NetApp Knowledge Base

Unauthorized Windows User Accessing Unix Security-Style Volume

Category:
ontap-9
Specialty:
NAS
Applies to

  • ONTAP 9
  • CIFS

Issue

Users without permissions are able to access and perform actions on a CIFS share backed by a UNIX security-style volume, even after the permissions were modified.

1. Collect the file-directory show output for the folder(s) or file(s) involved:

vserver security file-directory show -vserver <vserver> -path <Path>

cluster1::*> vserver security file-directory show -vserver svm0 -path /home0
             Vserver: svm0
              File Path: /home0/
      File Inode Number: 13918
         Security Style: unix
        Effective Style: unix
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
           UNIX User Id: 1010
          UNIX Group Id: 111
         UNIX Mode Bits: 770
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: -

2. Capture a sectrace with the trace-allow flag enabled so that allowed (successful) accesses are recorded as well as denials, and inspect the Windows session's credentials to identify the UNIX user the Windows user is mapped to.

Node            Index Filter Details             Reason
--------------- ----- -------------------------- ------------------------------
cluster1-01     1                                Access is denied by UNIX
                                                 permissions while opening
                                                 existing file or directory.
                                                 Access is not granted for:
                                                 "Synchronize", "Write DAC",
                                                 "Read Control", "Delete",
                                                 "Write Attributes", "Delete
                                                 Child", "Execute", "Write EA",
                                                 "Read EA", "Append", "Write",
                                                 "Read"
                      Protocol: cifs
                      Volume: -
                      Share: home0
                      Path: /home0
                      Win-User: DEMO\user1
                      UNIX-User: pcuser
                      Session-ID: 10652701968591486984

Example:

cifs session show -node * -vserver svm0 -session-id 10652701968591486984 -show-win-unix-creds

Vserver: svm0

                            Node: cluster1-01
                      Session ID: 10652701968591486984
                   Connection ID: 1489010350
    Incoming Data LIF IP Address: 10.216.29.119
          Workstation IP Address: 10.216.29.238
        Authentication Mechanism: Kerberos
           User Authenticated as: domain-user
                    Windows User: DEMO\user1
                       UNIX User: pcuser
                     Open Shares: 1
                      Open Files: 3
                      Open Other: 0
                  Connected Time: 2d 17h 43m 34s
                       Idle Time: 2d 16h 37m 3s
                Protocol Version: SMB3_1
          Continuously Available: No
               Is Session Signed: false
                    NetBIOS Name: -
           SMB Encryption Status: unencrypted
               Large MTU Enabled: true
                Connection Count: 1
        Windows UNIX Credentials:
 UNIX UID: pcuser <> Windows User: DEMO\user1 (Windows Domain User)

 GID: pcuser
 Supplementary GIDs:
  pcuser

 Windows Membership:
  DEMO\Group Policy Creator Owners (Windows Domain group)
  DEMO\Domain Users (Windows Domain group)
  Authentication authority asserted identity (Windows Well known group)
  BUILTIN\Users (Windows Alias)
 User is also a member of Everyone, Authenticated Users, and Network Users

 Privileges (0x22b7):
  SeChangeNotifyPrivilege

3. Get the CIFS share properties:

cluster1-01::> cifs share show -vserver svm0 -share-name home0

                                      Vserver: svm0
                                        Share: home0
                     CIFS Server NetBIOS Name: svm0
                                         Path: /home0
                             Share Properties: oplocks
                                               browsable
                                               changenotify
                                               show-previous-versions
                           Symlink Properties: symlinks
                      File Mode Creation Mask: -
                 Directory Mode Creation Mask: -
                                Share Comment:
                                    Share ACL: Authenticated Users/ Full Control
                File Attribute Cache Lifetime: -
                                  Volume Name: home
                                Offline Files: manual
                Vscan File-Operations Profile: standard
            Maximum Tree Connections on Share: 4294967295
                   UNIX Group for File Create: allowtestgroup
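As an added example (not part of the KB article), the following Python check reproduces the owner/group/other mode-bit evaluation that a UNIX security-style volume applies to the mapped UNIX user: it parses the file-directory show fields collected in step 1 and tests the mapped UNIX identity from step 2 against them. The pcuser uid/gid of 65534 is an assumption (ONTAP's default), since the KB output shows only the name.

```python
import re

# Constructed sample in the layout of `vserver security file-directory show`
# (values taken from the KB output above: uid 1010, gid 111, mode 770).
FILE_DIR_SHOW = """\
           UNIX User Id: 1010
          UNIX Group Id: 111
         UNIX Mode Bits: 770
"""

# Constructed sample: the mapped UNIX identity from `cifs session show
# ... -show-win-unix-creds`. The KB shows only the name pcuser; the ids
# below ASSUME ONTAP's default pcuser uid/gid of 65534.
SESSION_CREDS = {"win_user": r"DEMO\user1", "uid": 65534,
                 "gid": 65534, "supplementary_gids": [65534]}

def parse_kv(text):
    """Parse 'Key: value' lines of ONTAP show output into a dict."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*(.+?):\s*(.*)$", line)
        if m:
            out[m.group(1).strip()] = m.group(2).strip()
    return out

def mode_to_text(mode):
    """Render an octal mode (e.g. 0o770) as rwxrwx--- so it can be
    compared with the 'UNIX Mode Bits in Text' field of the output."""
    return "".join(c if mode & (1 << (8 - i)) else "-"
                   for i, c in enumerate("rwxrwxrwx"))

def unix_access(obj, creds, want):
    """Classic UNIX mode-bit check: owner class first, then group
    (primary or supplementary), then other. want is a subset of 'rwx'."""
    mode = int(obj["UNIX Mode Bits"], 8)
    if creds["uid"] == int(obj["UNIX User Id"]):
        bits, cls = (mode >> 6) & 7, "owner"
    elif int(obj["UNIX Group Id"]) in [creds["gid"]] + creds["supplementary_gids"]:
        bits, cls = (mode >> 3) & 7, "group"
    else:
        bits, cls = mode & 7, "other"
    need = {"r": 4, "w": 2, "x": 1}
    return all(bits & need[c] for c in want), cls

def check_path(obj_text=FILE_DIR_SHOW, creds=SESSION_CREDS, want="rwx"):
    """Evaluate the mapped UNIX identity against the object's mode bits."""
    obj = parse_kv(obj_text)
    allowed, cls = unix_access(obj, creds, want)
    return {"win_user": creds["win_user"], "class": cls, "allowed": allowed}
```

If the result says "allowed" for a Windows user who should be denied, the mapped UNIX identity (or a group it carries) is what grants the access, which is where the name-mapping and group membership from step 2 should be examined.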
