NetApp Knowledge Base

User is unable to access CIFS share due to insufficient file-level permissions

Applies to

  • ONTAP 9
  • CIFS
  • NTFS

Issue

  • A user tries to access a CIFS share and receives Access Denied
  • Users are unable to modify or delete files after migration from 7-Mode to cluster mode and get a permission denied error
  • Share-level permission to access the share is sufficient:

Example:

::> cifs share show -share-name vol 
Vserver        Share             Path       Properties Comment  ACL
-------------- ------------- -------------  ---------- -------- -----------
svm1            vol          /vol           oplocks    -        user1 / Full Control
                                            browsable
                                            changenotify
                                            show-previous-versions
  • File-level permissions indicate user1 is not listed in the DACL:

Example:

::> file-directory show -vserver svm1 -path /vol
                Vserver: svm1
              File Path: /vol
      File Inode Number: 64
         Security Style: ntfs
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:BUILTIN\Administrators
                         Group:BUILTIN\Administrators
                         DACL - ACEs
                           ALLOW-User2-0x1f01ff

  • Security trace may show errors such as:

    Access is denied. The requested permissions are not granted by the ACE
    Access is denied by an explicit ACE
    Access is denied by an inherited ACE

  • Collected packet traces show Tree Connect failing with STATUS_ACCESS_DENIED due to misconfiguration on the share ACL:

No.    Source        Destination   Protocol    NT Status               Info
258    10.11.12.1    10.11.12.2    SMB2                                Tree Connect Request Tree: \\10.11.12.2\share_name
259    10.11.12.2    10.11.12.1    SMB2        STATUS_ACCESS_DENIED    Tree Connect Response, Error: STATUS_ACCESS_DENIED
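
The file-level check described above, as an added example that is not part of the NetApp article: a Python sketch that parses the DACL lines of `file-directory show` output, decodes each ACE access mask, and lists the ACEs that name a given account. The sample text is constructed from the output shown in this article, the function names are hypothetical, and group membership is not resolved.

```python
import re

# Windows file access-mask bits (winnt.h), used to decode the hex mask in an ACE.
RIGHTS = {
    0x000001: "ReadData/ListDirectory", 0x000002: "WriteData/AddFile",
    0x000004: "AppendData/AddSubdirectory", 0x000008: "ReadEA",
    0x000010: "WriteEA", 0x000020: "Execute/Traverse",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "Delete",
    0x020000: "ReadControl", 0x040000: "WriteDAC",
    0x080000: "WriteOwner", 0x100000: "Synchronize",
}
FULL_CONTROL = 0x1F01FF  # all of the bits above set

# ACE lines look like "ALLOW-User2-0x1f01ff"; greedy (.+) tolerates hyphens in names.
ACE_RE = re.compile(r"^\s*(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)", re.MULTILINE)

# Constructed sample: the DACL portion of the output shown in this article.
SAMPLE = """\
                   ACLs: NTFS Security Descriptor
                         Control:0x8004
                         Owner:BUILTIN\\Administrators
                         Group:BUILTIN\\Administrators
                         DACL - ACEs
                           ALLOW-User2-0x1f01ff
"""

def parse_dacl(text):
    """Return [(ALLOW|DENY, trustee, mask_int), ...] for every ACE line."""
    return [(k, who, int(mask, 16)) for k, who, mask in ACE_RE.findall(text)]

def decode_mask(mask):
    """Translate an access mask into right names."""
    if mask & FULL_CONTROL == FULL_CONTROL:
        return ["Full Control"]
    return [name for bit, name in RIGHTS.items() if mask & bit]

def explicit_aces(text, account):
    """ACEs naming the account itself. Group ACEs are not resolved here."""
    return [(k, decode_mask(m)) for k, who, m in parse_dacl(text)
            if who.lower() == account.lower()]

if __name__ == "__main__":
    for account in ("user1", "User2"):
        print(account, explicit_aces(SAMPLE, account) or "no explicit ACE in DACL")
```

An empty result for user1, alongside Full Control on the share ACL, matches the situation this article describes: the share permits the connection but the NTFS DACL grants the account nothing.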
