Solved: CIFS local group issue with 9.1

sraudonis · ‎2017-05-27

Hi,

i upgraded a 2240 from 7mode to cdot, with 8.3.2p11 i made a complete init and after a minimal config i upgraded to 9.1p3. Here i have a strange issue with CIFS.

At the SystemManager i created a new CIFS SVM, on the first screen i entered all infos, the second screen with the AD join i skipped and on the third screen i enterd a password for the vsadmin and then i completed the wizard.

On the shell i entered:

vserver cifs create -vserver cifs-test  -cifs-server cifs-test -workgroup test

So i created a minimal CIFS configuration. Now i entered this command to see the rights of the local Administrator user:

diag secd authentication show-creds -node san-cl01-02 -vserver cifs-test  -win-name administrator

UNIX UID: pcuser <> Windows User: CIFS-TEST\Administrator (Windows Local User)

GID: pcuser
Supplementary GIDs:
  pcuser

Windows Membership:
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x2000):
  SeChangeNotifyPrivilege

My problems:

- Why is the mapping to "pcuser", not "root"?

- Why isn't there listed the "BUILTIN\Administrators" group at Windows membership?

On a other 2240 with 9.1p3 i got with a new SVM with a workgroup this result:

diag secd authentication show-creds -node na-cl01-01 -vserver test-cifs -win-name administrator

UNIX UID: root <> Windows User: TEST-CIFS\Administrator (Windows Local User)

GID: daemon
Supplementary GIDs:
  daemon

Windows Membership:
  BUILTIN\Administrators (Windows Alias)
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x2237):
  SeBackupPrivilege
  SeRestorePrivilege
  SeTakeOwnershipPrivilege
  SeSecurityPrivilege
  SeChangeNotifyPrivilege

This happens on every CIFS SVM i create. Even when i add a different SVM to the AD, the local groups don't work.

This is the local Administrators group:

My user, the Administrator of the CIFS SVM and the Domain Administrators are member.

Enter i the command again, i got this result:

diag secd authentication show-creds -node san-cl01-02 -vserver svm-cifs1 -win-name xx\basys_raudonis

UNIX UID: pcuser <> Windows User: XX\basys_raudonis (Windows Domain User)

GID: pcuser
Supplementary GIDs:
  pcuser

Windows Membership:
  XX\User-Standard (Windows Domain group)
  XX\Domänen-Benutzer (Windows Domain group)
  XX\Domänen-Admins (Windows Domain group)
  XX\User-WorkerOffice (Windows Domain group)
  XX\Abgelehnte RODC-Kennwortreplikationsgruppe (Windows Alias)
  Vom Dienst bestätigte ID (Windows Well known group)
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x2000):
  SeChangeNotifyPrivilege

So i got all AD Groups, but no local Groups. But there must be "BUILTIN\Users" and "BUILTIN\Administrators".

The main problem with this is, i can't access directory's that only grant access to the local Administrators group.

What goes wrong here? Have i missed something?

Kind regards

Stefan

sraudonis · ‎2017-05-27

I took a very log telephone call with the support. There i a known issue whan upgrading from 7Mode to ONTAP 9, finaly after we made a configuration reload and a restart of the CIFS SVM all is working fine.

View solution in original post

sraudonis · ‎2017-05-27

I took a very log telephone call with the support. There i a known issue whan upgrading from 7Mode to ONTAP 9, finaly after we made a configuration reload and a restart of the CIFS SVM all is working fine.

JacobV · ‎2017-10-24

Hello , Could you please provide us exactly what was done to fix this issue ?

Is this just by rebooting of CIFS services fixed this issue ?

Arunkumar_G · ‎2021-12-16

Hi,

I had a same problem in my environment & reconfigured the below setting along with Cifs restart which solved this problem

vserver cifs options show -vserver <XXXXXX> -fields is-admin-users-mapped-to-root-enabled