Network and Storage Protocols

Need help to access a CIFS share in Unix

mjossupp123
12,699 Views

Hi,

I need help with accessing a CIFS share on an Unix server. This share is mixed style in qtree.

The share is accessible from windows server through a specific account "_NASVOLsrv".

This account is mapped to root unix account in the usermap.cfg file. I am able to mount this share but when I try to access this share I get permission denied.

The windows name for the share is nassharet01 while Unix name is /vol/nasvol01.

#cifs access

nassharet01      /vol/nasvol01
                        nascorp\_NASVOLsrv / Full Control
                        nascorp\administrator / Full Control

Usermap.cfg file  have the following entries -

administrator == root

nascorp\_NASVOLsrv == root

nascorp\administrator == root

nas1ft01:/vol/nasvol01
                   633339904 411197072 222142832   65% /nas/nas1ft01/cbmsharet01

# cd /nas/nas1ft01/cbmsharet01
ksh: /nas/nas1ft01/cbmsharet01: permission denied

Any inputs provided for this issue will be greatly appreicated.

Thanks

18 REPLIES 18

magnus_emmoth
12,634 Views

I am not sure but I think you need to mount the same path in both CIFS and NFS.

CIFS is only for Windows and if you need a mount point in Linux you need to use NFS.

So I believe the answer is that you should just mount the same CIFS shared path with NFS as well.


Magnus

mjossupp123
12,634 Views

Thanks, the share is also setup in NFS.

magnus_emmoth
12,634 Views

Did you configure the NFS export to have read-write access for all hosts? or you have to specify the host you want to be able to access the NFS export.

Magnus

magnus_emmoth
12,634 Views

Did you say the following path is the volume: /vol/nasvol01  ?

Do you have a Qtree in that path? or where is it?

Magnu

mjossupp123
12,634 Views

Yes Qtree is there & the volume where the Qtree resides is nasvol01

magnus_emmoth
12,636 Views

What is the name of the Qtree?

I had a similar problem and I could not either access the volume, however when I changed the mount path to include the Qtree, everything worked.

Maybe that could help or maybe that is how it is setup already?

So the new NFS mount would be: /vol/nasvol01/'QtreeName'/

Magnus

mjossupp123
12,636 Views

nasvol01 is the name of the Qtree.

It is already mounted with the Qtree name

nas1ft01:/vol/nasvol01
                   633339904 411197072 222142832   65% /nas/nas1ft01/cbmsharet01

The fstab file has the following entry on the Unix server -

nas1ft01:/vol/nasvol01 /nas/nas1ft01/cbmsharet01 nfs rw,hard 0 0

magnus_emmoth
12,636 Views

The only other thing I can think about is to click the Export All button from NFS-Manage in FilerView, in case you have made a change to the configuration.

Magnus

mjossupp123
10,259 Views


I did a export all but that too didnt work.

Do you think anythins is wrong with the mapping that is done in the usermap.cfg file

administrator == root

nascorp\_NASVOLsrv == root

nascorp\administrator == root

The share is accessible on windows server using the domain account "_NASVOLsrv"

This same account is mapped to root.

Do you thin anything is wrong over here.

Thanks.

mjossupp123
10,258 Views

The Qtree style is mixed, so that the share can be mounted on both Unix & Windows.

adamfox
10,258 Views

That is a big misconception.  Unix and NTFS style qtrees can be mounted by any protocol.  The security style determines which protocol can change permissions on files, which is different from mounting.

adamfox
10,259 Views

If you think you have a mapping issue, you can use the wcc command to see how your user is being mapped.  In this case, you are looking root could be mapped to a couple of users.

So I would check the folllowing command:

netapp> wcc -u root

And see the mapping.  Then I would go in under CIFS (which I think is working, right?) and see what the local NTFS ACL is on that directory where you are getting permission denied.

That may tell an interesting story.

addanki
10,259 Views

Mixed mode security style works a bit different. At any given point the effective security style could be either UNIX or NTFS. Run the following command on the filer console to see the effective permissions and make sure that the user has the required access.

“fsecurity show ”

Srinivas

mjossupp123
10,259 Views

nas1ft01*> wcc -u root
Thu Jun 17 07:13:41 EDT [nas1ft01: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: LSA lookup: Located account "nascorp\administrator" in domain "nascorp"..
(NT - UNIX) account name(s):  (nascorp\administrator - root)
        ***************
        UNIX uid = 0
        user is a member of group daemon (1)
        user is a member of group daemon (1)

        NT membership
                nascorp\administrator
                nascorp\Domain Users
                nascorp\CERTSVC_DCOM_ACCESS
                BUILTIN\Administrators
                BUILTIN\Users
        User is also a member of Everyone, Network Users,
        Authenticated Users
        ***************
nas1ft01*> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
nassharet01  /vol/nasvol01
                        nas1ft01\cbm / Full Control
                        S-1-5-21-1500466018-1955613541-1209563102-131076 / Full Control
                        nas1ft01\_CBMNASsrv / Full Control
                        nascorp\_CBMNASsrv / Full Control
                        nascorp\administrator / Full Control
nas1ft01*>

nh1ns1t01*> fsecurity show /vol/nasvol01
[/vol/nasvol01 - Directory (inum 64)]
  Security style: NTFS
  Effective style: NTFS

  DOS attributes: 0x0030 (---AD---)

  Unix security:
    uid: 0 (root)
    gid: 0 (daemon)
    mode: 0777 (rwxrwxrwx)

  NTFS security descriptor:
    Owner: BUILTIN\Administrators
    Group: BUILTIN\Administrators
    DACL:
      Allow - nascorp\_CBMNASsrv - 0x001301bf (Modify) - OI|CI
      Allow - nascorp\Domain Admins - 0x001f01ff (Full Control) - OI|CI
      Allow - DEVCORP\G_NAS_CBM_RO_FPDEV - 0x001200a9 (Read and Execute) - OI|CI
      Allow - DEVCORP\G_NAS_CBM_RW_FPDEV - 0x001301bf (Modify) - OI|CI
      Allow - nascorp\NAS_ADMIN - 0x001f01ff (Full Control) - OI|CI
      Allow - nascorp\NAS_CBM_RO - 0x001200a9 (Read and Execute) - OI|CI
      Allow - nascorp\NAS_CBM_RW - 0x001301bf (Modify) - OI|CI
      Allow - nascorp\root - 0x001301bf (Modify) - OI|CI
      Allow - DEVCORP\wrolson - 0x001301bf (Modify) - OI|CI

I am able to cd to the share, but when I do an ll, I get unreadable.

# cd /nas/nas1ft01/cbmsharet01
# ll
. unreadable
total 8

mjossupp123
8,694 Views

And if I do an fsecurity show for dirs inside the share I get different owners than that on the volume


NTFS security descriptor:
    Owner: DEVCORP\wrolson
    Group: DEVCORP\Domain Users

aborzenkov
8,694 Views

According to output provided, neither of Windows groups (and users) to which root is mapped has access to directory. So results are completely correct.

RAMACHANDRA_EA
8,693 Views

I also facing the same problem. unable to access cifs shares(ntfs qtree) from unix machine. NT user have full access to the shares and mapped that nt user with root. getting permission denied error.

some one please help here to solve this issue.

Public