Network and Storage Protocols

Need help to access a CIFS share in Unix

mjossupp123

Hi,

I need help with accessing a CIFS share on an Unix server. This share is mixed style in qtree.

The share is accessible from windows server through a specific account "_NASVOLsrv".

This account is mapped to root unix account in the usermap.cfg file. I am able to mount this share but when I try to access this share I get permission denied.

The windows name for the share is nassharet01 while Unix name is /vol/nasvol01.

#cifs access

nassharet01      /vol/nasvol01
                        nascorp\_NASVOLsrv / Full Control
                        nascorp\administrator / Full Control

Usermap.cfg file  have the following entries -

administrator == root

nascorp\_NASVOLsrv == root

nascorp\administrator == root

nas1ft01:/vol/nasvol01
                   633339904 411197072 222142832   65% /nas/nas1ft01/cbmsharet01

# cd /nas/nas1ft01/cbmsharet01
ksh: /nas/nas1ft01/cbmsharet01: permission denied

Any inputs provided for this issue will be greatly appreicated.

Thanks

18 REPLIES 18

RAMACHANDRA_EA

I also facing the same problem. unable to access cifs shares(ntfs qtree) from unix machine. NT user have full access to the shares and mapped that nt user with root. getting permission denied error.

some one please help here to solve this issue.

magnus_emmoth

I am not sure but I think you need to mount the same path in both CIFS and NFS.

CIFS is only for Windows and if you need a mount point in Linux you need to use NFS.

So I believe the answer is that you should just mount the same CIFS shared path with NFS as well.


Magnus

mjossupp123

Thanks, the share is also setup in NFS.

magnus_emmoth

Did you configure the NFS export to have read-write access for all hosts? or you have to specify the host you want to be able to access the NFS export.

Magnus

magnus_emmoth

Did you say the following path is the volume: /vol/nasvol01  ?

Do you have a Qtree in that path? or where is it?

Magnu

mjossupp123

Yes Qtree is there & the volume where the Qtree resides is nasvol01

magnus_emmoth

What is the name of the Qtree?

I had a similar problem and I could not either access the volume, however when I changed the mount path to include the Qtree, everything worked.

Maybe that could help or maybe that is how it is setup already?

So the new NFS mount would be: /vol/nasvol01/'QtreeName'/

Magnus

mjossupp123

nasvol01 is the name of the Qtree.

It is already mounted with the Qtree name

nas1ft01:/vol/nasvol01
                   633339904 411197072 222142832   65% /nas/nas1ft01/cbmsharet01

The fstab file has the following entry on the Unix server -

nas1ft01:/vol/nasvol01 /nas/nas1ft01/cbmsharet01 nfs rw,hard 0 0

magnus_emmoth

The only other thing I can think about is to click the Export All button from NFS-Manage in FilerView, in case you have made a change to the configuration.

Magnus

mjossupp123


I did a export all but that too didnt work.

Do you think anythins is wrong with the mapping that is done in the usermap.cfg file

administrator == root

nascorp\_NASVOLsrv == root

nascorp\administrator == root

The share is accessible on windows server using the domain account "_NASVOLsrv"

This same account is mapped to root.

Do you thin anything is wrong over here.

Thanks.

adamfox

If you think you have a mapping issue, you can use the wcc command to see how your user is being mapped.  In this case, you are looking root could be mapped to a couple of users.

So I would check the folllowing command:

netapp> wcc -u root

And see the mapping.  Then I would go in under CIFS (which I think is working, right?) and see what the local NTFS ACL is on that directory where you are getting permission denied.

That may tell an interesting story.

addanki

Mixed mode security style works a bit different. At any given point the effective security style could be either UNIX or NTFS. Run the following command on the filer console to see the effective permissions and make sure that the user has the required access.

“fsecurity show ”

Srinivas

mjossupp123

nas1ft01*> wcc -u root
Thu Jun 17 07:13:41 EDT [nas1ft01: auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: LSA lookup: Located account "nascorp\administrator" in domain "nascorp"..
(NT - UNIX) account name(s):  (nascorp\administrator - root)
        ***************
        UNIX uid = 0
        user is a member of group daemon (1)
        user is a member of group daemon (1)

        NT membership
                nascorp\administrator
                nascorp\Domain Users
                nascorp\CERTSVC_DCOM_ACCESS
                BUILTIN\Administrators
                BUILTIN\Users
        User is also a member of Everyone, Network Users,
        Authenticated Users
        ***************
nas1ft01*> cifs shares
Name         Mount Point                       Description
----         -----------                       -----------
nassharet01  /vol/nasvol01
                        nas1ft01\cbm / Full Control
                        S-1-5-21-1500466018-1955613541-1209563102-131076 / Full Control
                        nas1ft01\_CBMNASsrv / Full Control
                        nascorp\_CBMNASsrv / Full Control
                        nascorp\administrator / Full Control
nas1ft01*>

nh1ns1t01*> fsecurity show /vol/nasvol01
[/vol/nasvol01 - Directory (inum 64)]
  Security style: NTFS
  Effective style: NTFS

  DOS attributes: 0x0030 (---AD---)

  Unix security:
    uid: 0 (root)
    gid: 0 (daemon)
    mode: 0777 (rwxrwxrwx)

  NTFS security descriptor:
    Owner: BUILTIN\Administrators
    Group: BUILTIN\Administrators
    DACL:
      Allow - nascorp\_CBMNASsrv - 0x001301bf (Modify) - OI|CI
      Allow - nascorp\Domain Admins - 0x001f01ff (Full Control) - OI|CI
      Allow - DEVCORP\G_NAS_CBM_RO_FPDEV - 0x001200a9 (Read and Execute) - OI|CI
      Allow - DEVCORP\G_NAS_CBM_RW_FPDEV - 0x001301bf (Modify) - OI|CI
      Allow - nascorp\NAS_ADMIN - 0x001f01ff (Full Control) - OI|CI
      Allow - nascorp\NAS_CBM_RO - 0x001200a9 (Read and Execute) - OI|CI
      Allow - nascorp\NAS_CBM_RW - 0x001301bf (Modify) - OI|CI
      Allow - nascorp\root - 0x001301bf (Modify) - OI|CI
      Allow - DEVCORP\wrolson - 0x001301bf (Modify) - OI|CI

I am able to cd to the share, but when I do an ll, I get unreadable.

# cd /nas/nas1ft01/cbmsharet01
# ll
. unreadable
total 8

aborzenkov

According to output provided, neither of Windows groups (and users) to which root is mapped has access to directory. So results are completely correct.

mjossupp123

And if I do an fsecurity show for dirs inside the share I get different owners than that on the volume


NTFS security descriptor:
    Owner: DEVCORP\wrolson
    Group: DEVCORP\Domain Users

mjossupp123

The Qtree style is mixed, so that the share can be mounted on both Unix & Windows.

adamfox

That is a big misconception.  Unix and NTFS style qtrees can be mounted by any protocol.  The security style determines which protocol can change permissions on files, which is different from mounting.

Announcements
NetApp on Discord Image

We're on Discord, are you?

Live Chat, Watch Parties, and More!

Explore Banner

Meet Explore, NetApp’s digital sales platform

Engage digitally throughout the sales process, from product discovery to configuration, and handle all your post-purchase needs.

NetApp Insights to Action
I2A Banner
Public