
NTFS permissions on a CIFS share are not enforced for a specific user

Applies to

ONTAP 9

Issue

  • A user can access a CIFS share even though the ACL does not grant that user access
  • The user holds SeTcbPrivilege (act as part of the operating system); ONTAP treats the operations of such a user as trusted and skips the file permission check, which is why the ACL appears to be ignored

Example:

::> set diag
::*> diag secd authentication show-creds -node cdot-vsim1-01 -vserver svm -win-name test\user1

   UNIX UID: pcuser <> Windows User: TEST\user1 (Windows Domain User)
   GID: pcuser
   Supplementary GIDs (partial):
   pcuser
   Primary Group SID: TEST\Domain Users (Windows Domain group)

Windows Membership:
   TEST\Domain Users (Windows Domain group)
   Service asserted identity (Windows Well known group)
   BUILTIN\Users (Windows Alias)
   User is also a member of Everyone, Authenticated Users, and Network Users
   Privileges (0x2088):
   SeTcbPrivilege

::> cifs users-and-groups privilege show
Vserver        User or Group Name           Privileges
-------------- ---------------------------- -------------------
svm            DEMO\backdoor                SeTcbPrivilege

  • The file permissions on the path also show that this user has no access

::*> file-directory show -vserver svm -path /vol1/
(vserver security file-directory show)
Vserver: svm
   File Path: /vol1/
   File Inode Number: 64
   Security Style: ntfs
   Effective Style: ntfs
   DOS Attributes: 10
   DOS Attributes in Text: ----D---
   Expanded Dos Attributes: -
   UNIX User Id: 0
   UNIX Group Id: 0
   UNIX Mode Bits: 777
   UNIX Mode Bits in Text: rwxrwxrwx
   ACLs: NTFS Security Descriptor
   Control:0x9504
   Owner:BUILTIN\Administrators
   Group:BUILTIN\Administrators
   DACL - ACEs
   ALLOW-TEST\Domain Admins-0x1f01ff-OI|CI

Note: the only ACE in the DACL grants access (0x1f01ff, full control) to TEST\Domain Admins. Neither TEST\user1 nor any of its groups appears in the DACL, so the ACL alone would deny this user.

  • Output of vserver security trace for the affected user

    "Access is allowed because the operation is trusted and no security is configured while opening existing file or directory. Access is granted for: <permissions>".
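To make the checks above repeatable, here is an added Python example (not part of this KB article and not ONTAP tooling) that parses pasted copies of the `privilege show` and `show-creds` output, lists every account that holds SeTcbPrivilege, and mirrors the outcome the security trace reports: a SeTcb holder is granted access before the DACL is consulted, while the same user without the privilege is denied because no ACE names the user or any of its groups. The `DEMO\backup-svc` row, the helper names, and the simplified ACE evaluation (first ACE naming the user or a group decides; no access-mask accumulation) are assumptions for illustration.

```python
"""Flag CIFS accounts whose SeTcbPrivilege lets them bypass NTFS ACL checks.

Added example: the sample text below is a constructed copy of the ONTAP CLI
output shown on this page (svm, TEST\\user1, DEMO\\backdoor); the
DEMO\\backup-svc row and all function names are made up for illustration.
"""
import re

# Constructed sample of `vserver cifs users-and-groups privilege show`.
PRIVILEGE_SHOW = """\
Vserver        User or Group Name           Privileges
-------------- ---------------------------- -------------------
svm            DEMO\\backdoor               SeTcbPrivilege
svm            DEMO\\backup-svc             SeBackupPrivilege,SeRestorePrivilege
"""

# Constructed excerpt of `diag secd authentication show-creds` for TEST\\user1.
SHOW_CREDS = """\
Windows Membership:
   TEST\\Domain Users (Windows Domain group)
   Service asserted identity (Windows Well known group)
   BUILTIN\\Users (Windows Alias)
   User is also a member of Everyone, Authenticated Users, and Network Users
   Privileges (0x2088):
   SeTcbPrivilege
"""

# The single ACE from the page's `file-directory show` output: TYPE-TRUSTEE-MASK-FLAGS.
DACL = ["ALLOW-TEST\\Domain Admins-0x1f01ff-OI|CI"]

ACE_RE = re.compile(r"^(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-(\S+))?$")
GROUP_RE = re.compile(r"^(.+?) \((Windows .*)\)$")


def parse_privilege_show(text):
    """Return {(vserver, account): {privilege, ...}} from the table output."""
    table = {}
    for line in text.splitlines():
        fields = re.split(r"\s{2,}", line.strip())  # columns are padded with 2+ spaces
        if len(fields) != 3 or fields[0] == "Vserver":
            continue  # header, dashed rule, blank lines
        vserver, account, privs = fields
        table[(vserver, account)] = {p.strip() for p in privs.split(",") if p.strip()}
    return table


def tcb_holders(table):
    """Accounts that ONTAP treats as trusted, i.e. that skip file permission checks."""
    return sorted(acct for acct, privs in table.items() if "SeTcbPrivilege" in privs)


def parse_show_creds(text):
    """Return (group names, privilege names) from the Windows Membership block."""
    groups, privs, in_privs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Privileges"):
            in_privs = True  # the lines that follow are privilege names
            continue
        if in_privs:
            if not line:
                break
            privs.add(line)
            continue
        m = GROUP_RE.match(line)
        if m:
            groups.add(m.group(1))
        elif line.startswith("User is also a member of "):
            tail = line[len("User is also a member of "):]
            tail = tail.replace(", and ", ", ").replace(" and ", ", ")
            groups.update(g.strip() for g in tail.split(",") if g.strip())
    return groups, privs


def effective_access(dacl, user, groups, privileges):
    """Mimic the behaviour described on the page: SeTcb wins before the ACL is
    read; otherwise the first ACE naming the user or one of its groups decides
    and no match means deny. (Simplified: real NTFS evaluation accumulates
    access masks across ACEs; that detail is ignored here.)"""
    if "SeTcbPrivilege" in privileges:
        return "allowed: SeTcbPrivilege bypasses the ACL (operation is trusted)"
    identities = {user} | set(groups)
    verdict = {"ALLOW": "allowed", "DENY": "denied"}
    for ace in dacl:
        m = ACE_RE.match(ace)
        if not m:
            raise ValueError(f"unparsable ACE: {ace}")
        kind, trustee, mask, _flags = m.groups()
        if trustee in identities:
            return f"{verdict[kind]} by ACE for {trustee} (mask {mask})"
    return "denied: no ACE matches the user or any of its groups"


def report():
    """Run every check over the constructed samples and return the results."""
    table = parse_privilege_show(PRIVILEGE_SHOW)
    groups, privs = parse_show_creds(SHOW_CREDS)
    return {
        "tcb_holders": tcb_holders(table),
        "with_tcb": effective_access(DACL, "TEST\\user1", groups, privs),
        "without_tcb": effective_access(DACL, "TEST\\user1", groups, privs - {"SeTcbPrivilege"}),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Feed `parse_privilege_show` the real `vserver cifs users-and-groups privilege show` output for each SVM and review every account returned by `tcb_holders`: each one can read and write any file on the SVM regardless of the NTFS DACL, so the list should contain only accounts you deliberately granted that right.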


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.