CIFS 共享上的 NTFS 权限不会对特定用户生效

适用于

• ONTAP 9
• 集群模式 Data ONTAP 8.2+

问题

• 即使 ACL 不允许访问、但能够访问 CIFS 共享的用户
• 用户具有 "setcbprivilege" 权限

::> set diag
::*> diag secd authentication show-creds -node cdot-vsim1-01 -vserver svm -win-name

test\user1
   UNIX UID: pcuser <> Windows User: TEST\user1 (Windows Domain User)
   GID: pcuser
   Supplementary GIDs (partial):
   pcuser
   Primary Group SID: TEST\Domain Users (Windows Domain group)

Windows Membership:
   TEST\Domain Users (Windows Domain group)
   Service asserted identity (Windows Well known group)
   BUILTIN\Users (Windows Alias)
   User is also a member of Everyone, Authenticated Users, and Network Users
   Privileges (0x2088):
   SeTcbPrivilege

• 共享上的权限也不显示此用户的访问权限

::*> file-directory show -vserver svm -path /vol1/
(vserver security file-directory show)
Vserver: svm
   File Path: /vol1/
   File Inode Number: 64
   Security Style: ntfs
   Effective Style: ntfs
   DOS Attributes: 10
   DOS Attributes in Text: ----D---

Expanded Dos Attributes: -
   UNIX User Id: 0
   UNIX Group Id: 0
   UNIX Mode Bits: 777
   UNIX Mode Bits in Text: rwxrwxrwx
   ACLs: NTFS Security Descriptor

Control:0x9504
   Owner:BUILTIN\Administrators
   Group:BUILTIN\Administrators
   DACL - ACEs
   ALLOW-TEST\Domain Admins-0x1f01ff-OI|CI <<<< 仅允许域管理员访问。

• vserver security trace 有关用户的输出

  "Access is allowed because the operation is trusted and no security is configured while opening existing file or directory. Access is granted for: <permissions>".