ONTAP Discussions

7-mode, CIFS, local accounts and SnapMirror

tyrone_owen_1

Previous config: IBM N6210, ONTAP 8.1.3P3, 7-mode, no multistore license

 

Current setup: NetApp FAS8020 ONTAP 8.2.4P6 7-mode, no multistore license

 

Previous and current setup:

 

  • CIFS shares located on site A are accessed using a local FAS account, i.e. 'cifs_user'
  • Site A volumes are SnapMirror replicated to Site B
  • On site B, SnapMirror destination volumes are shared out using a local FAS account identically named to the site A account, i.e. 'cifs_user'

 

Scenario:

 

  1. SnapMirrors were broken and data written into the shares in site B under the site B local account 'cifs_user'
  2. The volumes were then replicated back to site A and the site A volumes made r/w again

Issue:

 

In site A, the data written to the shares whilst in site B is not accessible (permission denied) after mirroring back to site A.

 

From my perspective this should never have worked, so I'm not after any evidence to support this. However, I am told that it has worked under the 'previous configuration' mentioned at the top of this post, so I am struggling to find an answer as to how it could have possibly worked previously. For example, have there been any changes to ONTAP code that mean the newer version is 'stricter' with ACL permissions? Could the ONTAP upgrade or head swap from N6210 to FAS8020 have changed a system/volume option?

 

Any ideas at all on how this could have worked?


JGPSHNTAP

Slightly confusing setup to understand because there is no domain in play and there is no vfiler DR in play. I assume both those statements are true, correct?

 

 

 

 

tyrone_owen_1

Yes, it is a strange setup, and if I were at the beginning I would have used a domain service account, not local ones. However, this is a mature setup, has been configured as outlined and has worked in the past. I do find this difficult to believe; however, the evidence (documentation) seems to suggest that this is the case.

 

There are no vFilers. The arrays are members of a domain; however, the shares are accessed and written to/read by a local account.

 

Thanks

 

 

 

JGPSHNTAP

It's a beyond strange setup and not best practice.  

 

But I have no idea how your issue arises. Doesn't make sense to me.

 

Is it an app writing to the share with a local account?

tyrone_owen_1

Yes, it's an app writing into the shares.

 

I can see how it shouldn't work, but I can't figure out how it worked during previous failover/failback tests. I'm thinking mass conspiracy at this moment.
