ONTAP Discussions

problems with group and mapping

grocanar

Hi,

I'm using Data ONTAP 8.3.1P2.

I have the following problem.

I have volumes that use security style unix that are accessed by some of our users through CIFS.

It's the same AD that is used for security style unix and security style CIFS.

This AD group Seq-epigen is constructed with

- individual members

- inclusion of the group solexa.

The people who are directly included in the group as a person have the supplementary GID seq-epigen.

diag secd authentication show-creds -node cng_n04 -vserver cng_svm_01 -win-name AD-CNG\leduc

UNIX UID: leduc <> Windows User: AD-CNG\leduc (Windows Domain User)

GID: cng
Supplementary GIDs:
cng
BioInfo
solexa
LabMeetingCNGro
Seq-Epigen
g_sav
g_info
g_joe
g_remod385_ircm
CrimeNGS

Windows Membership:
AD-CNG\CERTSVC_DCOM_ACCESS (Windows Alias)
AD-CNG\g_remod385_ircm (Windows Domain group)
AD-CNG\TerminalConnection (Windows Domain group)
AD-CNG\LabMeetingCNGro (Windows Domain group)
AD-CNG\BioInfo (Windows Domain group)
AD-CNG\g_info (Windows Domain group)
AD-CNG\g_principal_cng (Windows Domain group)
AD-CNG\SeqFollowUp (Windows Domain group)
AD-CNG\cng (Windows Domain group)
AD-CNG\Domain Users (Windows Domain group)
AD-CNG\depotBioinfo (Windows Domain group)
AD-CNG\mas_spec (Windows Domain group)
AD-CNG\CrimeNGS (Windows Domain group)
AD-CNG\SuiviGA (Windows Domain group)
AD-CNG\g_sav (Windows Domain group)
AD-CNG\g_joe (Windows Domain group)
AD-CNG\Seq-Epigen (Windows Domain group)
AD-CNG\solex_bioinfo (Windows Domain group)
AD-CNG\depotSeqIllumina (Windows Domain group)
AD-CNG\solexa (Windows Domain group)
AD-CNG\BioInfo (Windows Domain group)
AD-CNG\mas_spec (Windows Domain group)
BUILTIN\Users (Windows Alias)
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x2080):
SeChangeNotifyPrivilege

The people who are in the group seq-epigen through the inclusion of the group solexa don't get the supplementary GID seq-epigen.

Here is an example:

diag secd authentication show-creds -node cng_n04 -vserver cng_svm_01 -win-name AD-CNG\lechner

UNIX UID: lechner <> Windows User: AD-CNG\lechner (Windows Domain User)

GID: cng
Supplementary GIDs:
cng
solexa
LabMeetingCNGro
g_sav
cimlimsReports
g_prjinfo
g_remod385_ircm

Windows Membership:
AD-CNG\admin_babelfish (Windows Alias)
AD-CNG\CERTSVC_DCOM_ACCESS (Windows Alias)
AD-CNG\CQdbCNG (Windows Domain group)
AD-CNG\g_remod385_ircm (Windows Domain group)
AD-CNG\TerminalConnection (Windows Domain group)
AD-CNG\LabMeetingCNGro (Windows Domain group)
AD-CNG\LimsSolexa (Windows Domain group)
AD-CNG\teamProdCng (Windows Domain group)
AD-CNG\depotSeqExome (Windows Domain group)
AD-CNG\AchatHighT (Windows Domain group)
AD-CNG\LimsSolexaAdm (Windows Domain group)
AD-CNG\depotProductionCNG (Windows Domain group)
AD-CNG\g_principal_cng (Windows Domain group)
AD-CNG\illuminaHD (Windows Domain group)
AD-CNG\Domain Users (Windows Domain group)
AD-CNG\g_prjinfo (Windows Domain group)
AD-CNG\depotGenIllumina (Windows Domain group)
AD-CNG\mas_spec (Windows Domain group)
AD-CNG\cimlimsReports (Windows Domain group)
AD-CNG\SuiviGA (Windows Domain group)
AD-CNG\followup (Windows Domain group)
AD-CNG\adonix (Windows Domain group)
AD-CNG\g_sav (Windows Domain group)
AD-CNG\TAPuser (Windows Domain group)
AD-CNG\Seq-Epigen (Windows Domain group)
AD-CNG\depotSeqIllumina (Windows Domain group)
AD-CNG\Arketypers (Windows Domain group)
AD-CNG\solexa (Windows Domain group)
AD-CNG\I.E.users (Windows Domain group)
AD-CNG\babelfish (Windows Domain group)
AD-CNG\Arketypers (Windows Domain group)
AD-CNG\babelfish (Windows Domain group)
AD-CNG\CQdbCNG (Windows Domain group)
AD-CNG\mas_spec (Windows Domain group)
AD-CNG\lechner (Windows User)
AD-CNG\adonix (Windows Domain group)
AD-CNG\I.E.users (Windows Domain group)
BUILTIN\Users (Windows Alias)
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x2080):
SeChangeNotifyPrivilege

My problem is that I have restricted the access of a directory to only members of the group Seq_epigen.

lechner is a member of the group but can't access it, as she's trying to access it through a CIFS share.

Is there a way to support nested groups in this configuration?

1 ACCEPTED SOLUTION

Tanya_Bisht

For nested groups to function correctly, you need to configure Data ONTAP to enable RFC2307bis support.

The document below explains the same:

https://library.netapp.com/ecmdocs/ECMP1610208/html/GUID-B1CCBCC8-9FF0-4270-A4F4-679BE315C58A.html
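
A simplified model of the difference the accepted answer points at, added here as an example (not from the thread or from NetApp, and not how ONTAP implements the lookup): an RFC 2307 `memberUid` group can only list user names, while an RFC 2307bis `member` attribute holds DNs that may point at another group. The directory entries and DNs are constructed from the group names in the question.

```python
"""Constructed model: flat (RFC 2307) vs nested (RFC 2307bis) group lookup."""

# Constructed directory modeled on the thread: Seq-Epigen has one direct
# user member (leduc) and one member that is itself a group (solexa).
GROUPS = {
    "cn=Seq-Epigen,ou=groups": {
        "cn": "Seq-Epigen",
        "memberUid": ["leduc"],                        # RFC 2307: user names only
        "member": ["uid=leduc,ou=people",              # RFC 2307bis: DNs, which
                   "cn=solexa,ou=groups"],             # may name another group
    },
    "cn=solexa,ou=groups": {
        "cn": "solexa",
        "memberUid": ["leduc", "lechner"],
        "member": ["uid=leduc,ou=people", "uid=lechner,ou=people"],
    },
}


def groups_rfc2307(username):
    """Flat lookup: a group counts only if memberUid lists the user name."""
    return sorted(g["cn"] for g in GROUPS.values() if username in g["memberUid"])


def groups_rfc2307bis(user_dn):
    """Nested lookup: follow member DNs from the user up through parent groups."""
    found, pending, seen = set(), [user_dn], {user_dn}
    while pending:
        dn = pending.pop()
        for group_dn, group in GROUPS.items():
            # 'seen' stops the walk from looping if two groups contain each other.
            if dn in group["member"] and group_dn not in seen:
                seen.add(group_dn)
                found.add(group["cn"])
                pending.append(group_dn)
    return sorted(found)


if __name__ == "__main__":
    for name in ("leduc", "lechner"):
        print(name, "flat:  ", groups_rfc2307(name))
        print(name, "nested:", groups_rfc2307bis(f"uid={name},ou=people"))
```

In this model the flat lookup gives lechner only solexa, which matches the missing Seq-Epigen supplementary GID in the question, and the nested lookup adds it.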

 
