I created a vfiler for one of our customers to use as a CIFS server. The customer should be able to administer CIFS by himself over the MMC.
I created a group CIFSAdmins and attached the a new role with the following capabilities: api-cifs-list-*,api-cifs-session-*,api-cifs-share-*,api-quota-*,api-cifs-homedir-*
The strange issue is that with this capabilities an ACCESS DENIED message is displayed on shares. For testing purposes I added the customer to the power user group, everything works fine but the customer is still able to change the members of the local groups. The default capabilities for the power user group is
Allowed Capabilities: cli-cifs*,cli-exportfs*,cli-nfs*,cli-useradmin*,api-cifs-*,api-nfs-*,login-telnet,login-http-admin,login-rsh,login-ssh
So I changed the power role to
Allowed Capabilities: cli-cifs*,api-cifs-*,login-telnet,login-http-admin,login-rsh,login-ssh
but no change happened, still able to create new groups and change the members of the group.
Which capabilities should be allowed on a rule to have the rights to only do CIFS administration tasks?