ONTAP Discussions
Hello.
Please, I have an issue with one of the CIFS shares. We are unable to access it no matter what. When we run the "vserver security file-directory show" command, this is what displays, even though we've given "Everyone" access. We also added the domain admin credentials to the BUILTIN/administrators but it still won't give access.
vserver security file-directory show -vserver svm*********** -path /vol/Library_Project
Vserver: svm_**********
File Path: /vol/Library_Project
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 30
DOS Attributes in Text: ---AD---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 0
UNIX Mode Bits in Text: ---------
ACLs: NTFS Security Descriptor
Control:0x9504
Owner:BUILTIN\administrators
Group:BUILTIN\administrators
DACL - ACEs
DENY-Everyone-0x1f01ff-OI|CI
ALLOW-$$$$$$$$\#########-0x1f01ff-OI|CI
ALLOW-$$$$$$$$\#######-0x1301bf-OI|CI
ALLOW-$$$$$$$$\######-0x1f01ff-OI|CI
ALLOW-$$$$$$$$\######-0x1f01ff-OI|CI
ALLOW-$$$$$$$$\######-0x1301bf-OI|CI
Does the following output look OK?
::> vserver cifs show
::> vserver cifs share show
Check the date/time of the NetApp filer
::>
Check the date/time of the Windows DC
Make sure the time is within a 5-minute difference.
Hi Ontapforum. Other cifs shares are accessible except this one. This is the only share giving us this problem.
Do you mind sharing a screenshot of the error? When you say it is the only share giving a problem, is it visible? Is it not visible at all?
Can we see the output of the CLI for the specific share?
Thanks for sharing the PuTTY output; the cause is clearly seen in the output of this command.
::> vserver security file-directory show -vserver svm_temssna002 -path /vol/Library_Project
UNDER DACL - ACEs:
DENY-Everyone-0x1f01ff-OI|CI <<-------Cause: DENY permissions will supersede any ALLOW permissions, no matter the user or group.
Workaround:
Since the DENY permission will prevent this, the DENY permission must be removed first. To resolve this issue, change the owner of the share to a user account (that has MODIFY or FULL CONTROL), not a group, then remove the DENY permission from EVERYONE. That should fix the issue.
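An added example, not part of the thread and not NetApp code: a simplified model of the ordered NTFS access check, run over ACE lines in the format shown above, to show why the DENY-Everyone ACE blocks members of every ALLOW group while the owner can still rewrite the DACL. The CORP\... principals, the function names and the BROAD list are constructed, and it assumes ONTAP follows Windows ACE-order evaluation and the owner's implicit READ_CONTROL/WRITE_DAC rights.

```python
import re

# Constructed sample in the ACE format printed by
# "vserver security file-directory show"; CORP\... names are placeholders.
SAMPLE = """\
DENY-Everyone-0x1f01ff-OI|CI
ALLOW-CORP\\storage-admins-0x1f01ff-OI|CI
ALLOW-CORP\\library-users-0x1301bf-OI|CI
"""

MASK_NAMES = {0x1F01FF: "Full Control", 0x1301BF: "Modify"}
READ_CONTROL, WRITE_DAC = 0x20000, 0x40000
BROAD = {"everyone", "authenticated users"}  # catch-all principals to flag
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?$")

def parse_aces(text):
    """Return (type, principal, mask, flags) tuples in DACL order."""
    found = (ACE_RE.match(line.strip()) for line in text.splitlines())
    return [(m[1], m[2], int(m[3], 16), m[4] or "") for m in found if m]

def broad_denies(aces):
    """DENY ACEs on catch-all principals, the pattern that locked this share."""
    return [a for a in aces if a[0] == "DENY" and a[1].lower() in BROAD]

def access_granted(aces, token, desired, is_owner=False):
    """Walk ACEs in order; a DENY that hits a still-needed bit ends the check."""
    groups = {t.lower() for t in token}
    remaining = desired
    if is_owner:  # assumption: owner implicitly holds READ_CONTROL | WRITE_DAC
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    for kind, who, mask, _flags in aces:
        if who.lower() not in groups:
            continue
        if kind == "DENY" and mask & remaining:
            return False
        if kind == "ALLOW":
            remaining &= ~mask  # these bits are now granted
    return remaining == 0

if __name__ == "__main__":
    dacl = parse_aces(SAMPLE)
    admin = {"Everyone", "CORP\\storage-admins"}
    for kind, who, mask, _ in broad_denies(dacl):
        print(f"WARNING: {kind} {MASK_NAMES.get(mask, hex(mask))} for {who}")
    print("modify, non-owner:", access_granted(dacl, admin, 0x1301BF))
    print("WRITE_DAC, owner :", access_granted(dacl, admin, WRITE_DAC, is_owner=True))
```
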
Thanks, Ontapforrum. We will try this first thing Monday morning. However, if you don't mind, can you share the command to change the owner of the share?
No worries.
To be honest, it's a very tricky situation. I don't know what the need was for 'deny' to be in the security group permissions; it is dangerous, simply because it takes precedence.
In any case, you might have to try these steps:
1) Take ownership of the share
Windows cmd prompt (admin rights):
\>takeown /F x:\path\to\share
2) Remove 'deny'.
If the step 1 succeeds, right-click on the share, properties, select 'security tab', click advanced, change permissions, then select 'deny' and click 'remove'.
or
Try with ONTAP CLI
https://docs.netapp.com/us-en/ontap-cli-97/vserver-security-file-directory-ntfs-dacl-remove.html#description
If none works and you keep getting permission denied, then you might want to just delete the share/volume and recreate one if there was no data. If there was data, you might want to just vol copy/mirror to another volume and then re-create the share and permissions. [Avoid deny in future]
Thank you, Ontapforrum. It worked! We used a different admin account to take ownership of the share/file and we removed "deny".
Great stuff. Well done. Thanks for the update.
Hello,
Have you checked the ONTAP events at the time of access?
event show
o,
We will check and revert. Thanks!