm interested in the file system permission perspective.

For example:
1. I have UserA that is a member of the local Administrators group.
2. I have UserB that is not a member of any local group but has a superuser assignment.
3. I have a folder which has no direct permission or ownership for either of those users.
4. I would like to change the ACLs acting as one of those users at a time.

What will I need to do?
1. In the case of UserA, will I first need to make myself an owner and then change the permissions, or otherwise get access denied?
2. In the case of UserB, will the permission change take effect without any prior action?

Best regards.
