
NTFS permissions on a CIFS share do not take effect for a specific user

Category: ontap-9
Specialty: cifs

Applies to

  • ONTAP 9
  • Clustered Data ONTAP 8.2+

Issue

  • A user can access a CIFS share even though the ACL does not grant them access
  • The user holds the "SeTcbPrivilege" privilege

::> set diag
::*> diag secd authentication show-creds -node cdot-vsim1-01 -vserver svm -win-name test\user1

   UNIX UID: pcuser <> Windows User: TEST\user1 (Windows Domain User)
   GID: pcuser
   Supplementary GIDs (partial):
   pcuser
   Primary Group SID: TEST\Domain Users (Windows Domain group)

Windows Membership:
   TEST\Domain Users (Windows Domain group)
   Service asserted identity (Windows Well known group)
   BUILTIN\Users (Windows Alias)
   User is also a member of Everyone, Authenticated Users, and Network Users
   Privileges (0x2088):
   SeTcbPrivilege

  • The permissions on the share do not show any access for this user either

::*> file-directory show -vserver svm -path /vol1/
(vserver security file-directory show)
Vserver: svm
   File Path: /vol1/
   File Inode Number: 64
   Security Style: ntfs
   Effective Style: ntfs
   DOS Attributes: 10
   DOS Attributes in Text: ----D---
   Expanded Dos Attributes: -
   UNIX User Id: 0
   UNIX Group Id: 0
   UNIX Mode Bits: 777
   UNIX Mode Bits in Text: rwxrwxrwx
   ACLs: NTFS Security Descriptor

   Control:0x9504
   Owner:BUILTIN\Administrators
   Group:BUILTIN\Administrators
   DACL - ACEs
   ALLOW-TEST\Domain Admins-0x1f01ff-OI|CI
<<<< Only Domain Admins are granted access.

  • Output of vserver security trace for the user

    "Access is allowed because the operation is trusted and no security is configured while opening existing file or directory. Access is granted for: <permissions>".
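The three outputs above can be cross-checked mechanically. The following script is an added example (not NetApp code) that parses the text of the show-creds and file-directory outputs shown on this page, collects the user's principals (user, primary group, explicit and implicit memberships) and the DACL's ACEs, and reports whether the observed access is explained by an ALLOW ACE for one of those principals or, failing that, by SeTcbPrivilege, which matches the "operation is trusted" message in the security trace. The sample text is copied from this page with its values unchanged; the regular expressions assume the output layout exactly as printed here.

```python
"""Triage helper for the symptom above: a user reaches a CIFS share although the
NTFS DACL grants nothing to them, and show-creds lists SeTcbPrivilege.

Added example, not NetApp code. It parses the two ONTAP CLI outputs shown on
this page and reports whether the access is explained by an ALLOW ACE for one
of the user's principals or, failing that, by SeTcbPrivilege."""

import re

# Constructed sample: the show-creds output from this page (values unchanged).
SHOW_CREDS = """\
   UNIX UID: pcuser <> Windows User: TEST\\user1 (Windows Domain User)
   GID: pcuser
   Supplementary GIDs (partial):
   pcuser
   Primary Group SID: TEST\\Domain Users (Windows Domain group)

Windows Membership:
   TEST\\Domain Users (Windows Domain group)
   Service asserted identity (Windows Well known group)
   BUILTIN\\Users (Windows Alias)
   User is also a member of Everyone, Authenticated Users, and Network Users
   Privileges (0x2088):
   SeTcbPrivilege
"""

# Constructed sample: the security-descriptor part of file-directory show from this page.
FILE_DIRECTORY = """\
   ACLs: NTFS Security Descriptor

   Control:0x9504
   Owner:BUILTIN\\Administrators
   Group:BUILTIN\\Administrators
   DACL - ACEs
   ALLOW-TEST\\Domain Admins-0x1f01ff-OI|CI
"""


def parse_show_creds(text):
    """Extract the Windows user, every group principal and the privilege names."""
    user = re.search(r"Windows User:\s*(\S+)", text).group(1)
    primary = re.search(r"Primary Group SID:\s*(.+?)\s+\(", text).group(1)
    membership = text.split("Windows Membership:", 1)[1]
    membership, _, priv_block = membership.partition("Privileges")
    # Explicit entries look like "   TEST\Domain Users (Windows Domain group)".
    groups = [primary] + re.findall(r"^\s+(\S.*?)\s+\(Windows [^)]*\)\s*$", membership, re.M)
    # Implicit memberships are listed in prose: "User is also a member of A, B, and C".
    implicit = re.search(r"User is also a member of (.+)", membership)
    if implicit:
        groups += [g.strip() for g in re.split(r",\s*(?:and\s+)?", implicit.group(1))]
    groups = list(dict.fromkeys(groups))  # de-duplicate, keep order
    privileges = re.findall(r"^\s*(Se\w+Privilege)\s*$", priv_block, re.M)
    return {"user": user, "groups": groups, "privileges": privileges}


def parse_dacl(text):
    """Extract ACEs of the form TYPE-trustee-0xmask[-flags] from the DACL section."""
    dacl = text.split("DACL - ACEs", 1)[1]
    ace_re = re.compile(r"^\s*(ALLOW|DENY)-(.+?)-0x([0-9a-fA-F]+)(?:-(\S+))?\s*$", re.M)
    return [{"type": m.group(1), "trustee": m.group(2),
             "mask": int(m.group(3), 16), "flags": m.group(4) or ""}
            for m in ace_re.finditer(dacl)]


def explain_access(creds, aces):
    """Return 'dacl', 'setcbprivilege' or 'unexplained' for the observed access."""
    principals = {creds["user"].lower()} | {g.lower() for g in creds["groups"]}
    if any(a["type"] == "ALLOW" and a["trustee"].lower() in principals for a in aces):
        return "dacl"
    if "SeTcbPrivilege" in creds["privileges"]:
        return "setcbprivilege"  # trusted operation: the DACL is not what granted access
    return "unexplained"


if __name__ == "__main__":
    creds = parse_show_creds(SHOW_CREDS)
    aces = parse_dacl(FILE_DIRECTORY)
    print(creds["user"], "groups:", creds["groups"])
    print("privileges:", creds["privileges"])
    print("ACEs:", aces)
    print("access explained by:", explain_access(creds, aces))
```

Run against the page's outputs, the script finds no ALLOW ACE for TEST\user1 or any of its groups (the only ACE is for TEST\Domain Admins) and reports "setcbprivilege", which is the state described in the issue: the access comes from the trusted-operation path, not from the share's NTFS security descriptor.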
