Solved: Re: CIFS only Domain Admin has Access

Tom29 · ‎2015-10-28

Hi Community,

we purchased a new Netapp 8020 AFF with Clustered Data Ontap 8.3.1 installed. It's our first cDot System so I'm pretty new to this stuff.

I've created some CIFS shares for Users on our Windows 2008 R2 Domain.

Accessing the CIFS share with Domain Admin User worked well, but the share isn't accessible as a simple User with Domain User privileges.

After typing the login credentials of the User in the Win Explorer it takes about 15 Second then i get the User/PW promt again.

Adding the User to the Domain Admin Group in Active Directory makes the share accessible immediately.

The Volume is set so Security Style "NTFS".

The User is added to Share Permissions of the CIFS Share (Full Control)

Following Share Options set via OnCommand:

Enable as read/write
Enable Oplocks
Browsable
Notify Change

Disabling the SMB3 Protocol does not change the issue so i turn it back on because of our Windows 2012 Servers.

The vserver cifs options show command delivers following configuration:

Client Session Timeout: 900
                              Copy Offload Enabled: true
                                Default Unix Group: -
                                 Default Unix User: -
                                   Guest Unix User: -
               Are Administrators mapped to 'root': true
           Is Advanced Sparse File Support Enabled: true
                  Direct-Copy Copy Offload Enabled: false
                           Export Policies Enabled: false
                          Is Advertise DFS Enabled: false
                                    Is DAC Enabled: false
                      Is Fake Open Support Enabled: true
                             Is Local Auth Enabled: true
                 Is Local Users and Groups Enabled: true
                               Is Referral Enabled: false
             Is Search Short Names Support Enabled: false
Is Trusted Domain Enumeration And Search Enabled: true
                        Is UNIX Extensions Enabled: false
          Is Use Junction as Reparse Point Enabled: true
    Maximum Length of Data Zeroed by One Operation: 32MB
                               Max Multiplex Count: 255
              Max Same User Session Per Connection: 2050
                 Max Same Tree Connect Per Session: 50
                      Max Opens Same File Per Tree: 800
                          Max Watches Set Per Tree: 100
    NT ACLs on UNIX Security Style Volumes Enabled: true
                                  Read Grants Exec: disabled
                                  Read Only Delete: disabled
                  Reported File System Sector Size: 4096
                                Restrict Anonymous: no-restriction
                              Shadowcopy Dir Depth: 5
                                Shadowcopy Enabled: true
                  Max Buffer Size for SMB1 Message: 65535
                                      SMB2 Enabled: true
                                      SMB3 Enabled: true
                                      WINS Servers: -

PS: i used the search function it delivers me this:

http://community.netapp.com/t5/Network-Storage-Protocols-Discussions/CIFS-only-accessible-by-Domain-Admins/m-p/46472#M4228

But there is no solution to my problem.

Thanks for your response.

aborzenkov · ‎2015-10-30

For CIFS access user mapping from Windows to Unix MUST succeed, even for access to folders with ntfs security style. In Windows-only environment it means, default Unix user MUST be defined as fallback. Which is pretty much confirmed by your disabling of Administrator-to-Unix mapping.

Set default Unix user in properties, make sure this user is also defined in SVM.

View solution in original post

pg2aude · ‎2015-10-30

Got the same Issue. Domain Admins have access, all other domain user do not.

I thougth about Admin<>root mapping...

Just tried setting the option
vserver cifs options modify -vserver vserver_cifs -is-admin-users-mapped-to-root-enabled false... and the same behaviour occurs with the domain admin user at accessing the cifs share.

something is wrong with access credentials ntfs/unix

Any ideas??

aborzenkov · ‎2015-10-30

For CIFS access user mapping from Windows to Unix MUST succeed, even for access to folders with ntfs security style. In Windows-only environment it means, default Unix user MUST be defined as fallback. Which is pretty much confirmed by your disabling of Administrator-to-Unix mapping.

Set default Unix user in properties, make sure this user is also defined in SVM.

Tom29 · ‎2015-11-02

Thank's aborzenkov

this sloved my problem.

Have a nice Day

MICKEHOE · ‎2016-04-18

Hi Guys,

We are having the exact smae problem here. Could you give some more detail on how exactly you resolved this??

Thanks

Michael.

georgevj · ‎2016-04-20

use the following command to see if there is any unix user accounts existsing within your SVM.

cluster::> vserver services name-service unix-user show -vserver SVM_NAME

There must be a user account called 'pcuser'. If not, create one by "vserver services name-service unix-user create" command.

After that, you may set the default unix user value by,

cifs options modify -vserver SVM_NAME -default-unix-user pcuser

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.
Cannot find the answer you need? No need to open a support case - just CHAT and we’ll handle it for you.