CIFS access denied when user domain group scope is domain local
Applies to
- ONTAP 9
- Active Directory Security Groups
Issue
- Users are not able to access CIFS shares
- The Vserver is joined to domain DOMB, and DOMA is a trusted domain
- A domain user group is configured in the share permission
- A user who belongs to DOMA is not granted the security group information
- The following is an example CIFS configuration:
#Trusted Domain A
Domain: DomainA.local
User: usera
Group: testgroupa (Group scope is domain local)
#Domain B
Domain: DomainB.local
User: userb
Group: testgroupb (Group scope is domain local)
#NetApp CIFS (login to the CIFS share fails with permission denied)
CIFS Server: testcifs
Join Domain: DomainB.local
Share: cifsshare
Permission: DomainA\testgroupa

LAB_NA::*> secd authentication show-creds -node LAB_NA-01 -vserver testcifs -win-name domainA\usera
 UNIX UID: pcuser <> Windows User: domainA\usera (Windows Domain User)
 GID: pcuser
 Supplementary GIDs:
  pcuser
 Primary Group SID: DomainA\Domain Users (Windows Domain group)
 Windows Membership: >>> usera cannot be granted security group.
  LEOLAB\Domain Users (Windows Domain group)
  (Windows Well known group)
  NT AUTHORITY\ (Windows Well known group)
 User is also a member of Everyone, Authenticated Users, and Network Users
 Privileges (0x2000):
  SeChangeNotifyPrivilege
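
One way to check saved show-creds output for this symptom, as an added example that is not part of the original article: the Python below parses text in the layout shown above and reports whether the group named in the share permission appears under Windows Membership. The function names and both sample outputs are constructed for illustration.

```python
import re

# Constructed sample modelled on the output above: testgroupa is absent.
SAMPLE_MISSING = """\
UNIX UID: pcuser <> Windows User: domainA\\usera (Windows Domain User)
GID: pcuser
Primary Group SID: DomainA\\Domain Users (Windows Domain group)
Windows Membership:
 DomainA\\Domain Users (Windows Domain group)
 (Windows Well known group)
User is also a member of Everyone, Authenticated Users, and Network Users
Privileges (0x2000):
 SeChangeNotifyPrivilege
"""
# Constructed sample of the expected state: the share group is present.
SAMPLE_PRESENT = SAMPLE_MISSING.replace(
    "Windows Membership:\n",
    "Windows Membership:\n DomainA\\testgroupa (Windows Alias)\n")

# "<name> (Windows <kind>)"; lines with an empty name do not match.
ENTRY = re.compile(r"^(?P<name>.+?)\s*\(Windows [^)]*\)\s*$")

def windows_membership(output):
    """Return the group names listed under 'Windows Membership:'."""
    groups, in_section = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Windows Membership:"):
            in_section = True      # trailing annotations on this line are ignored
            continue
        if not in_section:
            continue
        if line.startswith(("User is also a member of", "Privileges")):
            break                  # end of the membership section
        match = ENTRY.match(line)
        if match:
            groups.append(match.group("name"))
    return groups

def share_group_in_creds(output, share_group):
    """True if the share-permission group is in the credential (case-insensitive)."""
    wanted = share_group.casefold()
    return any(g.casefold() == wanted for g in windows_membership(output))

if __name__ == "__main__":
    for label, text in (("missing", SAMPLE_MISSING), ("present", SAMPLE_PRESENT)):
        print(label, share_group_in_creds(text, "DomainA\\testgroupa"))
```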