Network and Storage Protocols

Windows 2003 Machine Account (Local System) access to CIFS share

greg_upton
6,402 Views

Hi Guys,

We are currently looking to migrate a Microsoft SCCM file store from the local SCCM server to a CIFS share on NetApp 7.3.2.

The issue we have found during testing is that the Windows machine account (Local System Account) on that Windows 2003 server is unable to access the CIFS share.

We have updated the ACLs to include the Windows machine account access to both the CIFS share and the containing files - but still we are unable to even list the files.

The command "cifs shares" shows that the Windows machine account has "Full Control" and the everyone group also has "Full Control".

Sectrace shows "Access denied because 'Read' permission (0x1) is not granted on file or directory (Access denied by the share-level ACL) - Status: 1:188743680:32:192"

Windows Active Directory User accounts access the CIFS share without any issues.

I am concerned that there is some limitation with Windows Machine Account (Local System Account) access to CIFS shares.

Does anyone have any experience with this type of CIFS access ?

Thanks

6 REPLIES 6

aborzenkov
6,402 Views

I believe, there was NetApp knowledge base and the problem definitely was discussed here already. IIRC this won’t work, account needs to be proper user account, not the machine one. Unfortunately I can’t find references right now, try to search kb/communities.

daehnrich_bsh
6,402 Views

http://communities.netapp.com/message/53431#53431 we have a similiar problem, access with machine account work. But not with PowerShell Script.

The first Problem we had with the Access was NTLM, you have to deactivate it.

shaunjurr
6,402 Views

Hi,

If you want to create a CIFS share that is meant to be accessed only by a machine account, you can map the IP address of the server to a local account on the filer in usermap.cfg and then add that user with useradmin and finally add full control for that user on the share.  You may want to add other rights to the share for administration of files.  I found it helpful to make the shares hidden to reduce the chance of others accessing the file.

We've done this for Notes storage on a set of filers for a lot of years.  It seemed like a hack at the time, but it has been suprisingly stable.

10.10.10.10:"" => sccmuser      (a backend storage IP subnet to limit access via IP spoofing can be a good idea)

useradmin user add sccmuser -g administrators -c "SCCM server"  (or some other more limited group)

cifs access <sccm_share> sccmuser Full Controll

Something like this should get things rolling.

The documentation says that machine accounts should be able to access the data.  Not sure if you've looked at that specifically or not.

niedermeier
6,402 Views

Hi Shaunjurr,

we have the same problem with our new netapp to get access to a share with the computeraccount. We tried your way with the usermap.cfg. It seems to work half the way. We get an authenticaton message to input our credentials from the sccmuser. Should this not happen automatically and how can this be done?

AGUMADAVALLI
6,402 Views

In general to confirm the user is valid user or not. We can use the command called "getXXbyYY getpwbyname_r root or <username>"

If you see the output, you will know that user is valid user to access the filer or not.

thank you,

AK G

AGUMADAVALLI
6,402 Views

more over enable the cifs audit : options cifs.audit.enable on

browse thru the /etc/messages for audit logs or you can rdfile /etc/log/adtlog.evt

thank you,

AK G

Public