Problems with CIFS / NTFS security settings

benbinskin

I'm at a bit of a loss here. We have a new filer and are in the process of migrating all our existing Windows shares into CIFS shares. We have been using Robocopy to do this for us to ensure all the existing NTFS permissions are carried across.

The setup is quite simple ... two root shares - GroupDrives / UserDrives both set for everyone to access, so that the single point of control is NTFS / ABE

UserGroupDirs /vol/UserGroupDirs                User Groups Share
             ... access based enum supported
                        everyone / Full Control
UserHomeDirs /vol/UserHomeDirs                 User Home Drives Share
             ... access based enum supported
                        everyone / Full Control

NTFS security on both shares is the same

     - Domain Admins - Full - This folder, subfolders and files

     - Domain Users - Read - This folder only

     - File Share Admins - Modify - This folder, subfolders and files

     - Helpdesk Admins - Modify - This folder, subfolders and files

Security was added to the shares through computer management before the migration began, and we have had no major issues until now.

Here is where the issues start:

     - The checkbox for 'Allow inheritable permissions ...' is unticked and if checked and applied, the settings do not stick.

     - Under the UserHomeDirs share I have another folder shared for terminal services profiles. Existing user content is present, but Windows will no longer auto-create profiles in it, as it gives a permission denied error 'does not have access to the resource' during logon for new users. The user account does have access and can create folders manually.

     - We have an AS/400 using a QNTC service account in our AD to access our Windows shares. It is a member of Domain Admins, so should have complete access to the filer (Domain Admins are also a member of the admins group on the filer). Yet when browsing it can only see the UserHomeDirs share; it cannot see the UserGroupDirs share at all, and we have a number of scheduled jobs that drop content in folders under the root share which do not work.

In my haste I have made the error of adding the QNTC account to the NTFS permissions on the root of the UserGroupDirs, simply to give it read-only access to the top-level share (although it is a member of Domain Admins and Domain Admins already has full access), and that has been applying for the last 45 minutes. For some other reason the read-only box is now checked and greyed out, but I can uncheck it (is this because the other security settings are still being applied?).

Any thoughts would be greatly appreciated

Cheers - Ben

cedric_renauld

Hi,

We have the same problem with the QNTC ...

Do you have an answer?

Thanks

benbinskin

Unfortunately no, I have not received any replies.

winchell0

We had the same issue. IBM said NetApp CIFS is not supported.

reena

Ben,

In your case,

1. First of all, you are seeing the NTFS security of "/vol/UserGroupDirs", which is the top-level folder itself for the volume "UserGroupDirs". Ideally you are not inheriting anything at this level; that's why you're seeing the "Allow inheritable... " box unchecked.

2. For both the shares, the NTFS security is as listed below:

NTFS security on both shares is the same

     - Domain Admins - Full - This folder, subfolders and files

     - Domain Users - Read - This folder only

     - File Share Admins - Modify - This folder, subfolders and files

     - Helpdesk Admins - Modify - This folder, subfolders and files

Here you don't show any read/write permissions for the Domain Users for the subfolders and files. In that case any "terminal services profiles" folder created underneath is not going to see any read/write or change permissions being inherited from the top (UserHomeDirs). I'm thinking that might have been the reason for the error for the user profiles.

3. For the QNTC account, the screenshot shows the "read and execute" permissions for "This folder only". Try to make it for all the subfolders and files and see if that helps.

You'd also need to check whether any of the subfolders underneath these 2 top-level folders are inheriting permissions from the top; otherwise you'd need to replace permissions on the child objects from the top level.

Hope this helps,

Reena
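
The inheritance check suggested in the reply above, as an added example that is not part of the original thread: it lists every ACE on a share root and its subfolders, showing whether the ACE is scoped to "This folder only" and whether the folder has inheritance from its parent switched off. The UNC path `\\filer\UserHomeDirs` and the function name `Get-AclInheritanceReport` are assumptions for illustration.

```powershell
# Added example. The default UNC path is an assumed placeholder; pass your own with -Root.
param(
    [string]$Root  = '\\filer\UserHomeDirs',
    [int]   $Depth = 1      # how many levels below the root to inspect
)

function Get-AclInheritanceReport {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        # InheritanceFlags = None is what the GUI shows as "This folder only":
        # folders and files created underneath never receive this ACE.
        $scope = if ($ace.InheritanceFlags -eq 'None') { 'This folder only' }
                 else { "Propagates ($($ace.InheritanceFlags))" }

        [pscustomobject]@{
            Path               = $Path
            # True = the "Allow inheritable permissions ..." box is unticked here.
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Identity           = $ace.IdentityReference.Value
            Type               = $ace.AccessControlType
            Rights             = $ace.FileSystemRights
            Scope              = $scope
            # False = the ACE was set explicitly on this folder, not inherited.
            Inherited          = $ace.IsInherited
        }
    }
}

# Root first, then its subfolders down to the requested depth.
$children = @(Get-ChildItem -LiteralPath $Root -Directory -Depth $Depth |
              Select-Object -ExpandProperty FullName)
$report = @($Root) + $children | ForEach-Object { Get-AclInheritanceReport -Path $_ }

$report | Format-Table -AutoSize

# Folders that will not pick up permission changes made at the top level.
$report | Where-Object InheritanceBlocked |
    Select-Object -ExpandProperty Path -Unique
```

A root ACE reported as "This folder only" (such as the Domain Users and QNTC entries described in the thread) grants nothing on child folders, and any subfolder listed by the final pipeline ignores ACEs changed at the root until permissions are replaced on it.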
