Hello, I am unsure if this is an AD or an ONTAP config problem, but I thought I'd ask. I have not run into this before. Brand new cluster (9.4P4), brand new SVM, pretty minimal config.
# Standard issue create CIFS server, allow anyone to connect through default export-policy
# Create a volume to test with, NTFS security, and a CIFS share on top of it
MyCluster::> vserver cifs create -vserver MySvm -cifs-server MyNas -domain MyAdDomain.Business.com
(joined it to MyAdDomain.Business.Com)
MyCluster::> vserver export-policy rule create -policyname default -clientmatch 0.0.0.0/0 -rorule any -rwrule any -superuser any -vserver MySvm -protocol cifs
MyCluster::> volume create -volume cifs_test -aggregate MyCluster_02_SATA_1 -size 1g -junction-path /cifs_test -security-style ntfs -vserver MySvm
MyCluster::> vserver cifs share create -share-name cifs_test -path /cifs_test -vserver MySvm
# Test AD SID resolution from the filer, forwards and backwards
MyCluster::> set diagnostic
MyCluster::*> diag secd authentication translate -node MyCluster-02 -vserver MySvm -win-name MyUserName
S-1-5-21-348434689-563360211-3986294115-29846
MyCluster::*> diag secd authentication translate -node MyCluster-02 -vserver MySvm -sid S-1-5-21-348434689-563360211-3986294115-29846
MyAdDomain\MyUserName (Windows User)
MyCluster::*> diag secd authentication translate -node MyCluster-02 -vserver MySvm -win-name MyAdDomain\aGroupIamAmemberOf
S-1-5-21-348434689-563360211-3986294115-1154
MyCluster::*> diag secd authentication translate -node MyCluster-02 -vserver MySvm -sid S-1-5-21-348434689-563360211-3986294115-1154
MyAdDomain\aGroupIamAmemberOf (Windows Domain group)
So far so good. CIFS share permission by default is Everyone/Full. NTFS permission by default is Everyone/Full. I am able to connect to the share at \\MyNas\cifs_test and create a directory. The test directory has permission of Everyone/Full as viewed by right-clicking on the test directory, selecting Properties, and viewing the Security tab. If I click on Advanced, I see the Owner correctly set to MyUserName as defined in AD. The Permissions tab in the Advanced window has Allow/Everyone/Full Control.
Now, here is the problem. If I click on 'Add', the Permission Entry window pops up and I need to Select A Principal. When I Select A Principal and enter a known-good username into the 'Enter the object name to select' field and click Check Names, I get 'An object with the following name cannot be found... blahblahblah'. I've tried with multiple users, multiple groups, all with the same result. I know these objects (users, groups) exist. The 'From this location' box in the window that pops up is referencing MyAdDomain.Business.Com, and the Object Type is User/Group/Built In SP.
Is this a failure of something in our AD environment and our workstations, or is this a failure somewhere in ONTAP land? I'm leaning towards something screwed up in our AD environment because of the diag secd test from above working, but I'm not sure. Any ideas?
Ian Ehrenwald Senior Infrastructure Engineer Hachette Book Group, Inc. 1.617.263.1948 / ian.ehrenwald@hbgusa.com
This may contain confidential material. If you are not an intended recipient, please notify the sender, delete immediately, and understand that no disclosure or reliance on the information herein is permitted. Hachette Book Group may monitor email to and from our network.
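Added example, not part of the thread and not an ONTAP or NetApp tool: a PowerShell check run on the Windows workstation that repeats the forward and reverse name/SID translation the filer did with diag secd, reports which DC the workstation is bound to, and runs the LDAP sAMAccountName search that the object picker behind Check Names relies on, so the filer's answer and the workstation's answer can be compared side by side. The parameter defaults reuse the placeholders from the post (MyAdDomain, MyUserName and the user SID shown); the DC-discovery and port 389 checks are my assumptions about where to look next, not something the thread established.

```powershell
# Added diagnostic (not from the thread). Placeholders below come from the post; substitute your own.
param(
    [string]$Domain    = 'MyAdDomain',   # NetBIOS domain name, as ONTAP printed it
    [string]$Principal = 'MyUserName',   # user or group that Check Names cannot find
    [string]$Sid       = 'S-1-5-21-348434689-563360211-3986294115-29846'  # SID ONTAP returned
)

# 1) Name -> SID and SID -> name through the local LSA (LookupAccountName/LookupAccountSid).
#    This is the same kind of lookup secd performed from the filer.
$fwd = $null
try {
    $fwd = ([System.Security.Principal.NTAccount]"$Domain\$Principal").Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    "LSA forward : $Domain\$Principal -> $fwd"
} catch { "LSA forward : FAILED for $Domain\$Principal ($($_.Exception.Message))" }
try {
    $rev = ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
               [System.Security.Principal.NTAccount]).Value
    "LSA reverse : $Sid -> $rev"
} catch { "LSA reverse : FAILED for $Sid ($($_.Exception.Message))" }

# 2) Which DC is this workstation using, and can it reach it on LDAP/389?
#    The object picker talks LDAP to a DC; the filer may be bound to a different one.
$dc = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().FindDomainController()
"Workstation DC: $($dc.Name) (site $($dc.SiteName))"
$ldapOk = (Test-NetConnection -ComputerName $dc.Name -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
"LDAP/389 to $($dc.Name): $ldapOk"

# 3) The search the object picker performs: sAMAccountName lookup against that DC.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)")
$searcher.Filter = "(sAMAccountName=$Principal)"
[void]$searcher.PropertiesToLoad.Add('objectSid')
$hit = $searcher.FindOne()
if ($hit) {
    # objectSid comes back as a byte[]; decode it to the S-1-5-... string form.
    $ldapSid = (New-Object System.Security.Principal.SecurityIdentifier(
                   [byte[]]$hit.Properties['objectsid'][0], 0)).Value
    "LDAP search : found $($hit.Path) objectSid=$ldapSid"
    if ($fwd -and ($ldapSid -ne $fwd)) { "MISMATCH: LSA and LDAP disagree on the SID for $Principal" }
} else {
    "LDAP search : no object named $Principal via $($dc.Name) (same symptom as Check Names)"
}
```

If step 1 succeeds but step 3 fails, the workstation can resolve the account through LSA yet its bound DC does not return it over LDAP, which points at the DC or site the workstation is using rather than at the filer.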
Can you add the test user to a share on a Windows server?
On Fri, Jan 18, 2019 at 5:30 PM Ian Ehrenwald Ian.Ehrenwald@hbgusa.com wrote:
Toasters mailing list Toasters@teaparty.net http://www.teaparty.net/mailman/listinfo/toasters
Good morning. I'm thinking this is an AD/environmental problem. I tried this same test from home connected to my workplace VPN and did not encounter the same issue. Add another ticket to the queue, it'll get looked at some day :)
From: Basil basilberntsen@gmail.com
Sent: Saturday, January 19, 2019 9:50:29 AM
To: Ian Ehrenwald
Cc: Toasters
Subject: Re: Setting permissions on NTFS CIFS share, users not found?