"steve" == steve klise sklise@hotmail.com writes:
steve> Can the user \filer\appshare and see the share?
No, it keeps asking for a username/password.
steve> If not, that would be a problem, and the share is not setup, or visible.
I can browse \filer from another client (Vista) and see the share (one of a couple on this filer) but I cannot access it, which is ok from that client. Hmm.. when I try to map the \filer\appvol to my laptop, using the appuser account and password, it doesn't let me on. Which is ok, but ideally should be allowed. Esp since I now have:
*\appuser => appuser
in the usermap.cfg file, and the password on the Unix side is known.
steve> You need to create a local user on the filer with the same password, or add the domain or local user to the NTFS security, and I would add the computerobject account.
I don't have any privs to add users to the domain, nor do we want to add this user to the domain, it's a purely local account to the Windows box. Since I'm a unix admin, it's easy enough for me to add the Unix account to NIS for testing, though ideally it would be host local as well.
Adding it to the Netapp is possible as well.
steve> Usually I do this via the MMC, but that is maybe not an option for you.
MMC? I could use the fileradmin web page stuff...
Thanks for the quick reply,
John
John Stoffel - Senior Staff Systems Administrator - System LSI Group
Toshiba America Electronic Components, Inc. - http://www.toshiba.com/taec
john.stoffel@taec.toshiba.com - 508-486-1087

Date: Fri, 10 Sep 2010 10:39:00 -0400
From: john.stoffel@taec.toshiba.com
To: toasters@mathworks.com
Subject: CIFS access question
Hi all,
I'm a Unix/NFS guy, but I've been asked to allow CIFS access from a Windows box to a volume currently mounted by NFS to a Solaris box. Not a problem, I'll just use our existing CIFS setup and setup a share for that volume.
The problems are in terms of authentication. I'd like to restrict the CIFS share for /vol/appvol to JUST this single windows host (winbox) and user (appuser).
But the user "appuser" is a purely local account on both the Windows and Unix systems. They're the same name luckily, but neither is on the NIS or AD domains.
So I've setup the usermap.cfg on the Netapp (3140, OnTap 7.3.1.1) to look like this:
winbox#appuser <= appuser
But I've also tried:
winbox\appuser == appuser
*\appuser == appuser
*\appuser => appuser
And I've setup the share with:
rsh filer cifs share access appvol appuser Full Control
but without any luck. It still asks for a password, but then refuses to let me in. Note that the filer doesn't really have a concept of this username, since it's purely local to the Unix and Windows hosts. Do I need to add this username into NIS and/or AD to make things work?
So I decided to try first by adding the 'appuser' account into my NIS domain, with a matching password to the host local Windows account. No luck so far. Looking at things using 'wcc -u appuser' on the filer, I get "Mapped user not found" even though I can now see that user in NIS on other unix clients.
The funky thing is that I can see with 'cifs sessions' that there is a CIFS connection from the Windows box to the filer, but it says:
x.y.z.2(WINBOX) is connected, but has no users.
so something is working, but not the authentication. I see in the messages file on the netapp the following:
Fri Sep 10 10:34:01 EDT [auth.trace.authenticateUser.loginTraceIP:info]: AUTH: Login attempt by user appuser of domain WINBOX from client machine x.y.z.2 (WINBOX).
Fri Sep 10 10:34:01 EDT [auth.dc.trace.DCConnection.statusMsg:info]: AUTH: Trace DC- attempting authentication with domain controller \MARL-DC.
Fri Sep 10 10:34:01 EDT [auth.trace.authenticateUser.loginRejected:info]: AUTH: Login attempt by user rejected by the domain controller with error 0xc0000064: DC indicates user is not from a trusted domain.
Fri Sep 10 10:34:01 EDT [auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: login from x.y.z.2 rejected because guest account not set.
Fri Sep 10 10:34:01 EDT [auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: Delaying the response by 5 seconds due to continuous failed login attempts by user appuser of domain WINBOX from client machine x.y.z.2.
So maybe I need to add in a guest user? But I don't want a general guest user at all, I really want a very limited share setup for just two hosts and one username.
Any hints appreciated.
Thanks,
John
John Stoffel - Senior Staff Systems Administrator - System LSI Group
Toshiba America Electronic Components, Inc. - http://www.toshiba.com/taec
john.stoffel@taec.toshiba.com - 508-486-1087
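Added example, not part of the original thread: a small Python parser that groups the filer's auth trace lines quoted above into one record per login attempt, so the failure path (local account presented, domain controller rejection, guest fallback refused, throttling) can be read at a glance. The function and field names are assumptions of this example; the NTSTATUS names are the standard Windows ones, which differ from the filer's own message wording.

```python
import re

# Constructed sample: the five auth trace lines from the message, unwrapped.
SAMPLE = """\
Fri Sep 10 10:34:01 EDT [auth.trace.authenticateUser.loginTraceIP:info]: AUTH: Login attempt by user appuser of domain WINBOX from client machine x.y.z.2 (WINBOX).
Fri Sep 10 10:34:01 EDT [auth.dc.trace.DCConnection.statusMsg:info]: AUTH: Trace DC- attempting authentication with domain controller \\MARL-DC.
Fri Sep 10 10:34:01 EDT [auth.trace.authenticateUser.loginRejected:info]: AUTH: Login attempt by user rejected by the domain controller with error 0xc0000064: DC indicates user is not from a trusted domain.
Fri Sep 10 10:34:01 EDT [auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: login from x.y.z.2 rejected because guest account not set.
Fri Sep 10 10:34:01 EDT [auth.trace.authenticateUser.loginTraceMsg:info]: AUTH: Delaying the response by 5 seconds due to continuous failed login attempts by user appuser of domain WINBOX from client machine x.y.z.2.
"""
# Standard Windows NTSTATUS logon codes (not taken from the filer's message text).
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC000006D: "STATUS_LOGON_FAILURE"}
EVENT = re.compile(r"\[(?P<event>[\w.]+):\w+\]: AUTH: (?P<msg>.*)$")
ATTEMPT = re.compile(r"Login attempt by user (\S+) of domain (\S+) from client machine (\S+) \((\w+)\)")
REJECT = re.compile(r"rejected by the domain controller with error (0x[0-9a-fA-F]+)")
DC = re.compile(r"domain controller (\S+?)\.?$")
DELAY = re.compile(r"Delaying the response by (\d+) seconds")

def summarize(text):
    """Group auth trace lines into one record per login attempt."""
    attempts, cur = [], None
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        event, msg = m["event"], m["msg"]
        if event.endswith("loginTraceIP") and (a := ATTEMPT.search(msg)):
            cur = {"user": a[1], "domain": a[2], "client": a[3],
                   # Heuristic: domain equal to the client's own name means a workstation-local account.
                   "local_account": a[2].upper() == a[4].upper(),
                   "dc": None, "status": None, "guest_denied": False, "delay_s": 0}
            attempts.append(cur)
        elif cur is None:
            continue  # trace line with no preceding login attempt
        elif r := REJECT.search(msg):
            code = int(r[1], 16)
            cur["status"] = NTSTATUS.get(code, hex(code))
        elif d := DC.search(msg):
            cur["dc"] = d[1]
        elif "guest account not set" in msg:
            cur["guest_denied"] = True
        elif s := DELAY.search(msg):
            cur["delay_s"] = int(s[1])
    return attempts

if __name__ == "__main__":
    for rec in summarize(SAMPLE):
        print(rec)
```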