Well, we did manage to fix this, with a bit of help from NetApp support. Luckily, we had exported the share from /MIS, so we were able to set up a share pointing to the / instead, then map that using the builtin\administrator account and fix the permissions.
Once that was done, the admin could get back into the /MIS share and work on fixing the permissions for other directories as well. I feel a little stupid for not thinking of just going higher up.
John
Andrei> Well, these two directories have an effectively empty DACL
Andrei> (Discretionary Access Control List) - the only ACE (Access
Andrei> Control Entry) is for inheritance only (flag IO) and does not
Andrei> apply to the object itself. If the DACL exists but is empty, all
Andrei> access from any account is denied. Your administrator should
Andrei> be able to take ownership of this folder and then set
Andrei> permissions. If it does not work, you would need to assign
Andrei> appropriate permissions at least to your administrator
Andrei> (the administrator needs at least change access rights permission
Andrei> to be able to continue).
Andrei> -----Original Message-----
Andrei> From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of John Stoffel
Andrei> Sent: Thursday, July 02, 2015 8:01 PM
Andrei> To: toasters@teaparty.net
Andrei> Subject: Fixing NTFS permissions in cDOT 8.3 CIFS share
Andrei> Guys,
Andrei> I've got a strange problem with a CIFS share on a cDOT 8.3 system.
Andrei> It's a small 2250 with some NFS storage for ESX and one volume with a single CIFS share.
Andrei> The local admin was making changes to permissions and managed to lock himself out completely. The top level share name is /MIS, and we can get into sub-folders (luckily!) but can't actually map the top level any more.
Andrei> I've opened a ticket, and I'm reading the man pages at:
Andrei> https://library.netapp.com/ecmdocs/ECMP1196891/html/GUID-3D32772D-B4E8-4497-...
Andrei> but I'm hesitant to make changes. So here's some example info:
Andrei> ntap_019::*> vserver security file-directory show -vserver filestorage -path /MIS
Andrei> Vserver: filestorage
Andrei> File Path: /MIS
Andrei> Security Style: ntfs
Andrei> Effective Style: ntfs
Andrei> DOS Attributes: 10
Andrei> DOS Attributes in Text: ----D---
Andrei> Expanded Dos Attributes: -
Andrei> Unix User Id: 0
Andrei> Unix Group Id: 0
Andrei> Unix Mode Bits: 0
Andrei> Unix Mode Bits in Text: ---------
Andrei> ACLs: NTFS Security Descriptor
Andrei> Control:0x9504
Andrei> Owner:BUILTIN\Administrators
Andrei> Group:BUILTIN\Administrators
Andrei> DACL - ACEs
Andrei> ALLOW-FOO\MIT Admins-0x1f01ff-OI|IO
Andrei> ntap_019::*> vserver security file-directory show -vserver filestorage -path /MIS/UserDrives
Andrei> Vserver: filestorage
Andrei> File Path: /MIS/UserDrives
Andrei> Security Style: ntfs
Andrei> Effective Style: ntfs
Andrei> DOS Attributes: 10
Andrei> DOS Attributes in Text: ----D---
Andrei> Expanded Dos Attributes: -
Andrei> Unix User Id: 65534
Andrei> Unix Group Id: 65534
Andrei> Unix Mode Bits: 0
Andrei> Unix Mode Bits in Text: ---------
Andrei> ACLs: NTFS Security Descriptor
Andrei> Control:0x8504
Andrei> Owner:FOO\someone
Andrei> Group:FOO\Domain Users
Andrei> DACL - ACEs
Andrei> ALLOW-FOO\MIT Admins-0x1f01ff-OI|IO
Andrei> (Inherited)
Andrei> And since I'm a Linux/NetApp admin with limited understanding of NTFS or Windows, I'm wondering what I can do to fix the permissions, or at least be able to open things up so that we can go in and fix it properly.
Andrei> I have tried setting up a 'vserver security trace filter create ...'
Andrei> but it never seemed to give me any results back. Is there any simple way I can just change the top level permissions to make them WIDE open, so they can be modified again?
Andrei> I even tried creating a new share, thinking that it was a share level issue, but it looks more like it's an NTFS permissions issue, which is why I'm stuck.
Andrei> Thanks,
Andrei> John
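
Added example, not part of the original thread: a Python check for the condition Andrei describes, a DACL that is present but whose only ACEs are inherit-only (IO), run over the ACE listings quoted in the message. The function names and the trimmed sample text are assumptions of this example; the ACE line format is taken from the output in the thread.

```python
import re

# Sample input: the two listings quoted in the thread, trimmed to the
# fields this check needs (copied from the message, not captured live).
SAMPLE = r"""
File Path: /MIS
Control:0x9504
DACL - ACEs
ALLOW-FOO\MIT Admins-0x1f01ff-OI|IO
File Path: /MIS/UserDrives
Control:0x8504
DACL - ACEs
ALLOW-FOO\MIT Admins-0x1f01ff-OI|IO
(Inherited)
"""

SE_DACL_PRESENT = 0x0004  # Windows security descriptor control bit
# TYPE-ACCOUNT-MASK[-FLAGS]; the account name may itself contain '-' or spaces.
ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?")

def parse(text):
    """Return {path: {"control": int, "aces": [(type, account, mask, flags)]}}."""
    out, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("File Path:"):
            path = line.split(":", 1)[1].strip()
            cur = out.setdefault(path, {"control": 0, "aces": []})
        elif cur is not None and line.startswith("Control:"):
            cur["control"] = int(line.split(":", 1)[1], 16)
        elif cur is not None and (m := ACE_RE.match(line)):
            flags = set(m.group(4).split("|")) if m.group(4) else set()
            cur["aces"].append((m.group(1), m.group(2), int(m.group(3), 16), flags))
    return out

def locked_out(entry):
    """True when a DACL is present but no ACE applies to the object itself."""
    if not entry["control"] & SE_DACL_PRESENT:
        return False  # no DACL at all is a different case, not deny-all
    return not any("IO" not in flags for _, _, _, flags in entry["aces"])

def find_locked_paths(text):
    """Paths whose DACL is effectively empty (every ACE is inherit-only)."""
    return sorted(p for p, e in parse(text).items() if locked_out(e))

if __name__ == "__main__":
    for path in find_locked_paths(SAMPLE):
        print(f"{path}: DACL has no ACE applying to the directory itself")
```
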