ONTAP Discussions

7-mode, CIFS, local accounts and SnapMirror


Previous config: IBM N6210, ONTAP 8.1.3P3, 7-mode, no multistore license


Current setup: NetApp FAS8020 ONTAP 8.2.4P6 7-mode, no multistore license


Previous and current setup:


  • CIFS shares located on site A are accessed using a local FAS account, i.e. 'cifs_user'
  • Site A volumes are SnapMirror replicated to Site B
  • On site B, SnapMirror destination volumes are shared out using a local FAS account identically named to the site A account, i.e. 'cifs_user'




  1. SnapMirrors were broken and data written into the shares in site B under the site B local account 'cifs_user'
  2. The volumes were then replicated back to site A and the site A volumes made r/w again



In site A, the data written to the shares whilst in site B is not accessible (permission denied) after mirroring back to site A.


From my perspective this should never have worked, so I'm not after any evidence to support this. However I am told that it has worked under the 'previous configuration' mentioned at the top of this post so I am struggling to find an answer as to how it could have possibly worked previously. For example, have there been any changes to ONTAP code that means the newer version is 'stricter' with ACL permissions? Could the ONTAP upgrade or head swap from N6210 to FAS8020 have changed a system/volume option?


Any ideas at all on how this could have worked?



Slightly confusing setup to understand because there is no Domain in play and there is no vfiler DR in play.  I assume both those statements are true, correct?






Yes, it is a strange setup and if I were at the beginning I would have used a domain service account not local ones. However this is a mature setup, has been configured as outlined and has worked in the past. I do find this difficult to believe however the evidence (documentation) seems to suggest that this is the case.


There are no vFilers, the arrays are members of a domain however the shares are accessed and written to/read by a local account.







It's a beyond strange setup and not best practice.  


But I have no idea how your issue arises. Doesn't make sense to me.


Is it an App writing to the share with a local account?


Yes, it's an app writing into the shares.


I can see how it shouldn't work, but I can't figure out how it worked during previous failover/failback tests. I'm thinking mass conspiracy at this moment.