Network and Storage Protocols

cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Network and Storage Protocols

Ask a Question

Preventing access from some Windows clients to a CIFS share

REGIS_GARRUCHET
‎2012-06-13 05:18 AM
8,346 Views

Hi,

IHAC who needs to narrow acces to some shares from only a few Windows clients.

The behavior they want is the same as for a NFS mount only available to some NFS clients.

This Netapp controller is NTFS-only, so there is only NTFS qtrees and no unix right anywhere.

What is available today on their controller:

- every share has some security ACL specifying users and groups who can acces the share.

- the issue is that shares are available from any Windows client in the domain

What theyr would like:

- For some shares, they want only some PCs to have access to the share.

Anyone has an idea ?

Best regards,

Regis

0 Kudos
View By:
1 ACCEPTED SOLUTION
migration has accepted the solution

kodavali
NetApp
‎2012-06-13 11:57 PM
8,346 Views

I believe you are looking to restrict the access to the share from some client PCs even though the user logged in has access to it. unfortunately, you cannot apply client based restrictions on the shares. Windows allows user based restrictions so is OnTAP.

Otherway is to restric the users who has access to the shares loging into those client machines through local access in the security policy but not share base.

View solution in original post

0 Kudos
8 REPLIES 8

SUDHEER_H21
‎2012-06-13 01:08 PM
8,346 Views

Hi,

You have a CIFS share option: cifs.enable_share_browsing. It's ON by default. This feature when turned off, prevents users from seeing directories they do not have permission to access. Please let me know if this works.

Cheers,

Sudheer.

0 Kudos

scottgelb
NetApp A-Team
‎2012-06-13 01:15 PM
In response to SUDHEER_H21
8,346 Views

You can also enable per cifs share with cifs shares –change share -accessbasedenum

0 Kudos

REGIS_GARRUCHET
‎2012-06-14 12:04 AM
In response to scottgelb
8,346 Views

@Scott and Sudheer

Hi,

The goal was to restrict access of the share to only some PCs, so a user can acces to the share from PC1 but can not from PC2.

So "cifs shares" command or "cifs access" commands are no help here, neither is the browsing option.

Regis

0 Kudos
migration has accepted the solution

kodavali
NetApp
‎2012-06-13 11:57 PM
8,347 Views

I believe you are looking to restrict the access to the share from some client PCs even though the user logged in has access to it. unfortunately, you cannot apply client based restrictions on the shares. Windows allows user based restrictions so is OnTAP.

Otherway is to restric the users who has access to the shares loging into those client machines through local access in the security policy but not share base.

0 Kudos

REGIS_GARRUCHET
‎2012-06-14 12:07 AM
In response to kodavali
8,346 Views

Thank you kodavali,this what I try to do.

I was thinking using the "IP-qual" tag in the usermap.cfg file but I think it won't help here since it is a ntfs-only filer.

So I will say to the customer, it is not possible due to CIFS limitation.

Regis

0 Kudos

stjerna
NetApp
‎2012-06-14 06:14 AM
8,346 Views

Probably not something that helps you right nw but might be good to know for the future:

This can be done in Data ONTAP Cluster-Mode using export policies - these works for all file protocols.

--erik

REGIS_GARRUCHET
‎2012-06-14 08:08 AM
In response to stjerna
8,346 Views

@sterna

You're right: it might be useful in the future. This customer has an old filer running ONTAP 7.3.6 and won't update it before they buy another one.

Regis

0 Kudos

GLENYU5820
‎2013-03-18 04:36 PM
8,346 Views

Hi Regis,

I think you might have solution till now.

export-policy is for IP access limitation, you can create/apply it at the vserver or volume level.

ACL is for user id level limitation.

Thanks

Glen

0 Kudos
Announcements
All Community Forums
Public