Network and Storage Protocols
Network and Storage Protocols
Hello, I am trying to mount a snapvaulted volume and can't get acces: "Access is denied. The requested permissions are not granted by the ACE while opening existing file or directory."
The original filer "A" (SVM) is in Domain TEST and had permissions on the folder for groups of Domain TEST.
Destination filer "B" (SVM) is in Domain PROD (trusted by TEST) , I mounted the snapvaulted vol, created the share but cannot get to the files
Groups allowed permissions to the share in domain TEST include Foreign Security Principals (FSP) from domain PROD. They resolve to groups from PROD , my user is a member of one of these groups. I can access the original share in domain TEST while logged with the same user account
I manually added my username into the security settings of the source folder (TEST) and ran and update of the SnapVault. I hoped that now the filer "B" in PROD would be able to resolve the newly added SID to my username in the domain. Yet I still get the same error.
I am not sure if there is any configuration from which the filer would know that the NTFS ACLs must be solved by
Is this even possible?
Solved! See The Solution
Hello.
I did look into trusted domains but it seemed to be related to user-mapping from Unix to Windows. From "Configuring multidomain name-mapping searches"
This enables Data ONTAP to search every bidirectional trusted domain to find a match when performing UNIX user to Windows user name mapping.
Since I am using only Windows names I did not think it would be relevant. Anyway here's what the command returns:
Home Domain Trusted Domains
------------------------------ ------------------------------------------------
PROD.CORP.COMPANY.BIZ CORP.COMPANY.BIZ, SOME.COMPANY..BIZ,
PROD.CORP.COMPANY.BIZ
(TEST domain does not appear)
I imagine I can't use fsecurity to apply new security settings given that the volume is snapvaulted .
I ran "icacls" from my workstation to both folders:
Thanks for your reply.
EDIT: Ran update again, the destination folder now has an entry for PROD\Username that Filer "B" can resolve so I gained access to the share.
Aviador -
What do you see using the 'vserver cifs domain trusts show' command' ?
See also the man pages for all the vserver cifs domain commands:
https://library.netapp.com/ecmdocs/ECMP1511539/html/vserver/cifs/domain/toc.html
I hope this response has been helpful to you.
At your service,
Eugene E. Kashpureff, Sr.
Independent NetApp Consultant http://www.linkedin.com/in/eugenekashpureff
Senior NetApp Instructor, FastLane US http://www.fastlaneus.com/
(P.S. I appreciate 'kudos' on any helpful posts.)
Hello.
I did look into trusted domains but it seemed to be related to user-mapping from Unix to Windows. From "Configuring multidomain name-mapping searches"
This enables Data ONTAP to search every bidirectional trusted domain to find a match when performing UNIX user to Windows user name mapping.
Since I am using only Windows names I did not think it would be relevant. Anyway here's what the command returns:
Home Domain Trusted Domains
------------------------------ ------------------------------------------------
PROD.CORP.COMPANY.BIZ CORP.COMPANY.BIZ, SOME.COMPANY..BIZ,
PROD.CORP.COMPANY.BIZ
(TEST domain does not appear)
I imagine I can't use fsecurity to apply new security settings given that the volume is snapvaulted .
I ran "icacls" from my workstation to both folders:
Thanks for your reply.
EDIT: Ran update again, the destination folder now has an entry for PROD\Username that Filer "B" can resolve so I gained access to the share.