Preventing access from some Windows clients to a CIFS share

2012-06-13
05:18 AM
Hi,
IHAC who needs to narrow access to some shares from only a few Windows clients.
The behavior they want is the same as for an NFS mount only available to some NFS clients.
This NetApp controller is NTFS-only, so there are only NTFS qtrees and no Unix rights anywhere.
What is available today on their controller:
- every share has some security ACL specifying users and groups who can access the share.
- the issue is that shares are available from any Windows client in the domain
What they would like:
- For some shares, they want only some PCs to have access to the share.
Does anyone have an idea?
Best regards,
Regis
Hi,
You have a CIFS share option: cifs.enable_share_browsing. It's ON by default. This feature, when turned off, prevents users from seeing directories they do not have permission to access. Please let me know if this works.
Cheers,
Sudheer.
You can also enable it per CIFS share with cifs shares -change share -accessbasedenum
@Scott and Sudheer
Hi,
The goal was to restrict access to the share to only some PCs, so a user can access the share from PC1 but cannot from PC2.
So the "cifs shares" command or "cifs access" commands are no help here, and neither is the browsing option.
Regis
migration has accepted the solution
I believe you are looking to restrict access to the share from some client PCs even though the logged-in user has access to it. Unfortunately, you cannot apply client-based restrictions on the shares. Windows allows user-based restrictions, and so does ONTAP.
The other way is to restrict the users who have access to the shares from logging into those client machines through local access in the security policy, but not on a share basis.
Thank you kodavali, this is what I try to do.
I was thinking of using the "IP-qual" tag in the usermap.cfg file, but I think it won't help here since it is an NTFS-only filer.
So I will say to the customer that it is not possible due to a CIFS limitation.
Regis
Probably not something that helps you right now, but it might be good to know for the future:
This can be done in Data ONTAP Cluster-Mode using export policies - these work for all file protocols.
--erik
@sterna
You're right: it might be useful in the future. This customer has an old filer running ONTAP 7.3.6 and won't update it before they buy another one.
Regis
Hi Regis,
I think you might have a solution by now.
Export-policy is for IP access limitation; you can create/apply it at the vserver or volume level.
ACL is for user id level limitation.
Thanks
Glen
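
Added example, not part of the thread and not NetApp's own documentation: a sketch of the clustered Data ONTAP export-policy approach described in the last replies, limiting CIFS access to a volume to two client PCs. The names vs1, restricted_pcs, vol_finance and the 192.0.2.x addresses are constructed placeholders, and the `#` lines are annotations for the reader. It does not apply to the 7-Mode 7.3.6 filer in the question.

```text
# Constructed names: Vserver vs1, policy restricted_pcs, volume vol_finance,
# allowed clients 192.0.2.10 and 192.0.2.11 (documentation address range).

# 1. Create an export policy that will hold the allowed clients.
vserver export-policy create -vserver vs1 -policyname restricted_pcs

# 2. Add one rule per allowed PC, limited to the CIFS protocol.
#    A client that matches no rule in the policy gets no access.
vserver export-policy rule create -vserver vs1 -policyname restricted_pcs -ruleindex 1 -clientmatch 192.0.2.10 -protocol cifs -rorule krb5,ntlm -rwrule krb5,ntlm
vserver export-policy rule create -vserver vs1 -policyname restricted_pcs -ruleindex 2 -clientmatch 192.0.2.11 -protocol cifs -rorule krb5,ntlm -rwrule krb5,ntlm

# 3. Attach the policy to the volume that backs the share.
volume modify -vserver vs1 -volume vol_finance -policy restricted_pcs

# 4. On releases where export policies are not enforced for SMB by default,
#    turn enforcement on for the Vserver (advanced privilege option).
set -privilege advanced
vserver cifs options modify -vserver vs1 -is-exportpolicy-enabled true
set -privilege admin

# 5. Review the resulting rules.
vserver export-policy rule show -vserver vs1 -policyname restricted_pcs
```

The rules match on client address, so the allowed PCs need static addresses or DHCP reservations. The share ACL and NTFS permissions still decide which users get in from those PCs.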
