Skip to main content
NetApp Knowledge Base

NTFS permissions on a CIFS share are not taking effect on a specific user

  1. Last updated
  2. Save as PDF
Views:
5,732
Visibility:
Public
Votes:
9
Category:
ontap-9
Specialty:
nas
Last Updated:

Applies to

ONTAP 9

Issue

  • The user who is able to access the CIFS share even though ACL's don't allow access
  • User has SeTcbPrivilege privilege

Example:

::> set diag
::*> diag secd authentication show-creds -node cdot-vsim1-01 -vserver svm -win-name

test\user1
    UNIX UID: pcuser <> Windows User: TEST\user1 (Windows Domain User)
    GID: pcuser
    Supplementary GIDs (partial):
    pcuser
    Primary Group SID: TEST\Domain Users (Windows Domain group)

Windows Membership:
    TEST\Domain Users (Windows Domain group)
    Service asserted identity (Windows Well known group)
    BUILTIN\Users (Windows Alias)
    User is also a member of Everyone, Authenticated Users, and Network Users
    Privileges (0x2088):
    SeTcbPrivilege

::> cifs users-and-groups privilege show
Vserver        User or Group Name           Privileges
-------------- ---------------------------- -------------------
svm            DEMO\backdoor                SeTcbPrivilege

 

  • Permissions on the share also show no access for this user

::*> file-directory show -vserver svm -path /vol1/
(vserver security file-directory show)
Vserver: svm
    File Path: /vol1/
    File Inode Number: 64
    Security Style: ntfs
    Effective Style: ntfs
    DOS Attributes: 10
    DOS Attributes in Text: ----D---

Expanded Dos Attributes: -
    UNIX User Id: 0
    UNIX Group Id: 0
    UNIX Mode Bits: 777
    UNIX Mode Bits in Text: rwxrwxrwx
    ACLs: NTFS Security Descriptor

Control:0x9504
    Owner:BUILTIN\Administrators
    Group:BUILTIN\Administrators
    DACL - ACEs
    ALLOW-TEST\Domain Admins-0x1f01ff-OI|CI 

Note: highlighted line means only domain admins are allowed access

  • vserver security trace output for the user in question

    "Access is allowed because the operation is trusted and no security is configured while opening existing file or directory. Access is granted for: <permissions>".

 

Sign in to view the entire content of this KB article.

New to NetApp?

Learn more about our award-winning Support

NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.