ONTAP Discussions

Ownership Issues in CIFS share Ontap 9.6

sbmmiller
11,675 Views

We are trying to robocopy data to our AFF-A220 but we cannot copy ownership info. It fails unless I exclude copying ownership. At this point, I am the owner of the data. In the AFF-A220, I cannot change the ownership to "FILER\Administrators" - it fails with "Unable to set new owner on folder. This security ID may not be assigned as the owner of this object." Why can I not assign "Administrators" as the owner? In fact, I cannot change the owner at all, to any other owner, local or domain accounts. If other people copy files over, it makes them the owner as well, but I am able to take ownership. But if I try to change it to someone else, it fails again. What's going on?

 

I created a local administrator account, assigned it full access to the CIFS share, then I assigned it full access to the root folder. I see that on the folders with inheritance enabled, it does pick up the account OK. However, I still can't change ownership.

1 ACCEPTED SOLUTION

sbmmiller
11,406 Views

The issue was that only DOMAIN ADMINS are added into the "BUILTIN\Administrators" account on the SVM by default. Once I added my account into this group, voilà, it works OK now.

ONTAP: Storage > SVM > click svm > CIFS > Host Users and Groups > Windows > BUILTIN\Administrators > Edit > Members (ADD YOUR ACCOUNT.)


6 REPLIES

GidonMarcus
11,639 Views

Hi,

 

Can you please confirm:

1) that the user taking the ownership has full control access on the share. (cmd: cifs share show)

2) the volume/qtree has NTFS security style and not UNIX.   (cmd: qtree security *)

3) turn on sectrace (cmd: vserver security trace filter create -index 1) and provide the error message upon taking ownership failure.  (cmd: vserver security trace trace-result show)

 

Thanks

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK

sbmmiller
11,625 Views

Administrators / Full Control (browsable,changenotify,oplocks,show-previous-versions)

/vol/C_Users has NTFS security style and oplocks are enabled.

At the root level, the ownership is correct. I am trying to replace child objects right now with the root folder permissions. It will wipe out some folder settings but it's OK right now since we don't have too much data in it. Then I can try the command if this doesn't work.

sbmmiller
11,620 Views

3) turn on sectrace (cmd: vserver security trace filter create -index 1) and provide the error message upon taking ownership failure.  (cmd: vserver security trace trace-result show)

 

I am able to do the first part, vserver security trace filter create -index 1, and I go into Windows Explorer and try to change ownership and it fails. vserver security trace trace-result show doesn't show anything.

I thought that on the CIFS share the owner is supposed to be automatically given to the Local Administrator? Anyone who copies files over to the share is the owner.

sbmmiller
11,535 Views

So what I found is that a Domain Admin can make the changes I want to make but I cannot. Even if the share + NTFS permissions allow me, or a group I am in, full control.

GidonMarcus
11,464 Views

It could be that someone changed this GPO setting.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn221976(v=ws.11)

Gidi Marcus (Linkedin) - Storage and Microsoft technologies consultant - Hydro IT LTD - UK
