For example:
1. I have UserA, who is a member of the local Administrators group.
2. I have UserB, who is not a member of any local group but has a superuser assignment.
3. I have a folder on which neither of those users has direct permissions or ownership.
4. I would like to change the ACLs while acting as one of those users at a time.
What will I need to do?

1. In the case of UserA, will I first need to make myself the owner and then change the permissions, otherwise I will get access denied?

That is correct. If the permissions on the file or object don't allow UserA to change permissions, then the user first needs to take ownership of the folder/file and then set the DACL permissions. As the user is a member of BUILTIN\Administrators, he will have the "SeTakeOwnershipPrivilege" privilege, which will allow him to take ownership. Any user who is a member of BUILTIN\Administrators gets the "SeTakeOwnershipPrivilege" privilege. This privilege is required to take ownership of an object without being granted discretionary access. SeTakeOwnershipPrivilege: User Right: Take ownership of files or other objects.
Below are the privileges that BUILTIN\Administrators and "Domain Admins" get by default from ONTAP:

Privileges (0x22b7):
  SeBackupPrivilege
  SeRestorePrivilege
  SeTakeOwnershipPrivilege   <<<<
  SeSecurityPrivilege
  SeChangeNotifyPrivilege
2. In the case of UserB, will the permission change take effect without any prior action?

That is correct. If UserB is created as a cifs superuser in ONTAP, this user will be able to change permissions without any prior action. From what I observed in LAB testing, the cifs superuser bypasses the DACL checks and is granted access.
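To make the two paths described above concrete, here is an added example (not from the original posts and not NetApp's or Microsoft's code) that models the relevant part of the Windows access check in Python: ACEs are walked in order with explicit denies winning, the object owner is implicitly granted READ_CONTROL and WRITE_DAC, and SeTakeOwnershipPrivilege grants WRITE_OWNER regardless of the DACL. The ONTAP cifs superuser is modelled as an outright bypass of the DACL check, which is the poster's lab observation rather than a documented algorithm. The account names, the folder's owner and DACL, and the `superuser` flag are all constructed for the example.

```python
"""Simplified model of a Windows DACL access check (added illustration).

Documented Windows behaviour that is modelled:
  - ACEs are evaluated in order; an explicit deny covering a still-unsatisfied
    requested right fails the check.
  - The object owner implicitly holds READ_CONTROL and WRITE_DAC.
  - SeTakeOwnershipPrivilege grants WRITE_OWNER even if the DACL does not.
Assumption taken from the poster's lab observation (not a documented algorithm):
  - an ONTAP cifs superuser bypasses the DACL check entirely.
"""
from dataclasses import dataclass, field

READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
WRITE_OWNER = 0x00080000
FILE_ALL_ACCESS = 0x001F01FF   # "Full control" on a file or folder


@dataclass
class Ace:
    allow: bool      # True = access-allowed ACE, False = access-denied ACE
    sid: str         # trustee (user or group name stands in for the SID)
    mask: int        # access rights covered by this ACE


@dataclass
class Token:
    user: str
    groups: set = field(default_factory=set)
    privileges: set = field(default_factory=set)
    superuser: bool = False      # constructed flag: ONTAP cifs superuser


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list


def access_check(token, sd, desired):
    """Return True if every bit in `desired` is granted to `token` on `sd`."""
    if token.superuser:                       # assumption: DACL is bypassed
        return True
    granted = 0
    # Privilege-derived rights are granted before the DACL is consulted.
    if "SeTakeOwnershipPrivilege" in token.privileges:
        granted |= WRITE_OWNER
    # The owner may always read and rewrite the DACL, whatever the ACEs say.
    if sd.owner == token.user:
        granted |= READ_CONTROL | WRITE_DAC
    remaining = desired & ~granted
    trustees = {token.user} | token.groups
    for ace in sd.dacl:
        if remaining == 0:
            break
        if ace.sid not in trustees:
            continue
        if ace.allow:
            remaining &= ~ace.mask
        elif ace.mask & remaining:
            return False                      # explicit deny on a needed right
    return remaining == 0


def change_acl_as(token, sd):
    """Steps a client would take to rewrite the DACL; returns those that succeed."""
    if access_check(token, sd, WRITE_DAC):
        return ["set DACL"]
    # Access denied: try to take ownership first, which needs WRITE_OWNER.
    if not access_check(token, sd, WRITE_OWNER):
        return ["access denied"]
    sd.owner = token.user                     # takeown succeeded
    steps = ["take ownership"]
    if access_check(token, sd, WRITE_DAC):    # now implicit via ownership
        steps.append("set DACL")
    return steps


def sample_folder():
    # Constructed: owned by a third user; the DACL names only that owner
    # (point 3 of the question: no direct permission for UserA or UserB).
    return SecurityDescriptor(owner="EXAMPLE\\owner",
                              dacl=[Ace(True, "EXAMPLE\\owner", FILE_ALL_ACCESS)])


# Constructed tokens. USER_A carries the privilege set ONTAP grants to
# BUILTIN\Administrators (0x22b7 in the post); USER_B is a cifs superuser;
# USER_C is a plain user with neither.
USER_A = Token("EXAMPLE\\UserA", {"BUILTIN\\Administrators"},
               {"SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege",
                "SeSecurityPrivilege", "SeChangeNotifyPrivilege"})
USER_B = Token("EXAMPLE\\UserB", superuser=True)
USER_C = Token("EXAMPLE\\UserC")

if __name__ == "__main__":
    for token in (USER_A, USER_B, USER_C):
        print(token.user, "->", change_acl_as(token, sample_folder()))
```

Running it shows the two paths from the answer: UserA is refused WRITE_DAC by the DACL, is granted WRITE_OWNER by the privilege, takes ownership, and only then can set the DACL; UserB skips the DACL and sets it directly; a plain user without either mechanism is denied at the first step.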
Does ONTAP 9 support CIFS authentication against a non-Microsoft LDAP server, such as OpenLDAP or Red Hat Directory Server? I couldn't find any documentation on that.
We have a project that needs to maintain its own set of users and groups. They're setting up their own LDAP server on a Linux system. The requirement is to access the data on the NetApp NAS using both protocols, NFS and CIFS, with the NAS taking care of user mapping, etc.
In 7-Mode, four authentication styles are supported for CIFS: "ad" (Active Directory), "nt4" (Windows NT4), "workgroup" (Workgroup) and "passwd" (password file, NIS or LDAP). In C-Mode, only Active Directory and Workgroup authentication are supported.
So there is no support for authenticating CIFS users against OpenLDAP or any non-Microsoft LDAP in Clustered Data ONTAP.
How does ONTAP handle SMB client authentication? Before users can create SMB connections to access data contained on the SVM, they must be authenticated by the domain to which the CIFS server belongs. The CIFS server supports two authentication methods, Kerberos and NTLM (NTLMv1 or NTLMv2). Kerberos is the default method used to authenticate domain users.
Multiprotocol access is also supported in ONTAP, so both Windows and UNIX users can access the same volume.
User-mapping rules can also be defined locally on the NetApp.
Windows domain users reside in Active Directory, and Kerberos is the default authentication protocol used by Active Directory to authenticate a user. Kerberos is also the most secure way of authenticating a user.
CIFS clients that connect to NetApp are authenticated via Kerberos or NTLM in Clustered Data ONTAP.
More details on the authentication can be found below:
In an NFS context, authentication is done by the client not the server. CIFS authentication is the server’s responsibility.
In a multiprotocol environment, CIFS users can access UNIX and NTFS security-style volumes, and NFS users can likewise access UNIX and NTFS security-style volumes. This is accomplished with the help of name mapping and by configuring the directory store for the UNIX users.
Could you let me know whether the CIFS users you are referring to are Windows domain users?
I still don't understand the requirement of using OpenLDAP to authenticate CIFS users, as the domain users reside in AD and not in OpenLDAP.
I might need the full SECD log and also an ASUP to check the cause of the error "RESULT_ERROR_CIFS_SMB_PASSWORD_MUST_CHANGE:335" seen in the SECD logs. I would recommend opening a support ticket to troubleshoot this problem.
This should work fine.
1) Create a CIFS server on the SVM.
2) Create a volume and set its security style to NTFS. Also create CIFS shares and set the ACLs.
3) Create an LDAP client configuration for the SVM using the LDAP schema.
4) Modify the ns-switch entries for user and passwd to point to files and LDAP.
5) Create name-mapping rules locally.
6) Create export rules for the NFS clients.
Now, when a UNIX user tries to access the export, he will be mapped to a Windows user based on the name-mapping rules. After the unix->windows user mapping is done, the UNIX user gets the permissions that are allowed for the mapped Windows user.
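Step 5 and the closing paragraph are where the NFS user's effective access is decided, so here is an added example (not from the original posts and not ONTAP's implementation) that evaluates ONTAP-style unix-win name-mapping rules in Python: rules are tried in ascending position, the first pattern that matches the whole UNIX name wins, and `\1`-style back-references in the replacement are expanded. Two details are assumptions for the example: if no explicit rule matches, the name falls back to the same account name in the CIFS server's home domain, and a mapping only succeeds if the resulting Windows account exists. The rules, the account list, the `EXAMPLE` domain and the NTFS ACL table are all constructed.

```python
"""Evaluate ONTAP-style unix-win name-mapping rules (added illustration).

Assumptions (this models the behaviour, it is not ONTAP's code):
  - rules are evaluated in ascending -position; the first -pattern that
    matches the entire UNIX name wins and its -replacement is expanded,
    with \\1, \\2 referring to capture groups and \\\\ a literal backslash.
  - with no matching rule, fall back to the implicit default mapping:
    the same name in the CIFS server's home domain.
  - the mapped Windows account must exist, otherwise the mapping fails and
    the NFS request against the NTFS volume is denied.
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    position: int
    pattern: str        # regular expression, matched against the whole name
    replacement: str    # ONTAP style, e.g. r"EXAMPLE\\\1"


HOME_DOMAIN = "EXAMPLE"                      # constructed CIFS server domain

# Constructed rules, deliberately listed out of position order.
RULES = [
    Rule(2, r"([a-z]+)\.([a-z]+)", r"EXAMPLE\\\1_\2"),   # jane.doe -> EXAMPLE\jane_doe
    Rule(1, r"root", r"EXAMPLE\\Administrator"),         # root -> domain admin account
]

# Constructed directory contents: the Windows accounts that actually exist.
WINDOWS_ACCOUNTS = {"EXAMPLE\\Administrator", "EXAMPLE\\jane_doe", "EXAMPLE\\bob"}

# Constructed NTFS ACL on the shared folder, keyed by Windows account.
NTFS_ACL = {"EXAMPLE\\Administrator": "Full control",
            "EXAMPLE\\jane_doe": "Modify",
            "EXAMPLE\\bob": "Read"}


def map_unix_to_windows(unix_name, rules=RULES, accounts=WINDOWS_ACCOUNTS,
                        home_domain=HOME_DOMAIN):
    """Return the mapped Windows account, or None if the mapping fails."""
    for rule in sorted(rules, key=lambda r: r.position):
        match = re.fullmatch(rule.pattern, unix_name)
        if match:
            # Match.expand applies \1-style back-references and \\ escapes,
            # which is the same notation ONTAP uses in -replacement.
            candidate = match.expand(rule.replacement)
            break
    else:
        candidate = f"{home_domain}\\{unix_name}"    # implicit default mapping
    return candidate if candidate in accounts else None


def nfs_effective_access(unix_name, acl=NTFS_ACL):
    """Permission the NFS user ends up with on the NTFS volume."""
    windows_user = map_unix_to_windows(unix_name)
    if windows_user is None:
        return "denied (no mapping)"
    return acl.get(windows_user, "denied (no ACE)")


if __name__ == "__main__":
    for name in ("root", "jane.doe", "bob", "alice"):
        print(f"{name:10} -> {map_unix_to_windows(name)!s:24} {nfs_effective_access(name)}")
```

Note that "bob" is mapped by the implicit default rather than by any rule, and "alice" fails because no such account exists in the directory; that is the case to look for first when an NFS client is unexpectedly denied on an NTFS volume.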