Guys,
I've got a strange problem with a CIFS share on a cDOT 8.3 system. It's a small 2250 with some NFS storage for ESX and one volume with a single CIFS share.
The local admin was making changes to permissions and managed to lock himself out completely. The top level share name is /MIS, and we can get into sub-folders (luckily!) but can't actually map the top level any more.
I've opened a ticket, and I'm reading the man pages at:
https://library.netapp.com/ecmdocs/ECMP1196891/html/GUID-3D32772D-B4E8-4497-...
but I'm hesitant to make changes. So here's some example info:
ntap_019::*> vserver security file-directory show -vserver filestorage -path /MIS

Vserver: filestorage
File Path: /MIS
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
Unix User Id: 0
Unix Group Id: 0
Unix Mode Bits: 0
Unix Mode Bits in Text: ---------
ACLs: NTFS Security Descriptor
      Control:0x9504
      Owner:BUILTIN\Administrators
      Group:BUILTIN\Administrators
      DACL - ACEs
        ALLOW-FOO\MIT Admins-0x1f01ff-OI|IO

ntap_019::*> vserver security file-directory show -vserver filestorage -path /MIS/UserDrives

Vserver: filestorage
File Path: /MIS/UserDrives
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
Unix User Id: 65534
Unix Group Id: 65534
Unix Mode Bits: 0
Unix Mode Bits in Text: ---------
ACLs: NTFS Security Descriptor
      Control:0x8504
      Owner:FOO\someone
      Group:FOO\Domain Users
      DACL - ACEs
        ALLOW-FOO\MIT Admins-0x1f01ff-OI|IO (Inherited)
And since I'm a Linux/Netapp admin with limited understanding of NTFS or Windows, I'm wondering what I can do to fix the permissions, or at least be able to open things up so that we can go in and fix it properly.
I have tried setting up a 'vserver security trace filter create ...' but it never seemed to give me any results back. Is there any simple way I can just change the top level permissions to make them WIDE open, so they can be modified again?
I even tried creating a new share, thinking that it was a share level issue, but it looks more like it's an NTFS permissions issue, which is why I'm stuck.
Thanks, John
Well, these two directories have an effectively empty DACL (Discretionary Access Control List) - the only ACE (Access Control Entry) is for inheritance only (flag IO) and does not apply to the object itself. If the DACL exists but is empty, all access from any account is denied.
Your administrator should be able to take ownership of this folder and then set permissions. If it does not work, you would need to assign appropriate permissions at least to your administrator (the administrator needs at least the change access rights permission to be able to continue).
-----Original Message-----
From: toasters-bounces@teaparty.net [mailto:toasters-bounces@teaparty.net] On Behalf Of John Stoffel
Sent: Thursday, July 02, 2015 8:01 PM
To: toasters@teaparty.net
Subject: Fixing NTFS permissions in cDOT 8.3 CIFS share
Well, we did manage to fix this, with a bit of help from Netapp support. Luckily, we had exported the share from /MIS, so we were able to set up a share pointing to the / instead, then map that using the builtin\administrator account and fix the permissions.
Once that was done, the admin could get back into the /MIS share and work on fixing the permissions for other directories as well. I feel a little stupid for not thinking of just going higher up.
John
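
The diagnosis given earlier in the thread (a DACL whose only ACE is inherit-only grants nothing on the folder itself) can be checked mechanically from `vserver security file-directory show` output. The Python below is an added example, not part of the original thread or of any NetApp tooling; the ACE line shape is inferred from the output posted in the thread, the REPAIRED sample is constructed, and the names `parse_aces` and `audit` are illustrative.

```python
import re

# ACE line shape inferred from the output quoted in the thread (an assumption):
#   TYPE-ACCOUNT-MASK[-FLAGS] [(Inherited)]
ACE_RE = re.compile(
    r"^(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-([A-Z|]+))?(\s+\(Inherited\))?$")
WRITE_DAC = 0x00040000  # standard Windows access right: change permissions

def parse_aces(show_output):
    """Return the ACEs listed under the 'DACL - ACEs' line."""
    aces, in_dacl = [], False
    for line in (l.strip() for l in show_output.splitlines()):
        if line.startswith("DACL - ACEs"):
            in_dacl = True
            continue
        m = ACE_RE.match(line) if in_dacl else None
        if m:
            flags = set(m.group(4).split("|")) if m.group(4) else set()
            aces.append({"type": m.group(1), "account": m.group(2),
                         "mask": int(m.group(3), 16), "flags": flags,
                         "inherited": bool(m.group(5))})
    return aces

def audit(show_output):
    """Report whether any ACE applies to the object and who may edit its DACL."""
    # IO (inherit only) ACEs are handed to children, never evaluated here.
    effective = [a for a in parse_aces(show_output) if "IO" not in a["flags"]]
    # DENY ordering is not evaluated; this only lists ALLOW ACEs with WRITE_DAC.
    editors = sorted(a["account"] for a in effective
                     if a["type"] == "ALLOW" and a["mask"] & WRITE_DAC)
    return {"effectively_empty": not effective, "can_change_permissions": editors}

# DACL of /MIS as posted in the thread.
LOCKED = r"""
ACLs: NTFS Security Descriptor
      Control:0x9504
      Owner:BUILTIN\Administrators
      DACL - ACEs
        ALLOW-FOO\MIT Admins-0x1f01ff-OI|IO
"""
# Constructed sample of a repaired DACL (not from the thread).
REPAIRED = r"""
      DACL - ACEs
        ALLOW-BUILTIN\Administrators-0x1f01ff-OI|CI
        ALLOW-FOO\Domain Users-0x1200a9-OI|CI
"""

if __name__ == "__main__":
    for name, text in (("/MIS as posted", LOCKED), ("repaired", REPAIRED)):
        print(name, audit(text))
```

Run against a saved copy of the `show` output for each top-level directory, this flags folders where `effectively_empty` is true before users hit them.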