FSx for NetApp ONTAP - Windows permission issues

0

Hi there, I managed to add FSx for NetApp ONTAP to our domain with FSxServiceAccount as described on the product page. However, I am running into issues when I am trying to attach it to my Windows instance. (It works fine on Linux). I see the following issues:

  • When I am running this command New-SmbGlobalMapping -Persistent $true -RemotePath \<IO of my smb>\share -Credential $creds -LocalPath G:I get the following error:New-SmbGlobalMapping : Access is denied.` - I am using domain admin credentials
  • When I am running this command net use Z: \\<dns address of the smb>\share I got the following error: System error 5 has occurred. Access is denied. - Also with domain admin creds
  • I can successfully attach via File Explorer > This PC > Computer >Map network drive, however I can not read/write to it. If I check the FIle permission mode in Propertires I can see that only the owner (FSxServiceAccount?) is allowed to write, however Read should work, but I can not change the permissions as domain Admin.

I am using Directory Service Standard Edition. Did you guys experience issues with this? What am I doing wrong?

Update: I managed to attach the disk, but I can not write or read any file on the disk. It is in OU=Computers, and allowed Everyone Full Access, also allowed Everyone Read/Write the NFS filesystems attached to the AD, but still not working. I am suspecting this is something NetApp specific, but we will see.

Update #2 Based on CloudWreck's comment I found the following: I am using mixed style.
I use the following code:

 net use P: \\WINDOWS\vol1 
$CurTgt = "P:"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($CurUsr,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $CurTgt 

Get-Acl returns

Path Owner    Access            
---- -----    ------            
P:\  Everyone Everyone Allow  -1 

Also using this one:

 $CurTgt = "P:"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$usersid = New-Object System.Security.Principal.Ntaccount ($CurUsr)
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl $CurTgt

Also tried this:

 takeown /F * /R
takeown : ERROR: File ownership cannot be applied on insecure file systems; 

But I am still unable to write/read files or create folders.

Update#3 I ran the following commands and changed the permission from the ONTAP side

vserver security file-directory show -vserver windows -path /vol1
vserver security file-directory ntfs create -ntfs-sd sd1 -owner DomainName\Administrator
vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type success -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files
vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type allow -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files
vserver security file-directory policy create -policy-name policy1
vserver security file-directory policy task add -policy-name policy1 -path /vol1 -ntfs-sd sd1
vserver security file-directory apply -policy-name policy1
vserver security file-directory show  -path /vol1 -expand-mask true

It changed the file permissions (mode), however I am still unable to read/write files. These are the current settings:

              File Path: /vol1
      File Inode Number: 64
         Security Style: mixed
        Effective Style: ntfs
         DOS Attributes: 10
 DOS Attributes in Text: ----D---
Expanded Dos Attributes: 0x10
     ...0 .... .... .... = Offline
     .... ..0. .... .... = Sparse
     .... .... 0... .... = Normal
     .... .... ..0. .... = Archive
     .... .... ...1 .... = Directory
     .... .... .... .0.. = System
     .... .... .... ..0. = Hidden
     .... .... .... ...0 = Read Only
           UNIX User Id: 0
          UNIX Group Id: 0
         UNIX Mode Bits: 777
 UNIX Mode Bits in Text: rwxrwxrwx
                   ACLs: NTFS Security Descriptor

                     ALLOW-Everyone-0x1f01ff-OI|CI
                              0... .... .... .... .... .... .... .... = Generic Read
                              .0.. .... .... .... .... .... .... .... = Generic Write
                              ..0. .... .... .... .... .... .... .... = Generic Execute
                              ...0 .... .... .... .... .... .... .... = Generic All
                              .... ...0 .... .... .... .... .... .... = System Security
                              .... .... ...1 .... .... .... .... .... = Synchronize
                              .... .... .... 1... .... .... .... .... = Write Owner
                              .... .... .... .1.. .... .... .... .... = Write DAC
                              .... .... .... ..1. .... .... .... .... = Read Control
                              .... .... .... ...1 .... .... .... .... = Delete
                              .... .... .... .... .... ...1 .... .... = Write Attributes
                              .... .... .... .... .... .... 1... .... = Read Attributes
                              .... .... .... .... .... .... .1.. .... = Delete Child
                              .... .... .... .... .... .... ..1. .... = Execute
                              .... .... .... .... .... .... ...1 .... = Write EA
                              .... .... .... .... .... .... .... 1... = Read EA
                              .... .... .... .... .... .... .... .1.. = Append
                              .... .... .... .... .... .... .... ..1. = Write
                              .... .... .... .... .... .... .... ...1 = Read
1 Answer
0

NetApp allows for volumes to have two types of filesystem level permission types - UNIX-style permissions and NTFS-style permissions. The default is UNIX-style permissions. To use a volume behind a Windows fileshare (SMB), then you'll need to change the volume file permissions type to NTFS-style.

If you created the volume through the AWS console, the default of UNIX-style permissions will be set. There is not currently a way to set this or modify permissions styles through the AWS console. You'll need to get SSH access to the filesystem to change this via the ONTAP CLI (below).

The permissions are defined through a construct called a Qtree. You can check the permissions style via:

FsxId0d2dd78f8bba6d032::> qtree show
Vserver    Volume        Qtree        Style        Oplocks   Status
---------- ------------- ------------ ------------ --------- --------
source-svm01 
           source_svm01_root 
                         ""           unix         enable    normal
source-svm01 
           testvol       ""           unix         enable    normal
2 entries were displayed.

You can change the permissions style via:

FsxId0d2dd78f8bba6d032::> qtree security -volume testvol -qtree "" -security-style ntfs 

And then check again to see that the permission style has changed.

FsxId0d2dd78f8bba6d032::> qtree show                                                    
Vserver    Volume        Qtree        Style        Oplocks   Status
---------- ------------- ------------ ------------ --------- --------
source-svm01 
           source_svm01_root 
                         ""           unix         enable    normal
source-svm01 
           testvol       ""           ntfs         enable    normal
2 entries were displayed.

There's also a "mixed" style that allows a volume to be accessed over both NFS from Linux and SMB from Windows. In these scenarios, a mapping construct is used to map the UNIX permissions to NTFS permissions, or vice versa. More on security styles here: https://docs.netapp.com/us-en/ontap/smb-admin/security-styles-their-effects-concept.html

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions