CIFS share ignores group permissions

consorcisg
10,657 Views

Hi all,

I have a shared volume (not a qtree) in CIFS mode.

I've created an AD group (LABWIN\FabricaRetiradesLectura) that has one member: LABWIN\imatges

DISC1> wcc -s LABWIN\imatges
(NT - UNIX) account name(s):  (LABWIN\imatges - imatges)
        ***************
        UNIX uid = 245
        user is a member of group program (100)
        user is a member of group group (50)
        user is a member of group program (100)
        NT membership
                LABWIN\imatges
                LABWIN\Usuarios de Acceso Web remoto de Windows SBS
                LABWIN\Usuarios de fax de Windows SBS
                LABWIN\Windows SBS SharePoint_MembersGroup
                LABWIN\Usuarios del vínculo de Windows SBS
                LABWIN\FabricaRetiradesLectura
                LABWIN\Usuarios del dominio
                BUILTIN\Users
        User is also a member of Everyone, Network Users,
        Authenticated Users
        ***************

DISC1> fsecurity show /vol/FABRICA/proves
[/vol/FABRICA/proves - Directory (inum 161953)]
  Security style: NTFS
  Effective style: NTFS
  DOS attributes: 0x0030 (---AD---)
  Unix security:
    uid: 0 (root)
    gid: 1 (daemon)
    mode: 0777 (rwxrwxrwx)
  NTFS security descriptor:
    Owner: BUILTIN\Administrators
    Group: LABWIN\Usuarios del dominio
    DACL:
      Allow - LABWIN\FabricaRetiradesLectura - 0x001f01ff (Full Control) - OI|CI
      Allow - LABWIN\Administrador - 0x001f01ff (Full Control) - OI|CI

Although the folder has NTFS permissions for this group, and the user is a member of the group, I can't access the folder:

DISC1> Mon Jun  4 12:56:48 CEST [DISC1:auth.trace.authenticateUser.loginTrace:info]: AUTH: Login attempt by user imatgesxp$ of domain LABWIN from client machine 192.168.1.56.
Mon Jun  4 12:56:48 CEST [DISC1:auth.trace.spnegoAuthentication.statusMsg:info]: AUTH: SPNEGO- Attempting to map PC user to UNIX user imatgesxp$.
Mon Jun  4 12:56:48 CEST [DISC1:auth.trace.mapNTToUnix:info]: AUTH: Mapping Windows user imatgesxp$ to Unix user pcuser.
Mon Jun  4 12:56:48 CEST [DISC1:auth.trace.authenticateUser.loginAccepted:info]: AUTH: Login by imatgesxp$ from 192.168.1.56 accepted.
Mon Jun  4 12:56:48 CEST [DISC1:sectrace.filter.denied:info]: [sectrace index: 1] Access denied because 'Read Control, Read EA, Read' permission (0x20009) is not granted on file or directory (Access denied because the requested permissions are not granted by the access control entries) - Status: 1:15271460868:32:67 - 192.168.1.56 - NT user name: LABWIN\imatges - UNIX user name: imatges(245) - Qtree security style is NTFS and NT ACL is set on file/directory - Path: /vol/FABRICA/proves
Mon Jun  4 12:56:48 CEST [DISC1:sectrace.filter.denied:info]: [sectrace index: 1] Access denied because 'Read' permission (0x1) is not granted on file or directory (Access denied because the requested permissions are not granted by the access control entries) - Status: 1:239075332:32:192 - 192.168.1.56 - NT user name: LABWIN\imatges - UNIX user name: imatges(245) - Qtree security style is NTFS and NT ACL is set on file/directory - Path: /vol/FABRICA/retirades/*
Mon Jun  4 12:56:49 CEST [DISC1:sectrace.filter.denied:info]: [sectrace index: 1] Access denied because 'Read Control, Read EA, Read' permission (0x20009) is not granted on file or directory (Access denied because the requested permissions are not granted by the access control entries) - Status: 1:15271460868:32:67 - 192.168.1.56 - NT user name: LABWIN\imatges - UNIX user name: imatges(245) - Qtree security style is NTFS and NT ACL is set on file/directory - Path: /vol/FABRICA/retirades
Mon Jun  4 12:56:49 CEST [DISC1:sectrace.filter.denied:info]: [sectrace index: 1] Access denied because 'Read' permission (0x1) is not granted on file or directory (Access denied because the requested permissions are not granted by the access control entries) - Status: 1:239075332:32:192 - 192.168.1.56 - NT user name: LABWIN\imatges - UNIX user name: imatges(245) - Qtree security style is NTFS and NT ACL is set on file/directory - Path: /vol/FABRICA/proves/*
Mon Jun  4 12:56:50 CEST [DISC1:sectrace.filter.denied:info]: [sectrace index: 1] Access denied because 'Read Control, Read EA, Read' permission (0x20009) is not granted on file or directory (Access denied because the requested permissions are not granted by the access control entries) - Status: 1:15271460868:32:67 - 192.168.1.56 - NT user name: LABWIN\imatges - UNIX user name: imatges(245) - Qtree security style is NTFS and NT ACL is set on file/directory - Path: /vol/FABRICA/proves

Sectrace says this:

DISC1> sectrace print-status 1:15271460868:32:67
Access allowed because requested permission is granted on parent directory.
    - Access allowed by an explicit access control entry.
Access denied because requested permission is not granted on file or directory.
    - Access allowed by share-level ACL.
    - Access denied because the requested permissions are not granted by the access control entries.

Am I doing something wrong?

Thank you!
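A small decoder for the sectrace denial lines and the DACL mask shown above, added here as an example (it is not code from the post or from NetApp). The sample log lines and the ACE mask are constructed to match the post, and the bit names are the standard Windows ACCESS_MASK rights; it shows that the requested mask 0x20009 lies entirely within the group's 0x001f01ff ACE, so the denial means that ACE was not applied to the user's token rather than that the ACE lacked rights.

```python
"""Decode NetApp 7-mode sectrace denials against the NTFS ACE mask.
Added example, not code from the original post or from NetApp; the log
lines and the ACE mask are constructed to match what the post shows."""
import re

# Standard Windows ACCESS_MASK bits for files and directories.
ACCESS_BITS = {
    0x000001: "Read", 0x000002: "Write", 0x000004: "Append", 0x000008: "Read EA",
    0x000010: "Write EA", 0x000020: "Execute", 0x000040: "Delete Child",
    0x000080: "Read Attributes", 0x000100: "Write Attributes", 0x010000: "Delete",
    0x020000: "Read Control", 0x040000: "Write DAC", 0x080000: "Write Owner",
    0x100000: "Synchronize",
}
FULL_CONTROL = 0x001F01FF  # the ACE mask fsecurity showed for the group
DENIED_RE = re.compile(
    r"sectrace\.filter\.denied.*?permission \((?P<mask>0x[0-9a-fA-F]+)\)"
    r".*?NT user name: (?P<nt>\S+).*?Path: (?P<path>\S+)"
)

def decode_mask(mask):
    """Names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def dacl_covers(granted_mask, requested_mask):
    """True when every requested bit is present in the granting ACE's mask."""
    return requested_mask & ~granted_mask == 0

def parse_denied(lines, granted_mask=FULL_CONTROL):
    """Per denied line: user, path, requested rights, and whether the ACE mask alone covers them."""
    hits = []
    for line in lines:
        m = DENIED_RE.search(line)
        if not m:
            continue  # auth.trace and other non-denial lines are skipped
        mask = int(m.group("mask"), 16)
        hits.append({"nt_user": m.group("nt"), "path": m.group("path"),
                     "rights": decode_mask(mask),
                     "covered_by_ace": dacl_covers(granted_mask, mask)})
    return hits

# Constructed sample lines in the format quoted in the post.
SAMPLE = [
    r"Mon Jun  4 12:56:48 CEST [DISC1:sectrace.filter.denied:info]: Access denied because "
    r"'Read Control, Read EA, Read' permission (0x20009) is not granted on file or directory"
    r" - 192.168.1.56 - NT user name: LABWIN\imatges - UNIX user name: imatges(245) - Path: /vol/FABRICA/proves",
    r"Mon Jun  4 12:56:48 CEST [DISC1:sectrace.filter.denied:info]: Access denied because "
    r"'Read' permission (0x1) is not granted - NT user name: LABWIN\imatges - Path: /vol/FABRICA/retirades/*",
    "Mon Jun  4 12:56:48 CEST [DISC1:auth.trace.authenticateUser.loginAccepted:info]: AUTH: ok",
]
```

Run `parse_denied(SAMPLE)` against a real sectrace capture to see, per path, which rights the client asked for and whether the ACE you expected to match could have granted them.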

7 REPLIES

mehmeterdogan

Hi,

Are you still having the problem? If you have figured out this problem, then tell me what the solution is.

Thank you.

balazs_gluck

Hey all!

It would be great to know what is causing this... please help us.

Thanks

stanleyj42

I was just about to create a post on this very issue. I am even having issues with users or groups that I add to the CIFS share not showing up at all. I'm not much on the command line side, so I used OnCommand to create the share and added our network admins group, and all was fine. I then added an individual user to this share and they show in the OnCommand console, but the user does not have access. I connected using Computer Management in Windows to look at the share permissions and the user is not listed.

FAS3270, 8.0.2P6 7-Mode

ashoksan

Please try the following steps:

  • Execute 'wcc -s <ntname> -x' on the filer.

OR

  • Execute 'wcc -x' on the filer. (wcc -x will invalidate the entire credential cache, so be aware that this may result in increased traffic from the filer to AD for a little while until the WAFL Credential Cache (wcc) is repopulated.)
  • If it asks for confirmation, give 'yes'.

Now, try accessing the volume from the client.

Please let me know if it works.

(For more info, try 'man wcc' on the filer.)

robertr

Hi,

We experience the same issue. Is this resolved? I would appreciate it if we could get an answer on how this issue was resolved. Thank you.

it_3

I tried what Ashok suggested, but it didn't fix the problem. We have the same issue; any help would be appreciated. This seems like fairly basic functionality that shouldn't be this difficult to solve. We had no problem with our old NetApp; it had this functionality out of the box.

SUNNINHO10

I ran into the same problem after granting a domain group access to a CIFS share. It was only after checking the AD Group Type that I found the root cause: it was set to Distribution and not to Security. After changing the Group Type to Security, I was able to access the CIFS share using a user account from within the group. Hopefully, this solves some of the issues out there.