Skip to main content

NetApp wins prestigious Coveo Relevance Pinnacle Award. Learn more!

INSIGHT Japan :2023年 1月25日(水)ANAインターコンチネンタルホテル開催 へ参加・申込を行う

NetApp Knowledge Base

NTFS permissions on a CIFS share are not taking effect on a specific user

Views:
4,112
Visibility:
Public
Votes:
9
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

  • ONTAP 9
  • Clustered Data ONTAP 8.2+

Issue

  • The user who is able to access the CIFS share even though ACL's don't allow access
  • User has "SeTcbPrivilege" privilege

::> set diag
::*> diag secd authentication show-creds -node cdot-vsim1-01 -vserver svm -win-name

test\user1
    UNIX UID: pcuser <> Windows User: TEST\user1 (Windows Domain User)
    GID: pcuser
    Supplementary GIDs (partial):
    pcuser
    Primary Group SID: TEST\Domain Users (Windows Domain group)

Windows Membership:
    TEST\Domain Users (Windows Domain group)
    Service asserted identity (Windows Well known group)
    BUILTIN\Users (Windows Alias)
    User is also a member of Everyone, Authenticated Users, and Network Users
    Privileges (0x2088):
    SeTcbPrivilege

  • Permissions on the share also show no access for this user

::*> file-directory show -vserver svm -path /vol1/
(vserver security file-directory show)
Vserver: svm
    File Path: /vol1/
    File Inode Number: 64
    Security Style: ntfs
    Effective Style: ntfs
    DOS Attributes: 10
    DOS Attributes in Text: ----D---

Expanded Dos Attributes: -
    UNIX User Id: 0
    UNIX Group Id: 0
    UNIX Mode Bits: 777
    UNIX Mode Bits in Text: rwxrwxrwx
    ACLs: NTFS Security Descriptor

Control:0x9504
    Owner:BUILTIN\Administrators
    Group:BUILTIN\Administrators
    DACL - ACEs
    ALLOW-TEST\Domain Admins-0x1f01ff-OI|CI
<<<< Only domain admins are allowed access.

  • vserver security trace output for the user in question

    "Access is allowed because the operation is trusted and no security is configured while opening existing file or directory. Access is granted for: <permissions>".

 

 

 

 

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

Scan to view the article on your device