Users cannot access a CIFS share because of insufficient file-level permissions
Applies to
- ONTAP 9
- CIFS
- NTFS
Issue
- Users attempting to access a CIFS share receive:
Access Denied
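- After migrating from 7-Mode to Cluster-Mode, users cannot modify or delete files and receive a permission denied error
- Share-level permissions are sufficient to access the share:
Example: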
::> cifs share show -share-name vol
Vserver        Share         Path          Properties Comment  ACL
-------------- ------------- ------------- ---------- -------- -----------
svm1           vol           /vol          oplocks    -        user1 / Full Control
                                           browsable
                                           changenotify
                                           show-previous-versions
- File-level permissions show that user1 is not listed in the DACL:
Example:
::> file-directory show -vserver svm1 -path /vol
Vserver: svm1
File Path: /vol
File Inode Number: 64
Security Style: ntfs
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: -
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:BUILTIN\Administrators
Group:BUILTIN\Administrators
DACL - ACEs
ALLOW-User2-0x1f01ff
- A security trace may show the following errors:
Access is denied. The requested permissions are not granted by the ACE
Access is denied by an explicit ACE
Access is denied by an inherited ACE
- A collected packet trace shows STATUS_ACCESS_DENIED; the tree connect fails because the share ACL is improperly configured:
No. Source Destination Protocol NT Status Info
258 10.11.12.1 10.11.12.2 SMB2 Tree Connect Request Tree: \\10.11.12.2\share_name
259 10.11.12.2 10.11.12.1 SMB2 STATUS_ACCESS_DENIED Tree Connect Response, Error: STATUS_ACCESS_DENIED
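
The DACL check shown in the file-directory show output above (user1 has no ACE) can be scripted. The following is an added example, not NetApp code: it parses the ACL section copied from that output, decodes the ACE mask with the standard Windows access-right bits, and reports what a named user is granted by explicit ACEs. The function names are hypothetical, and matching is by trustee name only; group membership is not resolved.

```python
import re

# Standard Windows file access-mask bits; together they equal 0x1f01ff (Full Control).
RIGHTS = {
    0x000001: "READ_DATA", 0x000002: "WRITE_DATA", 0x000004: "APPEND_DATA",
    0x000008: "READ_EA", 0x000010: "WRITE_EA", 0x000020: "EXECUTE",
    0x000040: "DELETE_CHILD", 0x000080: "READ_ATTRIBUTES",
    0x000100: "WRITE_ATTRIBUTES", 0x010000: "DELETE", 0x020000: "READ_CONTROL",
    0x040000: "WRITE_DAC", 0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
# TYPE-trustee-mask; anything after the mask is ignored (assumption of this example).
ACE_RE = re.compile(r"^\s*(ALLOW|DENY)-(.+)-(0x[0-9a-fA-F]+)(?:-.*)?\s*$")

# ACL section copied from the file-directory show output on this page.
SAMPLE = """\
ACLs: NTFS Security Descriptor
Control:0x8004
Owner:BUILTIN\\Administrators
Group:BUILTIN\\Administrators
DACL - ACEs
ALLOW-User2-0x1f01ff
"""

def parse_dacl(output):
    """Return (type, trustee, mask) for each ACE listed under 'DACL - ACEs'."""
    aces, in_dacl = [], False
    for line in output.splitlines():
        head = line.strip()
        if head.startswith(("DACL", "SACL")):
            in_dacl = head.startswith("DACL")
            continue
        m = ACE_RE.match(line) if in_dacl else None
        if m:
            aces.append((m.group(1), m.group(2), int(m.group(3), 16)))
    return aces

def decode_mask(mask):
    """Names of the access rights set in an ACE mask."""
    return [name for bit, name in RIGHTS.items() if mask & bit]

def explicit_access(aces, user):
    """Rights granted to `user` by name; DENY bits subtract (simplified). No group lookup."""
    allow = deny = 0
    for kind, trustee, mask in aces:
        if trustee.split("\\")[-1].lower() == user.lower():
            allow, deny = (allow | mask, deny) if kind == "ALLOW" else (allow, deny | mask)
    return allow & ~deny

if __name__ == "__main__":
    aces = parse_dacl(SAMPLE)
    for user in ("user1", "User2"):
        print(user, decode_mask(explicit_access(aces, user)) or "no explicit ACE")
```

A result of zero for a user only means no ACE names that user directly; access may still come from a group ACE, which this example does not evaluate.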