Hi there,
I managed to add FSx for NetApp ONTAP to our domain with FSxServiceAccount as described on the product page. However, I am running into issues when I am trying to attach it to my Windows instance.
(It works fine on Linux). I see the following issues:
- When I am running this command: New-SmbGlobalMapping -Persistent $true -RemotePath \\<IP of my smb>\share -Credential $creds -LocalPath G:
I get the following error:
New-SmbGlobalMapping : Access is denied. - I am using domain admin credentials
- When I am running this command
net use Z: \\<dns address of the smb>\share
I get the following error: System error 5 has occurred. Access is denied.
- Also with domain admin creds
- I can successfully attach via File Explorer > This PC > Computer > Map network drive, however I cannot read/write to it. If I check the file permission mode in Properties I can see that only the owner (FSxServiceAccount?) is allowed to write; however, Read should work, but I cannot change the permissions as Domain Admin.
I am using Directory Service Standard Edition.
Did you guys experience issues with this? What am I doing wrong?
Update:
I managed to attach the disk, but I cannot write or read any file on the disk.
It is in OU=Computers, and I allowed Everyone Full Access, and also allowed Everyone Read/Write on the NFS filesystems attached to the AD, but it is still not working. I am suspecting this is something NetApp specific, but we will see.
Update #2
Based on CloudWreck's comment I found the following:
I am using mixed style.
I use the following code:
net use P: \\WINDOWS\vol1
$CurTgt = "P:"
# Current user in DOMAIN\user form; this is the identity the ACE is granted to
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl -Path $CurTgt
# Allow ACE for FullControl, inherited by sub-folders (ContainerInherit) and files (ObjectInherit)
$AccessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $CurUsr, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
$acl.SetAccessRule($AccessRule)
# Write the modified security descriptor back to the mapped drive root
Set-Acl -Path $CurTgt -AclObject $acl
Get-Acl returns
Path Owner Access
---- ----- ------
P:\ Everyone Everyone Allow -1
Also using this one:
$CurTgt = "P:"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl -Path $CurTgt
# NTAccount wrapper for the current user, so PurgeAccessRules can match ACEs by identity
$usersid = New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $CurUsr
# Remove every ACE (allow and deny) that names the current user
$acl.PurgeAccessRules($usersid)
Set-Acl -Path $CurTgt -AclObject $acl
Also tried this:
takeown /F * /R
takeown : ERROR: File ownership cannot be applied on insecure file systems;
But I am still unable to write/read files or create folders.
Update #3
I ran the following commands and changed the permissions from the ONTAP side:
vserver security file-directory show -vserver windows -path /vol1
vserver security file-directory ntfs create -ntfs-sd sd1 -owner DomainName\Administrator
vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type success -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files
vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type allow -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files
vserver security file-directory policy create -policy-name policy1
vserver security file-directory policy task add -policy-name policy1 -path /vol1 -ntfs-sd sd1
vserver security file-directory apply -policy-name policy1
vserver security file-directory show -path /vol1 -expand-mask true
It changed the file permissions (mode), however I am still unable to read/write files.
These are the current settings:
File Path: /vol1
File Inode Number: 64
Security Style: mixed
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: 0x10
...0 .... .... .... = Offline
.... ..0. .... .... = Sparse
.... .... 0... .... = Normal
.... .... ..0. .... = Archive
.... .... ...1 .... = Directory
.... .... .... .0.. = System
.... .... .... ..0. = Hidden
.... .... .... ...0 = Read Only
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
ALLOW-Everyone-0x1f01ff-OI|CI
0... .... .... .... .... .... .... .... = Generic Read
.0.. .... .... .... .... .... .... .... = Generic Write
..0. .... .... .... .... .... .... .... = Generic Execute
...0 .... .... .... .... .... .... .... = Generic All
.... ...0 .... .... .... .... .... .... = System Security
.... .... ...1 .... .... .... .... .... = Synchronize
.... .... .... 1... .... .... .... .... = Write Owner
.... .... .... .1.. .... .... .... .... = Write DAC
.... .... .... ..1. .... .... .... .... = Read Control
.... .... .... ...1 .... .... .... .... = Delete
.... .... .... .... .... ...1 .... .... = Write Attributes
.... .... .... .... .... .... 1... .... = Read Attributes
.... .... .... .... .... .... .1.. .... = Delete Child
.... .... .... .... .... .... ..1. .... = Execute
.... .... .... .... .... .... ...1 .... = Write EA
.... .... .... .... .... .... .... 1... = Read EA
.... .... .... .... .... .... .... .1.. = Append
.... .... .... .... .... .... .... ..1. = Write
.... .... .... .... .... .... .... ...1 = Read
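As an added diagnostic example (not code from the original post, nor from AWS or NetApp): the script below, run on the Windows client, records which identity and groups the caller's token carries, which user the SMB session to the FSx SVM was authenticated as and whether it is signed/encrypted, the DACL the client sees on the mapped drive root, and the result of separate list, write, read and delete probes. Keeping the probes separate lets an "Access is denied" be attributed to the session identity or to a specific right on the ACL rather than guessed at. The UNC path \\WINDOWS\vol1 and drive letter P: are taken from the post; the probe file name and everything else are assumptions.

```powershell
# Added example: client-side diagnosis of a mapped FSx for ONTAP SMB share.
# Assumptions: the share is \\WINDOWS\vol1 (from the post) and P: is free or already mapped to it.
param(
    [string]$RemotePath = '\\WINDOWS\vol1',
    [string]$LocalPath  = 'P:',
    # Hypothetical probe file name; unique so a stale probe never masks a result
    [string]$ProbeName  = 'acl-probe-' + [guid]::NewGuid().ToString('N').Substring(0, 8) + '.txt'
)

# 1. Identity and group SIDs in the current token (Everyone must be among them for the
#    ALLOW-Everyone ACE shown in the post to apply).
$id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
"Token user: $($id.Name)"
$id.Groups |
    ForEach-Object { $_.Translate([System.Security.Principal.NTAccount]).Value } |
    Sort-Object

# 2. Map the drive if it is not mapped yet (non-persistent, current session only).
if (-not (Get-SmbMapping -LocalPath $LocalPath -ErrorAction SilentlyContinue)) {
    New-SmbMapping -LocalPath $LocalPath -RemotePath $RemotePath | Out-Null
}

# 3. Which account the SMB session to that server was actually authenticated as.
$server = ($RemotePath -split '\\')[2]
Get-SmbConnection |
    Where-Object ServerName -eq $server |
    Select-Object ServerName, ShareName, UserName, Dialect, Signed, Encrypted

# 4. The DACL as presented to the client (compare with the ONTAP-side
#    'vserver security file-directory show' output).
(Get-Acl -Path $LocalPath).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# 5. Independent probes, each reporting OK or the exact error text.
$probe = Join-Path -Path $LocalPath -ChildPath $ProbeName
$results = [ordered]@{}
try { Get-ChildItem -Path $LocalPath -ErrorAction Stop | Out-Null; $results['List']   = 'OK' } catch { $results['List']   = $_.Exception.Message }
try { Set-Content -Path $probe -Value 'probe' -ErrorAction Stop;   $results['Write']  = 'OK' } catch { $results['Write']  = $_.Exception.Message }
try { Get-Content -Path $probe -ErrorAction Stop | Out-Null;       $results['Read']   = 'OK' } catch { $results['Read']   = $_.Exception.Message }
try { Remove-Item -Path $probe -ErrorAction Stop;                  $results['Delete'] = 'OK' } catch { $results['Delete'] = $_.Exception.Message }
[pscustomobject]$results
```

Run it in the same elevated or non-elevated PowerShell session you expect to use the share from, since the token (step 1) and the SMB session user (step 3) can differ between the two when a drive was mapped with explicit credentials; if step 3 shows a different UserName than step 1, the ACL is being evaluated against that session account, not the logged-on user.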