Mailing List Archive

Setting permissions on NTFS CIFS share, users not found?
Hello
I am unsure if this is an AD or an ONTAP config problem, but I thought I'd ask. I have not run into this before. Brand new cluster (9.4P4), brand new SVM, pretty minimal config.

# Standard issue create CIFS server, allow anyone to connect through default export-policy
# Create a volume to test with, NTFS security, and a CIFS share on top of it
MyCluster::> vserver cifs create -vserver MySvm -cifs-server MyNas -domain MyAdDomain.Business.com (joined it to MyAdDomain.Business.Com)
MyCluster::> vserver export-policy rule create -policyname default -clientmatch 0.0.0.0/0 -rorule any -rwrule any -superuser any -vserver MySvm -protocol cifs
MyCluster::> volume create -volume cifs_test -aggregate MyCluster_02_SATA_1 -size 1g -junction-path /cifs_test -security-style ntfs -vserver MySvm
MyCluster::> vserver cifs share create -share-name cifs_test -path /cifs_test -vserver MySvm

# Test AD SID resolution from the filer, forwards and backwards
MyCluster::> set diagnostic

MyCluster::*> diag secd authentication translate -node MyCluster-02 -vserver MySvm -win-name MyUserName
S-1-5-21-348434689-563360211-3986294115-29846
MyCluster::*> diag secd authentication translate -node MyCluster-02 -vserver MySvm -sid S-1-5-21-348434689-563360211-3986294115-29846
MyAdDomain\MyUserName (Windows User)

MyCluster::*> diag secd authentication translate -node MyCluster-02 -vserver MySvm -win-name MyAdDomain\aGroupIamAmemberOf
S-1-5-21-348434689-563360211-3986294115-1154
MyCluster::*> diag secd authentication translate -node MyCluster-02 -vserver MySvm -sid S-1-5-21-348434689-563360211-3986294115-1154
MyAdDomain\aGroupIamAmemberOf (Windows Domain group)


So far so good. CIFS share permission by default is Everyone/Full. NTFS permission by default is Everyone/Full. I am able to connect to the share at \\MyNas\cifs_test and create a directory. The test directory has permission of Everyone/Full as viewed by right clicking on the test directory, selecting Properties, and viewing the Security tab. If I click on Advanced, I see the Owner correctly set to MyUserName as defined in AD. The Permissions tab in the Advanced window has Allow/Everyone/Full Control.

Now, here is the problem. If I click on 'Add', the Permission Entry window pops up and I need to Select A Principal. When I Select A Principal and enter a known-good username into the 'Enter the object name to select' field and click Check Names, I get 'An object with the following name cannot be found... blahblahblah'. I've tried with multiple users, multiple groups, all with the same result. I know these objects (users, groups) exist. The 'From this location' box in the window that pops up is referencing MyAdDomain.Business.Com, and the Object Type is User/Group/Built In SP.

Is this a failure of something in our AD environment and our workstations, or is this a failure somewhere in ONTAP land? I'm leaning towards something screwed up in our AD environment because of the diag secd test from above working, but I'm not sure. Any ideas?



Ian Ehrenwald
Senior Infrastructure Engineer
Hachette Book Group, Inc.
1.617.263.1948 / ian.ehrenwald@hbgusa.com

This may contain confidential material. If you are not an intended recipient, please notify the sender, delete immediately, and understand that no disclosure or reliance on the information herein is permitted. Hachette Book Group may monitor email to and from our network.

_______________________________________________
Toasters mailing list
Toasters@teaparty.net
http://www.teaparty.net/mailman/listinfo/toasters
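The post checks name-to-SID and SID-to-name resolution on the filer only, while the failure happens in the Windows object picker on the workstation. The following PowerShell is an added example, not code from the post, from NetApp, or from Microsoft: it runs the same forward and reverse lookups from the workstation so the two answers can be compared, and then adds an ACE by SID so the ACL can be set without the object picker resolving the name at all (an ACE stores the SID; the name is only used for display). MyAdDomain, MyUserName, \\MyNas\cifs_test\testdir and the SIDs are the placeholders from the post, not real objects; run it as a domain user on the workstation that shows the error.

```powershell
# Added example (not from the original post): workstation-side counterpart of
# "diag secd authentication translate", plus an ACE grant by SID that does not
# depend on the object picker's "Check Names" lookup.
# Assumed placeholders: MyAdDomain, MyUserName, MyAdDomain.Business.Com,
# \\MyNas\cifs_test\testdir and the SIDs from the post.
using namespace System.Security.Principal
using namespace System.Security.AccessControl

function Resolve-NameToSid {
    # Forward lookup, e.g. 'MyAdDomain\MyUserName' -> 'S-1-5-21-...'
    param([Parameter(Mandatory)][string]$Account)
    try {
        $sid = ([NTAccount]$Account).Translate([SecurityIdentifier])
        [pscustomobject]@{ Account = $Account; Sid = $sid.Value; Resolved = $true }
    } catch [IdentityNotMappedException] {
        # This is the same failure the object picker reports as "cannot be found"
        [pscustomobject]@{ Account = $Account; Sid = $null; Resolved = $false }
    }
}

function Resolve-SidToName {
    # Reverse lookup, e.g. 'S-1-5-21-...' -> 'MyAdDomain\MyUserName'
    param([Parameter(Mandatory)][string]$Sid)
    try {
        $acct = ([SecurityIdentifier]$Sid).Translate([NTAccount])
        [pscustomobject]@{ Sid = $Sid; Account = $acct.Value; Resolved = $true }
    } catch [IdentityNotMappedException] {
        [pscustomobject]@{ Sid = $Sid; Account = $null; Resolved = $false }
    }
}

function Test-SidRoundTrip {
    # Compare the workstation's answer with the SID the filer returned for the
    # same name; a mismatch or a one-sided failure tells you which side to debug.
    param([Parameter(Mandatory)][string]$Account,
          [Parameter(Mandatory)][string]$ExpectedSid)
    $fwd = Resolve-NameToSid -Account $Account
    if (-not $fwd.Resolved) {
        return "workstation cannot map '$Account' although the filer can: client/DC lookup problem"
    }
    if ($fwd.Sid -ne $ExpectedSid) {
        return "workstation maps '$Account' to $($fwd.Sid), filer returned $ExpectedSid: different domain or DC?"
    }
    $rev = Resolve-SidToName -Sid $fwd.Sid
    if (-not $rev.Resolved) {
        return "forward lookup works but reverse lookup fails for $($fwd.Sid)"
    }
    return "ok: $Account <-> $($fwd.Sid) ($($rev.Account))"
}

function Add-AceBySid {
    # Grant rights to a SID directly. The ACE on the filer stores the SID, so
    # this works even while the workstation cannot map the name.
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. '\\MyNas\cifs_test\testdir'
        [Parameter(Mandatory)][string]$Sid,
        [FileSystemRights]$Rights = [FileSystemRights]::Modify
    )
    $rule = [FileSystemAccessRule]::new(
        [SecurityIdentifier]$Sid, $Rights,
        [InheritanceFlags]'ContainerInherit,ObjectInherit',
        [PropagationFlags]::None,
        [AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Read the DACL back as SIDs so the check does not itself depend on name lookup
    (Get-Acl -Path $Path).GetAccessRules($true, $true, [SecurityIdentifier]) |
        Where-Object { $_.IdentityReference.Value -eq $Sid }
}

# Usage, with the values from the post:
Test-SidRoundTrip -Account 'MyAdDomain\MyUserName' `
                  -ExpectedSid 'S-1-5-21-348434689-563360211-3986294115-29846'
Test-SidRoundTrip -Account 'MyAdDomain\aGroupIamAmemberOf' `
                  -ExpectedSid 'S-1-5-21-348434689-563360211-3986294115-1154'
# Which DC the workstation is using, and whether its secure channel is healthy
nltest /dsgetdc:MyAdDomain.Business.Com
nltest /sc_query:MyAdDomain.Business.Com
# Grant the user by the SID the filer returned, bypassing the object picker
Add-AceBySid -Path '\\MyNas\cifs_test\testdir' `
             -Sid 'S-1-5-21-348434689-563360211-3986294115-29846'
```

If Test-SidRoundTrip fails on the workstation while the filer's diag secd output above succeeds, the lookup path that differs is the workstation's (its DC, DNS or secure channel), which is the comparison Basil's reply below is asking for. The nltest calls are there because they report which DC the client actually located; the SID-based grant is a workaround for getting the ACL in place, not a fix for the lookup.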
Re: Setting permissions on NTFS CIFS share, users not found?
Can you add the test user to a share on a Windows server?

On Fri, Jan 18, 2019 at 5:30 PM Ian Ehrenwald <Ian.Ehrenwald@hbgusa.com>
wrote:

Re: Setting permissions on NTFS CIFS share, users not found?
Good morning
I'm thinking this is an AD/environmental problem. I tried this same test from home connected to my workplace VPN and did not encounter the same issue. Add another ticket to the queue, it'll get looked at some day :)

________________________________________
From: Basil <basilberntsen@gmail.com>
Sent: Saturday, January 19, 2019 9:50:29 AM
To: Ian Ehrenwald
Cc: Toasters
Subject: Re: Setting permissions on NTFS CIFS share, users not found?

Can you add the test user to a share on a Windows server?