ONTAP Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ONTAP Discussions

Start a New Post

What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

VARONISSYSTEMS
‎2017-08-17 03:09 AM

Hi, 

 

As I understand that this property was DEPRECATED, but I still trying to find any information about which security check this CIFS superuser option allows to bypass? 

 

Thanks. 

0 Kudos
Tags (1)
8 Replies
Reply
8 REPLIES 8

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

AlexDawson
A-Team Tech Advisor A-Team Tech Advisor
‎2017-08-17 10:12 PM

Hi there,

 

In order to answer your question most accurately, can you provide a reference in our documentation to the exact functionality you are asking about?

0 Kudos
8 Replies
Reply

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

VARONISSYSTEMS
‎2017-08-19 06:41 AM

Hi, 

 

I'm not sure about exact functionality. In this link, there is a description of how to give a user cifs superuser privileges. 

I'm trying to find what are privileges this all about? 

 

Thanks.

0 Kudos
8 Replies
Reply

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

ninja
‎2018-06-21 03:32 PM

Any reply to this? It would be good to know what security is bypassed by adding a super user.

0 Kudos
8 Replies
Reply

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

AlexDawson
A-Team Tech Advisor A-Team Tech Advisor
‎2018-06-21 08:48 PM

Hi there,

 

As of ONTAP 9.4 the "vserver cifs superuser" commands are deprecated - the preferred method is to add a user to the AD Domain Admins group.

 

Per http://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cifs-nfs-audit%2FGUID-8658509D-AE99-44A6-8CFB-F47D673A7127.html 

 

  • Avoid permission checks

    The user avoids checks on files and directory access.

  • Special locking privileges

    Data ONTAP allows read, write, or modify access to any file regardless of existing locks. If the FPolicy server takes byte range locks on the file, it results in immediate removal of existing locks on the file.

  • Bypass any FPolicy checks

    Access does not generate any FPolicy notifications.

View solution in original post

8 Replies
Reply

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

VARONISSYSTEMS
‎2018-07-12 09:54 AM

Great thanks, 

 

By any chance, are you know and can refer me to the documentation that states, from which version this CIFS superuser property is not supported anymore? 

0 Kudos
8 Replies
Reply

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

AlexDawson
A-Team Tech Advisor A-Team Tech Advisor
‎2018-07-12 08:50 PM

Hi there,

 

We have marked it as deprecated in our current release of ONTAP - to ensure ongoing compatibility, new functionality should not be based around it.

0 Kudos
8 Replies
Reply

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

VARONISSYSTEMS
‎2018-07-16 09:20 AM

Hi,

Thank you a lot for your help and time. 🙂

 

 

Ok, but by any chance, you remember since which cmod version it was deprecated?

(Is it 8.3 or starting from 9.0, I do remember it was available at 8.2, probably 8.3 but I may wrong.)

 


And another question hopes you will able to answer or direct me to the relevant article... 

 

In case I comparing the local Administrators group on CIFS server defined on vserver and the superuser privileges.
What is the difference between the two? (if you have a table comparison will be good if not see example)
I'm interested in File System permission perspective.


For example:
1. I have UserA that member in the local Administrators group.
2. I have UserB that not a member of any local group but has superuser assignment.
3. I have a folder which has not direct permission or ownership for any of that users.
4. I would like to change the ACLs acting as one of those users at a time.

 

 

What will I need to do?
1. In case UserA is it, I will need first to make my self an owner and then change the permissions otherwise will get access denied?
2. In the case of UserB, the change permission will take effect without any prior action?

 

 

Best regards.

0 Kudos
8 Replies
Reply

Re: What are the security checks that cifs superuser privileges, allow Data ONTAP to bypasses?

AlexDawson
A-Team Tech Advisor A-Team Tech Advisor
‎2018-07-16 06:45 PM

I've posed your questions to our expert over at https://community.netapp.com/t5/Network-Storage-Protocols-Discussions/Authentication-amp-Authorization-in-CIFS-Ask-The-Expert-7-16-to-7-30/m-p/141484/ - I'll keep an eye on their answer 🙂

0 Kudos
8 Replies
Reply
Earn Rewards for Your Review!
GPI Review Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public