Preventing access from some Windows clients to a CIFS share

REGIS_GARRUCHET

Hi,

IHAC who needs to narrow access to some shares from only a few Windows clients.

The behavior they want is the same as for an NFS mount only available to some NFS clients.

This NetApp controller is NTFS-only, so there are only NTFS qtrees and no UNIX rights anywhere.

What is available today on their controller:

- every share has some security ACL specifying users and groups who can access the share.

- the issue is that shares are available from any Windows client in the domain

What they would like:

- For some shares, they want only some PCs to have access to the share.

Does anyone have an idea?

Best regards,

Regis

1 ACCEPTED SOLUTION

kodavali

I believe you are looking to restrict the access to the share from some client PCs even though the user logged in has access to it. Unfortunately, you cannot apply client-based restrictions on the shares. Windows allows user-based restrictions, and so does ONTAP.

The other way is to restrict the users who have access to the shares from logging into those client machines through local access in the security policy, but not on a share basis.

8 REPLIES

SUDHEER_H21

Hi,

You have a CIFS share option: cifs.enable_share_browsing. It's ON by default. This feature, when turned off, prevents users from seeing directories they do not have permission to access. Please let me know if this works.

Cheers,

Sudheer.

scottgelb

You can also enable it per CIFS share with cifs shares -change share -accessbasedenum

REGIS_GARRUCHET

@Scott and Sudheer

Hi,

The goal was to restrict access to the share to only some PCs, so a user can access the share from PC1 but cannot from PC2.

So the "cifs shares" or "cifs access" commands are no help here, and neither is the browsing option.

Regis

REGIS_GARRUCHET

Thank you kodavali, this is what I try to do.

I was thinking of using the "IP-qual" tag in the usermap.cfg file, but I think it won't help here since it is an NTFS-only filer.

So I will tell the customer it is not possible due to a CIFS limitation.

Regis

stjerna

Probably not something that helps you right now, but it might be good to know for the future:

This can be done in Data ONTAP Cluster-Mode using export policies - these work for all file protocols.

--erik

REGIS_GARRUCHET

@stjerna

You're right: it might be useful in the future. This customer has an old filer running ONTAP 7.3.6 and won't update it before they buy another one.

Regis

GLENYU5820

Hi Regis,

I think you might have a solution by now.

Export-policy is for IP access limitation; you can create/apply it at the vserver or volume level.

ACL is for user ID level limitation.

Thanks

Glen
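
The export-policy approach mentioned in the last replies, sketched for a clustered Data ONTAP system as an added example that is not part of any post in this thread. The names vs1, vol_projects and allowed_pcs and the 192.0.2.x addresses are placeholders; it assumes a release where export policies for SMB access are optional and must be switched on first, and the lines starting with # are annotations for the reader.

```text
# Export policies for SMB are off by default on releases where they are
# optional; enabling them is an advanced-privilege option (assumption: such
# a release is in use).
cluster1::> set -privilege advanced
cluster1::*> vserver cifs options modify -vserver vs1 -is-exportpolicy-enabled true
cluster1::*> set -privilege admin

# A policy that will list only the permitted client PCs.
cluster1::> vserver export-policy create -vserver vs1 -policyname allowed_pcs

# One rule per permitted client (a subnet such as 192.0.2.0/28 also works).
# -protocol cifs limits the rule to SMB; any client that matches no rule is
# refused, whatever the share ACL says about the user.
cluster1::> vserver export-policy rule create -vserver vs1 -policyname allowed_pcs -ruleindex 1 -clientmatch 192.0.2.10 -protocol cifs -rorule any -rwrule any
cluster1::> vserver export-policy rule create -vserver vs1 -policyname allowed_pcs -ruleindex 2 -clientmatch 192.0.2.11 -protocol cifs -rorule any -rwrule any

# Attach the policy to the volume that backs the restricted share.
cluster1::> volume modify -vserver vs1 -volume vol_projects -policy allowed_pcs

# Review what is now enforced.
cluster1::> vserver export-policy rule show -vserver vs1 -policyname allowed_pcs
```

The policy is attached to the volume, so every share on that volume gets the same client restriction, and share and NTFS ACLs still decide which users get in from the permitted PCs.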
