Solved: Snapvault across domains: CIFS acces denied on destination

aviador · ‎2016-12-15

Hello, I am trying to mount a snapvaulted volume and can't get acces: "Access is denied. The requested permissions are not granted by the ACE while opening existing file or directory."

The original filer "A" (SVM) is in Domain TEST and had permissions on the folder for groups of Domain TEST.

Destination filer "B" (SVM) is in Domain PROD (trusted by TEST) , I mounted the snapvaulted vol, created the share but cannot get to the files

Groups allowed permissions to the share in domain TEST include Foreign Security Principals (FSP) from domain PROD. They resolve to groups from PROD , my user is a member of one of these groups. I can access the original share in domain TEST while logged with the same user account

I manually added my username into the security settings of the source folder (TEST) and ran and update of the SnapVault. I hoped that now the filer "B" in PROD would be able to resolve the newly added SID to my username in the domain. Yet I still get the same error.

I am not sure if there is any configuration from which the filer would know that the NTFS ACLs must be solved by

Getting the right groups from domain TEST
Solving the members (FSP that points to PROD groups)
Match the incoming user-name (mine) to the members of one of the groups in the PROD domain from the step above.

Is this even possible?

aviador · ‎2016-12-15

Hello.

I did look into trusted domains but it seemed to be related to user-mapping from Unix to Windows. From "Configuring multidomain name-mapping searches"

This enables Data ONTAP to search every bidirectional trusted domain to find a match when performing UNIX user to Windows user name mapping.

Since I am using only Windows names I did not think it would be relevant. Anyway here's what the command returns:

Home Domain                                       Trusted Domains
------------------------------ ------------------------------------------------
PROD.CORP.COMPANY.BIZ           CORP.COMPANY.BIZ,   SOME.COMPANY..BIZ,
                                                             PROD.CORP.COMPANY.BIZ

(TEST domain does not appear)

I imagine I can't use fsecurity to apply new security settings given that the volume is snapvaulted .

I ran "icacls" from my workstation to both folders:

Filer "A" (TEST) folder returns "No match between account names and SID" plus a match for my PROD\username that I added yesterday evening
Filer "B" (PROD) only returns the "No match between account names and SID" even though after running snapvault update I expected it to have my PROD\username as well.

Thanks for your reply.

EDIT: Ran update again, the destination folder now has an entry for PROD\Username that Filer "B" can resolve so I gained access to the share.

View solution in original post

ekashpureff · ‎2016-12-15

Aviador -

What do you see using the 'vserver cifs domain trusts show' command' ?

See also the man pages for all the vserver cifs domain commands:

https://library.netapp.com/ecmdocs/ECMP1511539/html/vserver/cifs/domain/toc.html

I hope this response has been helpful to you.

At your service,

Eugene E. Kashpureff, Sr.
Independent NetApp Consultant http://www.linkedin.com/in/eugenekashpureff
Senior NetApp Instructor, FastLane US http://www.fastlaneus.com/
(P.S. I appreciate 'kudos' on any helpful posts.)

aviador · ‎2016-12-15