ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Highlighted

What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

VARONISSYSTEMS
‎2017-08-17 03:09 AM

Hi, 

 

As I understand that this property was DEPRECATED, but I still trying to find any information about which security check this CIFS superuser option allows to bypass? 

 

Thanks. 

Reply
Tags (1)
8 Replies
0 Likes
8 REPLIES 8
Highlighted

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

AlexDawson
NetApp
‎2017-08-17 10:12 PM

Hi there,

 

In order to answer your question most accurately, can you provide a reference in our documentation to the exact functionality you are asking about?

Reply
8 Replies
0 Likes
Highlighted

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

VARONISSYSTEMS
‎2017-08-19 06:41 AM

Hi, 

 

I'm not sure about exact functionality. In this link, there is a description of how to give a user cifs superuser privileges. 

I'm trying to find what are privileges this all about? 

 

Thanks.

Reply
8 Replies
0 Likes
Highlighted

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

ninja
‎2018-06-21 03:32 PM

Any reply to this? It would be good to know what security is bypassed by adding a super user.

Reply
8 Replies
0 Likes
Highlighted

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

AlexDawson
NetApp
‎2018-06-21 08:48 PM

Hi there,

 

As of ONTAP 9.4 the "vserver cifs superuser" commands are deprecated - the preferred method is to add a user to the AD Domain Admins group.

 

Per http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cifs-nfs-audit%2FGUID-8658509D-AE99-44A6-8CFB-F47D673A7127.html 

 

  • Avoid permission checks

    The user avoids checks on files and directory access.

  • Special locking privileges

    Data ONTAP allows read, write, or modify access to any file regardless of existing locks. If the FPolicy server takes byte range locks on the file, it results in immediate removal of existing locks on the file.

  • Bypass any FPolicy checks

    Access does not generate any FPolicy notifications.

View solution in original post

Reply
8 Replies
Highlighted

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

VARONISSYSTEMS
‎2018-07-12 09:54 AM

Great thanks, 

 

By any chance, are you know and can refer me to the documentation that states, from which version this CIFS superuser property is not supported anymore? 

Reply
8 Replies
0 Likes
Highlighted

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

AlexDawson
NetApp
‎2018-07-12 08:50 PM

Hi there,

 

We have marked it as deprecated in our current release of ONTAP - to ensure ongoing compatibility, new functionality should not be based around it.

Reply
8 Replies
0 Likes
Highlighted

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

VARONISSYSTEMS
‎2018-07-16 09:20 AM

Hi,

Thank you a lot for your help and time. 🙂

 

 

Ok, but by any chance, you remember since which cmod version it was deprecated?

(Is it 8.3 or starting from 9.0, I do remember it was available at 8.2, probably 8.3 but I may wrong.)

 


And another question hopes you will able to answer or direct me to the relevant article... 

 

In case I comparing the local Administrators group on CIFS server defined on vserver and the superuser privileges.
What is the difference between the two? (if you have a table comparison will be good if not see example)
I'm interested in File System permission perspective.


For example:
1. I have UserA that member in the local Administrators group.
2. I have UserB that not a member of any local group but has superuser assignment.
3. I have a folder which has not direct permission or ownership for any of that users.
4. I would like to change the ACLs acting as one of those users at a time.

 

 

What will I need to do?
1. In case UserA is it, I will need first to make my self an owner and then change the permissions otherwise will get access denied?
2. In the case of UserB, the change permission will take effect without any prior action?

 

 

Best regards.

Reply
8 Replies
0 Likes
Highlighted

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

AlexDawson
NetApp
‎2018-07-16 06:45 PM

I've posed your questions to our expert over at https://community.netapp.com/t5/Network-Storage-Protocols-Discussions/Authentication-amp-Authorization-in-CIFS-Ask-The-Expert-7-16-to-7-30/m-p/141484/ - I'll keep an eye on their answer 🙂

Reply
8 Replies
0 Likes
Start a New Post
Check out the KB!
Knowledge Base
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2020 NetApp
Let us know