ONTAP Discussions

problem creating cifs shares via MMC on NetApp cDOT Release 8.3.1

robst

Hi

The team who create our CIFS shares no longer have access to do this since we migrated vfilers to cDOT NetApp Release 8.3.1 from 7-mode.

They are not domain admins so I set them up as superusers under the relevant SVM:

set advanced

cifs superuser create -vserver VS1 -domain LIVE -accountname testuser

I believe adding a user as a superuser should allow them to: "Note: Data ONTAP 8.3 allows the administrator to create, modify and delete CIFS shares"

Also, the command to display superusers doesn't appear to work in 8.3.1 - I haven't found an equivalent yet:

vserver cifs superuser show

Error: "superuser" is not a recognized command

Any help or advice would be appreciated - thanks Rob

JGPSHNTAP

You don't need to be a domain admin.

You can add them to builtin\administrators.

robst

Thanks. However, our AD team will not allow that for the helpdesk team as it will give them elevated rights across the whole Domain.

I am not an AD guy so cannot argue.

bobshouseofcards

Hi Robst -

I think you misunderstand the reply above. The "BUILTIN\ADMINISTRATORS" group is the equivalent of the "Local Admins" group on a Windows server. It is not a domain-wide setting; it is a setting on an SVM that you want to let them create shares on.

An SVM hosting CIFS shares can be considered to be a Windows server in most operational respects. This is one of them. It has a local set of groups and users that can be defined. Just as on a typical Windows server, there must be a group/user with appropriate permissions on the server to be able to create new shares. That same type of permission is needed on the SVM.

So a question to explore would be how would the help desk create a share through MMC on any other Windows server in your environment and what permissions/security group are they members of (explicitly or implicitly) on those servers? That's the level of access that will be needed on the SVM as well.

Hope this helps.

Bob Greenwald

Senior Systems Engineer | cStor

NCIE SAN ONTAP, Data Protection

mbeattie

Hi Rob,

I think the command you are looking for is "cifs superuser show" with the -vserver parameter, not "vserver cifs superuser show". E.g.:

cluster1::> set advanced
cluster1::*> cifs superuser create -vserver vserver1 -domain TESTLAB -accountname User1
cluster1::*> cifs superuser show -vserver vserver1
Vserver        CIFS Server     Domain          Account Name
-------------- --------------- --------------- ------------
vserver1       VSERVER1        TESTLAB         User1

See the following NetApp KB article:

https://kb.netapp.com/support/s/article/faq-using-windows-mmc-in-clustered-data-ontap?language=en_US

Alternatively you might consider using WFA (OnCommand Workflow Automation) to provision CIFS shares instead of using MMC.

/Matt

robst

Thanks all.

Bob, thanks for the explanation. Not sure I want them in a group where they have rights to "fully administer the file"?

However, our helpdesk guys were able to create CIFS shares on the same vservers which were on 7-mode: once migrated to cDOT they can no longer do this and their rights haven't changed. They are still able to create CIFS shares for vservers still on 7-mode.

Matt, thanks, I used that KB to create the cifs superuser for the vserver: cifs superuser create -vserver testvserver -domain LIVE -accountname testuser.
The article states that testuser, which is now a superuser, should now be able to create CIFS shares. I will explore WFA next - but would like their published fix to work.

"Can users other than Domain Administrators access an MMC to a Cluster-Mode node?

Yes. To set this up, the user should be added to the vserver as a cifs superuser. This is available in advanced mode."

Example:
::> set advanced
::*> cifs superuser create -vserver vs0 -domain DOMAIN -accountname user

*> cifs superuser show -vserver testvserver
Vserver        CIFS Server     Domain          Account Name
-------------- --------------- --------------- ------------
testvserver    testv           LIVE            testuser

However, the above doesn't solve the problem of the helpdesk not having access to create CIFS shares.
Any ideas?