NTFS permissions on a CIFS share are not taking effect for a specific user
Applies to
ONTAP 9
Issue
- A user is able to access the CIFS share even though the NTFS ACLs do not grant that user access
- The user holds the SeTcbPrivilege privilege (granted either to the user directly or to a group the user is a member of)
Example:
::> set diag
::*> diag secd authentication show-creds -node cdot-vsim1-01 -vserver svm -win-name test\user1
UNIX UID: pcuser <> Windows User: TEST\user1 (Windows Domain User)
GID: pcuser
Supplementary GIDs (partial):
pcuser
Primary Group SID: TEST\Domain Users (Windows Domain group)
Windows Membership:
TEST\Domain Users (Windows Domain group)
Service asserted identity (Windows Well known group)
BUILTIN\Users (Windows Alias)
User is also a member of Everyone, Authenticated Users, and Network Users
Privileges (0x2088):
SeTcbPrivilege
::> cifs users-and-groups privilege show
Vserver User or Group Name Privileges
-------------- ---------------------------- -------------------
svm DEMO\backdoor SeTcbPrivilege
- The NTFS security descriptor on the path also grants this user no access: the only ACE is for TEST\Domain Admins
::*> file-directory show -vserver svm -path /vol1/
(vserver security file-directory show)
Vserver: svm
File Path: /vol1/
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x9504
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
DACL - ACEs
ALLOW-TEST\Domain Admins-0x1f01ff-OI|CI
Note: the single ALLOW ACE for TEST\Domain Admins (mask 0x1f01ff is Full Control; OI|CI means it is inherited by files and subfolders) means only Domain Admins are allowed access. Neither TEST\user1 nor any group it belongs to appears in the DACL.
- vserver security trace output for the user in question reads: "Access is allowed because the operation is trusted and no security is configured while opening existing file or directory. Access is granted for: <permissions>". ONTAP treats a session holding SeTcbPrivilege as trusted and does not evaluate the DACL at all, which is why the NTFS permissions appear to have no effect for this user.
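The three outputs above can be cross-checked mechanically. The following is an added example, not code from the KB article or from NetApp: it parses constructed copies of the show-creds, file-directory show and privilege show outputs (modelled on the ones above; the exact column layout of privilege show and the extra TEST\Backup Operators row are assumptions) and models the decision the security trace reports. SeTcbPrivilege is the Windows "Act as part of the operating system" privilege; a caller holding it is treated as trusted and the DACL is never consulted, so the list of principals holding it on the SVM is the thing to audit. The DACL walk is a simplified one (any matching DENY overlapping the request refuses; the union of matching ALLOW masks must cover the request) and is not ONTAP's own implementation.

```python
# Added example, not from the KB article or from NetApp. Parses constructed copies of the
# CLI outputs shown above and models the trace's decision: SeTcbPrivilege = trusted caller.
import re

SE_TCB = "SeTcbPrivilege"
FULL_CONTROL = 0x1F01FF  # FILE_ALL_ACCESS, the mask on the page's only ACE

# Constructed sample modelled on 'diag secd authentication show-creds' above.
SHOW_CREDS = r"""
UNIX UID: pcuser <> Windows User: TEST\user1 (Windows Domain User)
Windows Membership:
    TEST\Domain Users (Windows Domain group)
    Service asserted identity (Windows Well known group)
    BUILTIN\Users (Windows Alias)
User is also a member of Everyone, Authenticated Users, and Network Users
Privileges (0x2088):
    SeTcbPrivilege
"""
# Constructed sample: the security-descriptor tail of 'file-directory show'.
FILE_DIRECTORY_SHOW = r"""
ACLs: NTFS Security Descriptor
  DACL - ACEs
    ALLOW-TEST\Domain Admins-0x1f01ff-OI|CI
"""
# Constructed sample of 'cifs users-and-groups privilege show' (column layout assumed).
PRIVILEGE_SHOW = r"""
Vserver        User or Group Name           Privileges
-------------- ---------------------------- -------------------
svm            DEMO\backdoor                SeTcbPrivilege
svm            TEST\Backup Operators        SeBackupPrivilege,SeRestorePrivilege
"""
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+?)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?$")
PRIV_ROW = re.compile(r"^(\S+)\s+(.+?)\s+(Se\w+Privilege(?:,\s*Se\w+Privilege)*)$")


def parse_show_creds(text):
    """Return {'user', 'groups', 'privileges'} parsed from show-creds output."""
    user = re.search(r"Windows User:\s*(\S+)", text).group(1)
    groups, privileges, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Windows Membership:"):
            section = "groups"
        elif line.startswith("User is also a member of"):
            extra = line.split("member of", 1)[1]
            groups += [g.strip() for g in re.split(r",\s*(?:and\s+)?", extra) if g.strip()]
            section = None
        elif line.startswith("Privileges"):
            section = "privs"
        elif not line:
            section = None
        elif section == "groups":
            groups.append(re.sub(r"\s*\(.*\)$", "", line))  # drop the "(Windows ...)" suffix
        elif section == "privs":
            privileges.append(line)
    return {"user": user, "groups": groups, "privileges": privileges}


def parse_dacl(text):
    """Return (type, trustee, mask, flags) for each ACE listed under 'DACL - ACEs'."""
    aces, in_dacl = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DACL - ACEs"):
            in_dacl = True
        elif in_dacl and line.startswith("SACL"):
            break
        elif in_dacl and (m := ACE_RE.match(line)):
            kind, trustee, mask, flags = m.groups()
            aces.append((kind, trustee, int(mask, 16), (flags or "").split("|")))
    return aces


def se_tcb_holders(text):
    """Principals on the SVM holding SeTcbPrivilege: they bypass NTFS ACLs everywhere."""
    rows = (PRIV_ROW.match(l.strip()) for l in text.splitlines())
    return sorted(m.group(2) for m in rows if m and SE_TCB in re.split(r",\s*", m.group(3)))


def evaluate_access(identity, aces, requested=FULL_CONTROL):
    """Decide access and give the reason. A trusted caller (SeTcbPrivilege) is granted
    before the DACL is read, as the page's security trace shows; otherwise a matching
    DENY overlapping the request refuses it and matching ALLOW masks must cover it."""
    if SE_TCB in identity["privileges"]:
        return True, "operation is trusted (SeTcbPrivilege); DACL not evaluated"
    names = {n.lower() for n in [identity["user"], *identity["groups"]]}
    allowed = 0
    for kind, trustee, mask, _flags in aces:
        if trustee.lower() not in names:
            continue
        if kind == "DENY" and mask & requested:
            return False, f"explicit DENY for {trustee}"
        if kind == "ALLOW":
            allowed |= mask
    if requested & ~allowed == 0:
        return True, "granted by matching ALLOW ACEs"
    return False, "no ACE grants the requested access"
```

Running `evaluate_access(parse_show_creds(SHOW_CREDS), parse_dacl(FILE_DIRECTORY_SHOW))` grants access with the trusted-caller reason, while the same identity with an empty privilege list is refused because no ACE matches it; `se_tcb_holders(PRIVILEGE_SHOW)` returns the principals that need to be reviewed.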