CIFS-Access to admin$ share

bloehlein · ‎2013-02-14

Hi,

I'm trying to get access to the admin$-share like the share c$ in 7-mode, but i can't get it to work. The CIFS-User is mapped to root (uid 0 / gid 0) and was defined as cifs superuser, but both didn't help.

Mapping of the user-defined share with the same share-path works fine... Something else I can do? ONTAP release is 8.1.2P1

st228::*> vserver cifs share access-control create -share admin$ -user-or-group Everyone -permission Full_Control

Error: command failed: Failed to create ACE on CIFS share admin$. Reason: The share permission cannot be set on administrative shares.

st228::*> vserver cifs share show

Vserver Share Path Properties Comment ACL

-------------- ------------- ----------------- ---------- -------- -----------

test_bl_2 admin$ / browsable - -

test_bl_2 ipc$ / browsable - -

test_bl_2 vsroot / oplocks - Everyone / Full Control

browsable

changenotify

3 entries were displayed.

Best regards,

Bernd

mrinal · ‎2013-02-14

Hi Bernd,

Have a look at this FAQ, https://kb.netapp.com/support/index?page=content&id=3012797. The considerations will guide you though the configuration settings that need to be checked.

bloehlein · ‎2013-02-14

Hi Mrinal,

normal CIFS-Access to a user-defined share with sharepath "/" is working just fine, so user-mapping, export-policies etc are configured correctly.

But I can't get the administrative share admin$ to work, neither with a domain administrator, nor with a regular domain-user which has cifs superuser privileges configured.

Didn't find anything about admin$ and ipc$ in the ONTAP-documentation, is this working in 8.1 or will we have to wait for future releases?

Best regards,

Bernd

mrinal · ‎2013-02-15

Hi Berd,

I do not have a good answer for why the system-defined shares cannot be modified. My suggestion would be to create a new $ share. This will allow you to set custom permissions on it.

bloehlein · ‎2013-02-15

Hi Mrinal,

can you tell me what purpose those both administrative shares have? They seem pretty useless since no user can map them and the documentation doesn't talk about them at all

Best regards,

Bernd

mrinal · ‎2013-02-19

That is a good question. I do not have an answer. Others might.

eric8 · ‎2013-02-19

From the Windows XP HTML Help file:

Special shared resources

Depending on the configuration of your computer, some or all of the following special shared resources are created for administrative and system use. These shared resources are not visible from My Computer, but you can view them by using Shared Folders. In most cases, you should not delete or modify special shared resources.

You may see some or all of the following administrative shared resources in the Shares folder:

drive letter$

A shared resource that enables administrators to connect to the root directory of a drive. The root directories appear in the Shared Folder column in the Shares folder as A$, B$, C$, D$, and so on. For example, you can access drive D by clicking D$.

ADMIN$

A resource that is used during remote administration of a computer. The path of this resource is always the path to the system root (the directory in which the operating system is installed: for example, C:\Windows).

IPC$

A resource that shares the named pipes that are essential for communication between programs. You use IPC$ during remote administration of a computer and when you view a computer's shared resources. You cannot delete this resource.

[...]

I believe in 7-mode systems these "hidden" shares would allow remote administration through the Computer Management MMC console snap-in, to add, remove or modify CIFS Shares, local users & groups, etc. I am pretty certain these functions are not supported through MMC in Clustered ONTAP; use the CLI or System Manager GUI instead.