Network and Storage Protocols

Cannot view/assign filer local accounts when editing NTFS permissions through Windows.

simon_austin
5,809 Views

Hi all,

I am currently trying to recreate one of our production setups in a test environment but I appear to be off track somewhere which I am hoping someone can help with. Sorry but this is going to be a bit long winded.

The filer is operating in a Workgroup setup and this was selected during "cifs setup". It is a FAS3020 cluster with ONTAP 7.3.5.1P5. The client machine I am working from is Windows 2008 R2. Qtree security on the share is set to NTFS.

As per the subject line I am unable to assign local filer accounts to the NTFS ACLs in Windows. I have no issues creating the share permissions and connecting to the share. The NTFS permissions have defaulted to Everyone full control so I have no problem creating folders, files etc. I am also able to control the share permissions via Computer Management.

However, when I go through the routine of Security/Edit Permissions/Add and try and enter the name of any local user account on the filer I am prompted for a password. Now I have tried every combination of domain\user and user@domain with various administrative users on the filer. Regardless of what I type, including blatantly incorrect credentials, it just comes back that it can't find the local account I am trying to add.

I have attached a couple screenshots to aid my description. Now if I instead click "Advanced/Find now" instead of entering a user name I am given a list of of default groups and active 'states' to choose from (e.g. Authenticated Users, INTERACTIVE, ANONYMOUS) but I can't see any of the local accounts.

Now as I said at the start we currently have a prod setup with local accounts that was configured before my time at the company. Now when I try and modify this setup by adding additional local accounts to the NTFS ACLs I get the same issue, UNLESS I do it from the Administrative Host, from which all local filer accounts are visible when modifying the ACLs and I DO NOT need to enter a password.

So it  would seem like a permissions issue, or perhaps the administrative host setting?  but this wasn't my understanding of what the administrative host was, and even if it was, the test cluster had its administrative host set to blank, which I assumed ment any host was an admin host. Regardless, I have tried changing "options admin.hosts" to the IP of the server I have been working from, and it still doesn't allow me to see the users and still prompts me for a username and password (that is apparently never enough).

The production cluster that I can modify from the admin host is 3140 running 7.3.2. I have done a side by side comparison off all options under priv set advanced and I cannot see anything relevant that is mismatched between the two setups.

If anyone has any ideas, I would be very very grateful... heck I'm impressed if you just read the entire post

Simon

3 REPLIES 3

kodavali
5,809 Views

on 2008 R2 machine, try login with a local administrator privliges and try setting permissions on the share.

stsadmin
5,809 Views

Before you start computer manager on the Windows server and connect to the filer, firstly map a drive to the C$ share on the filer, ie \\filername\c$, with a local administrator account credentials, ie filername\root password. Now when you connect to the filer via computer manager you should be able to manage permissions.

As a matter of interest I always use Windows 2003 computer manager as I find Windows 2008 throws a number of access denied messages when setting permissions even though it goes on to works!

simon_austin
5,809 Views

Thank you both for your suggestions. I had been logging in with the local Administrator account and had been mapping the test share with local filer admin credentials without success. I tried mapping \\filername\c$ with a local filer admin prior to using computer manager as per your suggestion and unfortunately this did not work either.

I have, however, managed to get it working... and it all seems very very weird. I had been trying to emulate the setup that was working to figure out what possible difference there could be, and nothing was helping. In the end the difference was that it wouldn't work if I was logged in as the local 'Administrator' account on the Windows machine... I had to use ANY other user that was a member of the Windows machine's 'Administrators' group!

I have no idea why that is, but I verified it from 3 different Windows 2008 boxes (one vanilla, two R2) and two unique cluster setups. 'Administrator' account doesn't work, but 'named' admin users do. Furthermore, it didn't matter what filer account I used to map the share as long as it had full control share permissions, even accounts in the 'guests' local group on the filer (which is how it should be). I would of tested 2003 but I do not have a 2003 servers in either environment.

If anyone has any ideas as to this behaviour, I am very curious... but also very relieved to have found a 'solution'.

Public