2016-10-10 08:10 AM
The team who create our CIFS shares no longer have access to do this since we migrated vfilers to cDOT NetApp Release 8.3.1 from 7-mode.
They are not domain admins so I set them up as superusers under the relevant SVM:
cifs superuser create -vserver VS1 -domain LIVE -accountname testuser
I believe adding a user as a superuser should allow them to: "Note: Data ONTAP 8.3 allows the administrator to create, modify and delete CIFS shares"
Also, the command to display superusers doesn't appear to work in 8.3.1 - I haven't found an equivalent yet:
vserver cifs superuser show
Error: "superuser" is not a recognized command
Any help or advice would be appreciated - thanks, Rob
2016-10-11 07:19 AM
Thanks. However, our AD team will not allow that for the helpdesk team as it will give them elevated rights across the whole Domain.
I am not an AD guy so cannot argue.
2016-10-11 08:43 AM
Hi Robst -
I think you misunderstand the reply above. The "BUILTIN\ADMINISTRATORS" group is the equivalent of the "Local Admins" group on a Windows server. It is not a domain-wide setting, it is a setting on an SVM that you want to let them create shares on.
An SVM hosting CIFS shares can be considered to be a Windows server in most operational respects. This is one of them. It has a local set of groups and users that can be defined. Just as on a typical Windows server there must be a group/user with appropriate permissions on the server to be able to create new shares. That same type of permission is needed on the SVM.
So a question to explore would be how would the help desk create a share through MMC on any other Windows server in your environment and what permissions/security group are they members of (explicitly or implicitly) on those servers? That's the level of access that will be needed on the SVM as well.
Hope this helps.
Senior Systems Engineer | cStor
NCIE SAN ONTAP, Data Protection
Kudos and accepted solutions are always appreciated.
2016-10-11 06:29 PM
I think the command you are looking for is "cifs superuser show" with the -vserver parameter, not "vserver cifs superuser show". E.g.:
cluster1::> set advanced
cluster1::*> cifs superuser create -vserver vserver1 -domain TESTLAB -accountname User1
cluster1::*> cifs superuser show -vserver vserver1
Vserver        CIFS Server     Domain          Account Name
-------------- --------------- --------------- ------------
vserver1       VSERVER1        TESTLAB         User1
See the following NetApp KB article:
Alternately you might consider using WFA (OnCommand Workflow Automation) to provision CIFS shares instead of using MMC.
2016-10-13 06:19 AM
Bob, thanks for the explanation. Not sure I want them in a group where they have rights to "fully administer the file"?
However, our helpdesk guys were able to create CIFS shares on the same vservers which were on 7-mode:
Once migrated to cDOT they can no longer do this and their rights haven't changed. They are still able to create CIFS shares for vservers still on 7-mode.
Matt, thanks I used that KB to create the cifs superuser for the vserver: cifs superuser create -vserver testvserver -domain LIVE -accountname testuser.
The article states that testuser, which is now a superuser, should now be able to create CIFS shares. I will explore WFA next - but would like their published fix to work.
"Can users other than Domain Administrators access an MMC to a Cluster-Mode node?
Yes. To set this up, the user should be added to the vserver as a cifs superuser. This is available in advanced mode."
Example: ::> set advanced
::*> cifs superuser create -vserver vs0 -domain DOMAIN -accountname user
*> cifs superuser show -vserver testvserver
Vserver        CIFS Server     Domain          Account Name
-------------- --------------- --------------- ------------
testvserver    testv           LIVE            testuser
However, the above doesn't solve the problem of the helpdesk not having access to create CIFS shares.