Network and Storage Protocols

CIFS Share Authentication

Golazo
4,535 Views

Hi there,

 

We are having an issue with users authentication on CIFS shared folders.

 

The workflow is as follows:

 

We have many CIFS shares that has permissions set as everyone "full access".

We create a new user in AD.

User login into domain using this AD account.

We add this user to a group in AD that has full rights to the CIFS shares.

The user cannot access the shares. It gets access denied.

 If the user logs off and log back on into Windows, it can access the share succesfully.

 

This happens to every CIFS share in the environment. Customer is running 8.2.2P2.

 

Thank you for your time!

2 REPLIES 2

hariprak
4,513 Views

Hi,

 

Hope the below KB article helps, which describes about how to troubleshoot Microsoft Client permission issues on a NetApp 7-Mode storage system

https://kb.netapp.com/support/index?page=content&id=1012304

 

Thanks

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

mbeattie
4,449 Views

Hi,

 

You mentioned your process is:

 

  1. create a new user in AD.
  2. login into domain using the AD account.
  3. add the user to a group in AD that has full rights to the CIFS shares.

Have you considered changing this process? I would advise:

 

  1. create a new user in AD.
  2. add user to a group in AD that has full rights to the CIFS shares.
  3. login into domain using AD account.

The reason why i suggest adding the AD user to the AD group BEFORE the user logs on to the domain is to ensure the SID of AD group that is used to control access to the CIFS share is included in the users kerberos ticket which is granted to user at logon by a domain controller. If the user logs on and they are NOT a member of the AD group that controlls access to the CIFS share then the group SID will not be in the users kerberos ticket... hence when the user requests to access the resource they will recieve "access denied" but when they log off\logon (and recieve a new kerberos ticket containing the SID of the AD groups that controlls access to the share) they can access the share.

 

Hope that helps

 

/matt

 

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Public