managing cifs security access

infinitiguy
23,932 Views

Hi,

I'm starting to migrate NTFS data from an old EMC SAN to a NetApp 3020. I've created a volume with NTFS security and created a share with full permissions (Everyone). If I then go to a Windows machine and connect to the share to manage security, if I make additions to the Security tab (like add my user account with full access), I get a warning stating: "Remotely setting permissions on the folder at the root of the share removes all inherited permissions from the root folder and all subfolders. To set permissions without removing inherited permissions, click No and either change the permissions on a child folder or make the change while logged in locally. Do you want to continue?"

I did a little looking and it seems to be the way that Microsoft's CIFS client handles the share at a root level.

My question is... what is the recommended way to manage NTFS security on a NetApp filer, since there really is no Windows "local" box that the share is connected to?

Cheers,

-Derek

12 REPLIES

ekashpureff
23,890 Views

Derek -

You can log in to the filer using 'Computer Management' and administer locally to edit the share level permissions.

Control Panel - Administrative Tools - Computer Management

Right-click on 'Computer Management (Local)' and select 'Connect to another computer' from the menu.

You can administer the NetApp as you would any Windows file server ...

I hope this response has been helpful to you.

At your service,

Eugene Kashpureff
NetAppU Instructor and Independent Consultant
(P.S. I appreciate points for helpful or correct answers.)

infinitiguy
23,890 Views

Hi Eugene,

I didn't get notified of this response, otherwise I would've replied earlier!

My account that I'm logged in as actually doesn't have access to get to the filer... which is fine.. I can fix that on my side.

I took a screenshot of a general share managed by computer management.

So are you saying that editing the security on that share through computer management as opposed to just through the cifs share will prevent that error from happening and it will essentially be treated as a local connection?

It looks like subfolder security will be able to be modified without issue.

If you can confirm this - which I believe you pretty much did in your previous post, that would be grand!

Cheers,

-Derek

infinitiguy
23,890 Views

I was able to access my filer via MMC... was fumbling the server name wrong before.

However, I get the same error when trying to remove a user and apply the changes. All the other permissions (netapp\administrator, and domain admins) are inherited permissions... so I certainly don't want those removed because then I would have no permissions!

Any thoughts?

Cheers,

-Derek

ekashpureff
23,890 Views

Derek -

There's a difference between share level permissions and permissions on the files/folders in the shares.

Only share level permissions are managed on the NetApp. Windows is used to manage the files and folders.

Share level permissions are managed by clicking on the share permissions tab, rather than the security tab.

Share permissions can also be managed on the CLI with 'cifs access', or through FilerView or using System Manager.

I hope this response has been helpful to you.

At your service,


Eugene E. Kashpureff

Fastlane NetApp Instructor and Independent Consultant
(P.S. I appreciate points for helpful or correct answers.)

infinitiguy
23,890 Views

Hi Eugene,

I know that there's a difference between share level and security (file/folder level) permissions.

I've set the share permissions on the NetApp through FilerView. What I want to do now is understand the proper way to manage the security permissions.

I think Computer Management/MMC is the correct way and the behavior I'm getting is buggy Microsoft code... at least that's what I'm going to stick by.

yurec_has
23,891 Views

I also have a problem with the distribution rights for NetApp protocol CIFS: inheritance from the parent, prohibit reading of certain sub-folders and all other transactions that may commit in Windows.

infinitiguy
23,890 Views

Hi again,

I just wanted to complete the thread... everything is working the way I expect now. It's been a long time since I've dealt with NetApp and Windows security permissions, so I was a bit foggy on how everything worked. Through Computer Management I can now successfully edit my filer security permissions without any issues.

Thanks for the help!

infinitiguy
23,889 Views

One more quick thing. What governs who can manage a filer via MMC?

I have a test filer that I didn't set up that I don't seem to have access to, whereas the other filers I do. What option grants access?

ekashpureff
23,890 Views

Members of the 'Administrators' group as defined in /etc/lclgroups.cfg can manage the filer.


I hope this response has been helpful to you.

At your service,


Eugene E. Kashpureff
ekashp@kashpureff.org
Fastlane NetApp Instructor and Independent Consultant
http://www.fastlaneus.com/ http://www.linkedin.com/in/eugenekashpureff

(P.S. I appreciate points for helpful or correct answers.)

infinitiguy
12,921 Views

How does that list get generated? If I look at that file on a filer I do have access to, I see a bunch of SIDs. I'd be surprised if someone had to look up the SIDs and put them in place... unless that is how it works?

ekashpureff
12,921 Views

The file is generated by CIFS setup.

SIDs and user names can be translated with the 'cifs lookup' command.

(or through FilerView)

You can specify additional users and groups during CIFS setup as well.


I hope this response has been helpful to you.

At your service,


Eugene E. Kashpureff
ekashp@kashpureff.org
Fastlane NetApp Instructor and Independent Consultant
http://www.fastlaneus.com/ http://www.linkedin.com/in/eugenekashpureff

(P.S. I appreciate points for helpful or correct answers.)

rdenyer001
12,921 Views

Hi All,

We had some interesting permission issues on user home directories and found this post while investigating the issue.

We have a requirement where some people require access to other people's home directories, e.g. PAs accessing their managers' home directories.

We did the "normal" management thing and granted access via MMC.

We thought this was all fine until we noticed that these people had been given access to everyone's home directories.

Here is our home directory layout:

/vol/vol1/users/user1

/vol/vol1/users/user2

/vol/vol1/users/user3

/vol/vol1/users/user4

If user2 needs access to the user1 home directory, we use MMC to add user2 to the user1 directory. What then happens is user2 also gets the same access to user3 and user4.

Our cifs_homedir.cfg is as follows:

/vol/vol1/users

Our cifsconfig_share.cfg has the following:

cifs shares -add "HOME" "/vol/vol0/home" -comment "Default Share"
cifs access "HOME" S-NONE "nosd"

(this can probably be removed)

and

cifs shares -add "users" "/vol/vol1/users" -comment "Created on 1/07/2010"
cifs access "users" S-NONE "nosd"

This does not happen if we grant access to other shares that are not "home" directories.

Is there something different with the way home directories are treated?

Regards,

Richard
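
An added example, not part of the original post and not NetApp tooling: in the configuration quoted above, the `users` share exports the same path that cifs_homedir.cfg lists, and an inheritable ACE set on a folder at that level applies to every home directory beneath it. The Python sketch below parses the two files as quoted and reports shares that expose a home-directory root or a parent of one; the function names are hypothetical, and treating `#` lines as comments is an assumption.

```python
import shlex  # splits the double-quoted arguments used in cifsconfig_share.cfg

# Constructed sample input, copied from the configuration quoted in the post above.
HOMEDIR_CFG = "/vol/vol1/users\n"
SHARE_CFG = '''\
cifs shares -add "HOME" "/vol/vol0/home" -comment "Default Share"
cifs access "HOME" S-NONE "nosd"
cifs shares -add "users" "/vol/vol1/users" -comment "Created on 1/07/2010"
cifs access "users" S-NONE "nosd"
'''

def _lines(text):
    """Yield non-blank lines, skipping '#' comments (assumed comment syntax)."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line

def parse_homedir_paths(text):
    """Return the home-directory search paths listed in cifs_homedir.cfg."""
    return [line.rstrip("/") for line in _lines(text)]

def parse_shares(text):
    """Map share name -> {'path': str or None, 'access': [(principal, rights)]}."""
    shares = {}
    for line in _lines(text):
        tok = shlex.split(line)
        if tok[:3] == ["cifs", "shares", "-add"] and len(tok) >= 5:
            shares.setdefault(tok[3], {"path": None, "access": []})
            shares[tok[3]]["path"] = tok[4].rstrip("/")
        elif tok[:2] == ["cifs", "access"] and len(tok) >= 4:
            entry = shares.setdefault(tok[2], {"path": None, "access": []})
            entry["access"].append((tok[3], " ".join(tok[4:])))
    return shares

def shares_exposing_homedir_roots(shares, homedir_paths):
    """Return (share, share_path, homedir_root) where the share path is a
    home-directory root or a parent directory of one."""
    hits = []
    for name, info in sorted(shares.items()):
        path = info["path"]
        if path is None:
            continue
        for root in homedir_paths:
            if root == path or root.startswith(path + "/"):
                hits.append((name, path, root))
    return hits

if __name__ == "__main__":
    found = shares_exposing_homedir_roots(parse_shares(SHARE_CFG),
                                          parse_homedir_paths(HOMEDIR_CFG))
    for name, path, root in found:
        print(f"share {name!r} ({path}) exposes home-directory root {root}")
```

For each share it reports, check the ACL on the share's root folder for inheritable entries that name individual users rather than administrators.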
