Network Storage Protocols Discussions

Authentication & Authorization in CIFS - Ask The Expert - 7/16 to 7/30!

Ask the Expert Session – CIFS 

Grab the opportunity to learn from our Expert and bridge your Knowledge gap. 

Our CIFS Expert will answer your questions and help you solve your issues.

Topic: Authentication & Authorization in CIFS

Date: July 16 – 30

Expert: Vijay Ramamurthy

Vijay is an Escalation Engineer with the NAS team.

His 10 years of experience in Information Technology have been with Data Storage.

He is with NetApp for 3 years and has strong domain knowledge in CIFS, NFS, and TCP/IP networking focus areas.

Note:

  • Ask questions only related to the above topic.
  • You can expect a response to your questions within 24 hours.

Re: Authentication & Authorization in CIFS - Ask The Expert - 7/16 to 7/30!

Hi Alex,

For example:
1. I have UserA that member in the local Administrators group.
2. I have UserB that not a member of any local group but has superuser assignment.
3. I have a folder which has not direct permission or ownership for any of that users.
4. I would like to change the ACLs acting as one of those users at a time.

What will I need to do?
1. In case UserA is it, I will need first to make my self an owner and then change the permissions otherwise will get access denied?
That is correct. If the permissions on the file or object don't allow UserA to change permissions, then the user first needs to take ownership of the folder/file and then set the DACL permissions. As the user is a member of BUILTIN\Administrators, he will have the "SeTakeOwnershipPrivilege" privilege, which will allow him to take ownership.
Any user who is a member of BUILTIN\Administrators will get privilege "SeTakeOwnershipPrivilege". This privilege is required to take ownership of an object without being granted discretionary access.
SeTakeOwnershipPrivilege:- User Right: Take ownership of files or other objects.

Below are the privileges that a BUILTIN\Administrator and "Domain Admins" get by default from ONTAP:
Privileges (0x22b7):
SeBackupPrivilege
SeRestorePrivilege
SeTakeOwnershipPrivilege <<<<
SeSecurityPrivilege
SeChangeNotifyPrivilege

2. In the case of UserB, the change permission will take effect without any prior action?
That is correct. If UserB is created as a cifs superuser in ONTAP, this user will be able to change permissions without any prior action.
From what I observed in lab testing, the cifs superuser will bypass the DACL checks and will be granted access.

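A small model of the two authorization paths described in the answer above (UserA taking ownership via SeTakeOwnershipPrivilege before it can rewrite the DACL, UserB bypassing the DACL entirely as a cifs superuser), added here as an example; it is not code from the thread or from ONTAP, and the flag values, class names and DACL layout are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Access rights as flag bits (constructed for this model, not Windows' real ACCESS_MASK values).
READ, WRITE, WRITE_DAC, WRITE_OWNER = 1, 2, 4, 8
TAKE_OWNERSHIP = "SeTakeOwnershipPrivilege"


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)      # e.g. {"BUILTIN\\Administrators"}
    privileges: set = field(default_factory=set)  # e.g. {TAKE_OWNERSHIP}
    superuser: bool = False                       # ONTAP cifs superuser: DACL checks bypassed


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: dict = field(default_factory=dict)      # trustee (user or group) -> allowed rights mask


def granted_rights(user, sd):
    """Rights from the DACL plus the owner's implicit WRITE_DAC; privileges are not consulted here."""
    if user.superuser:                            # superuser: DACL bypassed, everything granted
        return READ | WRITE | WRITE_DAC | WRITE_OWNER
    rights = 0
    for trustee in {user.name, *user.groups}:
        rights |= sd.dacl.get(trustee, 0)
    if sd.owner == user.name:
        rights |= WRITE_DAC
    return rights


def take_ownership(user, sd):
    """Allowed via WRITE_OWNER on the DACL, or via SeTakeOwnershipPrivilege regardless of the DACL."""
    if granted_rights(user, sd) & WRITE_OWNER or TAKE_OWNERSHIP in user.privileges:
        sd.owner = user.name
        return True
    return False


def change_permissions(user, sd, new_dacl):
    """Set the DACL; if denied, take ownership first (UserA's path). Returns the steps taken."""
    steps = []
    if not granted_rights(user, sd) & WRITE_DAC:
        if not take_ownership(user, sd):
            return ["denied"]
        steps.append("take_ownership")
    sd.dacl = dict(new_dacl)
    return steps + ["set_dacl"]
```

A user with neither a DACL grant, ownership, the privilege nor superuser status ends in "denied", which is the access-denied case the question asks about.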
Re: Authentication & Authorization in CIFS - Ask The Expert - 7/16 to 7/30!

Thanks Vijay!

@VARONISSYSTEMS - does this answer your questions?

Re: Authentication & Authorization in CIFS - Ask The Expert - 7/16 to 7/30!

Hi,

Does ONTAP 9 support CIFS authentication with a non-Microsoft LDAP, like OpenLDAP or Red Hat Directory Server?
I couldn't find any documentation on that.

We have a project that needs to maintain their own set of users and groups. They're setting up their own LDAP server on a Linux system. The requirement is to access the data from NetApp NAS using both protocols - NFS and CIFS - and having the NAS taking care of user mapping, etc.

Kamil

Re: Authentication & Authorization in CIFS - Ask The Expert - 7/16 to 7/30!

In 7-mode, four authentication styles are supported for CIFS: "ad" (Active Directory), "nt4" (Windows NT4), "workgroup" (Workgroup) and "passwd" (password file, NIS or LDAP).
In C-mode, only Active Directory and Workgroup authentication are supported.

So there is no support for authentication of CIFS users using OpenLDAP or non-Microsoft LDAP in Cluster Data ONTAP.

How does ONTAP handle SMB client authentication?
Before users can create SMB connections to access data contained on the SVM, they must be authenticated by the domain to which the CIFS server belongs. The CIFS server supports two authentication methods, Kerberos and NTLM (NTLMv1 or NTLMv2). Kerberos is the default method used to authenticate domain users.

 

Also, multi-protocol is supported in ONTAP, so both Windows and UNIX users can access the same volume.

User-mapping rules can also be defined locally in NetApp.

I don't see any challenges with your requirement.

Re: Authentication & Authorization in CIFS - Ask The Expert - 7/16 to 7/30!

Thank you Vijay.

But the challenge is still there, unless I misunderstood something.
How to allow CIFS clients to access the data if we don't want to / cannot use Active Directory, but other LDAP for authentication?

You already confirmed cDOT does not support non-AD LDAPs for CIFS.

Looks like in cDOT we're missing the feature that was available in 7-mode and would be a perfect fit for my case.

Same data needs to be accessible by unix clients via NFS - auth with the same LDAP - but that part should be easy.

Re: Authentication & Authorization in CIFS - Ask The Expert - 7/16 to 7/30!

Hi Experts,

Could you please help me understand what this error is pointing to.

This is a log from the Security Daemon [SecD] from ONTAP 9.1; the event log is recording these errors on a day-to-day basis.

The error says very clearly: FAILURE: CIFS authentication failed. Is it the password with which the CIFS server is joined to the AD? It says SMB_PASSWORD_MUST_CHANGE: is it the AD password?

ERROR:

RESULT_ERROR_CIFS_SMB_PASSWORD_MUST_CHANGE:335 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348


Security Daemon [secD log from cDOT 9.1]
+++++++++++++++++++++++++++++++++++++++++++++

00000012.00209282 0fea2360 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] CIFS SMB2 Share mapping - Client Ip = 10.x.x.x
00000012.00209283 0fea2360 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] [ 0 ms] Login attempt by domain user 'Dxxx\Administrator' using NTLMv1 style security
00000012.00209284 0fea2360 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] [ 1] Successfully connected to ip 10.x,x,x, port 445 using TCP
00000012.00209285 0fea2360 Fri Jul 20 2018 08:38:09 7 +01:00 [kern_secd:info:5480] [ 7] Successfully authenticated with DC

00000012.0020e41d 0ff356d5 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] | [000.015.336] ERR : RESULT_ERROR_CIFS_SMB_PASSWORD_MUST_CHANGE:335 in handleAuthenticateMsg() at src/NtlmsspCtx.cpp:912
00000012.0020e41e 0ff356d5 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] | [000.015.344] ERR : RESULT_ERROR_CIFS_SMB_PASSWORD_MUST_CHANGE:335 in acceptContext() at src/NtlmsspCtx.cpp:296
00000012.0020e41f 0ff356d5 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] | [000.015.352] ERR : RESULT_ERROR_CIFS_SMB_PASSWORD_MUST_CHANGE:335 in acceptContext() at src/SpnegoCtx.cpp:244
00000012.0020e420 0ff356d5 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] | [000.015.361] ERR : RESULT_ERROR_CIFS_SMB_PASSWORD_MUST_CHANGE:335 in secd_rpc_auth_extended_1_svc() at src/authentication/secd_rpc_auth.cpp:1168
00000012.0020e421 0ff356d5 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] | [000.015.372] ERR : CIFS authentication failed { in secd_rpc_auth_extended_1_svc() at src/authentication/secd_rpc_auth.cpp:1196 }
00000012.0020e422 0ff356d5 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] | [000.015.389] debug: SecD RPC Server sending reply to RPC 151: secd_rpc_auth_extended { in secdSendRpcResponse() at src/server/secd_rpc_server.cpp:1888 }
00000012.0020e423 0ff356d5 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] | [000.015.564] ERR : RESULT_ERROR_CIFS_SMB_PASSWORD_MUST_CHANGE:335 in getFailureCode() at src/utils/secd_thread_task_journal.cpp:348


00000012.00209287 0fea2360 Thu Jul 19 2018 15:53:07 +01:00 [kern_secd:info:5480] [ 9] Login attempt by local user 'Dxxxx\Administrator' using NTLMv1 style security
00000012.00209288 0fea2360 Thu Jul 19 2018 15:53:07 +01:00 [kern_secd:info:5480] **[ 10] FAILURE: CIFS authentication failed


++++++++++++++++++++++++++++++++++++++++++++++++++++++

Thanks,

-AP

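A small parser for secD lines of the shape quoted in the post above, added here as an example (not code from the thread or from NetApp): it pulls out each login attempt's authentication style, the RESULT_ERROR code with the innermost frame that raised it, and the final FAILURE lines, which is what you would want when deciding whether NTLMv1 use and SMB_PASSWORD_MUST_CHANGE failures are recurring for a given account. The log sample is constructed, with the domain and IP anonymized, and the field layout the regexes assume is taken from the quoted lines.

```python
import re
from collections import Counter

# Constructed sample in the shape of the secD lines quoted above (domain anonymized).
SAMPLE_LOG = """\
00000012.00209283 0fea2360 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] [ 0 ms] Login attempt by domain user 'DEMO\\Administrator' using NTLMv1 style security
00000012.00209285 0fea2360 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] [ 7] Successfully authenticated with DC
00000012.0020e41d 0ff356d5 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] | [000.015.336] ERR : RESULT_ERROR_CIFS_SMB_PASSWORD_MUST_CHANGE:335 in handleAuthenticateMsg() at src/NtlmsspCtx.cpp:912
00000012.0020e41e 0ff356d5 Fri Jul 20 2018 08:38:09 +01:00 [kern_secd:info:5480] | [000.015.344] ERR : RESULT_ERROR_CIFS_SMB_PASSWORD_MUST_CHANGE:335 in acceptContext() at src/NtlmsspCtx.cpp:296
00000012.00209287 0fea2360 Thu Jul 19 2018 15:53:07 +01:00 [kern_secd:info:5480] [ 9] Login attempt by local user 'DEMO\\Administrator' using NTLMv1 style security
00000012.00209288 0fea2360 Thu Jul 19 2018 15:53:07 +01:00 [kern_secd:info:5480] **[ 10] FAILURE: CIFS authentication failed
"""

# Field layout seen in the quoted lines: <seq> <task-id> <timestamp> <tz> [kern_secd:...] <message>
HEAD_RE = re.compile(r"^\S+ (?P<task>\S+) (?P<time>\w{3} \w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d) \S+ \[kern_secd:[^\]]*\] (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Login attempt by (?P<scope>domain|local) user '(?P<user>[^']+)' using (?P<style>\S+) style security")
ERR_RE = re.compile(r"ERR : (?P<code>RESULT_ERROR_\w+):(?P<num>\d+) in (?P<func>\w+)\(\) at (?P<where>\S+)")


def parse_line(line):
    """Classify one secD line as a login attempt, an ERR frame, a final FAILURE, or None."""
    head = HEAD_RE.match(line.rstrip("\n"))
    if not head:
        return None
    rec = {"task": head["task"], "time": head["time"]}
    if m := LOGIN_RE.search(head["msg"]):
        return {**rec, "kind": "login", **m.groupdict()}
    if m := ERR_RE.search(head["msg"]):
        return {**rec, "kind": "error", **m.groupdict()}
    if "FAILURE: CIFS authentication failed" in head["msg"]:
        return {**rec, "kind": "failure"}
    return None


def summarize(log_text):
    """Aggregate auth styles per login, the origin frame of each result code, and hard failures."""
    logins, origins, failures, ntlmv1_users = Counter(), {}, 0, set()
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["kind"] == "login":
            logins[(rec["scope"], rec["style"])] += 1
            if rec["style"] == "NTLMv1":          # legacy style worth tracking on its own
                ntlmv1_users.add(rec["user"])
        elif rec["kind"] == "error":
            # The first ERR frame for a code is the innermost one (where it was first raised).
            origins.setdefault(rec["code"], f'{rec["func"]}() at {rec["where"]}')
        else:
            failures += 1
    return {"logins": dict(logins), "origins": origins, "failures": failures,
            "ntlmv1_users": sorted(ntlmv1_users)}
```
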
Re: Authentication & Authorization in CIFS - Ask The Expert - 7/16 to 7/30!

Welcome Bkamil,

Windows domain users reside in Active Directory, and Kerberos is the default authentication protocol used by Active Directory for authenticating a user.
Also, Kerberos is the most secure way of authenticating a user.


CIFS clients who connect to NetApp are authenticated via Kerberos or NTLM in Cluster Data ONTAP.

More details on the authentication can be found below :

How ONTAP handles SMB client authentication
http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-nfs%2FGUID-AA67607D-30F8-484C-A8D3-F0CA842465BB.html

How ONTAP handles NFS client authentication
http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.cdot-famg-nfs%2FGUID-AA67607D-30F8-484C-A8D3-F0CA842465BB.html

In an NFS context, authentication is done by the client not the server.
CIFS authentication is the server’s responsibility.

In a multi-protocol environment, CIFS users can access UNIX and NTFS security-style volumes, and NFS users can also access UNIX and NTFS security-style volumes. This can be accomplished with the help of name-mapping and configuring the directory store for the UNIX users.

Could you let me know whether the CIFS users you are referring to are Windows domain users?

I still don't understand the requirement of using OpenLDAP to authenticate CIFS users, as the domain users reside in AD and not in OpenLDAP.