2012-06-13 05:18 AM
IHAC who needs to narrow access to some shares from only a few Windows clients.
The behavior they want is the same as for a NFS mount only available to some NFS clients.
This NetApp controller is NTFS-only, so there are only NTFS qtrees and no UNIX rights anywhere.
What is available today on their controller:
- Every share has a security ACL specifying the users and groups who can access the share.
- The issue is that shares are available from any Windows client in the domain.
What they would like:
- For some shares, they want only some PCs to have access to the share.
Does anyone have an idea?
2012-06-13 01:08 PM
You have a CIFS share option: cifs.enable_share_browsing. It's ON by default. This feature, when turned off, prevents users from seeing directories they do not have permission to access. Please let me know if this works.
2012-06-13 11:57 PM
I believe you are looking to restrict access to the share from some client PCs even though the logged-in user has access to it. Unfortunately, you cannot apply client-based restrictions on the shares. Windows allows user-based restrictions, and so does ONTAP.
The other way is to restrict the users who have access to the shares from logging into those client machines, through local access in the security policy, but not on a share basis.
2012-06-14 12:04 AM
@Scott and Sudheer
The goal was to restrict access to the share to only some PCs, so a user can access the share from PC1 but cannot from PC2.
So "cifs shares" command or "cifs access" commands are no help here, neither is the browsing option.
2012-06-14 12:07 AM
Thank you kodavali, this is what I am trying to do.
I was thinking of using the "IP-qual" tag in the usermap.cfg file, but I think it won't help here since it is an NTFS-only filer.
So I will tell the customer it is not possible due to a CIFS limitation.
2012-06-14 06:14 AM
Probably not something that helps you right now, but it might be good to know for the future:
This can be done in Data ONTAP Cluster-Mode using export policies - these work for all file protocols.
2012-06-14 08:08 AM
You're right: it might be useful in the future. This customer has an old filer running ONTAP 7.3.6 and won't update it before they buy another one.
2013-03-18 04:36 PM
I think you might have a solution by now.
Export-policy is for IP access limitation; you can create/apply it at the vserver or volume level.
ACL is for user ID level limitation.