Network and Storage Protocols
Hi,
I'm starting to migrate NTFS data from an old EMC SAN to a NetApp 3020. I've created a volume with NTFS security and created a share with full permissions (everyone). If I then go to a Windows machine and connect to the share to manage security, if I make additions to the security tab (like add my user account with full access), I get a warning stating "Remotely setting permissions on the folder at the root of the share removes all inherited permissions from the root folder and all subfolders. To set permissions without removing inherited permissions, click No and either change the permissions on a child folder or make the change while logged in locally. Do you want to continue?"
I did a little looking and it seems to be the way that Microsoft's CIFS client handles the share at a root level.
My question is... what is the recommended way to manage NTFS security on a NetApp filer since there really is no Windows "local" box that the share is connected to.
Cheers,
-Derek
Derek -
You can log in to the filer using 'Computer Management' and administer locally to edit the share level permissions.
Control Panel - Administrative Tools - Computer Management
Right-click on 'Computer Management (Local)' and select 'Connect to another computer' from the menu.
You can administer the NetApp as you would any Windows file server ...
I hope this response has been helpful to you.
At your service,
Eugene Kashpureff
NetAppU Instructor and Independent Consultant
(P.S. I appreciate points for helpful or correct answers.)
Hi Eugene,
I didn't get notified of this response, otherwise I would've replied earlier!
My account that I'm logged in as actually doesn't have access to get to the filer... which is fine.. I can fix that on my side.
I took a screenshot of a general share managed by computer management.
So are you saying that editing the security on that share through Computer Management as opposed to just through the CIFS share will prevent that error from happening and it will essentially be treated as a local connection?
It looks like subfolder security will be able to be modified without issue.
If you can confirm this - which I believe you pretty much did in your previous post, that would be grand!
Cheers,
-Derek
I was able to access my filer via MMC... was fumbling the server name wrong before.
However, I get the same error when trying to remove a user and apply the changes. All the other permissions (netapp\administrator, and domain admins) are inherited permissions... so I certainly don't want those removed because then I would have no permissions!
Any thoughts?
Cheers,
-Derek
Derek -
There's a difference between share level permissions and permissions on the files/folders in the shares.
Only share level permissions are managed on the NetApp. Windows is used to manage the files and folders.
Share level permissions are managed by clicking on the share permissions tab, rather than the security tab.
Share permissions can also be managed on the CLI with 'cifs access', or through FilerView or using System Manager.
I hope this response has been helpful to you.
At your service,
Eugene E. Kashpureff
Fastlane NetApp Instructor and Independent Consultant
(P.S. I appreciate points for helpful or correct answers.)
Hi Eugene,
I know that there's a difference between share level and security (file/folder level) permissions.
I've set the share permissions on the NetApp through FilerView. What I want to do now is understand the proper way to manage the security permissions.
I think Computer Management/MMC is the correct way and the behavior I'm getting is buggy Microsoft code... at least that's what I'm going to stick by.
I also have a problem with the distribution rights for NetApp protocol CIFS: inheritance from the parent, prohibit reading of certain sub-folders and all other transactions that may commit in Windows.
Hi again,
I just wanted to complete the thread... everything is working the way I expect now. It's been a long time since I've dealt with NetApp and Windows security permissions, so I was a bit foggy on how everything worked. Through Computer Management I can now successfully edit my filer security permissions without any issues.
Thanks for the help!
One more quick thing. What governs who can manage a filer via MMC?
I have a test filer that I didn't set up that I don't seem to have access to, whereas the other filers I do. What option grants access?
Members of the 'Administrators' group as defined in /etc/lclgroups.cfg can manage the filer.
I hope this response has been helpful to you.
At your service,
Eugene E. Kashpureff
ekashp@kashpureff.org
Fastlane NetApp Instructor and Independent Consultant
http://www.fastlaneus.com/ http://www.linkedin.com/in/eugenekashpureff
(P.S. I appreciate points for helpful or correct answers.)
How does that list get generated? If I look at that file on a filer I do have access to, I see a bunch of SIDs. I'd be surprised if someone had to look up the SIDs and put them in place... unless that is how it works?
The file is generated by CIFS setup.
SIDs and user names can be translated with the 'cifs lookup' command.
(or through FilerView)
You can specify additional users and groups during CIFS setup as well.
I hope this response has been helpful to you.
At your service,
Eugene E. Kashpureff
ekashp@kashpureff.org
Fastlane NetApp Instructor and Independent Consultant
http://www.fastlaneus.com/ http://www.linkedin.com/in/eugenekashpureff
(P.S. I appreciate points for helpful or correct answers.)
Hi All,
We had some interesting permission issues on user home directories and found this post while investigating the issue.
We have a requirement where some people require access to other people's home directories, e.g. PAs accessing their managers' home directories.
We did the "normal" management thing and granted access via MMC.
We thought this was all fine until we noticed that these people had been given access to everyone's home directories.
Here is our home directory layout:
/vol/vol1/users/user1
/vol/vol1/users/user2
/vol/vol1/users/user3
/vol/vol1/users/user4
If user2 needs access to the user1 home directory, we use MMC to add user2 to the user1 directory; what then happens is user2 also gets the same access to user3 and user4.
Our cifs_homedir.cfg is as follows:
/vol/vol1/users
Our cifsconfig_share.cfg has the following:
cifs shares -add "HOME" "/vol/vol0/home" -comment "Default Share"
cifs access "HOME" S-NONE "nosd"
(this can probably be removed)
and
cifs shares -add "users" "/vol/vol1/users" -comment "Created on 1/07/2010"
cifs access "users" S-NONE "nosd"
This does not happen if we grant access to other shares that are not "home" directories.
Is there something different with the way home directories are treated?
Regards,
Richard