SMB Users Unable to Write to UNIX Security‑Style CIFS Shares After LDAP Integration
Applies to
- ONTAP 9
- CIFS/SMB
- LDAP
Issue
- After LDAP/LDAPS (port 636) is configured for name‑service lookups, users getting "
ACCESS DENIED" when writing or creating file/folders. Read access working as expected.
- SMB user mapped to default UNIX user `
pcuser`
::> secd authentication show-creds -vserver <SVM> -win-name <DOMAIN\user>
UNIX UID: pcuserWindows User: <DOMAIN\user>GID: pcuserSupplementary GIDs:pcuser
- Underlying directory uses UNIX 755 permissions
::> vserver security file-directory show -vserver <SVM> -path /vol/home/user
UNIX Mode Bits: 755UNIX Mode Bits in Text: rwxr-xr-xUNIX User Id: <user_uid>UNIX Group Id: <user_gid>
- Effective permissions show no write access
::> vserver security file-directory show-effective-permissions -vserver <SVM> -win-user-name <user> -path /vol/home/user
Effective File or Directory Permission: 0x1200b9ReadRead EAWrite EAExecuteRead AttributesRead ControlSynchronize
- ns-switch includes LDAP before NIS/files
::> vserver services name-service ns-switch show -vserver <SVM> -database passwd,grouppasswd: files,ldap,nisgroup : files,ldap,nis
- LDAP cannot resolve UNIX users (no RFC2307 attributes)
::> vserver services name-service getpwbyname -vserver <SVM> -username <user>
Error: command failed: Failed to resolve <user>.Reason: Entry not found for "username: <user>".
- Explicit win → unix name‑mapping rules were properly configured