ONTAP Discussions

7-mode, CIFS, local accounts and SnapMirror

tyrone_owen_1

Previous config: IBM N6210, ONTAP 8.1.3P3, 7-mode, no multistore license

Current setup: NetApp FAS8020 ONTAP 8.2.4P6 7-mode, no multistore license

Previous and current setup:

  • CIFS shares located on site A are accessed using a local FAS account, i.e. 'cifs_user'
  • Site A volumes are SnapMirror replicated to Site B
  • On site B SnapMirror destination volumes are shared out using a local FAS account identically named to the site A account, i.e. 'cifs_user'

Scenario:

  1. SnapMirrors were broken and data written into the shares in site B under the site B local account 'cifs_user'
  2. The volumes were then replicated back to site A and the site A volumes made r/w again

Issue:

In site A, the data written to the shares whilst in site B is not accessible (permission denied) after mirroring back to site A.

From my perspective this should never have worked, so I'm not after any evidence to support this. However I am told that it has worked under the 'previous configuration' mentioned at the top of this post so I am struggling to find an answer as to how it could have possibly worked previously. For example, have there been any changes to ONTAP code that means the newer version is 'stricter' with ACL permissions? Could the ONTAP upgrade or head swap from N6210 to FAS8020 have changed a system/volume option?

Any ideas at all on how this could have worked?

4 REPLIES

JGPSHNTAP

Slightly confusing setup to understand because there is no Domain in play and there is no vfiler DR in play. I assume both those statements are true, correct?

tyrone_owen_1

Yes, it is a strange setup and if I were at the beginning I would have used a domain service account not local ones. However this is a mature setup, has been configured as outlined and has worked in the past. I do find this difficult to believe however the evidence (documentation) seems to suggest that this is the case.

There are no vFilers, the arrays are members of a domain however the shares are accessed and written to/read by a local account.

Thanks

JGPSHNTAP

It's a beyond strange setup and not best practice.

But I have no idea how your issue arises. Doesn't make sense to me.

Is it an App writing to the share with a local account?

tyrone_owen_1

Yes, it's an app writing into the shares.

I can see how it shouldn't work, but I can't figure out how it worked during previous failover/failback tests. I'm thinking mass conspiracy at this moment.
