ONTAP Discussions

problems with group and mapping

grocanar

Hi,

I'm using Data ONTAP 8.3.1P2.

I have the following problem.

I have volumes that use security style unix that are accessed by some of our users through CIFS.

It's the same AD that is used for security style unix and security style CIFS.

This AD group Seq-epigen is constructed with

- individual members

- inclusion of the group solexa.

The people who are directly included in the group as a person have the supplementary GID seq-epigen.

diag secd authentication show-creds -node cng_n04 -vserver cng_svm_01 -win-name AD-CNG\leduc

UNIX UID: leduc <> Windows User: AD-CNG\leduc (Windows Domain User)

GID: cng
Supplementary GIDs:
cng
BioInfo
solexa
LabMeetingCNGro
Seq-Epigen
g_sav
g_info
g_joe
g_remod385_ircm
CrimeNGS

Windows Membership:
AD-CNG\CERTSVC_DCOM_ACCESS (Windows Alias)
AD-CNG\g_remod385_ircm (Windows Domain group)
AD-CNG\TerminalConnection (Windows Domain group)
AD-CNG\LabMeetingCNGro (Windows Domain group)
AD-CNG\BioInfo (Windows Domain group)
AD-CNG\g_info (Windows Domain group)
AD-CNG\g_principal_cng (Windows Domain group)
AD-CNG\SeqFollowUp (Windows Domain group)
AD-CNG\cng (Windows Domain group)
AD-CNG\Domain Users (Windows Domain group)
AD-CNG\depotBioinfo (Windows Domain group)
AD-CNG\mas_spec (Windows Domain group)
AD-CNG\CrimeNGS (Windows Domain group)
AD-CNG\SuiviGA (Windows Domain group)
AD-CNG\g_sav (Windows Domain group)
AD-CNG\g_joe (Windows Domain group)
AD-CNG\Seq-Epigen (Windows Domain group)
AD-CNG\solex_bioinfo (Windows Domain group)
AD-CNG\depotSeqIllumina (Windows Domain group)
AD-CNG\solexa (Windows Domain group)
AD-CNG\BioInfo (Windows Domain group)
AD-CNG\mas_spec (Windows Domain group)
BUILTIN\Users (Windows Alias)
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x2080):
SeChangeNotifyPrivilege

The people who are in the group seq-epigen through the inclusion of the group solexa don't get the supplementary GID seq-epigen.

Here is an example:

diag secd authentication show-creds -node cng_n04 -vserver cng_svm_01 -win-name AD-CNG\lechner

UNIX UID: lechner <> Windows User: AD-CNG\lechner (Windows Domain User)

GID: cng
Supplementary GIDs:
cng
solexa
LabMeetingCNGro
g_sav
cimlimsReports
g_prjinfo
g_remod385_ircm

Windows Membership:
AD-CNG\admin_babelfish (Windows Alias)
AD-CNG\CERTSVC_DCOM_ACCESS (Windows Alias)
AD-CNG\CQdbCNG (Windows Domain group)
AD-CNG\g_remod385_ircm (Windows Domain group)
AD-CNG\TerminalConnection (Windows Domain group)
AD-CNG\LabMeetingCNGro (Windows Domain group)
AD-CNG\LimsSolexa (Windows Domain group)
AD-CNG\teamProdCng (Windows Domain group)
AD-CNG\depotSeqExome (Windows Domain group)
AD-CNG\AchatHighT (Windows Domain group)
AD-CNG\LimsSolexaAdm (Windows Domain group)
AD-CNG\depotProductionCNG (Windows Domain group)
AD-CNG\g_principal_cng (Windows Domain group)
AD-CNG\illuminaHD (Windows Domain group)
AD-CNG\Domain Users (Windows Domain group)
AD-CNG\g_prjinfo (Windows Domain group)
AD-CNG\depotGenIllumina (Windows Domain group)
AD-CNG\mas_spec (Windows Domain group)
AD-CNG\cimlimsReports (Windows Domain group)
AD-CNG\SuiviGA (Windows Domain group)
AD-CNG\followup (Windows Domain group)
AD-CNG\adonix (Windows Domain group)
AD-CNG\g_sav (Windows Domain group)
AD-CNG\TAPuser (Windows Domain group)
AD-CNG\Seq-Epigen (Windows Domain group)
AD-CNG\depotSeqIllumina (Windows Domain group)
AD-CNG\Arketypers (Windows Domain group)
AD-CNG\solexa (Windows Domain group)
AD-CNG\I.E.users (Windows Domain group)
AD-CNG\babelfish (Windows Domain group)
AD-CNG\Arketypers (Windows Domain group)
AD-CNG\babelfish (Windows Domain group)
AD-CNG\CQdbCNG (Windows Domain group)
AD-CNG\mas_spec (Windows Domain group)
AD-CNG\lechner (Windows User)
AD-CNG\adonix (Windows Domain group)
AD-CNG\I.E.users (Windows Domain group)
BUILTIN\Users (Windows Alias)
User is also a member of Everyone, Authenticated Users, and Network Users

Privileges (0x2080):
SeChangeNotifyPrivilege

My problem is that I have restricted the access of a directory to only members of the group Seq_epigen.

lechner is a member of the group but can't access it, as she's trying to access it through a CIFS share.

Is there a way to support nested groups in this configuration?

1 ACCEPTED SOLUTION

Tanya_Bisht

For nested groups to function correctly, you need to configure Data ONTAP to enable RFC2307bis support.

The document below explains the same:

https://library.netapp.com/ecmdocs/ECMP1610208/html/GUID-B1CCBCC8-9FF0-4270-A4F4-679BE315C58A.html
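The direct versus nested membership difference this thread turns on, as an added example that is not part of the original posts and is not NetApp code. It models groups whose members are DNs, so a group can list another group (the RFC2307bis style); the DNs, the `DIRECTORY` contents and the `max_depth` limit are constructed assumptions, and only the group and user names come from the thread.

```python
"""Direct vs. nested group resolution over DN-valued group members."""

PEOPLE = "ou=people,dc=example,dc=test"    # constructed base DNs
GROUPS_OU = "ou=groups,dc=example,dc=test"


def user_dn(uid):
    return f"uid={uid},{PEOPLE}"


def group_dn(cn):
    return f"cn={cn},{GROUPS_OU}"


# Constructed directory mirroring the thread: Seq-Epigen holds leduc directly
# and the whole group solexa; lechner is only a member of solexa.
DIRECTORY = {
    group_dn("solexa"): [user_dn("leduc"), user_dn("lechner")],
    group_dn("Seq-Epigen"): [user_dn("leduc"), group_dn("solexa")],
}


def direct_groups(member, directory):
    """Groups that list `member` (a user or group DN) as an immediate member."""
    return {g for g, members in directory.items() if member in members}


def nested_groups(user, directory, max_depth=8):
    """Direct groups plus every group reachable through group-in-group links.

    `seen` stops membership loops; `max_depth` bounds the walk (assumed limit).
    """
    seen, frontier = set(), {user}
    for _ in range(max_depth):
        found = set()
        for dn in frontier:
            found |= direct_groups(dn, directory)
        frontier = found - seen      # only expand groups not visited yet
        if not frontier:
            break
        seen |= frontier
    return seen


def names(dns):
    """Sorted group common names, for readable comparison."""
    return sorted(dn.split(",", 1)[0][len("cn="):] for dn in dns)
```

With direct lookup only, lechner resolves to solexa alone, which matches the supplementary GID list in the question; the nested walk adds Seq-Epigen.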
